Analysis Overview
SHA256
cf50f189fc5b6fb4762cee07c4d5e22cdbeb853132f86f6c757033aff65a83a1
Threat Level: Known bad
The file JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Pykspa family
Pykspa
UAC bypass
Detect Pykspa worm
Disables RegEdit via registry modification
Adds policy Run key to start application
Executes dropped EXE
Checks computer location settings
Impair Defenses: Safe Mode Boot
Hijack Execution Flow: Executable Installer File Permissions Weakness
Looks up external IP address via web service
Checks whether UAC is enabled
Adds Run key to start application
Drops file in System32 directory
Drops autorun.inf file
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-21 06:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-21 06:08
Reported
2025-04-21 06:10
Platform
win10v2004-20250314-en
Max time kernel
53s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
Pykspa
Pykspa family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
Detect Pykspa worm
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "mavwplwymhrhfjmaciiw.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "zmggytderlujgjlyzed.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmoifrujfqhglpehopea.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmoifrujfqhglpehopea.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "bqmoifrujfqhglpehopea.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "mavwplwymhrhfjmaciiw.exe" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "mavwplwymhrhfjmaciiw.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "yizwldkisjpbvvue.exe" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "mavwplwymhrhfjmaciiw.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmoifrujfqhglpehopea.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmoifrujfqhglpehopea.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "oatsjdmmyrznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "oatsjdmmyrznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "oatsjdmmyrznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "oatsjdmmyrznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "zmggytderlujgjlyzed.exe" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "oatsjdmmyrznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmoifrujfqhglpehopea.exe" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "bqmoifrujfqhglpehopea.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "bqmoifrujfqhglpehopea.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "yizwldkisjpbvvue.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "zmggytderlujgjlyzed.exe" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "bqmoifrujfqhglpehopea.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "oatsjdmmyrznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "oatsjdmmyrznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "yizwldkisjpbvvue.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "zmggytderlujgjlyzed.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\yizwldkisjpbvvue.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\mavwplwymhrhfjmaciiw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\bqmoifrujfqhglpehopea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\bqmoifrujfqhglpehopea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\oatsjdmmyrznjlmyyc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\bqmoifrujfqhglpehopea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\bqmoifrujfqhglpehopea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\yizwldkisjpbvvue.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\bqmoifrujfqhglpehopea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\zmggytderlujgjlyzed.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\yizwldkisjpbvvue.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\yizwldkisjpbvvue.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\oatsjdmmyrznjlmyyc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\mavwplwymhrhfjmaciiw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\zmggytderlujgjlyzed.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\bqmoifrujfqhglpehopea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\oatsjdmmyrznjlmyyc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\yizwldkisjpbvvue.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\oatsjdmmyrznjlmyyc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\zmggytderlujgjlyzed.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\bqmoifrujfqhglpehopea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\mavwplwymhrhfjmaciiw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\fqigwpxwhzgtoppaz.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\oatsjdmmyrznjlmyyc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\fqigwpxwhzgtoppaz.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\yizwldkisjpbvvue.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\yizwldkisjpbvvue.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\bqmoifrujfqhglpehopea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\fqigwpxwhzgtoppaz.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Windows\oatsjdmmyrznjlmyyc.exe | N/A |
Executes dropped EXE
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "mavwplwymhrhfjmaciiw.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "fqigwpxwhzgtoppaz.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe ." | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "zmggytderlujgjlyzed.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "oatsjdmmyrznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "zmggytderlujgjlyzed.exe ." | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaiwclj = "zmggytderlujgjlyzed.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaiwclj = "zmggytderlujgjlyzed.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "bqmoifrujfqhglpehopea.exe" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "yizwldkisjpbvvue.exe ." | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe ." | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "oatsjdmmyrznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "oatsjdmmyrznjlmyyc.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "zmggytderlujgjlyzed.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmoifrujfqhglpehopea.exe" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "yizwldkisjpbvvue.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "mavwplwymhrhfjmaciiw.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "mavwplwymhrhfjmaciiw.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "fqigwpxwhzgtoppaz.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmoifrujfqhglpehopea.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "mavwplwymhrhfjmaciiw.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "oatsjdmmyrznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "yizwldkisjpbvvue.exe" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe ." | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe ." | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "bqmoifrujfqhglpehopea.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaiwclj = "yizwldkisjpbvvue.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "mavwplwymhrhfjmaciiw.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "yizwldkisjpbvvue.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "fqigwpxwhzgtoppaz.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "fqigwpxwhzgtoppaz.exe ." | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\yizwldkisjpbvvueceakbynfmkulrdxxwgegcm.aph | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sifidbosifrjjpukowyolo.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sifidbosifrjjpukowyolo.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sifidbosifrjjpukowyolo.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File created | C:\Windows\SysWOW64\bagswdzmlrmnwlzylcnmseiplyx.yzi | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sifidbosifrjjpukowyolo.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sifidbosifrjjpukowyolo.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sifidbosifrjjpukowyolo.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sifidbosifrjjpukowyolo.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\bagswdzmlrmnwlzylcnmseiplyx.yzi | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File created | C:\Program Files (x86)\bagswdzmlrmnwlzylcnmseiplyx.yzi | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File opened for modification | C:\Program Files (x86)\yizwldkisjpbvvueceakbynfmkulrdxxwgegcm.aph | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File created | C:\Program Files (x86)\yizwldkisjpbvvueceakbynfmkulrdxxwgegcm.aph | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\sifidbosifrjjpukowyolo.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\sifidbosifrjjpukowyolo.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\sifidbosifrjjpukowyolo.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\sifidbosifrjjpukowyolo.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\sifidbosifrjjpukowyolo.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\sifidbosifrjjpukowyolo.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\sifidbosifrjjpukowyolo.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File opened for modification | C:\Windows\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File opened for modification | C:\Windows\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File opened for modification | C:\Windows\mavwplwymhrhfjmaciiw.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\sifidbosifrjjpukowyolo.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\fqigwpxwhzgtoppaz.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File opened for modification | C:\Windows\sifidbosifrjjpukowyolo.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\bagswdzmlrmnwlzylcnmseiplyx.yzi | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File opened for modification | C:\Windows\oatsjdmmyrznjlmyyc.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\sifidbosifrjjpukowyolo.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\zmggytderlujgjlyzed.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File created | C:\Windows\bagswdzmlrmnwlzylcnmseiplyx.yzi | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| File opened for modification | C:\Windows\bqmoifrujfqhglpehopea.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\sifidbosifrjjpukowyolo.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| File opened for modification | C:\Windows\yizwldkisjpbvvue.exe | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mavwplwymhrhfjmaciiw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mavwplwymhrhfjmaciiw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mavwplwymhrhfjmaciiw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mavwplwymhrhfjmaciiw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\yizwldkisjpbvvue.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\fqigwpxwhzgtoppaz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mavwplwymhrhfjmaciiw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\bqmoifrujfqhglpehopea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\oatsjdmmyrznjlmyyc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\fqigwpxwhzgtoppaz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zmggytderlujgjlyzed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zmggytderlujgjlyzed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\yizwldkisjpbvvue.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zmggytderlujgjlyzed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\yizwldkisjpbvvue.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\yizwldkisjpbvvue.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\oatsjdmmyrznjlmyyc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\bqmoifrujfqhglpehopea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zmggytderlujgjlyzed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\oatsjdmmyrznjlmyyc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mavwplwymhrhfjmaciiw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\bqmoifrujfqhglpehopea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\bqmoifrujfqhglpehopea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\bqmoifrujfqhglpehopea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\fqigwpxwhzgtoppaz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\yizwldkisjpbvvue.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\oatsjdmmyrznjlmyyc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\mavwplwymhrhfjmaciiw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zmggytderlujgjlyzed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\yizwldkisjpbvvue.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\yizwldkisjpbvvue.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\oatsjdmmyrznjlmyyc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\bqmoifrujfqhglpehopea.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\fqigwpxwhzgtoppaz.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\bagsw.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe"
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe*"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
C:\Users\Admin\AppData\Local\Temp\bagsw.exe
"C:\Users\Admin\AppData\Local\Temp\bagsw.exe" "-C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe"
C:\Users\Admin\AppData\Local\Temp\bagsw.exe
"C:\Users\Admin\AppData\Local\Temp\bagsw.exe" "-C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe .
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe .
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .
C:\Windows\mavwplwymhrhfjmaciiw.exe
mavwplwymhrhfjmaciiw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Windows\oatsjdmmyrznjlmyyc.exe
oatsjdmmyrznjlmyyc.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe
C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe
C:\Windows\yizwldkisjpbvvue.exe
yizwldkisjpbvvue.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
C:\Windows\zmggytderlujgjlyzed.exe
zmggytderlujgjlyzed.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe
C:\Windows\fqigwpxwhzgtoppaz.exe
fqigwpxwhzgtoppaz.exe .
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe
C:\Windows\bqmoifrujfqhglpehopea.exe
bqmoifrujfqhglpehopea.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 172.66.40.87:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 172.66.40.87:80 | www.whatismyip.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 172.66.40.87:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 172.66.40.87:80 | www.whatismyip.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 172.66.40.87:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.myspace.com | udp |
| US | 34.111.176.156:80 | www.myspace.com | tcp |
| LT | 87.239.84.140:21712 | tcp | |
| US | 8.8.8.8:53 | gyuuym.org | udp |
| DE | 85.214.228.140:80 | gyuuym.org | tcp |
| US | 8.8.8.8:53 | zjrcaat.net | udp |
| US | 8.8.8.8:53 | jmjqnoun.info | udp |
| US | 8.8.8.8:53 | asuqse.com | udp |
| US | 8.8.8.8:53 | tefqhcfq.net | udp |
| US | 8.8.8.8:53 | kirksjrvrv.info | udp |
| US | 8.8.8.8:53 | pvnhaiyr.net | udp |
| US | 8.8.8.8:53 | unxfuild.info | udp |
| SG | 18.142.91.111:80 | unxfuild.info | tcp |
| US | 8.8.8.8:53 | wqesocem.org | udp |
| US | 8.8.8.8:53 | lgxmnxp.info | udp |
| US | 8.8.8.8:53 | zgjnxthpviz.info | udp |
| US | 8.8.8.8:53 | ggoiukqgsikq.org | udp |
| US | 8.8.8.8:53 | awisvuy.info | udp |
| US | 8.8.8.8:53 | dagegqggpgf.org | udp |
| US | 8.8.8.8:53 | lewkwnfrizjq.net | udp |
| US | 8.8.8.8:53 | ruvyfws.com | udp |
| US | 8.8.8.8:53 | gazllyhanki.info | udp |
| US | 8.8.8.8:53 | gjtsbntbaatr.info | udp |
| US | 8.8.8.8:53 | bbajrallgqn.org | udp |
| US | 8.8.8.8:53 | jiwbamytikml.info | udp |
| US | 8.8.8.8:53 | udzdjiddn.net | udp |
| US | 8.8.8.8:53 | hoeezyywdoz.info | udp |
| US | 8.8.8.8:53 | gbyalwlcv.net | udp |
| US | 8.8.8.8:53 | kyokyukskecc.com | udp |
| US | 8.8.8.8:53 | ttworno.org | udp |
| US | 8.8.8.8:53 | ygoukmwg.org | udp |
| US | 8.8.8.8:53 | yztalajwop.info | udp |
| US | 8.8.8.8:53 | nbyutq.info | udp |
| US | 8.8.8.8:53 | nnqjikusx.net | udp |
| US | 8.8.8.8:53 | esgqqqogqq.com | udp |
| US | 8.8.8.8:53 | cydlrge.info | udp |
| US | 104.156.155.94:80 | cydlrge.info | tcp |
| US | 8.8.8.8:53 | goznlxhalsn.net | udp |
| US | 8.8.8.8:53 | qsekoukeokqg.com | udp |
| US | 8.8.8.8:53 | dipmkaqelcq.net | udp |
| US | 8.8.8.8:53 | ueucscywqw.org | udp |
| US | 8.8.8.8:53 | funxalhc.info | udp |
| US | 8.8.8.8:53 | rgozhcdomyn.org | udp |
| US | 8.8.8.8:53 | mjotpzfbosdh.info | udp |
| US | 8.8.8.8:53 | yaommmwa.org | udp |
| US | 8.8.8.8:53 | hmrltcqifce.net | udp |
| US | 8.8.8.8:53 | luvehemiri.info | udp |
| US | 8.8.8.8:53 | jnydlxt.info | udp |
| US | 8.8.8.8:53 | wqvsigz.net | udp |
| US | 8.8.8.8:53 | srsatozxrchk.net | udp |
| US | 8.8.8.8:53 | keoudom.net | udp |
| US | 8.8.8.8:53 | ayxsfupon.info | udp |
| LT | 78.61.122.246:36338 | tcp | |
| US | 8.8.8.8:53 | rktljt.info | udp |
| US | 8.8.8.8:53 | iucege.org | udp |
| US | 8.8.8.8:53 | muozoxdrrpnc.net | udp |
| US | 8.8.8.8:53 | hqwrnlhoplzd.info | udp |
| US | 8.8.8.8:53 | hmfurcniz.info | udp |
| US | 8.8.8.8:53 | fnpisttwqql.net | udp |
| US | 8.8.8.8:53 | johoxgt.info | udp |
| US | 8.8.8.8:53 | ddpobim.org | udp |
| US | 8.8.8.8:53 | okngzvevkk.net | udp |
| US | 8.8.8.8:53 | aczmvctsvcwp.net | udp |
| US | 8.8.8.8:53 | muqsxtbuvaqg.info | udp |
| US | 8.8.8.8:53 | kyresqwg.net | udp |
| US | 8.8.8.8:53 | usbaplchm.net | udp |
| US | 8.8.8.8:53 | bbdhjljo.info | udp |
| US | 8.8.8.8:53 | ewhqxezcwwc.net | udp |
| US | 8.8.8.8:53 | agmhzaxxdp.info | udp |
| US | 8.8.8.8:53 | vdfubgb.net | udp |
| US | 8.8.8.8:53 | eevzwywdnemu.info | udp |
| US | 8.8.8.8:53 | yoaoooewyeeo.com | udp |
| US | 8.8.8.8:53 | xpgwfipglow.com | udp |
| US | 8.8.8.8:53 | innykmrioo.net | udp |
| US | 8.8.8.8:53 | skyakxeb.info | udp |
| US | 8.8.8.8:53 | ohgfcpvmvy.net | udp |
| US | 8.8.8.8:53 | omtzlccvxmkf.info | udp |
| US | 8.8.8.8:53 | mdhpuesj.net | udp |
| US | 8.8.8.8:53 | ewxxjq.net | udp |
| US | 8.8.8.8:53 | tilspwhuzrn.info | udp |
| US | 8.8.8.8:53 | xsdqkntopop.net | udp |
| US | 8.8.8.8:53 | dqjrswwie.com | udp |
| US | 8.8.8.8:53 | pzapgyrk.net | udp |
| US | 8.8.8.8:53 | lglfnuhjut.info | udp |
| US | 8.8.8.8:53 | eksckm.com | udp |
| US | 8.8.8.8:53 | ccliyulceo.info | udp |
| US | 8.8.8.8:53 | cssucwqysu.org | udp |
| US | 8.8.8.8:53 | iouqmc.com | udp |
| US | 8.8.8.8:53 | vrxmprngmlhk.net | udp |
| US | 8.8.8.8:53 | gcasfaq.info | udp |
| US | 8.8.8.8:53 | pnnfblb.com | udp |
| US | 8.8.8.8:53 | ccknyf.net | udp |
| US | 8.8.8.8:53 | cyryymiju.net | udp |
| US | 8.8.8.8:53 | mtcxagytnahn.info | udp |
| US | 8.8.8.8:53 | zglsbswnrqx.com | udp |
| US | 8.8.8.8:53 | eznabol.net | udp |
| US | 8.8.8.8:53 | esruxvjiltb.net | udp |
| US | 8.8.8.8:53 | egwmww.com | udp |
| US | 8.8.8.8:53 | gmhinip.net | udp |
| US | 8.8.8.8:53 | klqmnybibg.net | udp |
| US | 8.8.8.8:53 | nhjheyenyaf.org | udp |
| US | 8.8.8.8:53 | uokiqop.info | udp |
| LT | 78.58.192.136:35141 | tcp | |
| US | 8.8.8.8:53 | fkbifozck.org | udp |
| US | 8.8.8.8:53 | lwekcn.net | udp |
| US | 8.8.8.8:53 | ablqhzl.net | udp |
| US | 8.8.8.8:53 | xvzumiq.org | udp |
| US | 8.8.8.8:53 | lyxmnybibg.info | udp |
| US | 8.8.8.8:53 | aqfofhqk.net | udp |
| US | 8.8.8.8:53 | dkouvubcpovf.info | udp |
| US | 8.8.8.8:53 | seirrjh.info | udp |
| US | 8.8.8.8:53 | tbrijqq.com | udp |
| US | 8.8.8.8:53 | smoasausig.com | udp |
| US | 8.8.8.8:53 | frqjnqok.net | udp |
| US | 8.8.8.8:53 | eqbemnxt.net | udp |
| US | 8.8.8.8:53 | lwnwdktijgp.info | udp |
| US | 8.8.8.8:53 | omuscigooi.com | udp |
| US | 8.8.8.8:53 | kgucribs.info | udp |
| US | 8.8.8.8:53 | nqgihqxcje.info | udp |
| US | 8.8.8.8:53 | qenqycduz.info | udp |
| US | 8.8.8.8:53 | letzcmg.info | udp |
| US | 8.8.8.8:53 | zyfitez.info | udp |
| US | 8.8.8.8:53 | mimqeou.net | udp |
| US | 8.8.8.8:53 | dalsjnnthafg.net | udp |
| US | 8.8.8.8:53 | gyqendzmscmd.info | udp |
| US | 8.8.8.8:53 | vfgkbe.info | udp |
| US | 8.8.8.8:53 | leqdurjb.net | udp |
| US | 8.8.8.8:53 | dnpxizc.info | udp |
| US | 8.8.8.8:53 | uslzjq.info | udp |
| US | 8.8.8.8:53 | xiawtn.net | udp |
| US | 8.8.8.8:53 | edjldyu.net | udp |
| US | 8.8.8.8:53 | xipjxswj.info | udp |
| US | 8.8.8.8:53 | dxikspgshgbk.info | udp |
| US | 8.8.8.8:53 | cdskkm.net | udp |
| US | 8.8.8.8:53 | lgmwshpwdp.net | udp |
| US | 8.8.8.8:53 | efrwinpm.net | udp |
| US | 8.8.8.8:53 | zdexvcgcrif.com | udp |
| US | 8.8.8.8:53 | zgrjrexb.net | udp |
| US | 8.8.8.8:53 | umckeoqwkyiw.com | udp |
| US | 8.8.8.8:53 | xvhxhv.info | udp |
| US | 8.8.8.8:53 | lxefpcsfxcl.info | udp |
| US | 8.8.8.8:53 | mvxemszzjkri.net | udp |
| US | 8.8.8.8:53 | eeueccewmeem.com | udp |
| US | 8.8.8.8:53 | jstizsawrkc.org | udp |
| US | 8.8.8.8:53 | jlxeto.net | udp |
| US | 8.8.8.8:53 | rezvmsxsm.org | udp |
| US | 8.8.8.8:53 | ksuequea.org | udp |
| US | 8.8.8.8:53 | gthoprfe.net | udp |
| US | 8.8.8.8:53 | amtljiz.info | udp |
| US | 8.8.8.8:53 | kuxzxsccd.net | udp |
| US | 8.8.8.8:53 | tjzaee.net | udp |
| US | 8.8.8.8:53 | temvdeeqf.net | udp |
| US | 8.8.8.8:53 | vlpxze.info | udp |
| US | 8.8.8.8:53 | xvgnzx.info | udp |
| US | 8.8.8.8:53 | hxztgnnkjq.net | udp |
| US | 8.8.8.8:53 | vranwj.net | udp |
| US | 8.8.8.8:53 | wbdvmisb.net | udp |
| US | 8.8.8.8:53 | skywyumxq.net | udp |
| US | 8.8.8.8:53 | xdldfpbqdp.info | udp |
| US | 8.8.8.8:53 | opblxgtmn.net | udp |
| US | 8.8.8.8:53 | nmbtfat.com | udp |
| US | 8.8.8.8:53 | egsmyysc.org | udp |
| US | 8.8.8.8:53 | uuzpvad.info | udp |
| US | 8.8.8.8:53 | mygnjljsmptl.info | udp |
| BG | 130.204.67.124:38194 | tcp | |
| US | 8.8.8.8:53 | ieesgy.com | udp |
| US | 8.8.8.8:53 | swfnei.info | udp |
| US | 8.8.8.8:53 | hhbvehzu.info | udp |
| US | 8.8.8.8:53 | qolyygtjlcz.net | udp |
| US | 8.8.8.8:53 | nshdioh.net | udp |
| US | 8.8.8.8:53 | vauyyxuyzmr.info | udp |
| US | 8.8.8.8:53 | gamaco.org | udp |
| US | 8.8.8.8:53 | ksciycwg.org | udp |
| US | 8.8.8.8:53 | tyxcbxpil.org | udp |
| US | 8.8.8.8:53 | ekqqcc.org | udp |
| US | 8.8.8.8:53 | cwaewwwkey.com | udp |
| US | 8.8.8.8:53 | miskiykeqk.com | udp |
| US | 8.8.8.8:53 | agoikdgilq.net | udp |
| US | 8.8.8.8:53 | jdviqqjndbp.info | udp |
| US | 8.8.8.8:53 | ihvqrzy.net | udp |
| US | 8.8.8.8:53 | saamksqwmc.org | udp |
| US | 8.8.8.8:53 | mctxvqe.net | udp |
| US | 8.8.8.8:53 | jtpxjgaiy.info | udp |
| US | 8.8.8.8:53 | dwfkeogzvhjn.info | udp |
| US | 8.8.8.8:53 | zkwpqkhtlcm.org | udp |
| US | 8.8.8.8:53 | xlrqvvjyvy.net | udp |
| US | 8.8.8.8:53 | dflqknsl.net | udp |
| US | 8.8.8.8:53 | pqyqsvmi.net | udp |
| US | 8.8.8.8:53 | orfmafjrvyvp.net | udp |
| US | 8.8.8.8:53 | ibbjtwcethv.info | udp |
| US | 8.8.8.8:53 | pptvvz.info | udp |
| US | 8.8.8.8:53 | qtgqqinahbp.info | udp |
| US | 8.8.8.8:53 | oxaetw.net | udp |
| US | 8.8.8.8:53 | twxmymfuh.net | udp |
| US | 8.8.8.8:53 | nkgnoqa.com | udp |
| US | 8.8.8.8:53 | waogsumy.com | udp |
| US | 8.8.8.8:53 | lythnsgzjn.info | udp |
| US | 8.8.8.8:53 | tcvuvhjwh.info | udp |
| US | 8.8.8.8:53 | hdaflgsajr.net | udp |
| US | 8.8.8.8:53 | xwkiaur.net | udp |
| US | 8.8.8.8:53 | bzlenncy.info | udp |
| US | 8.8.8.8:53 | jubvpax.info | udp |
| US | 8.8.8.8:53 | zkmowr.net | udp |
| US | 8.8.8.8:53 | uqlbzimdt.net | udp |
| US | 8.8.8.8:53 | aknsgwkcl.net | udp |
| US | 8.8.8.8:53 | dcqybxb.net | udp |
| US | 8.8.8.8:53 | ecbwysbz.info | udp |
| US | 8.8.8.8:53 | mphorxao.info | udp |
| US | 8.8.8.8:53 | vhbbcbnq.net | udp |
| US | 8.8.8.8:53 | njmyupro.net | udp |
| US | 8.8.8.8:53 | dljivorqbwr.net | udp |
| US | 8.8.8.8:53 | cxqlztryntb.info | udp |
| US | 8.8.8.8:53 | ccokspzpxiqx.info | udp |
| US | 8.8.8.8:53 | xrpwmsl.info | udp |
| US | 8.8.8.8:53 | uvsgusp.net | udp |
| US | 8.8.8.8:53 | agngjan.net | udp |
| US | 8.8.8.8:53 | mqzczandiiga.info | udp |
| US | 8.8.8.8:53 | cgwmmgseue.org | udp |
| US | 8.8.8.8:53 | ahkgvfbpposr.info | udp |
| US | 8.8.8.8:53 | faacagdzpoz.net | udp |
| US | 8.8.8.8:53 | iusioomq.org | udp |
| US | 8.8.8.8:53 | refpzmhidkr.com | udp |
| US | 8.8.8.8:53 | rygqruz.net | udp |
| US | 8.8.8.8:53 | ozfuageg.net | udp |
| US | 8.8.8.8:53 | qnifeztfnexf.info | udp |
| US | 8.8.8.8:53 | sfiyjg.info | udp |
| US | 8.8.8.8:53 | tzsmrdkivc.info | udp |
| US | 8.8.8.8:53 | wcsbrpz.net | udp |
| US | 8.8.8.8:53 | whieoliveilh.net | udp |
| US | 8.8.8.8:53 | gjfopgnhwau.info | udp |
| BG | 130.204.87.10:40490 | tcp | |
| US | 8.8.8.8:53 | znxcxzx.net | udp |
| US | 8.8.8.8:53 | bnvuxidzlemr.info | udp |
| US | 8.8.8.8:53 | scgfeyxd.info | udp |
| US | 8.8.8.8:53 | uwcuws.org | udp |
| US | 8.8.8.8:53 | bgskncggc.com | udp |
| US | 8.8.8.8:53 | muphoul.info | udp |
| US | 8.8.8.8:53 | bahgygzqttb.com | udp |
| US | 8.8.8.8:53 | eyptytbcfgjk.info | udp |
| US | 8.8.8.8:53 | psntburxdar.net | udp |
| US | 8.8.8.8:53 | wshubuxcvmi.net | udp |
| US | 8.8.8.8:53 | azlfou.info | udp |
| US | 8.8.8.8:53 | nynxoaij.net | udp |
| US | 8.8.8.8:53 | aqxgxntt.info | udp |
| US | 8.8.8.8:53 | umyicieyee.org | udp |
| US | 8.8.8.8:53 | mipjgulenwx.info | udp |
| US | 8.8.8.8:53 | czisbqmw.net | udp |
| US | 8.8.8.8:53 | lxtezs.info | udp |
| US | 8.8.8.8:53 | vcsuct.net | udp |
| US | 8.8.8.8:53 | fqgnny.net | udp |
| US | 8.8.8.8:53 | mjxxtvxsirxs.net | udp |
| US | 8.8.8.8:53 | fsyczawoha.info | udp |
| US | 8.8.8.8:53 | mfmmpvred.net | udp |
| US | 8.8.8.8:53 | qytqtqxej.net | udp |
| US | 8.8.8.8:53 | uacewcsi.org | udp |
| US | 8.8.8.8:53 | atkzfclhbift.info | udp |
| US | 8.8.8.8:53 | omcoawgyqugi.org | udp |
| US | 8.8.8.8:53 | koiuvgzyhzvf.net | udp |
| US | 8.8.8.8:53 | dpnyefitealy.info | udp |
| US | 8.8.8.8:53 | qwsqae.com | udp |
| US | 8.8.8.8:53 | xpjcntyobq.net | udp |
| US | 8.8.8.8:53 | wueysyqiyg.org | udp |
| US | 8.8.8.8:53 | nrhoprlqkf.net | udp |
| US | 8.8.8.8:53 | gnjydacld.net | udp |
| US | 8.8.8.8:53 | blgxajgjyomi.info | udp |
| US | 8.8.8.8:53 | osqcyyccqe.com | udp |
| US | 8.8.8.8:53 | dwhdjqq.org | udp |
| US | 8.8.8.8:53 | bsmtnilhyjev.net | udp |
| US | 8.8.8.8:53 | mqwcwakcacok.com | udp |
| US | 8.8.8.8:53 | xixmpelmwxw.info | udp |
| US | 8.8.8.8:53 | pezumjuvl.net | udp |
| US | 8.8.8.8:53 | kjskvzf.info | udp |
| US | 8.8.8.8:53 | lzbjkx.info | udp |
| US | 8.8.8.8:53 | yogqummkqccc.org | udp |
| US | 8.8.8.8:53 | kedyrqmar.net | udp |
| US | 8.8.8.8:53 | mmceygmisc.org | udp |
| US | 8.8.8.8:53 | geoauusquukw.com | udp |
| US | 8.8.8.8:53 | ifxanmxr.net | udp |
| US | 8.8.8.8:53 | qaaqjbnoma.info | udp |
| US | 8.8.8.8:53 | mbfsjumkq.info | udp |
| US | 8.8.8.8:53 | blriytvijot.com | udp |
| LV | 81.198.175.17:26835 | tcp | |
| US | 8.8.8.8:53 | egiehizwpo.net | udp |
| US | 8.8.8.8:53 | kiwfgclohhh.info | udp |
| US | 8.8.8.8:53 | zazwetpv.net | udp |
| US | 8.8.8.8:53 | aqjcrip.info | udp |
| US | 8.8.8.8:53 | jtfobcrufvig.info | udp |
| US | 8.8.8.8:53 | siinbjp.info | udp |
| US | 8.8.8.8:53 | iiumnibeazvy.net | udp |
| US | 8.8.8.8:53 | rvfhdeirvqv.com | udp |
| US | 8.8.8.8:53 | urdltzjz.net | udp |
| US | 8.8.8.8:53 | zvdedtdq.net | udp |
| US | 8.8.8.8:53 | tvruda.net | udp |
| US | 8.8.8.8:53 | wmambwp.net | udp |
| US | 8.8.8.8:53 | guqsfbz.info | udp |
| US | 8.8.8.8:53 | rtgmvxt.info | udp |
| US | 8.8.8.8:53 | gaqkygwq.org | udp |
| US | 8.8.8.8:53 | sopuvrv.net | udp |
| US | 8.8.8.8:53 | jojeqxqf.net | udp |
| US | 8.8.8.8:53 | uynpjtp.info | udp |
| US | 8.8.8.8:53 | acsysm.com | udp |
| US | 8.8.8.8:53 | jrbulad.info | udp |
| US | 8.8.8.8:53 | wihojvjefzt.net | udp |
| US | 8.8.8.8:53 | hltuubbyq.net | udp |
| US | 8.8.8.8:53 | drgaob.info | udp |
| US | 8.8.8.8:53 | ggauku.org | udp |
| US | 8.8.8.8:53 | bpzorpfuhtf.org | udp |
| US | 8.8.8.8:53 | jmaqisxd.net | udp |
| US | 8.8.8.8:53 | zgywauslz.net | udp |
| US | 8.8.8.8:53 | tgbyomtyjus.com | udp |
| US | 8.8.8.8:53 | vlrbnp.net | udp |
| US | 8.8.8.8:53 | wfekzb.info | udp |
| US | 8.8.8.8:53 | xdmebxtplh.net | udp |
| US | 8.8.8.8:53 | bkngmvgi.net | udp |
| US | 8.8.8.8:53 | xlvqlmnzywa.org | udp |
| US | 8.8.8.8:53 | qrvujthn.net | udp |
| US | 8.8.8.8:53 | qzgqermax.net | udp |
| US | 8.8.8.8:53 | seiqzsccd.info | udp |
| US | 8.8.8.8:53 | rohfze.net | udp |
| US | 8.8.8.8:53 | bqdindvszcl.com | udp |
| US | 8.8.8.8:53 | acyscumenj.info | udp |
| US | 8.8.8.8:53 | dmxlrkohhq.net | udp |
| US | 8.8.8.8:53 | dykwknvmdfdj.info | udp |
| US | 8.8.8.8:53 | eaoeysyyya.com | udp |
| US | 8.8.8.8:53 | hlpusx.info | udp |
| US | 8.8.8.8:53 | wawaoiyk.com | udp |
| US | 8.8.8.8:53 | bnzwpuktjc.info | udp |
| US | 8.8.8.8:53 | kamcyw.com | udp |
| US | 8.8.8.8:53 | lczoradauoz.net | udp |
| US | 8.8.8.8:53 | looaxhpnjaf.org | udp |
| US | 8.8.8.8:53 | fysqbsfsc.info | udp |
| US | 8.8.8.8:53 | rtehhf.net | udp |
| US | 8.8.8.8:53 | kyocyq.org | udp |
| US | 8.8.8.8:53 | coxvgkqtsib.info | udp |
| US | 8.8.8.8:53 | vdpcjuhj.net | udp |
| US | 8.8.8.8:53 | zynreu.net | udp |
| US | 8.8.8.8:53 | dazulnj.org | udp |
| US | 8.8.8.8:53 | junmtgy.com | udp |
| US | 8.8.8.8:53 | jzthxr.net | udp |
| US | 8.8.8.8:53 | aackwwyk.com | udp |
| US | 8.8.8.8:53 | fjusznt.com | udp |
| US | 8.8.8.8:53 | mlpenxfngr.info | udp |
| US | 8.8.8.8:53 | zommurjdbywg.net | udp |
| US | 8.8.8.8:53 | taktcaxol.com | udp |
| US | 8.8.8.8:53 | fkfopirst.com | udp |
| US | 8.8.8.8:53 | nxckvsmxy.net | udp |
| US | 8.8.8.8:53 | sojotwg.net | udp |
| US | 8.8.8.8:53 | zuhmapbot.net | udp |
| US | 8.8.8.8:53 | etfipozbgcd.net | udp |
| US | 8.8.8.8:53 | vjvlnnztmb.net | udp |
| US | 8.8.8.8:53 | ayccwkiuuioo.org | udp |
| US | 8.8.8.8:53 | gccgesykiyus.org | udp |
| US | 8.8.8.8:53 | akowww.org | udp |
| US | 8.8.8.8:53 | yojkaljecqs.info | udp |
| US | 8.8.8.8:53 | oiymgkeueesm.org | udp |
| US | 8.8.8.8:53 | tfrlrazwjfbz.net | udp |
| US | 8.8.8.8:53 | vmovellwztvz.net | udp |
| US | 8.8.8.8:53 | hhxifefy.net | udp |
| US | 8.8.8.8:53 | ljodhjf.org | udp |
| US | 8.8.8.8:53 | gckcqaokwkqw.org | udp |
| US | 8.8.8.8:53 | ecegeakc.org | udp |
| US | 8.8.8.8:53 | ljsgrdiegz.info | udp |
| US | 8.8.8.8:53 | rxkcuhu.org | udp |
| US | 8.8.8.8:53 | guxqktlobyz.net | udp |
| US | 8.8.8.8:53 | zkfhhofqumr.info | udp |
| US | 8.8.8.8:53 | lskioknupsg.net | udp |
| US | 8.8.8.8:53 | ootkjdzphd.net | udp |
| US | 8.8.8.8:53 | sqpsqf.net | udp |
| US | 8.8.8.8:53 | giztiauazy.info | udp |
| US | 8.8.8.8:53 | vpqobqqml.net | udp |
| US | 8.8.8.8:53 | aararuzmj.info | udp |
| US | 8.8.8.8:53 | zrizzt.net | udp |
| US | 8.8.8.8:53 | nsjnpn.net | udp |
| US | 8.8.8.8:53 | ugvcvudls.info | udp |
| US | 8.8.8.8:53 | vurojxpmuk.info | udp |
| US | 8.8.8.8:53 | xrucxnzr.info | udp |
| US | 8.8.8.8:53 | fajijdb.info | udp |
| RU | 78.85.83.34:32391 | tcp | |
| US | 8.8.8.8:53 | ivewnr.info | udp |
| US | 8.8.8.8:53 | xoqyowig.info | udp |
| US | 8.8.8.8:53 | nwbuqmg.net | udp |
| US | 8.8.8.8:53 | rkpwhqyc.net | udp |
| US | 8.8.8.8:53 | bmdosozpo.net | udp |
| US | 8.8.8.8:53 | msocwajdr.info | udp |
| US | 8.8.8.8:53 | oewwlhtahvrl.info | udp |
| US | 8.8.8.8:53 | wmnalmx.info | udp |
| US | 8.8.8.8:53 | nqxijbihvn.info | udp |
| US | 8.8.8.8:53 | luzucodrx.net | udp |
| US | 8.8.8.8:53 | gjtizw.net | udp |
| US | 8.8.8.8:53 | nifsfgrcbrq.info | udp |
| US | 8.8.8.8:53 | yspynbdonzn.net | udp |
| US | 8.8.8.8:53 | oeisiywiuies.org | udp |
| US | 8.8.8.8:53 | vuizmyhrn.info | udp |
| US | 8.8.8.8:53 | kqmuaeqmqkqa.com | udp |
| US | 8.8.8.8:53 | ryrkpkx.com | udp |
| US | 8.8.8.8:53 | ljjjvulmla.net | udp |
| US | 8.8.8.8:53 | xrctizgjhu.net | udp |
| US | 8.8.8.8:53 | ugsvbou.info | udp |
| US | 8.8.8.8:53 | yuqucvcb.net | udp |
| US | 8.8.8.8:53 | rdbhduyy.net | udp |
| US | 8.8.8.8:53 | jpzcvyd.info | udp |
| US | 8.8.8.8:53 | jnjyhudpb.net | udp |
| US | 8.8.8.8:53 | rfcqjgcwrllk.info | udp |
| US | 8.8.8.8:53 | iuasoeeeko.org | udp |
| US | 8.8.8.8:53 | wwgocoga.org | udp |
| LT | 78.56.55.11:21416 | tcp | |
| US | 8.8.8.8:53 | yigozda.info | udp |
| US | 8.8.8.8:53 | hkiyxbmyrd.info | udp |
| US | 8.8.8.8:53 | ooewwc.org | udp |
| US | 8.8.8.8:53 | msoaukiwkswq.com | udp |
| US | 8.8.8.8:53 | zmrcakty.info | udp |
| US | 8.8.8.8:53 | nktlxsr.org | udp |
| US | 8.8.8.8:53 | jypigkw.net | udp |
| US | 8.8.8.8:53 | xoqqrix.com | udp |
| US | 8.8.8.8:53 | kmcsqh.net | udp |
| US | 8.8.8.8:53 | vozjvmlig.com | udp |
| US | 8.8.8.8:53 | jphhtgd.com | udp |
| US | 8.8.8.8:53 | gvvdfatzrqr.info | udp |
| US | 8.8.8.8:53 | jjncwbrsyehu.info | udp |
| US | 8.8.8.8:53 | wnxmtm.info | udp |
| US | 8.8.8.8:53 | rniwyrjlpzhc.info | udp |
| US | 8.8.8.8:53 | pdiibmp.info | udp |
| US | 8.8.8.8:53 | wwmewmuuyssy.org | udp |
| US | 8.8.8.8:53 | eumxplbmsb.net | udp |
| US | 8.8.8.8:53 | duwipawot.com | udp |
| US | 8.8.8.8:53 | axdaxqby.info | udp |
| US | 8.8.8.8:53 | omierhazkhgw.net | udp |
| US | 8.8.8.8:53 | emuidm.info | udp |
| US | 8.8.8.8:53 | bngrtqp.com | udp |
| US | 8.8.8.8:53 | dwhbjyryutk.org | udp |
| US | 8.8.8.8:53 | kwdrqyzrhd.net | udp |
| US | 8.8.8.8:53 | zwtipnty.info | udp |
| US | 8.8.8.8:53 | ohifahwyjuxu.net | udp |
| US | 8.8.8.8:53 | tadcrz.net | udp |
| US | 8.8.8.8:53 | isrkfebam.net | udp |
| US | 8.8.8.8:53 | svdnfiytjpnj.info | udp |
| US | 8.8.8.8:53 | xrjmbmgmisvh.info | udp |
| US | 8.8.8.8:53 | hsvenpqlz.org | udp |
| US | 8.8.8.8:53 | tzyuvkxjp.info | udp |
| US | 8.8.8.8:53 | uonpnen.info | udp |
| US | 8.8.8.8:53 | nehiaxa.org | udp |
| US | 8.8.8.8:53 | ndwywrsr.net | udp |
| US | 8.8.8.8:53 | jqtenkdayoy.org | udp |
| US | 8.8.8.8:53 | zhtkgjaoeqvb.info | udp |
| US | 8.8.8.8:53 | qkyinezoton.info | udp |
| US | 8.8.8.8:53 | lvliwxsju.net | udp |
| US | 8.8.8.8:53 | ikpcmmqssqd.net | udp |
| US | 8.8.8.8:53 | wcgcuuiu.org | udp |
| US | 8.8.8.8:53 | ziksuzwgp.net | udp |
| US | 8.8.8.8:53 | ywrzvvfhnufc.net | udp |
| US | 8.8.8.8:53 | lzkdquculk.net | udp |
| US | 8.8.8.8:53 | qkxebyttjudm.net | udp |
| US | 8.8.8.8:53 | agfxoc.info | udp |
| US | 8.8.8.8:53 | osgoao.com | udp |
| US | 8.8.8.8:53 | isusgoykgyom.com | udp |
| US | 8.8.8.8:53 | nhmyomxjv.info | udp |
| US | 8.8.8.8:53 | agagcg.org | udp |
| US | 8.8.8.8:53 | qcwmqicw.com | udp |
| US | 8.8.8.8:53 | noiibzptet.net | udp |
| US | 8.8.8.8:53 | qwbkuixhlur.net | udp |
| US | 8.8.8.8:53 | mmjpvskgpvlh.net | udp |
| US | 8.8.8.8:53 | tyzkrdhyl.info | udp |
| US | 8.8.8.8:53 | xolifsv.org | udp |
| US | 8.8.8.8:53 | xjxezblbf.net | udp |
| US | 8.8.8.8:53 | jjrztak.info | udp |
| US | 8.8.8.8:53 | vyvijbihvn.info | udp |
| US | 8.8.8.8:53 | avjszaajyc.info | udp |
| US | 8.8.8.8:53 | wsuadqcep.info | udp |
| US | 8.8.8.8:53 | zgzsca.info | udp |
| US | 8.8.8.8:53 | xzjelmhss.com | udp |
| US | 8.8.8.8:53 | hsrofavrq.net | udp |
| US | 8.8.8.8:53 | fhzxvrai.net | udp |
| US | 8.8.8.8:53 | efzgjsu.info | udp |
| US | 8.8.8.8:53 | bofsdcjkuks.org | udp |
| US | 8.8.8.8:53 | rdpmxhnjpao.com | udp |
| US | 8.8.8.8:53 | llpwlrlwpx.net | udp |
| US | 8.8.8.8:53 | hmrulcizai.net | udp |
| US | 8.8.8.8:53 | lotkpfnknsq.info | udp |
| US | 8.8.8.8:53 | wyygwcgi.com | udp |
| US | 8.8.8.8:53 | zzzabmdtebya.net | udp |
| US | 8.8.8.8:53 | tfdjgocblgbk.info | udp |
| US | 8.8.8.8:53 | fdkrpdfhhi.net | udp |
| US | 8.8.8.8:53 | bctwfgikb.org | udp |
| US | 8.8.8.8:53 | vjyhmkkzqw.net | udp |
| US | 8.8.8.8:53 | vmemmvokxkit.net | udp |
| US | 8.8.8.8:53 | bbqkfxvm.net | udp |
| US | 8.8.8.8:53 | fzqqksnzg.net | udp |
| BG | 77.71.16.138:24169 | tcp | |
| US | 8.8.8.8:53 | xhnurihk.net | udp |
| US | 8.8.8.8:53 | yssdlbjazpn.info | udp |
| US | 8.8.8.8:53 | agqwme.com | udp |
| US | 8.8.8.8:53 | xmlymtnez.org | udp |
| US | 8.8.8.8:53 | kgfibfidzv.info | udp |
| US | 8.8.8.8:53 | xmrkjfqcd.com | udp |
| US | 8.8.8.8:53 | ggskwm.org | udp |
| US | 8.8.8.8:53 | odzbrjqoy.info | udp |
| US | 8.8.8.8:53 | qcdqvoawdcp.net | udp |
| US | 8.8.8.8:53 | ospslaxogst.info | udp |
| US | 8.8.8.8:53 | sxzocaaql.net | udp |
| US | 8.8.8.8:53 | aalijqi.info | udp |
| US | 8.8.8.8:53 | iwodupfm.net | udp |
| US | 8.8.8.8:53 | odqisf.info | udp |
| US | 8.8.8.8:53 | xsbwfymqggo.info | udp |
| US | 8.8.8.8:53 | hnhkfrz.org | udp |
| US | 8.8.8.8:53 | ncpmyszzt.info | udp |
| US | 8.8.8.8:53 | wqpofcaaw.info | udp |
| US | 8.8.8.8:53 | yuznvxax.info | udp |
| US | 8.8.8.8:53 | sldcha.net | udp |
| US | 8.8.8.8:53 | vxrjiipucox.info | udp |
| US | 8.8.8.8:53 | hafzwz.net | udp |
| US | 8.8.8.8:53 | wobglu.info | udp |
| US | 8.8.8.8:53 | ybxsqlwexbnh.info | udp |
| US | 8.8.8.8:53 | lzeoasgihvzg.net | udp |
| US | 8.8.8.8:53 | mocsrmzkg.net | udp |
| US | 8.8.8.8:53 | xqfkvpjkpo.info | udp |
| US | 8.8.8.8:53 | kkiamiym.com | udp |
| US | 8.8.8.8:53 | ledkogt.info | udp |
| US | 8.8.8.8:53 | gqozztrutfv.info | udp |
| US | 8.8.8.8:53 | jatdaajehomt.net | udp |
| US | 8.8.8.8:53 | hlmqsloprhmu.net | udp |
| US | 8.8.8.8:53 | iwayoabes.net | udp |
| US | 8.8.8.8:53 | blcsidosbbjn.net | udp |
| US | 8.8.8.8:53 | vodhartcl.org | udp |
| US | 8.8.8.8:53 | mwgkuyee.org | udp |
| US | 8.8.8.8:53 | nttuue.net | udp |
| US | 8.8.8.8:53 | oaowvozph.info | udp |
| US | 8.8.8.8:53 | cemosksi.com | udp |
| US | 8.8.8.8:53 | uiceesz.info | udp |
| US | 8.8.8.8:53 | kkawko.org | udp |
| US | 8.8.8.8:53 | iasuswuoqigw.com | udp |
| US | 8.8.8.8:53 | jlvozbzqdqn.info | udp |
| US | 8.8.8.8:53 | lwndquldxm.info | udp |
| US | 8.8.8.8:53 | fjlvqhemmv.info | udp |
| US | 8.8.8.8:53 | blqtanjn.info | udp |
| US | 8.8.8.8:53 | bzaydhbkyko.info | udp |
| US | 8.8.8.8:53 | hmzkrqzuz.org | udp |
| US | 8.8.8.8:53 | uoxjsmld.info | udp |
| US | 8.8.8.8:53 | usdvvgiyj.info | udp |
| US | 8.8.8.8:53 | qhpmfmcspho.info | udp |
| US | 8.8.8.8:53 | kkeiqw.com | udp |
| US | 8.8.8.8:53 | zcamrnlqrgy.com | udp |
| US | 8.8.8.8:53 | tdwffk.net | udp |
| US | 8.8.8.8:53 | ewiuauieao.com | udp |
| US | 8.8.8.8:53 | mqhqtnm.info | udp |
| US | 8.8.8.8:53 | wccwooqckguo.org | udp |
| US | 8.8.8.8:53 | idvllzxcwddt.info | udp |
| US | 8.8.8.8:53 | rvlgriritcdx.info | udp |
| US | 8.8.8.8:53 | bjpwlrlwpx.net | udp |
| US | 8.8.8.8:53 | xrnghv.info | udp |
| US | 8.8.8.8:53 | gzoktzfsyp.info | udp |
| US | 8.8.8.8:53 | kicoaot.info | udp |
| US | 8.8.8.8:53 | azavlani.net | udp |
| US | 8.8.8.8:53 | mwouksakgw.com | udp |
| US | 8.8.8.8:53 | bohenuceyvj.net | udp |
| US | 8.8.8.8:53 | imwkkoik.com | udp |
| US | 8.8.8.8:53 | qzuuudrq.info | udp |
| US | 8.8.8.8:53 | phxqnablbpha.net | udp |
| US | 8.8.8.8:53 | tsntsuwqvndu.net | udp |
| US | 8.8.8.8:53 | sewuvwb.net | udp |
| US | 8.8.8.8:53 | bvfwtoyycx.info | udp |
| LT | 78.58.111.167:15485 | tcp | |
| US | 8.8.8.8:53 | tncdtcxo.info | udp |
| US | 8.8.8.8:53 | zehqegugqtll.info | udp |
| US | 8.8.8.8:53 | usvwrjn.net | udp |
| US | 8.8.8.8:53 | oaewcmmi.com | udp |
| US | 8.8.8.8:53 | qyunfjnupdfr.net | udp |
| US | 8.8.8.8:53 | jnxuvgizpwda.info | udp |
| US | 8.8.8.8:53 | oxvbjavuaql.info | udp |
| US | 8.8.8.8:53 | lexydrnbj.org | udp |
| US | 8.8.8.8:53 | qgksue.org | udp |
| US | 8.8.8.8:53 | xdctlkvdqghe.net | udp |
| US | 8.8.8.8:53 | oalwpcngx.info | udp |
| US | 8.8.8.8:53 | dywhbsw.info | udp |
| US | 8.8.8.8:53 | rdzgvtvocoux.info | udp |
| US | 8.8.8.8:53 | sgsiqqagyomq.org | udp |
| US | 8.8.8.8:53 | cgqwayca.com | udp |
| US | 8.8.8.8:53 | toltpzmnzrry.info | udp |
| US | 8.8.8.8:53 | ocnogqfjv.info | udp |
| US | 8.8.8.8:53 | sshocuayamn.net | udp |
| US | 8.8.8.8:53 | xcrfxbihvn.info | udp |
| US | 8.8.8.8:53 | begivrkoxbi.info | udp |
| US | 8.8.8.8:53 | infkbrdahd.net | udp |
| US | 8.8.8.8:53 | dkseyg.info | udp |
| US | 8.8.8.8:53 | huvcjmfksm.info | udp |
| US | 8.8.8.8:53 | pvesxitaordl.info | udp |
| US | 8.8.8.8:53 | lmsyldlsh.com | udp |
| US | 8.8.8.8:53 | vshuhpjqf.com | udp |
| US | 8.8.8.8:53 | dzrmxez.com | udp |
| US | 8.8.8.8:53 | rtpjyork.info | udp |
| US | 8.8.8.8:53 | ewcbusyz.net | udp |
| US | 8.8.8.8:53 | pykyumbmz.com | udp |
| US | 8.8.8.8:53 | xgxgtgx.info | udp |
| US | 8.8.8.8:53 | kacuqesamccw.com | udp |
| US | 8.8.8.8:53 | zkdetwv.org | udp |
| US | 8.8.8.8:53 | jcuayurgsh.info | udp |
| US | 8.8.8.8:53 | mhxxlwxd.net | udp |
| US | 8.8.8.8:53 | kxldwaoqfn.info | udp |
| US | 8.8.8.8:53 | xjtvzwtznkdu.net | udp |
| US | 8.8.8.8:53 | lzdazo.net | udp |
| US | 8.8.8.8:53 | kmcotcuyt.net | udp |
| US | 8.8.8.8:53 | tllcpcggjqie.info | udp |
| US | 8.8.8.8:53 | pljwxqnddncy.info | udp |
| US | 8.8.8.8:53 | cirabxhbcq.net | udp |
| US | 8.8.8.8:53 | xxbuvavqnao.net | udp |
| US | 8.8.8.8:53 | fcnxdxzzh.net | udp |
| US | 8.8.8.8:53 | nnmztrfrnx.info | udp |
| US | 8.8.8.8:53 | tldlxlwktaro.info | udp |
| US | 8.8.8.8:53 | cqwwgwdbdd.net | udp |
| US | 8.8.8.8:53 | tgzzsilpuoyu.info | udp |
| US | 8.8.8.8:53 | uuvxxqb.info | udp |
| US | 8.8.8.8:53 | kevnvbmy.info | udp |
| US | 8.8.8.8:53 | rejwrwpoa.info | udp |
| US | 8.8.8.8:53 | vgbfugpgbp.info | udp |
| US | 8.8.8.8:53 | kflxzfccrev.net | udp |
| US | 8.8.8.8:53 | jmuyzwjxj.net | udp |
| US | 8.8.8.8:53 | rjqqjbxmqh.net | udp |
| US | 8.8.8.8:53 | eyhrpqemz.info | udp |
| US | 8.8.8.8:53 | ftfumumfsj.net | udp |
| US | 8.8.8.8:53 | fgzczunuom.info | udp |
| US | 8.8.8.8:53 | punwfyr.net | udp |
| US | 8.8.8.8:53 | sgescokcmo.org | udp |
| US | 8.8.8.8:53 | nkgyrfdywmce.net | udp |
| US | 8.8.8.8:53 | xqvzvuewidov.info | udp |
| US | 8.8.8.8:53 | dwmaxosnlqr.org | udp |
| US | 8.8.8.8:53 | cbxhrtvcyx.net | udp |
| US | 8.8.8.8:53 | lzwgpqnxhy.net | udp |
| US | 8.8.8.8:53 | epdjlovz.net | udp |
| US | 8.8.8.8:53 | tyxmhljol.com | udp |
| GB | 142.250.187.195:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | twkojj.info | udp |
| US | 8.8.8.8:53 | jehyhpbob.com | udp |
| US | 8.8.8.8:53 | ikhjxajlpyn.net | udp |
| US | 8.8.8.8:53 | rvdycyziki.info | udp |
| US | 8.8.8.8:53 | luaiurlae.info | udp |
| US | 8.8.8.8:53 | ymxbndxqc.info | udp |
| US | 8.8.8.8:53 | edxewgiml.info | udp |
| US | 8.8.8.8:53 | qeyiqcog.org | udp |
| US | 8.8.8.8:53 | datqfabmxho.net | udp |
| US | 8.8.8.8:53 | hsfspwfirsr.org | udp |
| BR | 201.95.88.110:19119 | tcp | |
| US | 8.8.8.8:53 | jhdscj.net | udp |
| US | 8.8.8.8:53 | rfnkasj.info | udp |
| US | 8.8.8.8:53 | rjirpwzz.net | udp |
| US | 8.8.8.8:53 | nidipmp.net | udp |
| US | 8.8.8.8:53 | fumvct.net | udp |
| US | 8.8.8.8:53 | msauwssysguu.org | udp |
| US | 8.8.8.8:53 | bntspk.net | udp |
| US | 8.8.8.8:53 | sydqlvmsdtip.info | udp |
| US | 8.8.8.8:53 | bgzyhghlpiw.info | udp |
| US | 8.8.8.8:53 | xwzxfwhmtqp.net | udp |
| US | 8.8.8.8:53 | dnyidwf.info | udp |
| US | 8.8.8.8:53 | jktjcmhjscwv.info | udp |
| US | 8.8.8.8:53 | moykocak.org | udp |
| US | 8.8.8.8:53 | xzdjrucronfu.info | udp |
| US | 8.8.8.8:53 | xkfnbfeovqn.org | udp |
| US | 8.8.8.8:53 | ruemzw.net | udp |
| US | 8.8.8.8:53 | yadxtkefpqdf.net | udp |
| US | 8.8.8.8:53 | jwyiwnnnh.info | udp |
| US | 8.8.8.8:53 | abszyyogk.info | udp |
| US | 8.8.8.8:53 | vmpgzgfnnv.net | udp |
| US | 8.8.8.8:53 | qngitmingp.net | udp |
| US | 8.8.8.8:53 | slhzoddqht.info | udp |
| US | 8.8.8.8:53 | dmxisozka.net | udp |
| US | 8.8.8.8:53 | ecsokmawae.org | udp |
| US | 8.8.8.8:53 | vchadohmp.com | udp |
| US | 8.8.8.8:53 | ergfbapw.net | udp |
| US | 8.8.8.8:53 | xrprhxdxqtrv.net | udp |
| US | 8.8.8.8:53 | dyoboi.info | udp |
| US | 8.8.8.8:53 | ulwprsdpevsj.info | udp |
| US | 8.8.8.8:53 | accfdyqjtz.net | udp |
| US | 8.8.8.8:53 | qyjxvcif.net | udp |
| US | 8.8.8.8:53 | dbzqlhmvv.net | udp |
| US | 8.8.8.8:53 | vgoxtkrwdqb.info | udp |
| US | 8.8.8.8:53 | jqufzosybgq.info | udp |
| US | 8.8.8.8:53 | rkwlhccy.info | udp |
| US | 8.8.8.8:53 | nczeftfyt.net | udp |
| US | 8.8.8.8:53 | zlfgtg.info | udp |
| US | 8.8.8.8:53 | bleray.info | udp |
| US | 8.8.8.8:53 | tiiqxcxatjv.com | udp |
| US | 8.8.8.8:53 | hsggbldfdyjl.info | udp |
| US | 8.8.8.8:53 | nthafgeqx.org | udp |
| US | 8.8.8.8:53 | sczvmdl.net | udp |
| US | 8.8.8.8:53 | ssmgckci.com | udp |
| US | 8.8.8.8:53 | vbfpzrjegij.com | udp |
| US | 8.8.8.8:53 | mmmygaykea.com | udp |
| US | 8.8.8.8:53 | ceawcoaw.org | udp |
| US | 8.8.8.8:53 | nokyiuyifmk.com | udp |
| US | 8.8.8.8:53 | vibshiiel.net | udp |
| US | 8.8.8.8:53 | qchibaabzk.net | udp |
| US | 8.8.8.8:53 | miigkaes.org | udp |
| US | 8.8.8.8:53 | vkpwadruwgcq.net | udp |
| US | 8.8.8.8:53 | geomuuyg.com | udp |
| US | 8.8.8.8:53 | kxnovo.info | udp |
| US | 8.8.8.8:53 | tpdyflf.org | udp |
| US | 8.8.8.8:53 | aswqqjj.net | udp |
| US | 8.8.8.8:53 | jjqtpeerkb.net | udp |
| US | 8.8.8.8:53 | xznubi.net | udp |
| US | 8.8.8.8:53 | xuness.info | udp |
| US | 8.8.8.8:53 | didypazwpqv.com | udp |
| US | 8.8.8.8:53 | urkcltobhpwf.net | udp |
| US | 8.8.8.8:53 | ymhymgcuv.net | udp |
| US | 8.8.8.8:53 | usefzwcav.net | udp |
| US | 8.8.8.8:53 | auosegcmyi.com | udp |
| US | 8.8.8.8:53 | ymsmiiagyiyc.org | udp |
| US | 8.8.8.8:53 | pmtzvimrlm.net | udp |
| US | 8.8.8.8:53 | qazzhx.net | udp |
| US | 8.8.8.8:53 | zzwqpcbur.net | udp |
| US | 8.8.8.8:53 | eheflhppvg.net | udp |
| US | 8.8.8.8:53 | stwjad.net | udp |
| US | 8.8.8.8:53 | wcmsgs.com | udp |
| HK | 154.92.74.26:80 | wcmsgs.com | tcp |
| BG | 212.233.245.162:31517 | tcp | |
| US | 8.8.8.8:53 | eyeumieeyows.com | udp |
| US | 8.8.8.8:53 | zocptdqvefmr.net | udp |
| US | 8.8.8.8:53 | uszxpwbx.info | udp |
| US | 8.8.8.8:53 | jegpxl.info | udp |
| US | 8.8.8.8:53 | ubgttghqeg.net | udp |
| US | 8.8.8.8:53 | gmqmckca.com | udp |
| US | 8.8.8.8:53 | piiimwvby.net | udp |
| US | 8.8.8.8:53 | uldodnh.net | udp |
| US | 8.8.8.8:53 | wunidwv.info | udp |
| US | 8.8.8.8:53 | ugjyfpgfl.net | udp |
| US | 8.8.8.8:53 | ojhefeyblmx.net | udp |
| US | 8.8.8.8:53 | euzmjat.info | udp |
| US | 8.8.8.8:53 | oaoqmgiq.org | udp |
| US | 8.8.8.8:53 | dcxctmblkmyf.net | udp |
| US | 8.8.8.8:53 | myrwjqkrwpbk.info | udp |
| US | 8.8.8.8:53 | xojexwu.org | udp |
| US | 8.8.8.8:53 | yannfuv.info | udp |
| US | 8.8.8.8:53 | pkdeezbah.com | udp |
| US | 8.8.8.8:53 | gwkikgsimg.org | udp |
| US | 8.8.8.8:53 | toqovtf.org | udp |
| US | 8.8.8.8:53 | oiqgekoeusci.org | udp |
| US | 8.8.8.8:53 | mpkbfsgyp.info | udp |
| US | 8.8.8.8:53 | wubpgijglxbz.info | udp |
| US | 8.8.8.8:53 | qseoumkkca.org | udp |
| US | 8.8.8.8:53 | wbhxhzlf.net | udp |
| US | 8.8.8.8:53 | oituwlfyq.net | udp |
| US | 8.8.8.8:53 | fhbybarwz.info | udp |
| US | 8.8.8.8:53 | habyyrxhiv.info | udp |
| US | 8.8.8.8:53 | qdnmhgdyrit.net | udp |
| US | 8.8.8.8:53 | thtrec.net | udp |
| US | 8.8.8.8:53 | jmvrlnop.info | udp |
| US | 8.8.8.8:53 | eeaaaaieuwye.org | udp |
| US | 8.8.8.8:53 | dihqfyt.org | udp |
| US | 8.8.8.8:53 | oguzcwlt.info | udp |
| US | 8.8.8.8:53 | iwfwsu.info | udp |
| US | 8.8.8.8:53 | sjejytwhmotb.net | udp |
| US | 8.8.8.8:53 | qyqigk.com | udp |
| US | 8.8.8.8:53 | aqwscqqe.org | udp |
| US | 8.8.8.8:53 | hylmkorpmaz.org | udp |
| US | 8.8.8.8:53 | qmowooycqq.org | udp |
| US | 8.8.8.8:53 | isqocuyy.org | udp |
| US | 8.8.8.8:53 | gygkfyeze.info | udp |
| US | 8.8.8.8:53 | mkxyphhceqz.net | udp |
| US | 8.8.8.8:53 | fyaylmbcb.net | udp |
| US | 8.8.8.8:53 | htvdbbh.com | udp |
| US | 8.8.8.8:53 | pzgkljuoas.net | udp |
| US | 8.8.8.8:53 | ekqaao.com | udp |
| US | 8.8.8.8:53 | tetfjwtjfz.info | udp |
| US | 8.8.8.8:53 | rkjyfrxybqd.net | udp |
| US | 8.8.8.8:53 | fizsrliykav.info | udp |
| US | 8.8.8.8:53 | iiboni.info | udp |
| US | 8.8.8.8:53 | ooepolkc.info | udp |
| US | 8.8.8.8:53 | ggcxtosxmqgn.info | udp |
| US | 8.8.8.8:53 | hjfdpmp.org | udp |
| US | 8.8.8.8:53 | msyguqagqm.org | udp |
| US | 8.8.8.8:53 | kpgaszdgnb.net | udp |
| US | 8.8.8.8:53 | gzbioldgme.info | udp |
| US | 8.8.8.8:53 | zuzkmaz.info | udp |
| US | 8.8.8.8:53 | tlrtrntp.info | udp |
| US | 8.8.8.8:53 | yqdindvszcl.info | udp |
| US | 8.8.8.8:53 | cxektv.net | udp |
| US | 8.8.8.8:53 | ldlrgk.info | udp |
| US | 8.8.8.8:53 | lohitrqmb.net | udp |
| US | 8.8.8.8:53 | osavtktrywjw.net | udp |
| US | 8.8.8.8:53 | owtumceqt.info | udp |
| US | 8.8.8.8:53 | bufmppmmtp.info | udp |
| US | 8.8.8.8:53 | ibhlriiqvc.info | udp |
| GB | 84.32.152.67:27662 | tcp | |
| US | 8.8.8.8:53 | sgdzhklkvfso.info | udp |
| US | 8.8.8.8:53 | zjembwxx.net | udp |
| US | 8.8.8.8:53 | twmisgomptw.com | udp |
| US | 8.8.8.8:53 | pqqkhp.net | udp |
| US | 8.8.8.8:53 | knwgzqzz.net | udp |
| US | 8.8.8.8:53 | hlhkkz.net | udp |
| US | 8.8.8.8:53 | alyypvemovoc.net | udp |
| US | 8.8.8.8:53 | trlkdp.net | udp |
| US | 8.8.8.8:53 | dxkwydeogh.net | udp |
| US | 8.8.8.8:53 | yaqooeosyhs.info | udp |
| US | 8.8.8.8:53 | rltpyjn.org | udp |
| US | 8.8.8.8:53 | qlstpgkhcjbu.net | udp |
| US | 8.8.8.8:53 | cydqsgpijrb.info | udp |
| US | 8.8.8.8:53 | ucsecc.org | udp |
| US | 8.8.8.8:53 | hbiqfsmydyf.org | udp |
| US | 8.8.8.8:53 | nzitfaav.info | udp |
| US | 8.8.8.8:53 | wigyyrdp.info | udp |
| US | 8.8.8.8:53 | yeneoczkx.net | udp |
| US | 8.8.8.8:53 | lktcrbw.com | udp |
| US | 8.8.8.8:53 | vcllberonos.net | udp |
| US | 8.8.8.8:53 | hyjodgw.info | udp |
| US | 8.8.8.8:53 | ygholuhft.info | udp |
| US | 8.8.8.8:53 | dkdczgl.info | udp |
| US | 8.8.8.8:53 | cgrwbebeccj.info | udp |
| US | 8.8.8.8:53 | gfcyibbfymqt.net | udp |
| US | 8.8.8.8:53 | leagnqqer.net | udp |
| US | 8.8.8.8:53 | gshujucdlud.net | udp |
| US | 8.8.8.8:53 | hylnnoj.org | udp |
| US | 8.8.8.8:53 | eaictyqxc.info | udp |
| US | 8.8.8.8:53 | nwbvskgjvw.net | udp |
| US | 8.8.8.8:53 | tkpazcggf.org | udp |
| US | 8.8.8.8:53 | eexitkxrfmm.net | udp |
| US | 8.8.8.8:53 | zmrdhmhshwa.info | udp |
| US | 8.8.8.8:53 | ywbpvusejwz.net | udp |
| US | 8.8.8.8:53 | nkiqxbxgtz.info | udp |
| US | 8.8.8.8:53 | vgqxvqngngx.info | udp |
| US | 8.8.8.8:53 | fjwjpmmiot.net | udp |
| US | 8.8.8.8:53 | kigyih.info | udp |
| US | 8.8.8.8:53 | idhyhn.net | udp |
| US | 8.8.8.8:53 | jgizeevi.info | udp |
| US | 8.8.8.8:53 | gsppnsamrcd.info | udp |
| US | 8.8.8.8:53 | cgzqtowog.info | udp |
| US | 8.8.8.8:53 | hdenwewl.net | udp |
| US | 8.8.8.8:53 | mnhxtj.net | udp |
| US | 8.8.8.8:53 | hddwtdhj.net | udp |
| US | 8.8.8.8:53 | fgoudtyfcsfs.net | udp |
| US | 8.8.8.8:53 | jmxetlsqb.org | udp |
| US | 8.8.8.8:53 | bcvzjht.com | udp |
| US | 8.8.8.8:53 | gdiecndz.net | udp |
| US | 8.8.8.8:53 | nyjqfunbb.org | udp |
| US | 8.8.8.8:53 | buuqaspmlhu.net | udp |
| US | 8.8.8.8:53 | jrnmzxzen.com | udp |
| US | 8.8.8.8:53 | fevpfshvp.org | udp |
| US | 8.8.8.8:53 | ncxulvlzrhky.info | udp |
| US | 8.8.8.8:53 | kzhcdiv.net | udp |
| US | 8.8.8.8:53 | mqqiiy.org | udp |
| US | 8.8.8.8:53 | ihlwyynw.net | udp |
| US | 8.8.8.8:53 | kcryxrris.info | udp |
| US | 8.8.8.8:53 | dxtjbdcdfa.info | udp |
| US | 8.8.8.8:53 | giekgyskeiik.org | udp |
| US | 8.8.8.8:53 | oxmsrehyj.net | udp |
| US | 8.8.8.8:53 | jujrlgkptdj.com | udp |
| US | 8.8.8.8:53 | tucejr.info | udp |
| US | 8.8.8.8:53 | ywxwfsq.net | udp |
| US | 8.8.8.8:53 | jcicboe.info | udp |
| US | 8.8.8.8:53 | bavppixu.net | udp |
| US | 8.8.8.8:53 | hpzrrtsiy.org | udp |
| US | 8.8.8.8:53 | ocffwwxk.info | udp |
| US | 8.8.8.8:53 | uagemqua.com | udp |
| US | 8.8.8.8:53 | rjhnzwndayb.net | udp |
| US | 8.8.8.8:53 | owiogoqwye.com | udp |
| US | 8.8.8.8:53 | xgvkyubmm.info | udp |
| US | 8.8.8.8:53 | fkgritslx.org | udp |
| US | 8.8.8.8:53 | zqaiomzsvij.info | udp |
| US | 8.8.8.8:53 | uyiflor.info | udp |
| US | 8.8.8.8:53 | uuzesarn.net | udp |
| US | 8.8.8.8:53 | sujealckrcn.net | udp |
| US | 8.8.8.8:53 | jclrujvo.net | udp |
| US | 8.8.8.8:53 | uljytqfeq.net | udp |
| US | 8.8.8.8:53 | ypntkxfb.net | udp |
| US | 8.8.8.8:53 | ptpwnlreeaxo.net | udp |
| US | 8.8.8.8:53 | icjjzwopdfhv.info | udp |
| US | 8.8.8.8:53 | vthnjumbihsj.net | udp |
| US | 8.8.8.8:53 | sesqgosm.com | udp |
| US | 8.8.8.8:53 | zuwvqomrpk.net | udp |
| US | 8.8.8.8:53 | wuxqkrv.info | udp |
| US | 8.8.8.8:53 | sepilej.net | udp |
| US | 8.8.8.8:53 | eeeiusoc.com | udp |
| US | 8.8.8.8:53 | fyzwwytslei.org | udp |
| US | 8.8.8.8:53 | fugxfy.net | udp |
| US | 8.8.8.8:53 | dtstyn.net | udp |
| US | 8.8.8.8:53 | rznhhy.net | udp |
| US | 8.8.8.8:53 | gwicmeqkqmgc.org | udp |
| US | 8.8.8.8:53 | ugdqqcoyvcr.net | udp |
| US | 8.8.8.8:53 | zbqtpeerkb.net | udp |
| US | 8.8.8.8:53 | wjvudbhi.info | udp |
| US | 8.8.8.8:53 | zuwrljtqss.net | udp |
| US | 8.8.8.8:53 | skjezuziejh.net | udp |
| US | 8.8.8.8:53 | ciwkgw.org | udp |
| US | 8.8.8.8:53 | wgyqyuai.com | udp |
| US | 8.8.8.8:53 | xfzndln.net | udp |
| US | 8.8.8.8:53 | msaeugqyakco.org | udp |
| US | 8.8.8.8:53 | tvosclvkkrme.net | udp |
| US | 8.8.8.8:53 | gugekm.org | udp |
| US | 8.8.8.8:53 | ekwoewekwg.com | udp |
| US | 8.8.8.8:53 | lcizvf.info | udp |
| US | 8.8.8.8:53 | vfzslgycp.net | udp |
| US | 8.8.8.8:53 | tmrxnmjrkb.net | udp |
| US | 8.8.8.8:53 | beasxmcjb.com | udp |
| US | 8.8.8.8:53 | vaizlhjv.net | udp |
| US | 8.8.8.8:53 | meirbsegkmoj.info | udp |
| US | 8.8.8.8:53 | uomieuwsgywa.com | udp |
| US | 8.8.8.8:53 | uqmekexatiho.net | udp |
| US | 8.8.8.8:53 | orkstbdi.info | udp |
| US | 8.8.8.8:53 | vgrihkbcfik.com | udp |
| US | 8.8.8.8:53 | zmprqprldq.info | udp |
| US | 8.8.8.8:53 | msohca.net | udp |
| US | 8.8.8.8:53 | fzkrxmam.info | udp |
| US | 8.8.8.8:53 | jwkyzqzbjuf.com | udp |
| US | 8.8.8.8:53 | kaukse.com | udp |
| US | 8.8.8.8:53 | bynydzlp.info | udp |
| US | 8.8.8.8:53 | bfxkrtjjbqhu.info | udp |
| US | 8.8.8.8:53 | nwfeltvcr.net | udp |
| US | 8.8.8.8:53 | perwmabvjaz.net | udp |
| US | 8.8.8.8:53 | boecnjawbev.net | udp |
| US | 8.8.8.8:53 | fixijml.org | udp |
| US | 8.8.8.8:53 | tdhqghrbdi.info | udp |
| US | 8.8.8.8:53 | bvrlxiawb.net | udp |
| US | 8.8.8.8:53 | zohacmkyqar.com | udp |
| US | 8.8.8.8:53 | bujydax.net | udp |
| US | 8.8.8.8:53 | ruauvwk.com | udp |
| US | 8.8.8.8:53 | pwxotevmv.org | udp |
| US | 8.8.8.8:53 | eoduzciknmp.net | udp |
| US | 8.8.8.8:53 | odfjfr.info | udp |
| US | 8.8.8.8:53 | iypglwjsqyn.info | udp |
| US | 8.8.8.8:53 | hqszlktusxve.net | udp |
| US | 8.8.8.8:53 | jynyzuyox.org | udp |
| US | 8.8.8.8:53 | wkwukugg.org | udp |
| US | 8.8.8.8:53 | sxsydftugfl.net | udp |
| US | 8.8.8.8:53 | muzhxdduzpl.net | udp |
| US | 8.8.8.8:53 | ucyyauoy.org | udp |
| US | 8.8.8.8:53 | olvcrexyfbf.info | udp |
| US | 8.8.8.8:53 | msoiygcw.org | udp |
| US | 8.8.8.8:53 | noufhu.info | udp |
| US | 8.8.8.8:53 | hfzzlt.info | udp |
| US | 8.8.8.8:53 | kczacgj.info | udp |
| US | 8.8.8.8:53 | fmoywjaffd.info | udp |
| US | 8.8.8.8:53 | awtrjqbmv.net | udp |
| US | 8.8.8.8:53 | wkcogiumouwo.com | udp |
| US | 8.8.8.8:53 | bmovzczabcbw.net | udp |
| US | 8.8.8.8:53 | rmxokynod.info | udp |
| US | 8.8.8.8:53 | ejpdqikairvo.info | udp |
| US | 8.8.8.8:53 | ssgqsckw.com | udp |
| US | 8.8.8.8:53 | spbmeodkvex.info | udp |
| US | 8.8.8.8:53 | agpmpspwf.info | udp |
| US | 8.8.8.8:53 | jrjyxfvmfet.info | udp |
| US | 8.8.8.8:53 | vqrolytub.com | udp |
| US | 8.8.8.8:53 | rgzcbsfpb.org | udp |
| US | 8.8.8.8:53 | cxritgbkwiqj.net | udp |
| US | 8.8.8.8:53 | xflrdxdu.net | udp |
| US | 8.8.8.8:53 | psmqluhar.com | udp |
| US | 8.8.8.8:53 | lcpqvyawk.info | udp |
| US | 8.8.8.8:53 | yabgjuiyvpj.net | udp |
| US | 8.8.8.8:53 | awlfwtwromo.net | udp |
| US | 8.8.8.8:53 | aymelgrqd.info | udp |
| US | 8.8.8.8:53 | dsbovouca.org | udp |
| US | 8.8.8.8:53 | yqtafgfohsp.net | udp |
| US | 8.8.8.8:53 | icgghcqukxz.net | udp |
| US | 8.8.8.8:53 | taffpigblo.net | udp |
| US | 8.8.8.8:53 | eizhfeiqzft.info | udp |
| US | 8.8.8.8:53 | yyeysgkock.com | udp |
| US | 8.8.8.8:53 | nrpqjt.info | udp |
| US | 8.8.8.8:53 | ayrziajubkc.net | udp |
| US | 8.8.8.8:53 | tuuqlfyjxqe.info | udp |
| US | 8.8.8.8:53 | zelzmi.info | udp |
| US | 8.8.8.8:53 | lkngjoezjnq.com | udp |
| US | 8.8.8.8:53 | nbnsdp.net | udp |
| US | 8.8.8.8:53 | ucgweeseak.com | udp |
| US | 8.8.8.8:53 | vqoovoqtl.org | udp |
| US | 8.8.8.8:53 | biuehdf.net | udp |
| US | 8.8.8.8:53 | wrbgtg.info | udp |
| US | 8.8.8.8:53 | adpmux.info | udp |
| US | 8.8.8.8:53 | ymklhj.info | udp |
| US | 8.8.8.8:53 | kkukikssxb.net | udp |
| US | 8.8.8.8:53 | vknxabuk.info | udp |
| US | 8.8.8.8:53 | csihpxjjme.info | udp |
| US | 8.8.8.8:53 | xbfhtyff.info | udp |
| US | 8.8.8.8:53 | twjwrsudhoz.net | udp |
| US | 8.8.8.8:53 | bylfnxuo.info | udp |
| US | 8.8.8.8:53 | vsswekgnat.info | udp |
| US | 8.8.8.8:53 | nqhhls.info | udp |
| US | 8.8.8.8:53 | ecbawwfhmdv.net | udp |
| US | 8.8.8.8:53 | cehxfuxenqdu.net | udp |
| DE | 85.214.228.140:80 | gyuuym.org | tcp |
| US | 8.8.8.8:53 | mgogyimisgia.org | udp |
| US | 8.8.8.8:53 | icgqseeoqwuq.org | udp |
| US | 8.8.8.8:53 | drjrvbxq.info | udp |
| US | 8.8.8.8:53 | unxfuild.info | udp |
| SG | 18.142.91.111:80 | unxfuild.info | tcp |
| US | 8.8.8.8:53 | hhwfhsilfvca.net | udp |
| US | 8.8.8.8:53 | xlxutqnwhi.net | udp |
| US | 8.8.8.8:53 | lgxmnxp.info | udp |
| US | 8.8.8.8:53 | durbtbe.net | udp |
| US | 8.8.8.8:53 | vhfqpxtkc.com | udp |
| US | 8.8.8.8:53 | ahlcycuyjof.net | udp |
| US | 8.8.8.8:53 | ggoiukqgsikq.org | udp |
| US | 8.8.8.8:53 | udzdjiddn.net | udp |
| US | 8.8.8.8:53 | dvcavlbf.info | udp |
| US | 8.8.8.8:53 | hbfuzmpxf.com | udp |
| US | 8.8.8.8:53 | niqxyenx.net | udp |
| US | 8.8.8.8:53 | hgxwxawynhmi.info | udp |
| US | 8.8.8.8:53 | nxvcstmo.net | udp |
| US | 8.8.8.8:53 | xnyxvite.info | udp |
| US | 8.8.8.8:53 | ygoukmwg.org | udp |
| US | 8.8.8.8:53 | tghljp.info | udp |
| US | 8.8.8.8:53 | poxnbxfgpkbi.info | udp |
| US | 104.156.155.94:80 | cydlrge.info | tcp |
| US | 8.8.8.8:53 | yetoikl.info | udp |
| US | 8.8.8.8:53 | vvlzjqvskths.info | udp |
| US | 8.8.8.8:53 | xotzfbr.org | udp |
| US | 8.8.8.8:53 | cyqmeask.org | udp |
| US | 8.8.8.8:53 | oswieyiiko.org | udp |
| US | 8.8.8.8:53 | mjotpzfbosdh.info | udp |
| US | 8.8.8.8:53 | iesqumuvluzb.net | udp |
| US | 8.8.8.8:53 | yaommmwa.org | udp |
| US | 8.8.8.8:53 | dtpxtiwnx.com | udp |
| US | 8.8.8.8:53 | tvshvh.info | udp |
| US | 8.8.8.8:53 | ccuyga.org | udp |
| US | 8.8.8.8:53 | luvehemiri.info | udp |
| US | 8.8.8.8:53 | aurimtpqz.net | udp |
| US | 8.8.8.8:53 | atbiftsnvum.info | udp |
| US | 8.8.8.8:53 | oqcgqjzhsb.net | udp |
| US | 8.8.8.8:53 | uuezjfzx.net | udp |
| US | 8.8.8.8:53 | lalckpw.org | udp |
| US | 8.8.8.8:53 | kdybwms.info | udp |
| US | 8.8.8.8:53 | qsgaci.com | udp |
| US | 8.8.8.8:53 | ikhkxkanxyx.net | udp |
| US | 8.8.8.8:53 | jcvqlzn.com | udp |
| US | 8.8.8.8:53 | hmfurcniz.info | udp |
| US | 8.8.8.8:53 | melbmcr.info | udp |
| US | 8.8.8.8:53 | yacusmeiimog.org | udp |
| US | 8.8.8.8:53 | avbzvrkcvjvh.net | udp |
| US | 8.8.8.8:53 | bwzopcx.org | udp |
| US | 8.8.8.8:53 | ddpobim.org | udp |
| US | 8.8.8.8:53 | qeeyuwws.com | udp |
| US | 8.8.8.8:53 | pyrqpyn.info | udp |
| US | 8.8.8.8:53 | ewhqxezcwwc.net | udp |
| US | 8.8.8.8:53 | mpsluecp.info | udp |
| US | 8.8.8.8:53 | acksqp.net | udp |
| US | 8.8.8.8:53 | gnwvjvjc.net | udp |
| US | 8.8.8.8:53 | qbhqtfueirwy.net | udp |
| US | 8.8.8.8:53 | qkeieosjlmsw.info | udp |
| US | 8.8.8.8:53 | yoaoooewyeeo.com | udp |
| US | 8.8.8.8:53 | xpgwfipglow.com | udp |
| US | 8.8.8.8:53 | hjddssuzls.info | udp |
| US | 8.8.8.8:53 | zvbehljghqu.com | udp |
| US | 8.8.8.8:53 | scuabbyuz.net | udp |
| US | 8.8.8.8:53 | jesxxfnxrb.info | udp |
| US | 8.8.8.8:53 | omtzlccvxmkf.info | udp |
| US | 8.8.8.8:53 | mdhpuesj.net | udp |
| US | 8.8.8.8:53 | ywlilbnxr.net | udp |
| US | 8.8.8.8:53 | qcpjfakwd.net | udp |
| US | 8.8.8.8:53 | dqjrswwie.com | udp |
| US | 8.8.8.8:53 | immkkkkeismw.org | udp |
| US | 8.8.8.8:53 | hqrutpg.com | udp |
| US | 8.8.8.8:53 | zanzvuhlarnd.net | udp |
| US | 8.8.8.8:53 | hrhjzm.info | udp |
| US | 8.8.8.8:53 | vrxmprngmlhk.net | udp |
| US | 8.8.8.8:53 | jctssigifd.info | udp |
| US | 8.8.8.8:53 | kqvirufzq.info | udp |
| US | 8.8.8.8:53 | eznabol.net | udp |
| US | 8.8.8.8:53 | bswkjqx.org | udp |
| US | 8.8.8.8:53 | sywaxjkitnd.net | udp |
| US | 8.8.8.8:53 | egwmww.com | udp |
| US | 8.8.8.8:53 | ixvxzcqyt.info | udp |
| US | 8.8.8.8:53 | klqmnybibg.net | udp |
| US | 8.8.8.8:53 | lwsuxsvok.info | udp |
| US | 8.8.8.8:53 | aegsao.com | udp |
| US | 8.8.8.8:53 | wyfuvfblbtj.info | udp |
| US | 8.8.8.8:53 | byeizl.net | udp |
| US | 8.8.8.8:53 | dkouvubcpovf.info | udp |
| US | 8.8.8.8:53 | myzmjev.net | udp |
| US | 8.8.8.8:53 | mjvtphaadm.net | udp |
| US | 8.8.8.8:53 | ptcutcpl.info | udp |
| US | 8.8.8.8:53 | uslgdte.net | udp |
| US | 8.8.8.8:53 | lisbhict.net | udp |
| US | 8.8.8.8:53 | oahisgpny.net | udp |
| US | 8.8.8.8:53 | yeuqlybq.info | udp |
| US | 8.8.8.8:53 | icfyaovdjihs.info | udp |
| US | 8.8.8.8:53 | ehmzdguwh.info | udp |
| US | 8.8.8.8:53 | fzbhbpln.info | udp |
| US | 8.8.8.8:53 | zyfitez.info | udp |
| US | 8.8.8.8:53 | dpzdbigpebql.info | udp |
| US | 8.8.8.8:53 | awnrwe.info | udp |
| US | 8.8.8.8:53 | gmywye.org | udp |
| US | 8.8.8.8:53 | leqdurjb.net | udp |
| US | 8.8.8.8:53 | uoyfua.info | udp |
| US | 8.8.8.8:53 | caguxmgkg.info | udp |
| US | 8.8.8.8:53 | urawzn.info | udp |
| US | 8.8.8.8:53 | yqlttwfay.info | udp |
| US | 8.8.8.8:53 | wndkkkd.info | udp |
| US | 8.8.8.8:53 | dxikspgshgbk.info | udp |
| US | 8.8.8.8:53 | dkdsgalwamd.net | udp |
| US | 8.8.8.8:53 | zlmhvcv.net | udp |
| US | 8.8.8.8:53 | acbwnkjuscn.net | udp |
| BG | 93.152.146.70:44601 | tcp | |
| US | 8.8.8.8:53 | oiwoimuqqg.com | udp |
| US | 8.8.8.8:53 | lgmwshpwdp.net | udp |
| US | 8.8.8.8:53 | qzkeygi.info | udp |
| US | 8.8.8.8:53 | xbqhvi.info | udp |
| US | 8.8.8.8:53 | ummsicus.org | udp |
| US | 8.8.8.8:53 | zglhfr.info | udp |
| US | 8.8.8.8:53 | fhngbai.com | udp |
| US | 8.8.8.8:53 | zgrjrexb.net | udp |
| US | 8.8.8.8:53 | runmxthttiuf.net | udp |
| US | 8.8.8.8:53 | mwpczohqrpl.net | udp |
| US | 8.8.8.8:53 | hqbeniron.org | udp |
| US | 8.8.8.8:53 | takghwqz.net | udp |
| US | 8.8.8.8:53 | ayskuuyege.org | udp |
| US | 8.8.8.8:53 | wmromnp.info | udp |
| US | 8.8.8.8:53 | eeueccewmeem.com | udp |
| US | 8.8.8.8:53 | vigkrh.info | udp |
| US | 8.8.8.8:53 | rezvmsxsm.org | udp |
| US | 8.8.8.8:53 | qumkqoskoomw.com | udp |
| US | 8.8.8.8:53 | gthoprfe.net | udp |
| US | 8.8.8.8:53 | bpsdrobofbar.info | udp |
| US | 8.8.8.8:53 | tyqrgkrojs.net | udp |
| US | 8.8.8.8:53 | eqoyqceyagea.org | udp |
| US | 8.8.8.8:53 | zmhutsnwxsu.org | udp |
| US | 8.8.8.8:53 | pyapbh.info | udp |
| US | 8.8.8.8:53 | vlpxze.info | udp |
| US | 8.8.8.8:53 | hvqeij.net | udp |
| US | 8.8.8.8:53 | sofndmpsjeu.info | udp |
| US | 8.8.8.8:53 | rhjhxbhewd.net | udp |
| US | 8.8.8.8:53 | rcsygerash.net | udp |
| US | 8.8.8.8:53 | rafdtpxafivh.info | udp |
| US | 8.8.8.8:53 | vranwj.net | udp |
| US | 8.8.8.8:53 | nqxqys.net | udp |
| US | 8.8.8.8:53 | fonkfotyd.net | udp |
| US | 8.8.8.8:53 | ostbpgmikyz.net | udp |
| US | 8.8.8.8:53 | skywyumxq.net | udp |
| US | 8.8.8.8:53 | vofeyrnodel.net | udp |
| US | 8.8.8.8:53 | hsjphmpri.net | udp |
| US | 8.8.8.8:53 | xbllvppeabws.info | udp |
| US | 8.8.8.8:53 | nshdioh.net | udp |
| US | 8.8.8.8:53 | isegumiwim.org | udp |
| US | 8.8.8.8:53 | lcjtxdfqbtwg.net | udp |
| US | 8.8.8.8:53 | bulzdydv.info | udp |
| US | 8.8.8.8:53 | ekokmqmy.com | udp |
| US | 8.8.8.8:53 | omhsdoa.net | udp |
| US | 8.8.8.8:53 | kmbiem.info | udp |
| US | 8.8.8.8:53 | ekqqcc.org | udp |
| US | 8.8.8.8:53 | lopivbnottk.net | udp |
| US | 8.8.8.8:53 | zqtmzcnqtgyu.net | udp |
| US | 8.8.8.8:53 | vcvneoiitt.net | udp |
| US | 8.8.8.8:53 | xmgevneyuwn.org | udp |
| US | 8.8.8.8:53 | ybbifcofn.net | udp |
| US | 8.8.8.8:53 | wclazslaknj.net | udp |
| US | 8.8.8.8:53 | xytkrxv.com | udp |
| US | 8.8.8.8:53 | dflqknsl.net | udp |
| US | 8.8.8.8:53 | spddxdesep.info | udp |
| US | 8.8.8.8:53 | aztsttzli.info | udp |
| US | 8.8.8.8:53 | coqcqscq.com | udp |
| US | 8.8.8.8:53 | lmksdgntqsp.com | udp |
| US | 8.8.8.8:53 | qtgqqinahbp.info | udp |
| US | 8.8.8.8:53 | nqtvvus.com | udp |
| US | 8.8.8.8:53 | luaiexlo.net | udp |
| US | 8.8.8.8:53 | cwrquthxwax.info | udp |
| US | 8.8.8.8:53 | tgwszyqdbgf.info | udp |
| US | 8.8.8.8:53 | dqxengr.com | udp |
| US | 8.8.8.8:53 | xwkiaur.net | udp |
| US | 8.8.8.8:53 | rydjwzmn.info | udp |
| US | 8.8.8.8:53 | jubvpax.info | udp |
| US | 8.8.8.8:53 | muvdirplpg.net | udp |
| US | 8.8.8.8:53 | egvlaql.net | udp |
| US | 8.8.8.8:53 | vidgvqfofi.net | udp |
| US | 8.8.8.8:53 | mpngqybwxuu.net | udp |
| US | 8.8.8.8:53 | natdnpx.net | udp |
| US | 8.8.8.8:53 | thiheqnjfg.info | udp |
| US | 8.8.8.8:53 | osogzxhgnxk.info | udp |
| US | 8.8.8.8:53 | ecbwysbz.info | udp |
| US | 8.8.8.8:53 | zdfetlo.info | udp |
| US | 8.8.8.8:53 | oitwbowqhwf.info | udp |
| US | 8.8.8.8:53 | diasfmjrjzyb.net | udp |
| US | 8.8.8.8:53 | bnvoehmzojkj.info | udp |
| US | 8.8.8.8:53 | cceyge.org | udp |
| US | 8.8.8.8:53 | njmyupro.net | udp |
| US | 8.8.8.8:53 | naecpjgn.info | udp |
| US | 8.8.8.8:53 | mimcocse.org | udp |
| US | 8.8.8.8:53 | xrpwmsl.info | udp |
| US | 8.8.8.8:53 | nvbwfmdprbpk.net | udp |
| BG | 212.104.116.212:26364 | tcp | |
| US | 8.8.8.8:53 | faacagdzpoz.net | udp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | qipawytie.net | udp |
| US | 8.8.8.8:53 | mysgmkwy.com | udp |
| US | 8.8.8.8:53 | mpozqh.net | udp |
| US | 8.8.8.8:53 | ptxuton.info | udp |
| US | 8.8.8.8:53 | wcsbrpz.net | udp |
| US | 8.8.8.8:53 | qakqmisiwu.org | udp |
| US | 8.8.8.8:53 | doccomhaw.org | udp |
| US | 8.8.8.8:53 | vtebqm.info | udp |
| US | 8.8.8.8:53 | uwcuws.org | udp |
| US | 8.8.8.8:53 | lglgfxphejqe.net | udp |
| US | 8.8.8.8:53 | rathwubqm.info | udp |
| US | 8.8.8.8:53 | psntburxdar.net | udp |
| US | 8.8.8.8:53 | azlfou.info | udp |
| US | 8.8.8.8:53 | oqjfitexpdyb.info | udp |
| US | 8.8.8.8:53 | jptblemode.info | udp |
| US | 8.8.8.8:53 | pyskryzdre.info | udp |
| US | 8.8.8.8:53 | umyicieyee.org | udp |
| US | 8.8.8.8:53 | aaycvmz.info | udp |
| US | 8.8.8.8:53 | mipjgulenwx.info | udp |
| US | 8.8.8.8:53 | ocuepejey.info | udp |
| US | 8.8.8.8:53 | nurrdlrfvkd.net | udp |
| US | 8.8.8.8:53 | vcsuct.net | udp |
| IT | 94.156.27.79:26140 | tcp | |
| US | 8.8.8.8:53 | lagawopiz.com | udp |
| US | 8.8.8.8:53 | uafwsmsayy.info | udp |
| US | 8.8.8.8:53 | fgkaxijop.com | udp |
| US | 8.8.8.8:53 | umfezsign.net | udp |
| US | 8.8.8.8:53 | jkqmmsgbi.net | udp |
| US | 8.8.8.8:53 | agmifggt.info | udp |
| US | 8.8.8.8:53 | mjxxtvxsirxs.net | udp |
| US | 8.8.8.8:53 | jeqzkmwc.net | udp |
| US | 8.8.8.8:53 | fsyczawoha.info | udp |
| US | 8.8.8.8:53 | atkzfclhbift.info | udp |
| US | 8.8.8.8:53 | ismqceyewi.com | udp |
| US | 8.8.8.8:53 | lgsnlwvyn.org | udp |
| US | 8.8.8.8:53 | wueysyqiyg.org | udp |
| US | 8.8.8.8:53 | oncjrblf.net | udp |
| US | 8.8.8.8:53 | kcvojil.net | udp |
| US | 8.8.8.8:53 | cgoprg.info | udp |
| US | 8.8.8.8:53 | muiguayq.org | udp |
| US | 8.8.8.8:53 | jjrefkv.net | udp |
| US | 8.8.8.8:53 | wuwugk.com | udp |
| US | 8.8.8.8:53 | kjskvzf.info | udp |
| US | 8.8.8.8:53 | kgzkrr.net | udp |
| US | 8.8.8.8:53 | lzbjkx.info | udp |
| US | 8.8.8.8:53 | nryqlcjndfuo.net | udp |
| US | 8.8.8.8:53 | dhtkhlo.info | udp |
| US | 8.8.8.8:53 | geoauusquukw.com | udp |
| US | 8.8.8.8:53 | qshgtkxcv.net | udp |
| US | 8.8.8.8:53 | koificuqay.net | udp |
| US | 8.8.8.8:53 | blriytvijot.com | udp |
| US | 8.8.8.8:53 | wgjkcuj.info | udp |
| US | 8.8.8.8:53 | tunigxdxlx.net | udp |
| US | 8.8.8.8:53 | bqqovhnmbgi.info | udp |
| US | 8.8.8.8:53 | bufapldspds.net | udp |
| US | 8.8.8.8:53 | kyilnx.net | udp |
| US | 8.8.8.8:53 | fanttpzybtfc.net | udp |
| US | 8.8.8.8:53 | zzltha.info | udp |
| US | 8.8.8.8:53 | fxfhoslihy.info | udp |
| US | 8.8.8.8:53 | bsuanaj.info | udp |
Files
C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
| MD5 | 045f9ea14722872525b47ffff80be8e5 |
| SHA1 | 015a67c71666b1d95dbcb25f396f969d1876e530 |
| SHA256 | 5b963a83a37e345fc9763ac196e7b06d4d7ab57e4731d043a0a57202da956583 |
| SHA512 | 54f891b83d7bd62a0101b4cd3f5382d3f5dcccc1d9c6b8875fed31b4be11e5e6421311c029a0a14823476c3b6b2f0fe01ccb9f2e876302e27d204b53f14f8318 |
C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe
| MD5 | c80e476ddc2450c7d1bf465e8796f0d6 |
| SHA1 | c01e78777fbd41c983942ef10546613ce2537f5b |
| SHA256 | cf50f189fc5b6fb4762cee07c4d5e22cdbeb853132f86f6c757033aff65a83a1 |
| SHA512 | 6adc3688772558bcbc094335a84ea7bddd84615c509991788debeb9c34c94702c883e5cb06148a1aa45b5b4d63e362dead24b5e12056e7efa91cb46415f8f832 |
C:\Users\Admin\AppData\Local\Temp\bagsw.exe
| MD5 | 7be6738e379fe82c2d4ca6c30c9c878d |
| SHA1 | 3d5a55e2142795f0587857b5ef91c36b83931eb8 |
| SHA256 | 3d5d165d0bd13970d39f621da8744e8c93fca536ec3aeb8448c0a16c61e5d724 |
| SHA512 | 007b63d079f69f0ccac3c9a919aefda4ead865eeef50fa8410bd0afaf8ae686808b5126a6d4d9330b69b3c8f5364768ce62f20caf41e4cb31761c970417e74fb |
C:\Users\Admin\AppData\Local\bagswdzmlrmnwlzylcnmseiplyx.yzi
| MD5 | 2fa1a91f91842a6b461c0023e111e283 |
| SHA1 | edcc232a0f6d1845a05248e019103f21f20ad560 |
| SHA256 | 8271a8825ef998bc6cdcd408b10d9dbef5eeca33afe2da05415739d30c6d3bae |
| SHA512 | 3a1b09ee98eed6233f8397f920a359b2e9312b31843f330825ffa4d321dfb7a824079dd1efab067589f7fd5ef825c5b01c356936210e7a5ef6c0938b424ad385 |
C:\Users\Admin\AppData\Local\yizwldkisjpbvvueceakbynfmkulrdxxwgegcm.aph
| MD5 | 49dde8af2df4a2ff4f7707c171a5fae6 |
| SHA1 | 391f1cb6f0092311809509d0ca68d64c9452391b |
| SHA256 | ee4bc94532f1d34027bc620ebf9815ca5041fbed3873a015f1b967f97ad7e127 |
| SHA512 | 0c664224732fa8a5608719bee463d891e91b8ef139685c2f1d3be80874514510e3c28bc01046ba87f386501bd3e67cbff0f76bcc9b7ee0fef750ff81e36a70c0 |
C:\Program Files (x86)\bagswdzmlrmnwlzylcnmseiplyx.yzi
| MD5 | d4068bdd69afba2f5cca7b695a5ed2ec |
| SHA1 | 45c63054bd2cb6c06a6ec185a394988ad036804e |
| SHA256 | cf7f450bacb843d641973119de08d78839dd5ecccbbe6187733461bdb63ce7ba |
| SHA512 | 7b1a7d3df11cd934830ad7a4e036b85ccfd39d50ec19d487262b6a634eb1a517bae974b4d0bed638597afeaf08f313dd7d95f7211bf48d7e3d3a85fbc046f175 |
C:\Program Files (x86)\bagswdzmlrmnwlzylcnmseiplyx.yzi
| MD5 | b69b818fd7adc9816f03319716300e6c |
| SHA1 | e501f7113f5f075acba19eed639f97fb08e26328 |
| SHA256 | 7834dd62c54836039c25adc8a7be46b2f891dec00879a401b6346f51e2fe9825 |
| SHA512 | 630d59ffa4b0105420c28fef3ee0e84c4d9ec682f5749ca2d17f7f3e2fafbe150aa990adcdc82208b496bdcd654b69106c597139a3cf751855dde9aeb5ff5e4f |
C:\Program Files (x86)\bagswdzmlrmnwlzylcnmseiplyx.yzi
| MD5 | 9179b61a3930f913a95daec99e2cc2a2 |
| SHA1 | 3427d58b58268e5dae5753ccd0bca8dc550e8ef4 |
| SHA256 | 941a936d2d410da8e969324b7ca6e3f542ebdbfa06525737b1121af943f27bd9 |
| SHA512 | 113480dd718f37371dca65f6b474876fe748db13cb2324d199ded747a42d6b8546b86efb62b0a5f2710964865aad68cbee1f657502e7dd32e435093a4976d925 |
C:\Program Files (x86)\bagswdzmlrmnwlzylcnmseiplyx.yzi
| MD5 | 952c023357eda15d8df220530d4a0015 |
| SHA1 | cb10305b780afdb68f7727716a527750a163b770 |
| SHA256 | b66e06e96d99a5b7c6e5470719ceed343cd4a30047e14e0383963ad63486d8be |
| SHA512 | 9e831c8dbbd04ea1e03553c004ca822ceb6b4a144b78c372f14f659a76c9c598e6740fc04e5c22eab844eec0a0404d8d3af1f0b6677aa40a3dcb39ae49c646e9 |
C:\Program Files (x86)\bagswdzmlrmnwlzylcnmseiplyx.yzi
| MD5 | e9cb96c2e1eed16251d8e3f95a9f1069 |
| SHA1 | 5cbcec3366ba5d21a99dddc6479b88bd435022f9 |
| SHA256 | 519c908446ada1b23feec312738a41cf88a70c95bb308dfb96cba408399598be |
| SHA512 | ef3a22a0749b929c505ee502cfcdf5e5becfa2e0d9d300053429f1df2ea05a559d1030b8de4e3d9494a76273d9f2588a8e6e6efa0c396002f77f108440a4169a |
Analysis: behavioral2
Detonation Overview
Submitted
2025-04-21 06:08
Reported
2025-04-21 06:10
Platform
win11-20250410-en
Max time kernel
64s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
Pykspa
Pykspa family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
Detect Pykspa worm
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmdvgzpatigwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "cuqndbwmkehchcctggqie.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "zmdvgzpatigwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "aqkftpiwsklehaynywe.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "zmdvgzpatigwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "cuqndbwmkehchcctggqie.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmdvgzpatigwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "gumfrlcoiyxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "gumfrlcoiyxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "pexrezrezqqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nezvkhbqngicgazpbaja.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmdvgzpatigwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nezvkhbqngicgazpbaja.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nezvkhbqngicgazpbaja.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "cuqndbwmkehchcctggqie.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "gumfrlcoiyxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "nezvkhbqngicgazpbaja.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "nezvkhbqngicgazpbaja.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "gumfrlcoiyxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nezvkhbqngicgazpbaja.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "cuqndbwmkehchcctggqie.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "aqkftpiwsklehaynywe.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "pexrezrezqqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "pexrezrezqqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "zmdvgzpatigwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nezvkhbqngicgazpbaja.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmdvgzpatigwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "cuqndbwmkehchcctggqie.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gumfrlcoiyxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "gumfrlcoiyxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
Executes dropped EXE
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ugwnxpeogurgfuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ugwnxpeogurgfuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmdvgzpatigwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\ranbixjqfqkw = "pexrezrezqqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ugwnxpeogurgfuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gumfrlcoiyxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmdvgzpatigwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "zmdvgzpatigwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nezvkhbqngicgazpbaja.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rcrhqhveviesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\ranbixjqfqkw = "aqkftpiwsklehaynywe.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rcrhqhveviesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\ranbixjqfqkw = "pexrezrezqqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qaodlbowmytgd = "nezvkhbqngicgazpbaja.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rcrhqhveviesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe ." | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "pexrezrezqqikcznxu.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "zmdvgzpatigwwmht.exe ." | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qaodlbowmytgd = "aqkftpiwsklehaynywe.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rcrhqhveviesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmdvgzpatigwwmht.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gumfrlcoiyxopgcpy.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ugwnxpeogurgfuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmdvgzpatigwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qaodlbowmytgd = "aqkftpiwsklehaynywe.exe ." | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rcrhqhveviesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nezvkhbqngicgazpbaja.exe ." | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "pexrezrezqqikcznxu.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qaodlbowmytgd = "pexrezrezqqikcznxu.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "gumfrlcoiyxopgcpy.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gumfrlcoiyxopgcpy.exe ." | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "pexrezrezqqikcznxu.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "pexrezrezqqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "gumfrlcoiyxopgcpy.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qaodlbowmytgd = "gumfrlcoiyxopgcpy.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "nezvkhbqngicgazpbaja.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ugwnxpeogurgfuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\ranbixjqfqkw = "zmdvgzpatigwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ugwnxpeogurgfuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rcrhqhveviesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "cuqndbwmkehchcctggqie.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmdvgzpatigwwmht.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "nezvkhbqngicgazpbaja.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "gumfrlcoiyxopgcpy.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ugwnxpeogurgfuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmdvgzpatigwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "cuqndbwmkehchcctggqie.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ugwnxpeogurgfuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gumfrlcoiyxopgcpy.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qaodlbowmytgd = "pexrezrezqqikcznxu.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "zmdvgzpatigwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\ranbixjqfqkw = "gumfrlcoiyxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rcrhqhveviesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gumfrlcoiyxopgcpy.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rcrhqhveviesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gumfrlcoiyxopgcpy.exe ." | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "zmdvgzpatigwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmdvgzpatigwwmht.exe ." | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ranbixjqfqkwsevdhyzivjqfrynyseamdl.ghq | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gumfrlcoiyxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aqkftpiwsklehaynywe.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nezvkhbqngicgazpbaja.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aqkftpiwsklehaynywe.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cuqndbwmkehchcctggqie.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gumfrlcoiyxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nezvkhbqngicgazpbaja.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aqkftpiwsklehaynywe.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmdvgzpatigwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cuqndbwmkehchcctggqie.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cuqndbwmkehchcctggqie.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nezvkhbqngicgazpbaja.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aqkftpiwsklehaynywe.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nezvkhbqngicgazpbaja.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gumfrlcoiyxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmdvgzpatigwwmht.exe | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gumfrlcoiyxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aqkftpiwsklehaynywe.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aqkftpiwsklehaynywe.exe | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nezvkhbqngicgazpbaja.exe | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cuqndbwmkehchcctggqie.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmdvgzpatigwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gumfrlcoiyxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cuqndbwmkehchcctggqie.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cuqndbwmkehchcctggqie.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nezvkhbqngicgazpbaja.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nezvkhbqngicgazpbaja.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cuqndbwmkehchcctggqie.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gumfrlcoiyxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmdvgzpatigwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmdvgzpatigwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nezvkhbqngicgazpbaja.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aqkftpiwsklehaynywe.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nezvkhbqngicgazpbaja.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gumfrlcoiyxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gumfrlcoiyxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\ecehdhieiirsdekhagwuwzv.awa | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| File created | C:\Program Files (x86)\ecehdhieiirsdekhagwuwzv.awa | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ranbixjqfqkwsevdhyzivjqfrynyseamdl.ghq | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| File created | C:\Program Files (x86)\ranbixjqfqkwsevdhyzivjqfrynyseamdl.ghq | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\gumfrlcoiyxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\cuqndbwmkehchcctggqie.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File created | C:\Windows\ecehdhieiirsdekhagwuwzv.awa | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| File opened for modification | C:\Windows\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\gumfrlcoiyxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\nezvkhbqngicgazpbaja.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\gumfrlcoiyxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\cuqndbwmkehchcctggqie.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\aqkftpiwsklehaynywe.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\cuqndbwmkehchcctggqie.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\cuqndbwmkehchcctggqie.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\cuqndbwmkehchcctggqie.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\nezvkhbqngicgazpbaja.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\gumfrlcoiyxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\aqkftpiwsklehaynywe.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\cuqndbwmkehchcctggqie.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\aqkftpiwsklehaynywe.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\zmdvgzpatigwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\zmdvgzpatigwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\gumfrlcoiyxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\zmdvgzpatigwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\aqkftpiwsklehaynywe.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\cuqndbwmkehchcctggqie.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\gumfrlcoiyxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| File opened for modification | C:\Windows\nezvkhbqngicgazpbaja.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\gumfrlcoiyxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\aqkftpiwsklehaynywe.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\nezvkhbqngicgazpbaja.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\nezvkhbqngicgazpbaja.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\aqkftpiwsklehaynywe.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\gumfrlcoiyxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\gumfrlcoiyxopgcpy.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\aqkftpiwsklehaynywe.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| File opened for modification | C:\Windows\cuqndbwmkehchcctggqie.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\tmjhyxtkjeiekghznozspn.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\aqkftpiwsklehaynywe.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\nezvkhbqngicgazpbaja.exe | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| File opened for modification | C:\Windows\aqkftpiwsklehaynywe.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\zmdvgzpatigwwmht.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\pexrezrezqqikcznxu.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\nezvkhbqngicgazpbaja.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\cuqndbwmkehchcctggqie.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\nezvkhbqngicgazpbaja.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\cuqndbwmkehchcctggqie.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| File opened for modification | C:\Windows\aqkftpiwsklehaynywe.exe | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\nezvkhbqngicgazpbaja.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\pexrezrezqqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zmdvgzpatigwwmht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\gumfrlcoiyxopgcpy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\aqkftpiwsklehaynywe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\aqkftpiwsklehaynywe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\gumfrlcoiyxopgcpy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\aqkftpiwsklehaynywe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\nezvkhbqngicgazpbaja.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\aqkftpiwsklehaynywe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\gumfrlcoiyxopgcpy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\aqkftpiwsklehaynywe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zmdvgzpatigwwmht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\pexrezrezqqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\cuqndbwmkehchcctggqie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\cuqndbwmkehchcctggqie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\gumfrlcoiyxopgcpy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\nezvkhbqngicgazpbaja.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zmdvgzpatigwwmht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\cuqndbwmkehchcctggqie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zmdvgzpatigwwmht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zmdvgzpatigwwmht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zmdvgzpatigwwmht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\nezvkhbqngicgazpbaja.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\cuqndbwmkehchcctggqie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\cuqndbwmkehchcctggqie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\gumfrlcoiyxopgcpy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\zmdvgzpatigwwmht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\aqkftpiwsklehaynywe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\pexrezrezqqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\aqkftpiwsklehaynywe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\gumfrlcoiyxopgcpy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\pexrezrezqqikcznxu.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\gumfrlcoiyxopgcpy.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe"
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe*"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe
"C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe" "-C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe"
C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe
"C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe" "-C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe .
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe .
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe .
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe
C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe
C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe
C:\Windows\aqkftpiwsklehaynywe.exe
aqkftpiwsklehaynywe.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .
C:\Windows\pexrezrezqqikcznxu.exe
pexrezrezqqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."
C:\Windows\gumfrlcoiyxopgcpy.exe
gumfrlcoiyxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .
C:\Windows\zmdvgzpatigwwmht.exe
zmdvgzpatigwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe
C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .
C:\Windows\nezvkhbqngicgazpbaja.exe
nezvkhbqngicgazpbaja.exe .
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe
C:\Windows\cuqndbwmkehchcctggqie.exe
cuqndbwmkehchcctggqie.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| DE | 172.217.19.78:80 | www.youtube.com | tcp |
| LV | 109.229.204.136:34928 | tcp | |
| DE | 85.214.228.140:80 | gyuuym.org | tcp |
| US | 8.8.8.8:53 | nopafhn.com | udp |
| SG | 18.142.91.111:80 | unxfuild.info | tcp |
| US | 104.156.155.94:80 | cydlrge.info | tcp |
| LV | 46.109.250.120:24205 | tcp | |
| US | 8.8.8.8:53 | jmwtjf.net | udp |
| US | 8.8.8.8:53 | vmrumy.net | udp |
| MD | 95.65.85.96:40253 | tcp | |
| US | 8.8.8.8:53 | fzbhbpln.info | udp |
| US | 8.8.8.8:53 | zyfitez.info | udp |
| US | 8.8.8.8:53 | ucgcixye.net | udp |
| US | 8.8.8.8:53 | bklvfs.net | udp |
| MD | 178.168.91.49:35979 | tcp | |
| US | 8.8.8.8:53 | ehtxxlxjpzdt.net | udp |
| US | 8.8.8.8:53 | wbhhhuh.info | udp |
| US | 8.8.8.8:53 | nudbmguttzbq.net | udp |
| BG | 109.199.136.118:17148 | tcp | |
| US | 8.8.8.8:53 | ludrxtukexzw.net | udp |
| US | 8.8.8.8:53 | hdmivoyua.com | udp |
| LT | 78.57.176.114:31785 | tcp | |
| US | 8.8.8.8:53 | vaygmufwnoo.org | udp |
| US | 8.8.8.8:53 | twxywc.net | udp |
| US | 8.8.8.8:53 | dhtkhlo.info | udp |
| US | 8.8.8.8:53 | oynbdbhftsx.info | udp |
| LT | 78.57.144.167:13000 | tcp | |
| US | 8.8.8.8:53 | htpeqjognnpm.info | udp |
| US | 8.8.8.8:53 | lktmayv.com | udp |
| US | 8.8.8.8:53 | zbdispgco.info | udp |
| US | 8.8.8.8:53 | zuhmapbot.net | udp |
| LT | 78.60.242.96:13556 | tcp | |
| US | 8.8.8.8:53 | iefialxo.net | udp |
| US | 8.8.8.8:53 | cskfjyzihlwe.net | udp |
| LT | 78.61.72.236:43013 | tcp | |
| US | 8.8.8.8:53 | ofmygwzqf.info | udp |
| US | 8.8.8.8:53 | xrjmbmgmisvh.info | udp |
| US | 8.8.8.8:53 | jmipbn.info | udp |
| US | 8.8.8.8:53 | nhmyomxjv.info | udp |
| BG | 91.148.146.249:20854 | tcp | |
| US | 8.8.8.8:53 | bctwfgikb.org | udp |
| US | 8.8.8.8:53 | eakirog.net | udp |
| US | 8.8.8.8:53 | uwxmbnsumsu.net | udp |
| BG | 130.204.169.69:19438 | tcp | |
| US | 8.8.8.8:53 | uoxjsmld.info | udp |
| BG | 89.215.241.168:20497 | tcp | |
| US | 8.8.8.8:53 | rirawmevp.org | udp |
| US | 8.8.8.8:53 | pvesxitaordl.info | udp |
| US | 8.8.8.8:53 | qeuouy.com | udp |
| LT | 84.32.125.156:25573 | tcp | |
| US | 8.8.8.8:53 | qurwhzshpg.net | udp |
| US | 8.8.8.8:53 | wikosmioag.org | udp |
| LT | 78.157.80.186:13475 | tcp | |
| US | 8.8.8.8:53 | mcyiuguwgg.com | udp |
| US | 8.8.8.8:53 | kimxnalcrpk.net | udp |
| BG | 94.156.81.22:37325 | tcp | |
| US | 8.8.8.8:53 | qfprkq.info | udp |
| US | 8.8.8.8:53 | gvlqwyza.net | udp |
| MD | 92.115.169.145:37193 | tcp | |
| US | 8.8.8.8:53 | hnfkbcvqhpz.org | udp |
| US | 8.8.8.8:53 | monwekv.info | udp |
| RU | 94.41.245.178:40201 | tcp | |
| US | 8.8.8.8:53 | zyvtdnih.net | udp |
| US | 8.8.8.8:53 | llbsaq.info | udp |
| US | 8.8.8.8:53 | burytra.info | udp |
| BG | 212.233.209.31:17159 | tcp | |
| US | 8.8.8.8:53 | wacwiq.org | udp |
| US | 8.8.8.8:53 | tsbqamkmcqz.info | udp |
| DE | 85.214.228.140:80 | gyuuym.org | tcp |
| LT | 78.57.172.106:36223 | tcp | |
| US | 8.8.8.8:53 | maqgaggm.org | udp |
| US | 8.8.8.8:53 | fofghyx.info | udp |
| SG | 18.142.91.111:80 | unxfuild.info | tcp |
| US | 8.8.8.8:53 | sbdkki.info | udp |
| US | 8.8.8.8:53 | enmahlfllkfw.info | udp |
| US | 8.8.8.8:53 | zgwqwlbxnhgx.info | udp |
| US | 8.8.8.8:53 | ggoiukqgsikq.org | udp |
| US | 8.8.8.8:53 | qofqgod.info | udp |
| US | 8.8.8.8:53 | awisvuy.info | udp |
| US | 8.8.8.8:53 | xuhgmsraiyx.info | udp |
| US | 8.8.8.8:53 | eaharf.net | udp |
| US | 8.8.8.8:53 | udzdjiddn.net | udp |
| US | 8.8.8.8:53 | jksfafxq.net | udp |
| US | 8.8.8.8:53 | emwiqo.com | udp |
| US | 8.8.8.8:53 | bbxsopcbsv.net | udp |
| US | 8.8.8.8:53 | butrrgffxwe.info | udp |
| US | 8.8.8.8:53 | vmqkjur.info | udp |
| US | 8.8.8.8:53 | ygoukmwg.org | udp |
| US | 8.8.8.8:53 | mfnrnhqeeyv.info | udp |
| US | 8.8.8.8:53 | qaxkzsv.net | udp |
| US | 8.8.8.8:53 | xwhkkybcnwi.org | udp |
| US | 104.156.155.94:80 | cydlrge.info | tcp |
| US | 8.8.8.8:53 | euxyhykczfj.info | udp |
| US | 8.8.8.8:53 | mjotpzfbosdh.info | udp |
| US | 8.8.8.8:53 | iesqumuvluzb.net | udp |
| US | 8.8.8.8:53 | psbybeacior.com | udp |
| US | 8.8.8.8:53 | kmguszfz.net | udp |
| US | 8.8.8.8:53 | ykjaji.net | udp |
| US | 8.8.8.8:53 | luvehemiri.info | udp |
| US | 8.8.8.8:53 | kredomdjwq.info | udp |
| US | 8.8.8.8:53 | nxnfng.info | udp |
| US | 8.8.8.8:53 | lrnsnuisgbdt.info | udp |
| US | 8.8.8.8:53 | lalckpw.org | udp |
| US | 8.8.8.8:53 | ugaswoqi.com | udp |
| US | 8.8.8.8:53 | jchaljguxsd.com | udp |
| US | 8.8.8.8:53 | jmxwboqabud.info | udp |
| US | 8.8.8.8:53 | hyravgpfay.info | udp |
| US | 8.8.8.8:53 | smuwcyymiqme.com | udp |
| US | 8.8.8.8:53 | sufmlejmugt.net | udp |
| US | 8.8.8.8:53 | hmfurcniz.info | udp |
| US | 8.8.8.8:53 | fatfknvnqauj.info | udp |
| US | 8.8.8.8:53 | nnturowzjw.net | udp |
| US | 8.8.8.8:53 | ddpobim.org | udp |
| US | 8.8.8.8:53 | dahiuvsmkqrk.net | udp |
| US | 8.8.8.8:53 | ivukvkcsxko.info | udp |
| US | 8.8.8.8:53 | tiavpmp.info | udp |
| US | 8.8.8.8:53 | jqngstdpd.com | udp |
| US | 8.8.8.8:53 | rmvhpsu.org | udp |
| US | 8.8.8.8:53 | trvbni.net | udp |
| US | 8.8.8.8:53 | soxkamiyx.info | udp |
| US | 8.8.8.8:53 | ocuosoimmq.com | udp |
| US | 8.8.8.8:53 | qmmaac.org | udp |
| US | 8.8.8.8:53 | ewhqxezcwwc.net | udp |
| US | 8.8.8.8:53 | gakgwdpjes.info | udp |
| US | 8.8.8.8:53 | hkttbyct.net | udp |
| US | 8.8.8.8:53 | yoaoooewyeeo.com | udp |
| US | 8.8.8.8:53 | pypovyqkzwd.com | udp |
| US | 8.8.8.8:53 | mvsfddoqpx.net | udp |
| US | 8.8.8.8:53 | oidktbl.net | udp |
| US | 8.8.8.8:53 | rkdzryp.info | udp |
| US | 8.8.8.8:53 | kjeuyo.net | udp |
| US | 8.8.8.8:53 | wxpbyi.net | udp |
| BG | 93.155.153.12:13119 | tcp | |
| US | 8.8.8.8:53 | dqjrswwie.com | udp |
| US | 8.8.8.8:53 | xvfuumog.info | udp |
| US | 8.8.8.8:53 | fydoswj.com | udp |
| US | 8.8.8.8:53 | cssucwqysu.org | udp |
| US | 8.8.8.8:53 | kruodbjopqw.info | udp |
| US | 8.8.8.8:53 | jzlhcarsuu.net | udp |
| US | 8.8.8.8:53 | vrxmprngmlhk.net | udp |
| US | 8.8.8.8:53 | vwpihwd.info | udp |
| US | 8.8.8.8:53 | iudrtfph.info | udp |
| US | 8.8.8.8:53 | eznabol.net | udp |
| US | 8.8.8.8:53 | bswkjqx.org | udp |
| US | 8.8.8.8:53 | nxdzfgtyp.com | udp |
| US | 8.8.8.8:53 | sugaiu.org | udp |
| US | 8.8.8.8:53 | mmyyusriz.info | udp |
| US | 8.8.8.8:53 | yiqjeelfpmzu.info | udp |
| US | 8.8.8.8:53 | pvtjvcxzz.com | udp |
| US | 8.8.8.8:53 | wowcaomy.com | udp |
| US | 8.8.8.8:53 | klqmnybibg.net | udp |
| US | 8.8.8.8:53 | dfdydoibdmlr.info | udp |
| US | 8.8.8.8:53 | qcvurin.net | udp |
| US | 8.8.8.8:53 | waqacqki.org | udp |
| US | 8.8.8.8:53 | wygiokci.com | udp |
| US | 8.8.8.8:53 | sfmyje.net | udp |
| US | 8.8.8.8:53 | gwplpcriiur.net | udp |
| US | 8.8.8.8:53 | qwaavh.net | udp |
| US | 8.8.8.8:53 | todiyvu.net | udp |
| US | 8.8.8.8:53 | lyxmnybibg.info | udp |
| US | 8.8.8.8:53 | vsgcvdewaap.net | udp |
| US | 8.8.8.8:53 | quebrd.net | udp |
| US | 8.8.8.8:53 | tizwrksiluz.net | udp |
| US | 8.8.8.8:53 | liprnmfuf.net | udp |
| US | 8.8.8.8:53 | dkouvubcpovf.info | udp |
| US | 8.8.8.8:53 | kgucribs.info | udp |
| US | 8.8.8.8:53 | olwdym.info | udp |
| US | 8.8.8.8:53 | rgnyneo.info | udp |
| US | 8.8.8.8:53 | pgnxdav.info | udp |
| US | 8.8.8.8:53 | zyfitez.info | udp |
| US | 8.8.8.8:53 | dalsjnnthafg.net | udp |
| US | 8.8.8.8:53 | roefjlfcbm.net | udp |
| US | 8.8.8.8:53 | pwbohet.org | udp |
| US | 8.8.8.8:53 | zjjfdo.info | udp |
| US | 8.8.8.8:53 | wmiyldz.net | udp |
| US | 8.8.8.8:53 | leqdurjb.net | udp |
Files
C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
| MD5 | bbab93c524d89d5ec7c7e314d34c3247 |
| SHA1 | 56b345bdea006a61c5c91d61399b10070c187150 |
| SHA256 | 8bf6a25f945237a78265c051e06f71ce9b67c4474bb395acf30a5ddcec8b320f |
| SHA512 | 50e8e362697874519b025e1690793a1fcbb4621b00716c796de3fd8bb830ea8d0851e434045dc5519890b1e3ef5675fdac72afbbf096a321dc2b52f9a962c053 |
C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe
| MD5 | c80e476ddc2450c7d1bf465e8796f0d6 |
| SHA1 | c01e78777fbd41c983942ef10546613ce2537f5b |
| SHA256 | cf50f189fc5b6fb4762cee07c4d5e22cdbeb853132f86f6c757033aff65a83a1 |
| SHA512 | 6adc3688772558bcbc094335a84ea7bddd84615c509991788debeb9c34c94702c883e5cb06148a1aa45b5b4d63e362dead24b5e12056e7efa91cb46415f8f832 |
C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe
| MD5 | 5e6aee15c8fa260ee5ced7b5880cf71b |
| SHA1 | 99a790c3928f56bef630cda62b04b7378630f005 |
| SHA256 | 18200fb5fb179ac35a1feb0e7f26bf5462424e6c844e0745eac9f1ce0d6e6ca0 |
| SHA512 | c73beda79fc6bf92131cdde1c8b4dbddef3472abc4cb1df2663627212ecbb252dcc8934e7e27c51cb53ccd260b9c31c21f440dda98ec371065e36eacf51b18de |
C:\Users\Admin\AppData\Local\ecehdhieiirsdekhagwuwzv.awa
| MD5 | fe2acf124ec44cf617717aa25f0eb795 |
| SHA1 | 6ccbc165b4593a35a14ea1a19d07ecfdaf1593e3 |
| SHA256 | 6c8c80a5d8f111b468cd76cb2fa1506b35b555bc7c021c7260642c05b12172bc |
| SHA512 | 04f1b0ca3f1c8c524938e768abc5093dcc5918f06baf9a2ad34ab31bc7662fe8bbedd3f8f24b003377262a63dae5f812fa91de5c4a27072432c9b1bec119b9d3 |
C:\Users\Admin\AppData\Local\ranbixjqfqkwsevdhyzivjqfrynyseamdl.ghq
| MD5 | cec591a078094e29652b146e13b00498 |
| SHA1 | dd156de15dfe953f6618fe9d75cd58c06836a5c6 |
| SHA256 | 1b225dfafd0434a6f78b2c03e44c83e6b3aad6701ecefc45ff2308e0f9de69c5 |
| SHA512 | e3ca149a632f36a91549c864b86acd5fbaa53c057c0c2911981fe60eae32e84924ece3f51b88a0a5f018767abb779ad242f78fa386f3c5023a577e0c6033d0ff |
C:\Program Files (x86)\ecehdhieiirsdekhagwuwzv.awa
| MD5 | 54e7106b08c9f7a58a23b90b06cd0f5c |
| SHA1 | ac174fc011680836627156a8f162a660a629e812 |
| SHA256 | 7a57577194a5b1fe7325558823e9c752e9cdf31b69c74a6b9c7e3d5413e8e9f3 |
| SHA512 | 5fb32d4a6c9eec7435ac7514cc93d3f0242ed39c6091ce59b1307a0f4c12058d33ac86dc40deba33ec5c9e8cf9071e1c8b80fb955044b4f18e9c17aec02139ff |
C:\Program Files (x86)\ecehdhieiirsdekhagwuwzv.awa
| MD5 | e96c7d50dfc0f11db2dfbafc8fc3f376 |
| SHA1 | d1c2b9bcb624027401802904d8911967d68ee4b8 |
| SHA256 | a8b8fc7eddcf47c4a2b76bd27f0585f480630a5f78e9a4f38b2cccf3a6d33731 |
| SHA512 | b91c32765c05787e5197fdaeb2e95ef266d4acc04399844994f3af8672319af55519b7ad3e62ead23387ef8e0780dfed1900b79dfe58fa314ed99b76c638528c |
C:\Program Files (x86)\ecehdhieiirsdekhagwuwzv.awa
| MD5 | 1c8634738c3f6db0e7515dad42331e3e |
| SHA1 | 5495eab1a8cc603dbc9a6c1a4aeee503f694bab4 |
| SHA256 | a595214ea1c26ca9af4909d79d97cd8f7f461526be9377e0bcd86a009cf4f12a |
| SHA512 | bac621e93b58bcb689555799bab345d1c13b2c6f0256f20448c0be16dfc229353e40f01890b3c0bcfb2af00f36fbaaecd81237e7efaec765d251f7405eced123 |
C:\Program Files (x86)\ecehdhieiirsdekhagwuwzv.awa
| MD5 | c8cc48c2b323fdc7b022fb6e05242190 |
| SHA1 | c8f7f5cf1db2c50c3ab7c659b3b745b6c3b04766 |
| SHA256 | ba6d370affc10b641d3382fcc03072a9e5d9c63f94c2ee8a6370e93829343628 |
| SHA512 | e2c65f0fd518eb3d57fd50855867eb26065e94a216c06386a765df5a707f6afa9f66a06011ae485fa91e0c5d494681ff89e84a2a80f96de0c174737482c46855 |
C:\Program Files (x86)\ecehdhieiirsdekhagwuwzv.awa
| MD5 | 668d48acb11fd87e03ca83902c4a5ed5 |
| SHA1 | c94b920c2f5543467538902487e4d8a98800e5c7 |
| SHA256 | bffa5013cee684218b7ef5dd31134a3d378c4a6404814319ee0625220b6ea475 |
| SHA512 | 2f21a862a5bd5073cb61e304778141c84c81cd8a6ea78ff91b6d8fee1459102d818e73c94534bcc10b1bf7a5701f06fc27c32d7792fdaa08f9fca351b4824db8 |
C:\Program Files (x86)\ecehdhieiirsdekhagwuwzv.awa
| MD5 | 12f11b011b2130f2395a2228a5b50515 |
| SHA1 | b9f3f1425f0e8a2554084a5d71e931d2ca6f1900 |
| SHA256 | 41b3769ce19dd036ce21b124cd9bbedcd3c0736d728bfd84cfd7fa977ed871fd |
| SHA512 | 9e5a63c579e36b08bcf7ccfcb64591db22cde78fcfd8eaf00573efe027d424e771d5ff2fceb28e644612ef9a2ca236c8c1e8f222d48f709d9836e5aa5e3be496 |