Malware Analysis Report

2025-08-10 16:34

Sample ID 250421-gv123awpx5
Target JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6
SHA256 cf50f189fc5b6fb4762cee07c4d5e22cdbeb853132f86f6c757033aff65a83a1
Tags
pykspa defense_evasion discovery persistence privilege_escalation trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

cf50f189fc5b6fb4762cee07c4d5e22cdbeb853132f86f6c757033aff65a83a1

Threat Level: Known bad

The file JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6 was found to be: Known bad.

Malicious Activity Summary

pykspa defense_evasion discovery persistence privilege_escalation trojan worm

Modifies WinLogon for persistence

Pykspa family

Pykspa

UAC bypass

Detect Pykspa worm

Disables RegEdit via registry modification

Adds policy Run key to start application

Executes dropped EXE

Checks computer location settings

Impair Defenses: Safe Mode Boot

Hijack Execution Flow: Executable Installer File Permissions Weakness

Looks up external IP address via web service

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-21 06:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-21 06:08

Reported

2025-04-21 06:10

Platform

win10v2004-20250314-en

Max time kernel

53s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A

Pykspa

worm pykspa

Pykspa family

pykspa

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A

Detect Pykspa worm

worm
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "mavwplwymhrhfjmaciiw.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "zmggytderlujgjlyzed.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmoifrujfqhglpehopea.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmoifrujfqhglpehopea.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "bqmoifrujfqhglpehopea.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "mavwplwymhrhfjmaciiw.exe" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "mavwplwymhrhfjmaciiw.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "yizwldkisjpbvvue.exe" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "mavwplwymhrhfjmaciiw.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmoifrujfqhglpehopea.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmoifrujfqhglpehopea.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "oatsjdmmyrznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "oatsjdmmyrznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "oatsjdmmyrznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "oatsjdmmyrznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "zmggytderlujgjlyzed.exe" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "oatsjdmmyrznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmoifrujfqhglpehopea.exe" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "bqmoifrujfqhglpehopea.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "bqmoifrujfqhglpehopea.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "yizwldkisjpbvvue.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "zmggytderlujgjlyzed.exe" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lim = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "bqmoifrujfqhglpehopea.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "oatsjdmmyrznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "oatsjdmmyrznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "yizwldkisjpbvvue.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mmtglt = "zmggytderlujgjlyzed.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\yizwldkisjpbvvue.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\mavwplwymhrhfjmaciiw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\bqmoifrujfqhglpehopea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\bqmoifrujfqhglpehopea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\oatsjdmmyrznjlmyyc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\bqmoifrujfqhglpehopea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\bqmoifrujfqhglpehopea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\yizwldkisjpbvvue.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\bqmoifrujfqhglpehopea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\zmggytderlujgjlyzed.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\yizwldkisjpbvvue.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\yizwldkisjpbvvue.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\oatsjdmmyrznjlmyyc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\mavwplwymhrhfjmaciiw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\zmggytderlujgjlyzed.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\bqmoifrujfqhglpehopea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\oatsjdmmyrznjlmyyc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\yizwldkisjpbvvue.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\oatsjdmmyrznjlmyyc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\zmggytderlujgjlyzed.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\bqmoifrujfqhglpehopea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\mavwplwymhrhfjmaciiw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\fqigwpxwhzgtoppaz.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\oatsjdmmyrznjlmyyc.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\fqigwpxwhzgtoppaz.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\yizwldkisjpbvvue.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\yizwldkisjpbvvue.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\bqmoifrujfqhglpehopea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\fqigwpxwhzgtoppaz.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Windows\oatsjdmmyrznjlmyyc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
N/A N/A C:\Windows\bqmoifrujfqhglpehopea.exe N/A
N/A N/A C:\Windows\oatsjdmmyrznjlmyyc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
N/A N/A C:\Windows\zmggytderlujgjlyzed.exe N/A
N/A N/A C:\Windows\yizwldkisjpbvvue.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
N/A N/A C:\Windows\zmggytderlujgjlyzed.exe N/A
N/A N/A C:\Windows\fqigwpxwhzgtoppaz.exe N/A
N/A N/A C:\Windows\zmggytderlujgjlyzed.exe N/A
N/A N/A C:\Windows\fqigwpxwhzgtoppaz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
N/A N/A C:\Windows\yizwldkisjpbvvue.exe N/A
N/A N/A C:\Windows\oatsjdmmyrznjlmyyc.exe N/A
N/A N/A C:\Windows\zmggytderlujgjlyzed.exe N/A
N/A N/A C:\Windows\yizwldkisjpbvvue.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
N/A N/A C:\Windows\fqigwpxwhzgtoppaz.exe N/A
N/A N/A C:\Windows\oatsjdmmyrznjlmyyc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
N/A N/A C:\Windows\yizwldkisjpbvvue.exe N/A
N/A N/A C:\Windows\zmggytderlujgjlyzed.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
N/A N/A C:\Windows\zmggytderlujgjlyzed.exe N/A
N/A N/A C:\Windows\yizwldkisjpbvvue.exe N/A
N/A N/A C:\Windows\yizwldkisjpbvvue.exe N/A
N/A N/A C:\Windows\bqmoifrujfqhglpehopea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
N/A N/A C:\Windows\mavwplwymhrhfjmaciiw.exe N/A
N/A N/A C:\Windows\yizwldkisjpbvvue.exe N/A
N/A N/A C:\Windows\bqmoifrujfqhglpehopea.exe N/A
N/A N/A C:\Windows\yizwldkisjpbvvue.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "mavwplwymhrhfjmaciiw.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "fqigwpxwhzgtoppaz.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe ." C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "zmggytderlujgjlyzed.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "oatsjdmmyrznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "zmggytderlujgjlyzed.exe ." C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaiwclj = "zmggytderlujgjlyzed.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaiwclj = "zmggytderlujgjlyzed.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "bqmoifrujfqhglpehopea.exe" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "yizwldkisjpbvvue.exe ." C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe ." C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "oatsjdmmyrznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "oatsjdmmyrznjlmyyc.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "zmggytderlujgjlyzed.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmoifrujfqhglpehopea.exe" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "yizwldkisjpbvvue.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "mavwplwymhrhfjmaciiw.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "mavwplwymhrhfjmaciiw.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "fqigwpxwhzgtoppaz.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmoifrujfqhglpehopea.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "mavwplwymhrhfjmaciiw.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "oatsjdmmyrznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "yizwldkisjpbvvue.exe" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe ." C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavwplwymhrhfjmaciiw.exe ." C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "bqmoifrujfqhglpehopea.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zaiwclj = "yizwldkisjpbvvue.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatsjdmmyrznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sqvg = "mavwplwymhrhfjmaciiw.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizwldkisjpbvvue.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ycnenzaswh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sqvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqigwpxwhzgtoppaz.exe" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "yizwldkisjpbvvue.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fisiqbbsv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmggytderlujgjlyzed.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bagsw = "fqigwpxwhzgtoppaz.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oqzovfeu = "fqigwpxwhzgtoppaz.exe ." C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\yizwldkisjpbvvueceakbynfmkulrdxxwgegcm.aph C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File opened for modification C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\sifidbosifrjjpukowyolo.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File opened for modification C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\yizwldkisjpbvvue.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\sifidbosifrjjpukowyolo.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\yizwldkisjpbvvue.exe C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File opened for modification C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File opened for modification C:\Windows\SysWOW64\sifidbosifrjjpukowyolo.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\yizwldkisjpbvvue.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File created C:\Windows\SysWOW64\bagswdzmlrmnwlzylcnmseiplyx.yzi C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File opened for modification C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\sifidbosifrjjpukowyolo.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\yizwldkisjpbvvue.exe C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File opened for modification C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File opened for modification C:\Windows\SysWOW64\fqigwpxwhzgtoppaz.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\sifidbosifrjjpukowyolo.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\sifidbosifrjjpukowyolo.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\yizwldkisjpbvvue.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File opened for modification C:\Windows\SysWOW64\zmggytderlujgjlyzed.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\yizwldkisjpbvvue.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\yizwldkisjpbvvue.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\mavwplwymhrhfjmaciiw.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\SysWOW64\sifidbosifrjjpukowyolo.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\bagswdzmlrmnwlzylcnmseiplyx.yzi C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File created C:\Program Files (x86)\bagswdzmlrmnwlzylcnmseiplyx.yzi C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File opened for modification C:\Program Files (x86)\yizwldkisjpbvvueceakbynfmkulrdxxwgegcm.aph C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File created C:\Program Files (x86)\yizwldkisjpbvvueceakbynfmkulrdxxwgegcm.aph C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\fqigwpxwhzgtoppaz.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\fqigwpxwhzgtoppaz.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\sifidbosifrjjpukowyolo.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\fqigwpxwhzgtoppaz.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\yizwldkisjpbvvue.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\oatsjdmmyrznjlmyyc.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\sifidbosifrjjpukowyolo.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\oatsjdmmyrznjlmyyc.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\sifidbosifrjjpukowyolo.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\fqigwpxwhzgtoppaz.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\mavwplwymhrhfjmaciiw.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\yizwldkisjpbvvue.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\fqigwpxwhzgtoppaz.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\yizwldkisjpbvvue.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\mavwplwymhrhfjmaciiw.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\oatsjdmmyrznjlmyyc.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\fqigwpxwhzgtoppaz.exe C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File opened for modification C:\Windows\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\sifidbosifrjjpukowyolo.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\yizwldkisjpbvvue.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\sifidbosifrjjpukowyolo.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\mavwplwymhrhfjmaciiw.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\fqigwpxwhzgtoppaz.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\sifidbosifrjjpukowyolo.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\yizwldkisjpbvvue.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\fqigwpxwhzgtoppaz.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\sifidbosifrjjpukowyolo.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\oatsjdmmyrznjlmyyc.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\zmggytderlujgjlyzed.exe C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File opened for modification C:\Windows\zmggytderlujgjlyzed.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\mavwplwymhrhfjmaciiw.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\fqigwpxwhzgtoppaz.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\zmggytderlujgjlyzed.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\yizwldkisjpbvvue.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\yizwldkisjpbvvue.exe C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File opened for modification C:\Windows\mavwplwymhrhfjmaciiw.exe C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File opened for modification C:\Windows\mavwplwymhrhfjmaciiw.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\sifidbosifrjjpukowyolo.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\yizwldkisjpbvvue.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\fqigwpxwhzgtoppaz.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File opened for modification C:\Windows\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File opened for modification C:\Windows\sifidbosifrjjpukowyolo.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\zmggytderlujgjlyzed.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\oatsjdmmyrznjlmyyc.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\yizwldkisjpbvvue.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\zmggytderlujgjlyzed.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\bagswdzmlrmnwlzylcnmseiplyx.yzi C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File opened for modification C:\Windows\oatsjdmmyrznjlmyyc.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\yizwldkisjpbvvue.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\sifidbosifrjjpukowyolo.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\zmggytderlujgjlyzed.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File created C:\Windows\bagswdzmlrmnwlzylcnmseiplyx.yzi C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
File opened for modification C:\Windows\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\sifidbosifrjjpukowyolo.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
File opened for modification C:\Windows\yizwldkisjpbvvue.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\mavwplwymhrhfjmaciiw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\mavwplwymhrhfjmaciiw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\mavwplwymhrhfjmaciiw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\mavwplwymhrhfjmaciiw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\yizwldkisjpbvvue.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\fqigwpxwhzgtoppaz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\mavwplwymhrhfjmaciiw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\bqmoifrujfqhglpehopea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\oatsjdmmyrznjlmyyc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\fqigwpxwhzgtoppaz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zmggytderlujgjlyzed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zmggytderlujgjlyzed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\yizwldkisjpbvvue.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zmggytderlujgjlyzed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\yizwldkisjpbvvue.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\yizwldkisjpbvvue.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\oatsjdmmyrznjlmyyc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\bqmoifrujfqhglpehopea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zmggytderlujgjlyzed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\oatsjdmmyrznjlmyyc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\mavwplwymhrhfjmaciiw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\bqmoifrujfqhglpehopea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\bqmoifrujfqhglpehopea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\bqmoifrujfqhglpehopea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\fqigwpxwhzgtoppaz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\yizwldkisjpbvvue.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\oatsjdmmyrznjlmyyc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\mavwplwymhrhfjmaciiw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zmggytderlujgjlyzed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\yizwldkisjpbvvue.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\yizwldkisjpbvvue.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\oatsjdmmyrznjlmyyc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\bqmoifrujfqhglpehopea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\fqigwpxwhzgtoppaz.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5504 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
PID 5504 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
PID 5504 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
PID 1828 wrote to memory of 4716 N/A C:\Windows\system32\cmd.exe C:\Windows\bqmoifrujfqhglpehopea.exe
PID 1828 wrote to memory of 4716 N/A C:\Windows\system32\cmd.exe C:\Windows\bqmoifrujfqhglpehopea.exe
PID 1828 wrote to memory of 4716 N/A C:\Windows\system32\cmd.exe C:\Windows\bqmoifrujfqhglpehopea.exe
PID 4848 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Windows\oatsjdmmyrznjlmyyc.exe
PID 4848 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Windows\oatsjdmmyrznjlmyyc.exe
PID 4848 wrote to memory of 4932 N/A C:\Windows\system32\cmd.exe C:\Windows\oatsjdmmyrznjlmyyc.exe
PID 4932 wrote to memory of 3584 N/A C:\Windows\oatsjdmmyrznjlmyyc.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
PID 4932 wrote to memory of 3584 N/A C:\Windows\oatsjdmmyrznjlmyyc.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
PID 4932 wrote to memory of 3584 N/A C:\Windows\oatsjdmmyrznjlmyyc.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
PID 4904 wrote to memory of 3644 N/A C:\Windows\system32\cmd.exe C:\Windows\zmggytderlujgjlyzed.exe
PID 4904 wrote to memory of 3644 N/A C:\Windows\system32\cmd.exe C:\Windows\zmggytderlujgjlyzed.exe
PID 4904 wrote to memory of 3644 N/A C:\Windows\system32\cmd.exe C:\Windows\zmggytderlujgjlyzed.exe
PID 2456 wrote to memory of 5056 N/A C:\Windows\system32\cmd.exe C:\Windows\yizwldkisjpbvvue.exe
PID 2456 wrote to memory of 5056 N/A C:\Windows\system32\cmd.exe C:\Windows\yizwldkisjpbvvue.exe
PID 2456 wrote to memory of 5056 N/A C:\Windows\system32\cmd.exe C:\Windows\yizwldkisjpbvvue.exe
PID 5056 wrote to memory of 5012 N/A C:\Windows\yizwldkisjpbvvue.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
PID 5056 wrote to memory of 5012 N/A C:\Windows\yizwldkisjpbvvue.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
PID 5056 wrote to memory of 5012 N/A C:\Windows\yizwldkisjpbvvue.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
PID 5036 wrote to memory of 5032 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
PID 5036 wrote to memory of 5032 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
PID 5036 wrote to memory of 5032 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe
PID 3520 wrote to memory of 3724 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
PID 3520 wrote to memory of 3724 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
PID 3520 wrote to memory of 3724 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe
PID 3724 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
PID 3724 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
PID 3724 wrote to memory of 3592 N/A C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
PID 1164 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
PID 1164 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
PID 1164 wrote to memory of 3024 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe
PID 4504 wrote to memory of 5008 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
PID 4504 wrote to memory of 5008 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
PID 4504 wrote to memory of 5008 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
PID 5008 wrote to memory of 5236 N/A C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
PID 5008 wrote to memory of 5236 N/A C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
PID 5008 wrote to memory of 5236 N/A C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
PID 2976 wrote to memory of 5836 N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe C:\Users\Admin\AppData\Local\Temp\bagsw.exe
PID 2976 wrote to memory of 5836 N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe C:\Users\Admin\AppData\Local\Temp\bagsw.exe
PID 2976 wrote to memory of 5836 N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe C:\Users\Admin\AppData\Local\Temp\bagsw.exe
PID 2976 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe C:\Users\Admin\AppData\Local\Temp\bagsw.exe
PID 2976 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe C:\Users\Admin\AppData\Local\Temp\bagsw.exe
PID 2976 wrote to memory of 1076 N/A C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe C:\Users\Admin\AppData\Local\Temp\bagsw.exe
PID 6104 wrote to memory of 5436 N/A C:\Windows\system32\cmd.exe C:\Windows\zmggytderlujgjlyzed.exe
PID 6104 wrote to memory of 5436 N/A C:\Windows\system32\cmd.exe C:\Windows\zmggytderlujgjlyzed.exe
PID 6104 wrote to memory of 5436 N/A C:\Windows\system32\cmd.exe C:\Windows\zmggytderlujgjlyzed.exe
PID 4372 wrote to memory of 5432 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
PID 4372 wrote to memory of 5432 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
PID 4372 wrote to memory of 5432 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe
PID 3432 wrote to memory of 696 N/A C:\Windows\system32\cmd.exe C:\Windows\zmggytderlujgjlyzed.exe
PID 3432 wrote to memory of 696 N/A C:\Windows\system32\cmd.exe C:\Windows\zmggytderlujgjlyzed.exe
PID 3432 wrote to memory of 696 N/A C:\Windows\system32\cmd.exe C:\Windows\zmggytderlujgjlyzed.exe
PID 2200 wrote to memory of 5780 N/A C:\Windows\system32\cmd.exe C:\Windows\fqigwpxwhzgtoppaz.exe
PID 2200 wrote to memory of 5780 N/A C:\Windows\system32\cmd.exe C:\Windows\fqigwpxwhzgtoppaz.exe
PID 2200 wrote to memory of 5780 N/A C:\Windows\system32\cmd.exe C:\Windows\fqigwpxwhzgtoppaz.exe
PID 696 wrote to memory of 5880 N/A C:\Windows\zmggytderlujgjlyzed.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
PID 696 wrote to memory of 5880 N/A C:\Windows\zmggytderlujgjlyzed.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
PID 696 wrote to memory of 5880 N/A C:\Windows\zmggytderlujgjlyzed.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
PID 5780 wrote to memory of 1796 N/A C:\Windows\fqigwpxwhzgtoppaz.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
PID 5780 wrote to memory of 1796 N/A C:\Windows\fqigwpxwhzgtoppaz.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
PID 5780 wrote to memory of 1796 N/A C:\Windows\fqigwpxwhzgtoppaz.exe C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe
PID 3668 wrote to memory of 1380 N/A C:\Windows\system32\cmd.exe C:\Windows\yizwldkisjpbvvue.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\bagsw.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe"

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe*"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."

C:\Users\Admin\AppData\Local\Temp\bagsw.exe

"C:\Users\Admin\AppData\Local\Temp\bagsw.exe" "-C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe"

C:\Users\Admin\AppData\Local\Temp\bagsw.exe

"C:\Users\Admin\AppData\Local\Temp\bagsw.exe" "-C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe .

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe .

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\fqigwpxwhzgtoppaz.exe*."

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe .

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\yizwldkisjpbvvue.exe*."

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\zmggytderlujgjlyzed.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe .

C:\Windows\mavwplwymhrhfjmaciiw.exe

mavwplwymhrhfjmaciiw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\mavwplwymhrhfjmaciiw.exe*."

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\fqigwpxwhzgtoppaz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\fqigwpxwhzgtoppaz.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\oatsjdmmyrznjlmyyc.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Windows\oatsjdmmyrznjlmyyc.exe

oatsjdmmyrznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\oatsjdmmyrznjlmyyc.exe*."

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe

C:\Users\Admin\AppData\Local\Temp\mavwplwymhrhfjmaciiw.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\mavwplwymhrhfjmaciiw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\zmggytderlujgjlyzed.exe*."

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe

C:\Users\Admin\AppData\Local\Temp\bqmoifrujfqhglpehopea.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\bqmoifrujfqhglpehopea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\oatsjdmmyrznjlmyyc.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe

C:\Users\Admin\AppData\Local\Temp\yizwldkisjpbvvue.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\users\admin\appdata\local\temp\yizwldkisjpbvvue.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe

C:\Windows\yizwldkisjpbvvue.exe

yizwldkisjpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .

C:\Windows\zmggytderlujgjlyzed.exe

zmggytderlujgjlyzed.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqigwpxwhzgtoppaz.exe .

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqmoifrujfqhglpehopea.exe

C:\Windows\fqigwpxwhzgtoppaz.exe

fqigwpxwhzgtoppaz.exe .

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

"C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe" "c:\windows\bqmoifrujfqhglpehopea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmggytderlujgjlyzed.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe

C:\Windows\bqmoifrujfqhglpehopea.exe

bqmoifrujfqhglpehopea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mavwplwymhrhfjmaciiw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.whatismyip.com udp
US 172.66.40.87:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 172.66.40.87:80 www.whatismyip.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.66.40.87:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.whatismyip.ca udp
US 172.66.40.87:80 www.whatismyip.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.66.40.87:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.myspace.com udp
US 34.111.176.156:80 www.myspace.com tcp
LT 87.239.84.140:21712 tcp
US 8.8.8.8:53 gyuuym.org udp
DE 85.214.228.140:80 gyuuym.org tcp
US 8.8.8.8:53 zjrcaat.net udp
US 8.8.8.8:53 jmjqnoun.info udp
US 8.8.8.8:53 asuqse.com udp
US 8.8.8.8:53 tefqhcfq.net udp
US 8.8.8.8:53 kirksjrvrv.info udp
US 8.8.8.8:53 pvnhaiyr.net udp
US 8.8.8.8:53 unxfuild.info udp
SG 18.142.91.111:80 unxfuild.info tcp
US 8.8.8.8:53 wqesocem.org udp
US 8.8.8.8:53 lgxmnxp.info udp
US 8.8.8.8:53 zgjnxthpviz.info udp
US 8.8.8.8:53 ggoiukqgsikq.org udp
US 8.8.8.8:53 awisvuy.info udp
US 8.8.8.8:53 dagegqggpgf.org udp
US 8.8.8.8:53 lewkwnfrizjq.net udp
US 8.8.8.8:53 ruvyfws.com udp
US 8.8.8.8:53 gazllyhanki.info udp
US 8.8.8.8:53 gjtsbntbaatr.info udp
US 8.8.8.8:53 bbajrallgqn.org udp
US 8.8.8.8:53 jiwbamytikml.info udp
US 8.8.8.8:53 udzdjiddn.net udp
US 8.8.8.8:53 hoeezyywdoz.info udp
US 8.8.8.8:53 gbyalwlcv.net udp
US 8.8.8.8:53 kyokyukskecc.com udp
US 8.8.8.8:53 ttworno.org udp
US 8.8.8.8:53 ygoukmwg.org udp
US 8.8.8.8:53 yztalajwop.info udp
US 8.8.8.8:53 nbyutq.info udp
US 8.8.8.8:53 nnqjikusx.net udp
US 8.8.8.8:53 esgqqqogqq.com udp
US 8.8.8.8:53 cydlrge.info udp
US 104.156.155.94:80 cydlrge.info tcp
US 8.8.8.8:53 goznlxhalsn.net udp
US 8.8.8.8:53 qsekoukeokqg.com udp
US 8.8.8.8:53 dipmkaqelcq.net udp
US 8.8.8.8:53 ueucscywqw.org udp
US 8.8.8.8:53 funxalhc.info udp
US 8.8.8.8:53 rgozhcdomyn.org udp
US 8.8.8.8:53 mjotpzfbosdh.info udp
US 8.8.8.8:53 yaommmwa.org udp
US 8.8.8.8:53 hmrltcqifce.net udp
US 8.8.8.8:53 luvehemiri.info udp
US 8.8.8.8:53 jnydlxt.info udp
US 8.8.8.8:53 wqvsigz.net udp
US 8.8.8.8:53 srsatozxrchk.net udp
US 8.8.8.8:53 keoudom.net udp
US 8.8.8.8:53 ayxsfupon.info udp
LT 78.61.122.246:36338 tcp
US 8.8.8.8:53 rktljt.info udp
US 8.8.8.8:53 iucege.org udp
US 8.8.8.8:53 muozoxdrrpnc.net udp
US 8.8.8.8:53 hqwrnlhoplzd.info udp
US 8.8.8.8:53 hmfurcniz.info udp
US 8.8.8.8:53 fnpisttwqql.net udp
US 8.8.8.8:53 johoxgt.info udp
US 8.8.8.8:53 ddpobim.org udp
US 8.8.8.8:53 okngzvevkk.net udp
US 8.8.8.8:53 aczmvctsvcwp.net udp
US 8.8.8.8:53 muqsxtbuvaqg.info udp
US 8.8.8.8:53 kyresqwg.net udp
US 8.8.8.8:53 usbaplchm.net udp
US 8.8.8.8:53 bbdhjljo.info udp
US 8.8.8.8:53 ewhqxezcwwc.net udp
US 8.8.8.8:53 agmhzaxxdp.info udp
US 8.8.8.8:53 vdfubgb.net udp
US 8.8.8.8:53 eevzwywdnemu.info udp
US 8.8.8.8:53 yoaoooewyeeo.com udp
US 8.8.8.8:53 xpgwfipglow.com udp
US 8.8.8.8:53 innykmrioo.net udp
US 8.8.8.8:53 skyakxeb.info udp
US 8.8.8.8:53 ohgfcpvmvy.net udp
US 8.8.8.8:53 omtzlccvxmkf.info udp
US 8.8.8.8:53 mdhpuesj.net udp
US 8.8.8.8:53 ewxxjq.net udp
US 8.8.8.8:53 tilspwhuzrn.info udp
US 8.8.8.8:53 xsdqkntopop.net udp
US 8.8.8.8:53 dqjrswwie.com udp
US 8.8.8.8:53 pzapgyrk.net udp
US 8.8.8.8:53 lglfnuhjut.info udp
US 8.8.8.8:53 eksckm.com udp
US 8.8.8.8:53 ccliyulceo.info udp
US 8.8.8.8:53 cssucwqysu.org udp
US 8.8.8.8:53 iouqmc.com udp
US 8.8.8.8:53 vrxmprngmlhk.net udp
US 8.8.8.8:53 gcasfaq.info udp
US 8.8.8.8:53 pnnfblb.com udp
US 8.8.8.8:53 ccknyf.net udp
US 8.8.8.8:53 cyryymiju.net udp
US 8.8.8.8:53 mtcxagytnahn.info udp
US 8.8.8.8:53 zglsbswnrqx.com udp
US 8.8.8.8:53 eznabol.net udp
US 8.8.8.8:53 esruxvjiltb.net udp
US 8.8.8.8:53 egwmww.com udp
US 8.8.8.8:53 gmhinip.net udp
US 8.8.8.8:53 klqmnybibg.net udp
US 8.8.8.8:53 nhjheyenyaf.org udp
US 8.8.8.8:53 uokiqop.info udp
LT 78.58.192.136:35141 tcp
US 8.8.8.8:53 fkbifozck.org udp
US 8.8.8.8:53 lwekcn.net udp
US 8.8.8.8:53 ablqhzl.net udp
US 8.8.8.8:53 xvzumiq.org udp
US 8.8.8.8:53 lyxmnybibg.info udp
US 8.8.8.8:53 aqfofhqk.net udp
US 8.8.8.8:53 dkouvubcpovf.info udp
US 8.8.8.8:53 seirrjh.info udp
US 8.8.8.8:53 tbrijqq.com udp
US 8.8.8.8:53 smoasausig.com udp
US 8.8.8.8:53 frqjnqok.net udp
US 8.8.8.8:53 eqbemnxt.net udp
US 8.8.8.8:53 lwnwdktijgp.info udp
US 8.8.8.8:53 omuscigooi.com udp
US 8.8.8.8:53 kgucribs.info udp
US 8.8.8.8:53 nqgihqxcje.info udp
US 8.8.8.8:53 qenqycduz.info udp
US 8.8.8.8:53 letzcmg.info udp
US 8.8.8.8:53 zyfitez.info udp
US 8.8.8.8:53 mimqeou.net udp
US 8.8.8.8:53 dalsjnnthafg.net udp
US 8.8.8.8:53 gyqendzmscmd.info udp
US 8.8.8.8:53 vfgkbe.info udp
US 8.8.8.8:53 leqdurjb.net udp
US 8.8.8.8:53 dnpxizc.info udp
US 8.8.8.8:53 uslzjq.info udp
US 8.8.8.8:53 xiawtn.net udp
US 8.8.8.8:53 edjldyu.net udp
US 8.8.8.8:53 xipjxswj.info udp
US 8.8.8.8:53 dxikspgshgbk.info udp
US 8.8.8.8:53 cdskkm.net udp
US 8.8.8.8:53 lgmwshpwdp.net udp
US 8.8.8.8:53 efrwinpm.net udp
US 8.8.8.8:53 zdexvcgcrif.com udp
US 8.8.8.8:53 zgrjrexb.net udp
US 8.8.8.8:53 umckeoqwkyiw.com udp
US 8.8.8.8:53 xvhxhv.info udp
US 8.8.8.8:53 lxefpcsfxcl.info udp
US 8.8.8.8:53 mvxemszzjkri.net udp
US 8.8.8.8:53 eeueccewmeem.com udp
US 8.8.8.8:53 jstizsawrkc.org udp
US 8.8.8.8:53 jlxeto.net udp
US 8.8.8.8:53 rezvmsxsm.org udp
US 8.8.8.8:53 ksuequea.org udp
US 8.8.8.8:53 gthoprfe.net udp
US 8.8.8.8:53 amtljiz.info udp
US 8.8.8.8:53 kuxzxsccd.net udp
US 8.8.8.8:53 tjzaee.net udp
US 8.8.8.8:53 temvdeeqf.net udp
US 8.8.8.8:53 vlpxze.info udp
US 8.8.8.8:53 xvgnzx.info udp
US 8.8.8.8:53 hxztgnnkjq.net udp
US 8.8.8.8:53 vranwj.net udp
US 8.8.8.8:53 wbdvmisb.net udp
US 8.8.8.8:53 skywyumxq.net udp
US 8.8.8.8:53 xdldfpbqdp.info udp
US 8.8.8.8:53 opblxgtmn.net udp
US 8.8.8.8:53 nmbtfat.com udp
US 8.8.8.8:53 egsmyysc.org udp
US 8.8.8.8:53 uuzpvad.info udp
US 8.8.8.8:53 mygnjljsmptl.info udp
BG 130.204.67.124:38194 tcp
US 8.8.8.8:53 ieesgy.com udp
US 8.8.8.8:53 swfnei.info udp
US 8.8.8.8:53 hhbvehzu.info udp
US 8.8.8.8:53 qolyygtjlcz.net udp
US 8.8.8.8:53 nshdioh.net udp
US 8.8.8.8:53 vauyyxuyzmr.info udp
US 8.8.8.8:53 gamaco.org udp
US 8.8.8.8:53 ksciycwg.org udp
US 8.8.8.8:53 tyxcbxpil.org udp
US 8.8.8.8:53 ekqqcc.org udp
US 8.8.8.8:53 cwaewwwkey.com udp
US 8.8.8.8:53 miskiykeqk.com udp
US 8.8.8.8:53 agoikdgilq.net udp
US 8.8.8.8:53 jdviqqjndbp.info udp
US 8.8.8.8:53 ihvqrzy.net udp
US 8.8.8.8:53 saamksqwmc.org udp
US 8.8.8.8:53 mctxvqe.net udp
US 8.8.8.8:53 jtpxjgaiy.info udp
US 8.8.8.8:53 dwfkeogzvhjn.info udp
US 8.8.8.8:53 zkwpqkhtlcm.org udp
US 8.8.8.8:53 xlrqvvjyvy.net udp
US 8.8.8.8:53 dflqknsl.net udp
US 8.8.8.8:53 pqyqsvmi.net udp
US 8.8.8.8:53 orfmafjrvyvp.net udp
US 8.8.8.8:53 ibbjtwcethv.info udp
US 8.8.8.8:53 pptvvz.info udp
US 8.8.8.8:53 qtgqqinahbp.info udp
US 8.8.8.8:53 oxaetw.net udp
US 8.8.8.8:53 twxmymfuh.net udp
US 8.8.8.8:53 nkgnoqa.com udp
US 8.8.8.8:53 waogsumy.com udp
US 8.8.8.8:53 lythnsgzjn.info udp
US 8.8.8.8:53 tcvuvhjwh.info udp
US 8.8.8.8:53 hdaflgsajr.net udp
US 8.8.8.8:53 xwkiaur.net udp
US 8.8.8.8:53 bzlenncy.info udp
US 8.8.8.8:53 jubvpax.info udp
US 8.8.8.8:53 zkmowr.net udp
US 8.8.8.8:53 uqlbzimdt.net udp
US 8.8.8.8:53 aknsgwkcl.net udp
US 8.8.8.8:53 dcqybxb.net udp
US 8.8.8.8:53 ecbwysbz.info udp
US 8.8.8.8:53 mphorxao.info udp
US 8.8.8.8:53 vhbbcbnq.net udp
US 8.8.8.8:53 njmyupro.net udp
US 8.8.8.8:53 dljivorqbwr.net udp
US 8.8.8.8:53 cxqlztryntb.info udp
US 8.8.8.8:53 ccokspzpxiqx.info udp
US 8.8.8.8:53 xrpwmsl.info udp
US 8.8.8.8:53 uvsgusp.net udp
US 8.8.8.8:53 agngjan.net udp
US 8.8.8.8:53 mqzczandiiga.info udp
US 8.8.8.8:53 cgwmmgseue.org udp
US 8.8.8.8:53 ahkgvfbpposr.info udp
US 8.8.8.8:53 faacagdzpoz.net udp
US 8.8.8.8:53 iusioomq.org udp
US 8.8.8.8:53 refpzmhidkr.com udp
US 8.8.8.8:53 rygqruz.net udp
US 8.8.8.8:53 ozfuageg.net udp
US 8.8.8.8:53 qnifeztfnexf.info udp
US 8.8.8.8:53 sfiyjg.info udp
US 8.8.8.8:53 tzsmrdkivc.info udp
US 8.8.8.8:53 wcsbrpz.net udp
US 8.8.8.8:53 whieoliveilh.net udp
US 8.8.8.8:53 gjfopgnhwau.info udp
BG 130.204.87.10:40490 tcp
US 8.8.8.8:53 znxcxzx.net udp
US 8.8.8.8:53 bnvuxidzlemr.info udp
US 8.8.8.8:53 scgfeyxd.info udp
US 8.8.8.8:53 uwcuws.org udp
US 8.8.8.8:53 bgskncggc.com udp
US 8.8.8.8:53 muphoul.info udp
US 8.8.8.8:53 bahgygzqttb.com udp
US 8.8.8.8:53 eyptytbcfgjk.info udp
US 8.8.8.8:53 psntburxdar.net udp
US 8.8.8.8:53 wshubuxcvmi.net udp
US 8.8.8.8:53 azlfou.info udp
US 8.8.8.8:53 nynxoaij.net udp
US 8.8.8.8:53 aqxgxntt.info udp
US 8.8.8.8:53 umyicieyee.org udp
US 8.8.8.8:53 mipjgulenwx.info udp
US 8.8.8.8:53 czisbqmw.net udp
US 8.8.8.8:53 lxtezs.info udp
US 8.8.8.8:53 vcsuct.net udp
US 8.8.8.8:53 fqgnny.net udp
US 8.8.8.8:53 mjxxtvxsirxs.net udp
US 8.8.8.8:53 fsyczawoha.info udp
US 8.8.8.8:53 mfmmpvred.net udp
US 8.8.8.8:53 qytqtqxej.net udp
US 8.8.8.8:53 uacewcsi.org udp
US 8.8.8.8:53 atkzfclhbift.info udp
US 8.8.8.8:53 omcoawgyqugi.org udp
US 8.8.8.8:53 koiuvgzyhzvf.net udp
US 8.8.8.8:53 dpnyefitealy.info udp
US 8.8.8.8:53 qwsqae.com udp
US 8.8.8.8:53 xpjcntyobq.net udp
US 8.8.8.8:53 wueysyqiyg.org udp
US 8.8.8.8:53 nrhoprlqkf.net udp
US 8.8.8.8:53 gnjydacld.net udp
US 8.8.8.8:53 blgxajgjyomi.info udp
US 8.8.8.8:53 osqcyyccqe.com udp
US 8.8.8.8:53 dwhdjqq.org udp
US 8.8.8.8:53 bsmtnilhyjev.net udp
US 8.8.8.8:53 mqwcwakcacok.com udp
US 8.8.8.8:53 xixmpelmwxw.info udp
US 8.8.8.8:53 pezumjuvl.net udp
US 8.8.8.8:53 kjskvzf.info udp
US 8.8.8.8:53 lzbjkx.info udp
US 8.8.8.8:53 yogqummkqccc.org udp
US 8.8.8.8:53 kedyrqmar.net udp
US 8.8.8.8:53 mmceygmisc.org udp
US 8.8.8.8:53 geoauusquukw.com udp
US 8.8.8.8:53 ifxanmxr.net udp
US 8.8.8.8:53 qaaqjbnoma.info udp
US 8.8.8.8:53 mbfsjumkq.info udp
US 8.8.8.8:53 blriytvijot.com udp
LV 81.198.175.17:26835 tcp
US 8.8.8.8:53 egiehizwpo.net udp
US 8.8.8.8:53 kiwfgclohhh.info udp
US 8.8.8.8:53 zazwetpv.net udp
US 8.8.8.8:53 aqjcrip.info udp
US 8.8.8.8:53 jtfobcrufvig.info udp
US 8.8.8.8:53 siinbjp.info udp
US 8.8.8.8:53 iiumnibeazvy.net udp
US 8.8.8.8:53 rvfhdeirvqv.com udp
US 8.8.8.8:53 urdltzjz.net udp
US 8.8.8.8:53 zvdedtdq.net udp
US 8.8.8.8:53 tvruda.net udp
US 8.8.8.8:53 wmambwp.net udp
US 8.8.8.8:53 guqsfbz.info udp
US 8.8.8.8:53 rtgmvxt.info udp
US 8.8.8.8:53 gaqkygwq.org udp
US 8.8.8.8:53 sopuvrv.net udp
US 8.8.8.8:53 jojeqxqf.net udp
US 8.8.8.8:53 uynpjtp.info udp
US 8.8.8.8:53 acsysm.com udp
US 8.8.8.8:53 jrbulad.info udp
US 8.8.8.8:53 wihojvjefzt.net udp
US 8.8.8.8:53 hltuubbyq.net udp
US 8.8.8.8:53 drgaob.info udp
US 8.8.8.8:53 ggauku.org udp
US 8.8.8.8:53 bpzorpfuhtf.org udp
US 8.8.8.8:53 jmaqisxd.net udp
US 8.8.8.8:53 zgywauslz.net udp
US 8.8.8.8:53 tgbyomtyjus.com udp
US 8.8.8.8:53 vlrbnp.net udp
US 8.8.8.8:53 wfekzb.info udp
US 8.8.8.8:53 xdmebxtplh.net udp
US 8.8.8.8:53 bkngmvgi.net udp
US 8.8.8.8:53 xlvqlmnzywa.org udp
US 8.8.8.8:53 qrvujthn.net udp
US 8.8.8.8:53 qzgqermax.net udp
US 8.8.8.8:53 seiqzsccd.info udp
US 8.8.8.8:53 rohfze.net udp
US 8.8.8.8:53 bqdindvszcl.com udp
US 8.8.8.8:53 acyscumenj.info udp
US 8.8.8.8:53 dmxlrkohhq.net udp
US 8.8.8.8:53 dykwknvmdfdj.info udp
US 8.8.8.8:53 eaoeysyyya.com udp
US 8.8.8.8:53 hlpusx.info udp
US 8.8.8.8:53 wawaoiyk.com udp
US 8.8.8.8:53 bnzwpuktjc.info udp
US 8.8.8.8:53 kamcyw.com udp
US 8.8.8.8:53 lczoradauoz.net udp
US 8.8.8.8:53 looaxhpnjaf.org udp
US 8.8.8.8:53 fysqbsfsc.info udp
US 8.8.8.8:53 rtehhf.net udp
US 8.8.8.8:53 kyocyq.org udp
US 8.8.8.8:53 coxvgkqtsib.info udp
US 8.8.8.8:53 vdpcjuhj.net udp
US 8.8.8.8:53 zynreu.net udp
US 8.8.8.8:53 dazulnj.org udp
US 8.8.8.8:53 junmtgy.com udp
US 8.8.8.8:53 jzthxr.net udp
US 8.8.8.8:53 aackwwyk.com udp
US 8.8.8.8:53 fjusznt.com udp
US 8.8.8.8:53 mlpenxfngr.info udp
US 8.8.8.8:53 zommurjdbywg.net udp
US 8.8.8.8:53 taktcaxol.com udp
US 8.8.8.8:53 fkfopirst.com udp
US 8.8.8.8:53 nxckvsmxy.net udp
US 8.8.8.8:53 sojotwg.net udp
US 8.8.8.8:53 zuhmapbot.net udp
US 8.8.8.8:53 etfipozbgcd.net udp
US 8.8.8.8:53 vjvlnnztmb.net udp
US 8.8.8.8:53 ayccwkiuuioo.org udp
US 8.8.8.8:53 gccgesykiyus.org udp
US 8.8.8.8:53 akowww.org udp
US 8.8.8.8:53 yojkaljecqs.info udp
US 8.8.8.8:53 oiymgkeueesm.org udp
US 8.8.8.8:53 tfrlrazwjfbz.net udp
US 8.8.8.8:53 vmovellwztvz.net udp
US 8.8.8.8:53 hhxifefy.net udp
US 8.8.8.8:53 ljodhjf.org udp
US 8.8.8.8:53 gckcqaokwkqw.org udp
US 8.8.8.8:53 ecegeakc.org udp
US 8.8.8.8:53 ljsgrdiegz.info udp
US 8.8.8.8:53 rxkcuhu.org udp
US 8.8.8.8:53 guxqktlobyz.net udp
US 8.8.8.8:53 zkfhhofqumr.info udp
US 8.8.8.8:53 lskioknupsg.net udp
US 8.8.8.8:53 ootkjdzphd.net udp
US 8.8.8.8:53 sqpsqf.net udp
US 8.8.8.8:53 giztiauazy.info udp
US 8.8.8.8:53 vpqobqqml.net udp
US 8.8.8.8:53 aararuzmj.info udp
US 8.8.8.8:53 zrizzt.net udp
US 8.8.8.8:53 nsjnpn.net udp
US 8.8.8.8:53 ugvcvudls.info udp
US 8.8.8.8:53 vurojxpmuk.info udp
US 8.8.8.8:53 xrucxnzr.info udp
US 8.8.8.8:53 fajijdb.info udp
RU 78.85.83.34:32391 tcp
US 8.8.8.8:53 ivewnr.info udp
US 8.8.8.8:53 xoqyowig.info udp
US 8.8.8.8:53 nwbuqmg.net udp
US 8.8.8.8:53 rkpwhqyc.net udp
US 8.8.8.8:53 bmdosozpo.net udp
US 8.8.8.8:53 msocwajdr.info udp
US 8.8.8.8:53 oewwlhtahvrl.info udp
US 8.8.8.8:53 wmnalmx.info udp
US 8.8.8.8:53 nqxijbihvn.info udp
US 8.8.8.8:53 luzucodrx.net udp
US 8.8.8.8:53 gjtizw.net udp
US 8.8.8.8:53 nifsfgrcbrq.info udp
US 8.8.8.8:53 yspynbdonzn.net udp
US 8.8.8.8:53 oeisiywiuies.org udp
US 8.8.8.8:53 vuizmyhrn.info udp
US 8.8.8.8:53 kqmuaeqmqkqa.com udp
US 8.8.8.8:53 ryrkpkx.com udp
US 8.8.8.8:53 ljjjvulmla.net udp
US 8.8.8.8:53 xrctizgjhu.net udp
US 8.8.8.8:53 ugsvbou.info udp
US 8.8.8.8:53 yuqucvcb.net udp
US 8.8.8.8:53 rdbhduyy.net udp
US 8.8.8.8:53 jpzcvyd.info udp
US 8.8.8.8:53 jnjyhudpb.net udp
US 8.8.8.8:53 rfcqjgcwrllk.info udp
US 8.8.8.8:53 iuasoeeeko.org udp
US 8.8.8.8:53 wwgocoga.org udp
LT 78.56.55.11:21416 tcp
US 8.8.8.8:53 yigozda.info udp
US 8.8.8.8:53 hkiyxbmyrd.info udp
US 8.8.8.8:53 ooewwc.org udp
US 8.8.8.8:53 msoaukiwkswq.com udp
US 8.8.8.8:53 zmrcakty.info udp
US 8.8.8.8:53 nktlxsr.org udp
US 8.8.8.8:53 jypigkw.net udp
US 8.8.8.8:53 xoqqrix.com udp
US 8.8.8.8:53 kmcsqh.net udp
US 8.8.8.8:53 vozjvmlig.com udp
US 8.8.8.8:53 jphhtgd.com udp
US 8.8.8.8:53 gvvdfatzrqr.info udp
US 8.8.8.8:53 jjncwbrsyehu.info udp
US 8.8.8.8:53 wnxmtm.info udp
US 8.8.8.8:53 rniwyrjlpzhc.info udp
US 8.8.8.8:53 pdiibmp.info udp
US 8.8.8.8:53 wwmewmuuyssy.org udp
US 8.8.8.8:53 eumxplbmsb.net udp
US 8.8.8.8:53 duwipawot.com udp
US 8.8.8.8:53 axdaxqby.info udp
US 8.8.8.8:53 omierhazkhgw.net udp
US 8.8.8.8:53 emuidm.info udp
US 8.8.8.8:53 bngrtqp.com udp
US 8.8.8.8:53 dwhbjyryutk.org udp
US 8.8.8.8:53 kwdrqyzrhd.net udp
US 8.8.8.8:53 zwtipnty.info udp
US 8.8.8.8:53 ohifahwyjuxu.net udp
US 8.8.8.8:53 tadcrz.net udp
US 8.8.8.8:53 isrkfebam.net udp
US 8.8.8.8:53 svdnfiytjpnj.info udp
US 8.8.8.8:53 xrjmbmgmisvh.info udp
US 8.8.8.8:53 hsvenpqlz.org udp
US 8.8.8.8:53 tzyuvkxjp.info udp
US 8.8.8.8:53 uonpnen.info udp
US 8.8.8.8:53 nehiaxa.org udp
US 8.8.8.8:53 ndwywrsr.net udp
US 8.8.8.8:53 jqtenkdayoy.org udp
US 8.8.8.8:53 zhtkgjaoeqvb.info udp
US 8.8.8.8:53 qkyinezoton.info udp
US 8.8.8.8:53 lvliwxsju.net udp
US 8.8.8.8:53 ikpcmmqssqd.net udp
US 8.8.8.8:53 wcgcuuiu.org udp
US 8.8.8.8:53 ziksuzwgp.net udp
US 8.8.8.8:53 ywrzvvfhnufc.net udp
US 8.8.8.8:53 lzkdquculk.net udp
US 8.8.8.8:53 qkxebyttjudm.net udp
US 8.8.8.8:53 agfxoc.info udp
US 8.8.8.8:53 osgoao.com udp
US 8.8.8.8:53 isusgoykgyom.com udp
US 8.8.8.8:53 nhmyomxjv.info udp
US 8.8.8.8:53 agagcg.org udp
US 8.8.8.8:53 qcwmqicw.com udp
US 8.8.8.8:53 noiibzptet.net udp
US 8.8.8.8:53 qwbkuixhlur.net udp
US 8.8.8.8:53 mmjpvskgpvlh.net udp
US 8.8.8.8:53 tyzkrdhyl.info udp
US 8.8.8.8:53 xolifsv.org udp
US 8.8.8.8:53 xjxezblbf.net udp
US 8.8.8.8:53 jjrztak.info udp
US 8.8.8.8:53 vyvijbihvn.info udp
US 8.8.8.8:53 avjszaajyc.info udp
US 8.8.8.8:53 wsuadqcep.info udp
US 8.8.8.8:53 zgzsca.info udp
US 8.8.8.8:53 xzjelmhss.com udp
US 8.8.8.8:53 hsrofavrq.net udp
US 8.8.8.8:53 fhzxvrai.net udp
US 8.8.8.8:53 efzgjsu.info udp
US 8.8.8.8:53 bofsdcjkuks.org udp
US 8.8.8.8:53 rdpmxhnjpao.com udp
US 8.8.8.8:53 llpwlrlwpx.net udp
US 8.8.8.8:53 hmrulcizai.net udp
US 8.8.8.8:53 lotkpfnknsq.info udp
US 8.8.8.8:53 wyygwcgi.com udp
US 8.8.8.8:53 zzzabmdtebya.net udp
US 8.8.8.8:53 tfdjgocblgbk.info udp
US 8.8.8.8:53 fdkrpdfhhi.net udp
US 8.8.8.8:53 bctwfgikb.org udp
US 8.8.8.8:53 vjyhmkkzqw.net udp
US 8.8.8.8:53 vmemmvokxkit.net udp
US 8.8.8.8:53 bbqkfxvm.net udp
US 8.8.8.8:53 fzqqksnzg.net udp
BG 77.71.16.138:24169 tcp
US 8.8.8.8:53 xhnurihk.net udp
US 8.8.8.8:53 yssdlbjazpn.info udp
US 8.8.8.8:53 agqwme.com udp
US 8.8.8.8:53 xmlymtnez.org udp
US 8.8.8.8:53 kgfibfidzv.info udp
US 8.8.8.8:53 xmrkjfqcd.com udp
US 8.8.8.8:53 ggskwm.org udp
US 8.8.8.8:53 odzbrjqoy.info udp
US 8.8.8.8:53 qcdqvoawdcp.net udp
US 8.8.8.8:53 ospslaxogst.info udp
US 8.8.8.8:53 sxzocaaql.net udp
US 8.8.8.8:53 aalijqi.info udp
US 8.8.8.8:53 iwodupfm.net udp
US 8.8.8.8:53 odqisf.info udp
US 8.8.8.8:53 xsbwfymqggo.info udp
US 8.8.8.8:53 hnhkfrz.org udp
US 8.8.8.8:53 ncpmyszzt.info udp
US 8.8.8.8:53 wqpofcaaw.info udp
US 8.8.8.8:53 yuznvxax.info udp
US 8.8.8.8:53 sldcha.net udp
US 8.8.8.8:53 vxrjiipucox.info udp
US 8.8.8.8:53 hafzwz.net udp
US 8.8.8.8:53 wobglu.info udp
US 8.8.8.8:53 ybxsqlwexbnh.info udp
US 8.8.8.8:53 lzeoasgihvzg.net udp
US 8.8.8.8:53 mocsrmzkg.net udp
US 8.8.8.8:53 xqfkvpjkpo.info udp
US 8.8.8.8:53 kkiamiym.com udp
US 8.8.8.8:53 ledkogt.info udp
US 8.8.8.8:53 gqozztrutfv.info udp
US 8.8.8.8:53 jatdaajehomt.net udp
US 8.8.8.8:53 hlmqsloprhmu.net udp
US 8.8.8.8:53 iwayoabes.net udp
US 8.8.8.8:53 blcsidosbbjn.net udp
US 8.8.8.8:53 vodhartcl.org udp
US 8.8.8.8:53 mwgkuyee.org udp
US 8.8.8.8:53 nttuue.net udp
US 8.8.8.8:53 oaowvozph.info udp
US 8.8.8.8:53 cemosksi.com udp
US 8.8.8.8:53 uiceesz.info udp
US 8.8.8.8:53 kkawko.org udp
US 8.8.8.8:53 iasuswuoqigw.com udp
US 8.8.8.8:53 jlvozbzqdqn.info udp
US 8.8.8.8:53 lwndquldxm.info udp
US 8.8.8.8:53 fjlvqhemmv.info udp
US 8.8.8.8:53 blqtanjn.info udp
US 8.8.8.8:53 bzaydhbkyko.info udp
US 8.8.8.8:53 hmzkrqzuz.org udp
US 8.8.8.8:53 uoxjsmld.info udp
US 8.8.8.8:53 usdvvgiyj.info udp
US 8.8.8.8:53 qhpmfmcspho.info udp
US 8.8.8.8:53 kkeiqw.com udp
US 8.8.8.8:53 zcamrnlqrgy.com udp
US 8.8.8.8:53 tdwffk.net udp
US 8.8.8.8:53 ewiuauieao.com udp
US 8.8.8.8:53 mqhqtnm.info udp
US 8.8.8.8:53 wccwooqckguo.org udp
US 8.8.8.8:53 idvllzxcwddt.info udp
US 8.8.8.8:53 rvlgriritcdx.info udp
US 8.8.8.8:53 bjpwlrlwpx.net udp
US 8.8.8.8:53 xrnghv.info udp
US 8.8.8.8:53 gzoktzfsyp.info udp
US 8.8.8.8:53 kicoaot.info udp
US 8.8.8.8:53 azavlani.net udp
US 8.8.8.8:53 mwouksakgw.com udp
US 8.8.8.8:53 bohenuceyvj.net udp
US 8.8.8.8:53 imwkkoik.com udp
US 8.8.8.8:53 qzuuudrq.info udp
US 8.8.8.8:53 phxqnablbpha.net udp
US 8.8.8.8:53 tsntsuwqvndu.net udp
US 8.8.8.8:53 sewuvwb.net udp
US 8.8.8.8:53 bvfwtoyycx.info udp
LT 78.58.111.167:15485 tcp
US 8.8.8.8:53 tncdtcxo.info udp
US 8.8.8.8:53 zehqegugqtll.info udp
US 8.8.8.8:53 usvwrjn.net udp
US 8.8.8.8:53 oaewcmmi.com udp
US 8.8.8.8:53 qyunfjnupdfr.net udp
US 8.8.8.8:53 jnxuvgizpwda.info udp
US 8.8.8.8:53 oxvbjavuaql.info udp
US 8.8.8.8:53 lexydrnbj.org udp
US 8.8.8.8:53 qgksue.org udp
US 8.8.8.8:53 xdctlkvdqghe.net udp
US 8.8.8.8:53 oalwpcngx.info udp
US 8.8.8.8:53 dywhbsw.info udp
US 8.8.8.8:53 rdzgvtvocoux.info udp
US 8.8.8.8:53 sgsiqqagyomq.org udp
US 8.8.8.8:53 cgqwayca.com udp
US 8.8.8.8:53 toltpzmnzrry.info udp
US 8.8.8.8:53 ocnogqfjv.info udp
US 8.8.8.8:53 sshocuayamn.net udp
US 8.8.8.8:53 xcrfxbihvn.info udp
US 8.8.8.8:53 begivrkoxbi.info udp
US 8.8.8.8:53 infkbrdahd.net udp
US 8.8.8.8:53 dkseyg.info udp
US 8.8.8.8:53 huvcjmfksm.info udp
US 8.8.8.8:53 pvesxitaordl.info udp
US 8.8.8.8:53 lmsyldlsh.com udp
US 8.8.8.8:53 vshuhpjqf.com udp
US 8.8.8.8:53 dzrmxez.com udp
US 8.8.8.8:53 rtpjyork.info udp
US 8.8.8.8:53 ewcbusyz.net udp
US 8.8.8.8:53 pykyumbmz.com udp
US 8.8.8.8:53 xgxgtgx.info udp
US 8.8.8.8:53 kacuqesamccw.com udp
US 8.8.8.8:53 zkdetwv.org udp
US 8.8.8.8:53 jcuayurgsh.info udp
US 8.8.8.8:53 mhxxlwxd.net udp
US 8.8.8.8:53 kxldwaoqfn.info udp
US 8.8.8.8:53 xjtvzwtznkdu.net udp
US 8.8.8.8:53 lzdazo.net udp
US 8.8.8.8:53 kmcotcuyt.net udp
US 8.8.8.8:53 tllcpcggjqie.info udp
US 8.8.8.8:53 pljwxqnddncy.info udp
US 8.8.8.8:53 cirabxhbcq.net udp
US 8.8.8.8:53 xxbuvavqnao.net udp
US 8.8.8.8:53 fcnxdxzzh.net udp
US 8.8.8.8:53 nnmztrfrnx.info udp
US 8.8.8.8:53 tldlxlwktaro.info udp
US 8.8.8.8:53 cqwwgwdbdd.net udp
US 8.8.8.8:53 tgzzsilpuoyu.info udp
US 8.8.8.8:53 uuvxxqb.info udp
US 8.8.8.8:53 kevnvbmy.info udp
US 8.8.8.8:53 rejwrwpoa.info udp
US 8.8.8.8:53 vgbfugpgbp.info udp
US 8.8.8.8:53 kflxzfccrev.net udp
US 8.8.8.8:53 jmuyzwjxj.net udp
US 8.8.8.8:53 rjqqjbxmqh.net udp
US 8.8.8.8:53 eyhrpqemz.info udp
US 8.8.8.8:53 ftfumumfsj.net udp
US 8.8.8.8:53 fgzczunuom.info udp
US 8.8.8.8:53 punwfyr.net udp
US 8.8.8.8:53 sgescokcmo.org udp
US 8.8.8.8:53 nkgyrfdywmce.net udp
US 8.8.8.8:53 xqvzvuewidov.info udp
US 8.8.8.8:53 dwmaxosnlqr.org udp
US 8.8.8.8:53 cbxhrtvcyx.net udp
US 8.8.8.8:53 lzwgpqnxhy.net udp
US 8.8.8.8:53 epdjlovz.net udp
US 8.8.8.8:53 tyxmhljol.com udp
GB 142.250.187.195:80 c.pki.goog tcp
US 8.8.8.8:53 twkojj.info udp
US 8.8.8.8:53 jehyhpbob.com udp
US 8.8.8.8:53 ikhjxajlpyn.net udp
US 8.8.8.8:53 rvdycyziki.info udp
US 8.8.8.8:53 luaiurlae.info udp
US 8.8.8.8:53 ymxbndxqc.info udp
US 8.8.8.8:53 edxewgiml.info udp
US 8.8.8.8:53 qeyiqcog.org udp
US 8.8.8.8:53 datqfabmxho.net udp
US 8.8.8.8:53 hsfspwfirsr.org udp
BR 201.95.88.110:19119 tcp
US 8.8.8.8:53 jhdscj.net udp
US 8.8.8.8:53 rfnkasj.info udp
US 8.8.8.8:53 rjirpwzz.net udp
US 8.8.8.8:53 nidipmp.net udp
US 8.8.8.8:53 fumvct.net udp
US 8.8.8.8:53 msauwssysguu.org udp
US 8.8.8.8:53 bntspk.net udp
US 8.8.8.8:53 sydqlvmsdtip.info udp
US 8.8.8.8:53 bgzyhghlpiw.info udp
US 8.8.8.8:53 xwzxfwhmtqp.net udp
US 8.8.8.8:53 dnyidwf.info udp
US 8.8.8.8:53 jktjcmhjscwv.info udp
US 8.8.8.8:53 moykocak.org udp
US 8.8.8.8:53 xzdjrucronfu.info udp
US 8.8.8.8:53 xkfnbfeovqn.org udp
US 8.8.8.8:53 ruemzw.net udp
US 8.8.8.8:53 yadxtkefpqdf.net udp
US 8.8.8.8:53 jwyiwnnnh.info udp
US 8.8.8.8:53 abszyyogk.info udp
US 8.8.8.8:53 vmpgzgfnnv.net udp
US 8.8.8.8:53 qngitmingp.net udp
US 8.8.8.8:53 slhzoddqht.info udp
US 8.8.8.8:53 dmxisozka.net udp
US 8.8.8.8:53 ecsokmawae.org udp
US 8.8.8.8:53 vchadohmp.com udp
US 8.8.8.8:53 ergfbapw.net udp
US 8.8.8.8:53 xrprhxdxqtrv.net udp
US 8.8.8.8:53 dyoboi.info udp
US 8.8.8.8:53 ulwprsdpevsj.info udp
US 8.8.8.8:53 accfdyqjtz.net udp
US 8.8.8.8:53 qyjxvcif.net udp
US 8.8.8.8:53 dbzqlhmvv.net udp
US 8.8.8.8:53 vgoxtkrwdqb.info udp
US 8.8.8.8:53 jqufzosybgq.info udp
US 8.8.8.8:53 rkwlhccy.info udp
US 8.8.8.8:53 nczeftfyt.net udp
US 8.8.8.8:53 zlfgtg.info udp
US 8.8.8.8:53 bleray.info udp
US 8.8.8.8:53 tiiqxcxatjv.com udp
US 8.8.8.8:53 hsggbldfdyjl.info udp
US 8.8.8.8:53 nthafgeqx.org udp
US 8.8.8.8:53 sczvmdl.net udp
US 8.8.8.8:53 ssmgckci.com udp
US 8.8.8.8:53 vbfpzrjegij.com udp
US 8.8.8.8:53 mmmygaykea.com udp
US 8.8.8.8:53 ceawcoaw.org udp
US 8.8.8.8:53 nokyiuyifmk.com udp
US 8.8.8.8:53 vibshiiel.net udp
US 8.8.8.8:53 qchibaabzk.net udp
US 8.8.8.8:53 miigkaes.org udp
US 8.8.8.8:53 vkpwadruwgcq.net udp
US 8.8.8.8:53 geomuuyg.com udp
US 8.8.8.8:53 kxnovo.info udp
US 8.8.8.8:53 tpdyflf.org udp
US 8.8.8.8:53 aswqqjj.net udp
US 8.8.8.8:53 jjqtpeerkb.net udp
US 8.8.8.8:53 xznubi.net udp
US 8.8.8.8:53 xuness.info udp
US 8.8.8.8:53 didypazwpqv.com udp
US 8.8.8.8:53 urkcltobhpwf.net udp
US 8.8.8.8:53 ymhymgcuv.net udp
US 8.8.8.8:53 usefzwcav.net udp
US 8.8.8.8:53 auosegcmyi.com udp
US 8.8.8.8:53 ymsmiiagyiyc.org udp
US 8.8.8.8:53 pmtzvimrlm.net udp
US 8.8.8.8:53 qazzhx.net udp
US 8.8.8.8:53 zzwqpcbur.net udp
US 8.8.8.8:53 eheflhppvg.net udp
US 8.8.8.8:53 stwjad.net udp
US 8.8.8.8:53 wcmsgs.com udp
HK 154.92.74.26:80 wcmsgs.com tcp
BG 212.233.245.162:31517 tcp
US 8.8.8.8:53 eyeumieeyows.com udp
US 8.8.8.8:53 zocptdqvefmr.net udp
US 8.8.8.8:53 uszxpwbx.info udp
US 8.8.8.8:53 jegpxl.info udp
US 8.8.8.8:53 ubgttghqeg.net udp
US 8.8.8.8:53 gmqmckca.com udp
US 8.8.8.8:53 piiimwvby.net udp
US 8.8.8.8:53 uldodnh.net udp
US 8.8.8.8:53 wunidwv.info udp
US 8.8.8.8:53 ugjyfpgfl.net udp
US 8.8.8.8:53 ojhefeyblmx.net udp
US 8.8.8.8:53 euzmjat.info udp
US 8.8.8.8:53 oaoqmgiq.org udp
US 8.8.8.8:53 dcxctmblkmyf.net udp
US 8.8.8.8:53 myrwjqkrwpbk.info udp
US 8.8.8.8:53 xojexwu.org udp
US 8.8.8.8:53 yannfuv.info udp
US 8.8.8.8:53 pkdeezbah.com udp
US 8.8.8.8:53 gwkikgsimg.org udp
US 8.8.8.8:53 toqovtf.org udp
US 8.8.8.8:53 oiqgekoeusci.org udp
US 8.8.8.8:53 mpkbfsgyp.info udp
US 8.8.8.8:53 wubpgijglxbz.info udp
US 8.8.8.8:53 qseoumkkca.org udp
US 8.8.8.8:53 wbhxhzlf.net udp
US 8.8.8.8:53 oituwlfyq.net udp
US 8.8.8.8:53 fhbybarwz.info udp
US 8.8.8.8:53 habyyrxhiv.info udp
US 8.8.8.8:53 qdnmhgdyrit.net udp
US 8.8.8.8:53 thtrec.net udp
US 8.8.8.8:53 jmvrlnop.info udp
US 8.8.8.8:53 eeaaaaieuwye.org udp
US 8.8.8.8:53 dihqfyt.org udp
US 8.8.8.8:53 oguzcwlt.info udp
US 8.8.8.8:53 iwfwsu.info udp
US 8.8.8.8:53 sjejytwhmotb.net udp
US 8.8.8.8:53 qyqigk.com udp
US 8.8.8.8:53 aqwscqqe.org udp
US 8.8.8.8:53 hylmkorpmaz.org udp
US 8.8.8.8:53 qmowooycqq.org udp
US 8.8.8.8:53 isqocuyy.org udp
US 8.8.8.8:53 gygkfyeze.info udp
US 8.8.8.8:53 mkxyphhceqz.net udp
US 8.8.8.8:53 fyaylmbcb.net udp
US 8.8.8.8:53 htvdbbh.com udp
US 8.8.8.8:53 pzgkljuoas.net udp
US 8.8.8.8:53 ekqaao.com udp
US 8.8.8.8:53 tetfjwtjfz.info udp
US 8.8.8.8:53 rkjyfrxybqd.net udp
US 8.8.8.8:53 fizsrliykav.info udp
US 8.8.8.8:53 iiboni.info udp
US 8.8.8.8:53 ooepolkc.info udp
US 8.8.8.8:53 ggcxtosxmqgn.info udp
US 8.8.8.8:53 hjfdpmp.org udp
US 8.8.8.8:53 msyguqagqm.org udp
US 8.8.8.8:53 kpgaszdgnb.net udp
US 8.8.8.8:53 gzbioldgme.info udp
US 8.8.8.8:53 zuzkmaz.info udp
US 8.8.8.8:53 tlrtrntp.info udp
US 8.8.8.8:53 yqdindvszcl.info udp
US 8.8.8.8:53 cxektv.net udp
US 8.8.8.8:53 ldlrgk.info udp
US 8.8.8.8:53 lohitrqmb.net udp
US 8.8.8.8:53 osavtktrywjw.net udp
US 8.8.8.8:53 owtumceqt.info udp
US 8.8.8.8:53 bufmppmmtp.info udp
US 8.8.8.8:53 ibhlriiqvc.info udp
GB 84.32.152.67:27662 tcp
US 8.8.8.8:53 sgdzhklkvfso.info udp
US 8.8.8.8:53 zjembwxx.net udp
US 8.8.8.8:53 twmisgomptw.com udp
US 8.8.8.8:53 pqqkhp.net udp
US 8.8.8.8:53 knwgzqzz.net udp
US 8.8.8.8:53 hlhkkz.net udp
US 8.8.8.8:53 alyypvemovoc.net udp
US 8.8.8.8:53 trlkdp.net udp
US 8.8.8.8:53 dxkwydeogh.net udp
US 8.8.8.8:53 yaqooeosyhs.info udp
US 8.8.8.8:53 rltpyjn.org udp
US 8.8.8.8:53 qlstpgkhcjbu.net udp
US 8.8.8.8:53 cydqsgpijrb.info udp
US 8.8.8.8:53 ucsecc.org udp
US 8.8.8.8:53 hbiqfsmydyf.org udp
US 8.8.8.8:53 nzitfaav.info udp
US 8.8.8.8:53 wigyyrdp.info udp
US 8.8.8.8:53 yeneoczkx.net udp
US 8.8.8.8:53 lktcrbw.com udp
US 8.8.8.8:53 vcllberonos.net udp
US 8.8.8.8:53 hyjodgw.info udp
US 8.8.8.8:53 ygholuhft.info udp
US 8.8.8.8:53 dkdczgl.info udp
US 8.8.8.8:53 cgrwbebeccj.info udp
US 8.8.8.8:53 gfcyibbfymqt.net udp
US 8.8.8.8:53 leagnqqer.net udp
US 8.8.8.8:53 gshujucdlud.net udp
US 8.8.8.8:53 hylnnoj.org udp
US 8.8.8.8:53 eaictyqxc.info udp
US 8.8.8.8:53 nwbvskgjvw.net udp
US 8.8.8.8:53 tkpazcggf.org udp
US 8.8.8.8:53 eexitkxrfmm.net udp
US 8.8.8.8:53 zmrdhmhshwa.info udp
US 8.8.8.8:53 ywbpvusejwz.net udp
US 8.8.8.8:53 nkiqxbxgtz.info udp
US 8.8.8.8:53 vgqxvqngngx.info udp
US 8.8.8.8:53 fjwjpmmiot.net udp
US 8.8.8.8:53 kigyih.info udp
US 8.8.8.8:53 idhyhn.net udp
US 8.8.8.8:53 jgizeevi.info udp
US 8.8.8.8:53 gsppnsamrcd.info udp
US 8.8.8.8:53 cgzqtowog.info udp
US 8.8.8.8:53 hdenwewl.net udp
US 8.8.8.8:53 mnhxtj.net udp
US 8.8.8.8:53 hddwtdhj.net udp
US 8.8.8.8:53 fgoudtyfcsfs.net udp
US 8.8.8.8:53 jmxetlsqb.org udp
US 8.8.8.8:53 bcvzjht.com udp
US 8.8.8.8:53 gdiecndz.net udp
US 8.8.8.8:53 nyjqfunbb.org udp
US 8.8.8.8:53 buuqaspmlhu.net udp
US 8.8.8.8:53 jrnmzxzen.com udp
US 8.8.8.8:53 fevpfshvp.org udp
US 8.8.8.8:53 ncxulvlzrhky.info udp
US 8.8.8.8:53 kzhcdiv.net udp
US 8.8.8.8:53 mqqiiy.org udp
US 8.8.8.8:53 ihlwyynw.net udp
US 8.8.8.8:53 kcryxrris.info udp
US 8.8.8.8:53 dxtjbdcdfa.info udp
US 8.8.8.8:53 giekgyskeiik.org udp
US 8.8.8.8:53 oxmsrehyj.net udp
US 8.8.8.8:53 jujrlgkptdj.com udp
US 8.8.8.8:53 tucejr.info udp
US 8.8.8.8:53 ywxwfsq.net udp
US 8.8.8.8:53 jcicboe.info udp
US 8.8.8.8:53 bavppixu.net udp
US 8.8.8.8:53 hpzrrtsiy.org udp
US 8.8.8.8:53 ocffwwxk.info udp
US 8.8.8.8:53 uagemqua.com udp
US 8.8.8.8:53 rjhnzwndayb.net udp
US 8.8.8.8:53 owiogoqwye.com udp
US 8.8.8.8:53 xgvkyubmm.info udp
US 8.8.8.8:53 fkgritslx.org udp
US 8.8.8.8:53 zqaiomzsvij.info udp
US 8.8.8.8:53 uyiflor.info udp
US 8.8.8.8:53 uuzesarn.net udp
US 8.8.8.8:53 sujealckrcn.net udp
US 8.8.8.8:53 jclrujvo.net udp
US 8.8.8.8:53 uljytqfeq.net udp
US 8.8.8.8:53 ypntkxfb.net udp
US 8.8.8.8:53 ptpwnlreeaxo.net udp
US 8.8.8.8:53 icjjzwopdfhv.info udp
US 8.8.8.8:53 vthnjumbihsj.net udp
US 8.8.8.8:53 sesqgosm.com udp
US 8.8.8.8:53 zuwvqomrpk.net udp
US 8.8.8.8:53 wuxqkrv.info udp
US 8.8.8.8:53 sepilej.net udp
US 8.8.8.8:53 eeeiusoc.com udp
US 8.8.8.8:53 fyzwwytslei.org udp
US 8.8.8.8:53 fugxfy.net udp
US 8.8.8.8:53 dtstyn.net udp
US 8.8.8.8:53 rznhhy.net udp
US 8.8.8.8:53 gwicmeqkqmgc.org udp
US 8.8.8.8:53 ugdqqcoyvcr.net udp
US 8.8.8.8:53 zbqtpeerkb.net udp
US 8.8.8.8:53 wjvudbhi.info udp
US 8.8.8.8:53 zuwrljtqss.net udp
US 8.8.8.8:53 skjezuziejh.net udp
US 8.8.8.8:53 ciwkgw.org udp
US 8.8.8.8:53 wgyqyuai.com udp
US 8.8.8.8:53 xfzndln.net udp
US 8.8.8.8:53 msaeugqyakco.org udp
US 8.8.8.8:53 tvosclvkkrme.net udp
US 8.8.8.8:53 gugekm.org udp
US 8.8.8.8:53 ekwoewekwg.com udp
US 8.8.8.8:53 lcizvf.info udp
US 8.8.8.8:53 vfzslgycp.net udp
US 8.8.8.8:53 tmrxnmjrkb.net udp
US 8.8.8.8:53 beasxmcjb.com udp
US 8.8.8.8:53 vaizlhjv.net udp
US 8.8.8.8:53 meirbsegkmoj.info udp
US 8.8.8.8:53 uomieuwsgywa.com udp
US 8.8.8.8:53 uqmekexatiho.net udp
US 8.8.8.8:53 orkstbdi.info udp
US 8.8.8.8:53 vgrihkbcfik.com udp
US 8.8.8.8:53 zmprqprldq.info udp
US 8.8.8.8:53 msohca.net udp
US 8.8.8.8:53 fzkrxmam.info udp
US 8.8.8.8:53 jwkyzqzbjuf.com udp
US 8.8.8.8:53 kaukse.com udp
US 8.8.8.8:53 bynydzlp.info udp
US 8.8.8.8:53 bfxkrtjjbqhu.info udp
US 8.8.8.8:53 nwfeltvcr.net udp
US 8.8.8.8:53 perwmabvjaz.net udp
US 8.8.8.8:53 boecnjawbev.net udp
US 8.8.8.8:53 fixijml.org udp
US 8.8.8.8:53 tdhqghrbdi.info udp
US 8.8.8.8:53 bvrlxiawb.net udp
US 8.8.8.8:53 zohacmkyqar.com udp
US 8.8.8.8:53 bujydax.net udp
US 8.8.8.8:53 ruauvwk.com udp
US 8.8.8.8:53 pwxotevmv.org udp
US 8.8.8.8:53 eoduzciknmp.net udp
US 8.8.8.8:53 odfjfr.info udp
US 8.8.8.8:53 iypglwjsqyn.info udp
US 8.8.8.8:53 hqszlktusxve.net udp
US 8.8.8.8:53 jynyzuyox.org udp
US 8.8.8.8:53 wkwukugg.org udp
US 8.8.8.8:53 sxsydftugfl.net udp
US 8.8.8.8:53 muzhxdduzpl.net udp
US 8.8.8.8:53 ucyyauoy.org udp
US 8.8.8.8:53 olvcrexyfbf.info udp
US 8.8.8.8:53 msoiygcw.org udp
US 8.8.8.8:53 noufhu.info udp
US 8.8.8.8:53 hfzzlt.info udp
US 8.8.8.8:53 kczacgj.info udp
US 8.8.8.8:53 fmoywjaffd.info udp
US 8.8.8.8:53 awtrjqbmv.net udp
US 8.8.8.8:53 wkcogiumouwo.com udp
US 8.8.8.8:53 bmovzczabcbw.net udp
US 8.8.8.8:53 rmxokynod.info udp
US 8.8.8.8:53 ejpdqikairvo.info udp
US 8.8.8.8:53 ssgqsckw.com udp
US 8.8.8.8:53 spbmeodkvex.info udp
US 8.8.8.8:53 agpmpspwf.info udp
US 8.8.8.8:53 jrjyxfvmfet.info udp
US 8.8.8.8:53 vqrolytub.com udp
US 8.8.8.8:53 rgzcbsfpb.org udp
US 8.8.8.8:53 cxritgbkwiqj.net udp
US 8.8.8.8:53 xflrdxdu.net udp
US 8.8.8.8:53 psmqluhar.com udp
US 8.8.8.8:53 lcpqvyawk.info udp
US 8.8.8.8:53 yabgjuiyvpj.net udp
US 8.8.8.8:53 awlfwtwromo.net udp
US 8.8.8.8:53 aymelgrqd.info udp
US 8.8.8.8:53 dsbovouca.org udp
US 8.8.8.8:53 yqtafgfohsp.net udp
US 8.8.8.8:53 icgghcqukxz.net udp
US 8.8.8.8:53 taffpigblo.net udp
US 8.8.8.8:53 eizhfeiqzft.info udp
US 8.8.8.8:53 yyeysgkock.com udp
US 8.8.8.8:53 nrpqjt.info udp
US 8.8.8.8:53 ayrziajubkc.net udp
US 8.8.8.8:53 tuuqlfyjxqe.info udp
US 8.8.8.8:53 zelzmi.info udp
US 8.8.8.8:53 lkngjoezjnq.com udp
US 8.8.8.8:53 nbnsdp.net udp
US 8.8.8.8:53 ucgweeseak.com udp
US 8.8.8.8:53 vqoovoqtl.org udp
US 8.8.8.8:53 biuehdf.net udp
US 8.8.8.8:53 wrbgtg.info udp
US 8.8.8.8:53 adpmux.info udp
US 8.8.8.8:53 ymklhj.info udp
US 8.8.8.8:53 kkukikssxb.net udp
US 8.8.8.8:53 vknxabuk.info udp
US 8.8.8.8:53 csihpxjjme.info udp
US 8.8.8.8:53 xbfhtyff.info udp
US 8.8.8.8:53 twjwrsudhoz.net udp
US 8.8.8.8:53 bylfnxuo.info udp
US 8.8.8.8:53 vsswekgnat.info udp
US 8.8.8.8:53 nqhhls.info udp
US 8.8.8.8:53 ecbawwfhmdv.net udp
US 8.8.8.8:53 cehxfuxenqdu.net udp
DE 85.214.228.140:80 gyuuym.org tcp
US 8.8.8.8:53 mgogyimisgia.org udp
US 8.8.8.8:53 icgqseeoqwuq.org udp
US 8.8.8.8:53 drjrvbxq.info udp
US 8.8.8.8:53 unxfuild.info udp
SG 18.142.91.111:80 unxfuild.info tcp
US 8.8.8.8:53 hhwfhsilfvca.net udp
US 8.8.8.8:53 xlxutqnwhi.net udp
US 8.8.8.8:53 lgxmnxp.info udp
US 8.8.8.8:53 durbtbe.net udp
US 8.8.8.8:53 vhfqpxtkc.com udp
US 8.8.8.8:53 ahlcycuyjof.net udp
US 8.8.8.8:53 ggoiukqgsikq.org udp
US 8.8.8.8:53 udzdjiddn.net udp
US 8.8.8.8:53 dvcavlbf.info udp
US 8.8.8.8:53 hbfuzmpxf.com udp
US 8.8.8.8:53 niqxyenx.net udp
US 8.8.8.8:53 hgxwxawynhmi.info udp
US 8.8.8.8:53 nxvcstmo.net udp
US 8.8.8.8:53 xnyxvite.info udp
US 8.8.8.8:53 ygoukmwg.org udp
US 8.8.8.8:53 tghljp.info udp
US 8.8.8.8:53 poxnbxfgpkbi.info udp
US 104.156.155.94:80 cydlrge.info tcp
US 8.8.8.8:53 yetoikl.info udp
US 8.8.8.8:53 vvlzjqvskths.info udp
US 8.8.8.8:53 xotzfbr.org udp
US 8.8.8.8:53 cyqmeask.org udp
US 8.8.8.8:53 oswieyiiko.org udp
US 8.8.8.8:53 mjotpzfbosdh.info udp
US 8.8.8.8:53 iesqumuvluzb.net udp
US 8.8.8.8:53 yaommmwa.org udp
US 8.8.8.8:53 dtpxtiwnx.com udp
US 8.8.8.8:53 tvshvh.info udp
US 8.8.8.8:53 ccuyga.org udp
US 8.8.8.8:53 luvehemiri.info udp
US 8.8.8.8:53 aurimtpqz.net udp
US 8.8.8.8:53 atbiftsnvum.info udp
US 8.8.8.8:53 oqcgqjzhsb.net udp
US 8.8.8.8:53 uuezjfzx.net udp
US 8.8.8.8:53 lalckpw.org udp
US 8.8.8.8:53 kdybwms.info udp
US 8.8.8.8:53 qsgaci.com udp
US 8.8.8.8:53 ikhkxkanxyx.net udp
US 8.8.8.8:53 jcvqlzn.com udp
US 8.8.8.8:53 hmfurcniz.info udp
US 8.8.8.8:53 melbmcr.info udp
US 8.8.8.8:53 yacusmeiimog.org udp
US 8.8.8.8:53 avbzvrkcvjvh.net udp
US 8.8.8.8:53 bwzopcx.org udp
US 8.8.8.8:53 ddpobim.org udp
US 8.8.8.8:53 qeeyuwws.com udp
US 8.8.8.8:53 pyrqpyn.info udp
US 8.8.8.8:53 ewhqxezcwwc.net udp
US 8.8.8.8:53 mpsluecp.info udp
US 8.8.8.8:53 acksqp.net udp
US 8.8.8.8:53 gnwvjvjc.net udp
US 8.8.8.8:53 qbhqtfueirwy.net udp
US 8.8.8.8:53 qkeieosjlmsw.info udp
US 8.8.8.8:53 yoaoooewyeeo.com udp
US 8.8.8.8:53 xpgwfipglow.com udp
US 8.8.8.8:53 hjddssuzls.info udp
US 8.8.8.8:53 zvbehljghqu.com udp
US 8.8.8.8:53 scuabbyuz.net udp
US 8.8.8.8:53 jesxxfnxrb.info udp
US 8.8.8.8:53 omtzlccvxmkf.info udp
US 8.8.8.8:53 mdhpuesj.net udp
US 8.8.8.8:53 ywlilbnxr.net udp
US 8.8.8.8:53 qcpjfakwd.net udp
US 8.8.8.8:53 dqjrswwie.com udp
US 8.8.8.8:53 immkkkkeismw.org udp
US 8.8.8.8:53 hqrutpg.com udp
US 8.8.8.8:53 zanzvuhlarnd.net udp
US 8.8.8.8:53 hrhjzm.info udp
US 8.8.8.8:53 vrxmprngmlhk.net udp
US 8.8.8.8:53 jctssigifd.info udp
US 8.8.8.8:53 kqvirufzq.info udp
US 8.8.8.8:53 eznabol.net udp
US 8.8.8.8:53 bswkjqx.org udp
US 8.8.8.8:53 sywaxjkitnd.net udp
US 8.8.8.8:53 egwmww.com udp
US 8.8.8.8:53 ixvxzcqyt.info udp
US 8.8.8.8:53 klqmnybibg.net udp
US 8.8.8.8:53 lwsuxsvok.info udp
US 8.8.8.8:53 aegsao.com udp
US 8.8.8.8:53 wyfuvfblbtj.info udp
US 8.8.8.8:53 byeizl.net udp
US 8.8.8.8:53 dkouvubcpovf.info udp
US 8.8.8.8:53 myzmjev.net udp
US 8.8.8.8:53 mjvtphaadm.net udp
US 8.8.8.8:53 ptcutcpl.info udp
US 8.8.8.8:53 uslgdte.net udp
US 8.8.8.8:53 lisbhict.net udp
US 8.8.8.8:53 oahisgpny.net udp
US 8.8.8.8:53 yeuqlybq.info udp
US 8.8.8.8:53 icfyaovdjihs.info udp
US 8.8.8.8:53 ehmzdguwh.info udp
US 8.8.8.8:53 fzbhbpln.info udp
US 8.8.8.8:53 zyfitez.info udp
US 8.8.8.8:53 dpzdbigpebql.info udp
US 8.8.8.8:53 awnrwe.info udp
US 8.8.8.8:53 gmywye.org udp
US 8.8.8.8:53 leqdurjb.net udp
US 8.8.8.8:53 uoyfua.info udp
US 8.8.8.8:53 caguxmgkg.info udp
US 8.8.8.8:53 urawzn.info udp
US 8.8.8.8:53 yqlttwfay.info udp
US 8.8.8.8:53 wndkkkd.info udp
US 8.8.8.8:53 dxikspgshgbk.info udp
US 8.8.8.8:53 dkdsgalwamd.net udp
US 8.8.8.8:53 zlmhvcv.net udp
US 8.8.8.8:53 acbwnkjuscn.net udp
BG 93.152.146.70:44601 tcp
US 8.8.8.8:53 oiwoimuqqg.com udp
US 8.8.8.8:53 lgmwshpwdp.net udp
US 8.8.8.8:53 qzkeygi.info udp
US 8.8.8.8:53 xbqhvi.info udp
US 8.8.8.8:53 ummsicus.org udp
US 8.8.8.8:53 zglhfr.info udp
US 8.8.8.8:53 fhngbai.com udp
US 8.8.8.8:53 zgrjrexb.net udp
US 8.8.8.8:53 runmxthttiuf.net udp
US 8.8.8.8:53 mwpczohqrpl.net udp
US 8.8.8.8:53 hqbeniron.org udp
US 8.8.8.8:53 takghwqz.net udp
US 8.8.8.8:53 ayskuuyege.org udp
US 8.8.8.8:53 wmromnp.info udp
US 8.8.8.8:53 eeueccewmeem.com udp
US 8.8.8.8:53 vigkrh.info udp
US 8.8.8.8:53 rezvmsxsm.org udp
US 8.8.8.8:53 qumkqoskoomw.com udp
US 8.8.8.8:53 gthoprfe.net udp
US 8.8.8.8:53 bpsdrobofbar.info udp
US 8.8.8.8:53 tyqrgkrojs.net udp
US 8.8.8.8:53 eqoyqceyagea.org udp
US 8.8.8.8:53 zmhutsnwxsu.org udp
US 8.8.8.8:53 pyapbh.info udp
US 8.8.8.8:53 vlpxze.info udp
US 8.8.8.8:53 hvqeij.net udp
US 8.8.8.8:53 sofndmpsjeu.info udp
US 8.8.8.8:53 rhjhxbhewd.net udp
US 8.8.8.8:53 rcsygerash.net udp
US 8.8.8.8:53 rafdtpxafivh.info udp
US 8.8.8.8:53 vranwj.net udp
US 8.8.8.8:53 nqxqys.net udp
US 8.8.8.8:53 fonkfotyd.net udp
US 8.8.8.8:53 ostbpgmikyz.net udp
US 8.8.8.8:53 skywyumxq.net udp
US 8.8.8.8:53 vofeyrnodel.net udp
US 8.8.8.8:53 hsjphmpri.net udp
US 8.8.8.8:53 xbllvppeabws.info udp
US 8.8.8.8:53 nshdioh.net udp
US 8.8.8.8:53 isegumiwim.org udp
US 8.8.8.8:53 lcjtxdfqbtwg.net udp
US 8.8.8.8:53 bulzdydv.info udp
US 8.8.8.8:53 ekokmqmy.com udp
US 8.8.8.8:53 omhsdoa.net udp
US 8.8.8.8:53 kmbiem.info udp
US 8.8.8.8:53 ekqqcc.org udp
US 8.8.8.8:53 lopivbnottk.net udp
US 8.8.8.8:53 zqtmzcnqtgyu.net udp
US 8.8.8.8:53 vcvneoiitt.net udp
US 8.8.8.8:53 xmgevneyuwn.org udp
US 8.8.8.8:53 ybbifcofn.net udp
US 8.8.8.8:53 wclazslaknj.net udp
US 8.8.8.8:53 xytkrxv.com udp
US 8.8.8.8:53 dflqknsl.net udp
US 8.8.8.8:53 spddxdesep.info udp
US 8.8.8.8:53 aztsttzli.info udp
US 8.8.8.8:53 coqcqscq.com udp
US 8.8.8.8:53 lmksdgntqsp.com udp
US 8.8.8.8:53 qtgqqinahbp.info udp
US 8.8.8.8:53 nqtvvus.com udp
US 8.8.8.8:53 luaiexlo.net udp
US 8.8.8.8:53 cwrquthxwax.info udp
US 8.8.8.8:53 tgwszyqdbgf.info udp
US 8.8.8.8:53 dqxengr.com udp
US 8.8.8.8:53 xwkiaur.net udp
US 8.8.8.8:53 rydjwzmn.info udp
US 8.8.8.8:53 jubvpax.info udp
US 8.8.8.8:53 muvdirplpg.net udp
US 8.8.8.8:53 egvlaql.net udp
US 8.8.8.8:53 vidgvqfofi.net udp
US 8.8.8.8:53 mpngqybwxuu.net udp
US 8.8.8.8:53 natdnpx.net udp
US 8.8.8.8:53 thiheqnjfg.info udp
US 8.8.8.8:53 osogzxhgnxk.info udp
US 8.8.8.8:53 ecbwysbz.info udp
US 8.8.8.8:53 zdfetlo.info udp
US 8.8.8.8:53 oitwbowqhwf.info udp
US 8.8.8.8:53 diasfmjrjzyb.net udp
US 8.8.8.8:53 bnvoehmzojkj.info udp
US 8.8.8.8:53 cceyge.org udp
US 8.8.8.8:53 njmyupro.net udp
US 8.8.8.8:53 naecpjgn.info udp
US 8.8.8.8:53 mimcocse.org udp
US 8.8.8.8:53 xrpwmsl.info udp
US 8.8.8.8:53 nvbwfmdprbpk.net udp
BG 212.104.116.212:26364 tcp
US 8.8.8.8:53 faacagdzpoz.net udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 qipawytie.net udp
US 8.8.8.8:53 mysgmkwy.com udp
US 8.8.8.8:53 mpozqh.net udp
US 8.8.8.8:53 ptxuton.info udp
US 8.8.8.8:53 wcsbrpz.net udp
US 8.8.8.8:53 qakqmisiwu.org udp
US 8.8.8.8:53 doccomhaw.org udp
US 8.8.8.8:53 vtebqm.info udp
US 8.8.8.8:53 uwcuws.org udp
US 8.8.8.8:53 lglgfxphejqe.net udp
US 8.8.8.8:53 rathwubqm.info udp
US 8.8.8.8:53 psntburxdar.net udp
US 8.8.8.8:53 azlfou.info udp
US 8.8.8.8:53 oqjfitexpdyb.info udp
US 8.8.8.8:53 jptblemode.info udp
US 8.8.8.8:53 pyskryzdre.info udp
US 8.8.8.8:53 umyicieyee.org udp
US 8.8.8.8:53 aaycvmz.info udp
US 8.8.8.8:53 mipjgulenwx.info udp
US 8.8.8.8:53 ocuepejey.info udp
US 8.8.8.8:53 nurrdlrfvkd.net udp
US 8.8.8.8:53 vcsuct.net udp
IT 94.156.27.79:26140 tcp
US 8.8.8.8:53 lagawopiz.com udp
US 8.8.8.8:53 uafwsmsayy.info udp
US 8.8.8.8:53 fgkaxijop.com udp
US 8.8.8.8:53 umfezsign.net udp
US 8.8.8.8:53 jkqmmsgbi.net udp
US 8.8.8.8:53 agmifggt.info udp
US 8.8.8.8:53 mjxxtvxsirxs.net udp
US 8.8.8.8:53 jeqzkmwc.net udp
US 8.8.8.8:53 fsyczawoha.info udp
US 8.8.8.8:53 atkzfclhbift.info udp
US 8.8.8.8:53 ismqceyewi.com udp
US 8.8.8.8:53 lgsnlwvyn.org udp
US 8.8.8.8:53 wueysyqiyg.org udp
US 8.8.8.8:53 oncjrblf.net udp
US 8.8.8.8:53 kcvojil.net udp
US 8.8.8.8:53 cgoprg.info udp
US 8.8.8.8:53 muiguayq.org udp
US 8.8.8.8:53 jjrefkv.net udp
US 8.8.8.8:53 wuwugk.com udp
US 8.8.8.8:53 kjskvzf.info udp
US 8.8.8.8:53 kgzkrr.net udp
US 8.8.8.8:53 lzbjkx.info udp
US 8.8.8.8:53 nryqlcjndfuo.net udp
US 8.8.8.8:53 dhtkhlo.info udp
US 8.8.8.8:53 geoauusquukw.com udp
US 8.8.8.8:53 qshgtkxcv.net udp
US 8.8.8.8:53 koificuqay.net udp
US 8.8.8.8:53 blriytvijot.com udp
US 8.8.8.8:53 wgjkcuj.info udp
US 8.8.8.8:53 tunigxdxlx.net udp
US 8.8.8.8:53 bqqovhnmbgi.info udp
US 8.8.8.8:53 bufapldspds.net udp
US 8.8.8.8:53 kyilnx.net udp
US 8.8.8.8:53 fanttpzybtfc.net udp
US 8.8.8.8:53 zzltha.info udp
US 8.8.8.8:53 fxfhoslihy.info udp
US 8.8.8.8:53 bsuanaj.info udp

Files

C:\Users\Admin\AppData\Local\Temp\gncxrwpmqxm.exe

MD5 045f9ea14722872525b47ffff80be8e5
SHA1 015a67c71666b1d95dbcb25f396f969d1876e530
SHA256 5b963a83a37e345fc9763ac196e7b06d4d7ab57e4731d043a0a57202da956583
SHA512 54f891b83d7bd62a0101b4cd3f5382d3f5dcccc1d9c6b8875fed31b4be11e5e6421311c029a0a14823476c3b6b2f0fe01ccb9f2e876302e27d204b53f14f8318

C:\Windows\SysWOW64\oatsjdmmyrznjlmyyc.exe

MD5 c80e476ddc2450c7d1bf465e8796f0d6
SHA1 c01e78777fbd41c983942ef10546613ce2537f5b
SHA256 cf50f189fc5b6fb4762cee07c4d5e22cdbeb853132f86f6c757033aff65a83a1
SHA512 6adc3688772558bcbc094335a84ea7bddd84615c509991788debeb9c34c94702c883e5cb06148a1aa45b5b4d63e362dead24b5e12056e7efa91cb46415f8f832

C:\Users\Admin\AppData\Local\Temp\bagsw.exe

MD5 7be6738e379fe82c2d4ca6c30c9c878d
SHA1 3d5a55e2142795f0587857b5ef91c36b83931eb8
SHA256 3d5d165d0bd13970d39f621da8744e8c93fca536ec3aeb8448c0a16c61e5d724
SHA512 007b63d079f69f0ccac3c9a919aefda4ead865eeef50fa8410bd0afaf8ae686808b5126a6d4d9330b69b3c8f5364768ce62f20caf41e4cb31761c970417e74fb

C:\Users\Admin\AppData\Local\bagswdzmlrmnwlzylcnmseiplyx.yzi

MD5 2fa1a91f91842a6b461c0023e111e283
SHA1 edcc232a0f6d1845a05248e019103f21f20ad560
SHA256 8271a8825ef998bc6cdcd408b10d9dbef5eeca33afe2da05415739d30c6d3bae
SHA512 3a1b09ee98eed6233f8397f920a359b2e9312b31843f330825ffa4d321dfb7a824079dd1efab067589f7fd5ef825c5b01c356936210e7a5ef6c0938b424ad385

C:\Users\Admin\AppData\Local\yizwldkisjpbvvueceakbynfmkulrdxxwgegcm.aph

MD5 49dde8af2df4a2ff4f7707c171a5fae6
SHA1 391f1cb6f0092311809509d0ca68d64c9452391b
SHA256 ee4bc94532f1d34027bc620ebf9815ca5041fbed3873a015f1b967f97ad7e127
SHA512 0c664224732fa8a5608719bee463d891e91b8ef139685c2f1d3be80874514510e3c28bc01046ba87f386501bd3e67cbff0f76bcc9b7ee0fef750ff81e36a70c0

C:\Program Files (x86)\bagswdzmlrmnwlzylcnmseiplyx.yzi

MD5 d4068bdd69afba2f5cca7b695a5ed2ec
SHA1 45c63054bd2cb6c06a6ec185a394988ad036804e
SHA256 cf7f450bacb843d641973119de08d78839dd5ecccbbe6187733461bdb63ce7ba
SHA512 7b1a7d3df11cd934830ad7a4e036b85ccfd39d50ec19d487262b6a634eb1a517bae974b4d0bed638597afeaf08f313dd7d95f7211bf48d7e3d3a85fbc046f175

C:\Program Files (x86)\bagswdzmlrmnwlzylcnmseiplyx.yzi

MD5 b69b818fd7adc9816f03319716300e6c
SHA1 e501f7113f5f075acba19eed639f97fb08e26328
SHA256 7834dd62c54836039c25adc8a7be46b2f891dec00879a401b6346f51e2fe9825
SHA512 630d59ffa4b0105420c28fef3ee0e84c4d9ec682f5749ca2d17f7f3e2fafbe150aa990adcdc82208b496bdcd654b69106c597139a3cf751855dde9aeb5ff5e4f

C:\Program Files (x86)\bagswdzmlrmnwlzylcnmseiplyx.yzi

MD5 9179b61a3930f913a95daec99e2cc2a2
SHA1 3427d58b58268e5dae5753ccd0bca8dc550e8ef4
SHA256 941a936d2d410da8e969324b7ca6e3f542ebdbfa06525737b1121af943f27bd9
SHA512 113480dd718f37371dca65f6b474876fe748db13cb2324d199ded747a42d6b8546b86efb62b0a5f2710964865aad68cbee1f657502e7dd32e435093a4976d925

C:\Program Files (x86)\bagswdzmlrmnwlzylcnmseiplyx.yzi

MD5 952c023357eda15d8df220530d4a0015
SHA1 cb10305b780afdb68f7727716a527750a163b770
SHA256 b66e06e96d99a5b7c6e5470719ceed343cd4a30047e14e0383963ad63486d8be
SHA512 9e831c8dbbd04ea1e03553c004ca822ceb6b4a144b78c372f14f659a76c9c598e6740fc04e5c22eab844eec0a0404d8d3af1f0b6677aa40a3dcb39ae49c646e9

C:\Program Files (x86)\bagswdzmlrmnwlzylcnmseiplyx.yzi

MD5 e9cb96c2e1eed16251d8e3f95a9f1069
SHA1 5cbcec3366ba5d21a99dddc6479b88bd435022f9
SHA256 519c908446ada1b23feec312738a41cf88a70c95bb308dfb96cba408399598be
SHA512 ef3a22a0749b929c505ee502cfcdf5e5becfa2e0d9d300053429f1df2ea05a559d1030b8de4e3d9494a76273d9f2588a8e6e6efa0c396002f77f108440a4169a

Analysis: behavioral2

Detonation Overview

Submitted

2025-04-21 06:08

Reported

2025-04-21 06:10

Platform

win11-20250410-en

Max time kernel

64s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A

Pykspa

worm pykspa

Pykspa family

pykspa

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A

Detect Pykspa worm

worm
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmdvgzpatigwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "cuqndbwmkehchcctggqie.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "zmdvgzpatigwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "aqkftpiwsklehaynywe.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "zmdvgzpatigwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "cuqndbwmkehchcctggqie.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmdvgzpatigwwmht.exe" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "gumfrlcoiyxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "gumfrlcoiyxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "pexrezrezqqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nezvkhbqngicgazpbaja.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmdvgzpatigwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nezvkhbqngicgazpbaja.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nezvkhbqngicgazpbaja.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "cuqndbwmkehchcctggqie.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "gumfrlcoiyxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "nezvkhbqngicgazpbaja.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "nezvkhbqngicgazpbaja.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "gumfrlcoiyxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nezvkhbqngicgazpbaja.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "cuqndbwmkehchcctggqie.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "aqkftpiwsklehaynywe.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "pexrezrezqqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "pexrezrezqqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "zmdvgzpatigwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nezvkhbqngicgazpbaja.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmdvgzpatigwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "cuqndbwmkehchcctggqie.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pudnqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gumfrlcoiyxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ucobhvgmakd = "gumfrlcoiyxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\aqkftpiwsklehaynywe.exe N/A
N/A N/A C:\Windows\pexrezrezqqikcznxu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\aqkftpiwsklehaynywe.exe N/A
N/A N/A C:\Windows\cuqndbwmkehchcctggqie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
N/A N/A C:\Windows\nezvkhbqngicgazpbaja.exe N/A
N/A N/A C:\Windows\aqkftpiwsklehaynywe.exe N/A
N/A N/A C:\Windows\pexrezrezqqikcznxu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\aqkftpiwsklehaynywe.exe N/A
N/A N/A C:\Windows\gumfrlcoiyxopgcpy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe N/A
N/A N/A C:\Windows\zmdvgzpatigwwmht.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe N/A
N/A N/A C:\Windows\pexrezrezqqikcznxu.exe N/A
N/A N/A C:\Windows\cuqndbwmkehchcctggqie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\gumfrlcoiyxopgcpy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\nezvkhbqngicgazpbaja.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\cuqndbwmkehchcctggqie.exe N/A
N/A N/A C:\Windows\gumfrlcoiyxopgcpy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\nezvkhbqngicgazpbaja.exe N/A
N/A N/A C:\Windows\gumfrlcoiyxopgcpy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\zmdvgzpatigwwmht.exe N/A
N/A N/A C:\Windows\gumfrlcoiyxopgcpy.exe N/A
N/A N/A C:\Windows\zmdvgzpatigwwmht.exe N/A
N/A N/A C:\Windows\gumfrlcoiyxopgcpy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\gumfrlcoiyxopgcpy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe N/A
N/A N/A C:\Windows\cuqndbwmkehchcctggqie.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ugwnxpeogurgfuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ugwnxpeogurgfuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmdvgzpatigwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\ranbixjqfqkw = "pexrezrezqqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ugwnxpeogurgfuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gumfrlcoiyxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmdvgzpatigwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "zmdvgzpatigwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nezvkhbqngicgazpbaja.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rcrhqhveviesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\ranbixjqfqkw = "aqkftpiwsklehaynywe.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rcrhqhveviesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\ranbixjqfqkw = "pexrezrezqqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qaodlbowmytgd = "nezvkhbqngicgazpbaja.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rcrhqhveviesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe ." C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "pexrezrezqqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "zmdvgzpatigwwmht.exe ." C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qaodlbowmytgd = "aqkftpiwsklehaynywe.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rcrhqhveviesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmdvgzpatigwwmht.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gumfrlcoiyxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ugwnxpeogurgfuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmdvgzpatigwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qaodlbowmytgd = "aqkftpiwsklehaynywe.exe ." C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rcrhqhveviesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nezvkhbqngicgazpbaja.exe ." C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "pexrezrezqqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qaodlbowmytgd = "pexrezrezqqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "gumfrlcoiyxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gumfrlcoiyxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "pexrezrezqqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "pexrezrezqqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "gumfrlcoiyxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qaodlbowmytgd = "gumfrlcoiyxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "nezvkhbqngicgazpbaja.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ugwnxpeogurgfuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\ranbixjqfqkw = "zmdvgzpatigwwmht.exe" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ugwnxpeogurgfuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rcrhqhveviesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "cuqndbwmkehchcctggqie.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuqndbwmkehchcctggqie.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmdvgzpatigwwmht.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "nezvkhbqngicgazpbaja.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pexrezrezqqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "gumfrlcoiyxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ugwnxpeogurgfuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmdvgzpatigwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "cuqndbwmkehchcctggqie.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ugwnxpeogurgfuo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqkftpiwsklehaynywe.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gumfrlcoiyxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qaodlbowmytgd = "pexrezrezqqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "zmdvgzpatigwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\ranbixjqfqkw = "gumfrlcoiyxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rcrhqhveviesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gumfrlcoiyxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rcrhqhveviesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gumfrlcoiyxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gmwhlxgkw = "zmdvgzpatigwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zgrdivfkxg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmdvgzpatigwwmht.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.showmyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyipaddress.com N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ranbixjqfqkwsevdhyzivjqfrynyseamdl.ghq C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
File opened for modification C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\gumfrlcoiyxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\aqkftpiwsklehaynywe.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\nezvkhbqngicgazpbaja.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\aqkftpiwsklehaynywe.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
File opened for modification C:\Windows\SysWOW64\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\gumfrlcoiyxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\nezvkhbqngicgazpbaja.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\aqkftpiwsklehaynywe.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\zmdvgzpatigwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\nezvkhbqngicgazpbaja.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\aqkftpiwsklehaynywe.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\nezvkhbqngicgazpbaja.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\gumfrlcoiyxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
File opened for modification C:\Windows\SysWOW64\zmdvgzpatigwwmht.exe C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
File opened for modification C:\Windows\SysWOW64\gumfrlcoiyxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\aqkftpiwsklehaynywe.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\aqkftpiwsklehaynywe.exe C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
File opened for modification C:\Windows\SysWOW64\nezvkhbqngicgazpbaja.exe C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
File opened for modification C:\Windows\SysWOW64\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\zmdvgzpatigwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\gumfrlcoiyxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
File opened for modification C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\nezvkhbqngicgazpbaja.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\nezvkhbqngicgazpbaja.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\gumfrlcoiyxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\zmdvgzpatigwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\zmdvgzpatigwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\nezvkhbqngicgazpbaja.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\aqkftpiwsklehaynywe.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\nezvkhbqngicgazpbaja.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\gumfrlcoiyxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\gumfrlcoiyxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\ecehdhieiirsdekhagwuwzv.awa C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
File created C:\Program Files (x86)\ecehdhieiirsdekhagwuwzv.awa C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
File opened for modification C:\Program Files (x86)\ranbixjqfqkwsevdhyzivjqfrynyseamdl.ghq C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
File created C:\Program Files (x86)\ranbixjqfqkwsevdhyzivjqfrynyseamdl.ghq C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\gumfrlcoiyxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File created C:\Windows\ecehdhieiirsdekhagwuwzv.awa C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
File opened for modification C:\Windows\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\gumfrlcoiyxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\nezvkhbqngicgazpbaja.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\gumfrlcoiyxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\aqkftpiwsklehaynywe.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\nezvkhbqngicgazpbaja.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\gumfrlcoiyxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\aqkftpiwsklehaynywe.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\aqkftpiwsklehaynywe.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\zmdvgzpatigwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\zmdvgzpatigwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\gumfrlcoiyxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\zmdvgzpatigwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\aqkftpiwsklehaynywe.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\gumfrlcoiyxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
File opened for modification C:\Windows\nezvkhbqngicgazpbaja.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\gumfrlcoiyxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\aqkftpiwsklehaynywe.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\nezvkhbqngicgazpbaja.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\nezvkhbqngicgazpbaja.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\aqkftpiwsklehaynywe.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\gumfrlcoiyxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\gumfrlcoiyxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\aqkftpiwsklehaynywe.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
File opened for modification C:\Windows\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\tmjhyxtkjeiekghznozspn.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\aqkftpiwsklehaynywe.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\nezvkhbqngicgazpbaja.exe C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
File opened for modification C:\Windows\aqkftpiwsklehaynywe.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\zmdvgzpatigwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\nezvkhbqngicgazpbaja.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\nezvkhbqngicgazpbaja.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\aqkftpiwsklehaynywe.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\nezvkhbqngicgazpbaja.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\pexrezrezqqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zmdvgzpatigwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gumfrlcoiyxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\aqkftpiwsklehaynywe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\aqkftpiwsklehaynywe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gumfrlcoiyxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\aqkftpiwsklehaynywe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\nezvkhbqngicgazpbaja.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\aqkftpiwsklehaynywe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gumfrlcoiyxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\aqkftpiwsklehaynywe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zmdvgzpatigwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\pexrezrezqqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\cuqndbwmkehchcctggqie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\cuqndbwmkehchcctggqie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gumfrlcoiyxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\nezvkhbqngicgazpbaja.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zmdvgzpatigwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\cuqndbwmkehchcctggqie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zmdvgzpatigwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zmdvgzpatigwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zmdvgzpatigwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\nezvkhbqngicgazpbaja.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\cuqndbwmkehchcctggqie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\cuqndbwmkehchcctggqie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gumfrlcoiyxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\zmdvgzpatigwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\aqkftpiwsklehaynywe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\pexrezrezqqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\aqkftpiwsklehaynywe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gumfrlcoiyxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\pexrezrezqqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\gumfrlcoiyxopgcpy.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3776 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 3776 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 3776 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 1896 wrote to memory of 5320 N/A C:\Windows\system32\cmd.exe C:\Windows\aqkftpiwsklehaynywe.exe
PID 1896 wrote to memory of 5320 N/A C:\Windows\system32\cmd.exe C:\Windows\aqkftpiwsklehaynywe.exe
PID 1896 wrote to memory of 5320 N/A C:\Windows\system32\cmd.exe C:\Windows\aqkftpiwsklehaynywe.exe
PID 3696 wrote to memory of 4788 N/A C:\Windows\system32\cmd.exe C:\Windows\pexrezrezqqikcznxu.exe
PID 3696 wrote to memory of 4788 N/A C:\Windows\system32\cmd.exe C:\Windows\pexrezrezqqikcznxu.exe
PID 3696 wrote to memory of 4788 N/A C:\Windows\system32\cmd.exe C:\Windows\pexrezrezqqikcznxu.exe
PID 4788 wrote to memory of 4808 N/A C:\Windows\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 4788 wrote to memory of 4808 N/A C:\Windows\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 4788 wrote to memory of 4808 N/A C:\Windows\pexrezrezqqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 4760 wrote to memory of 4920 N/A C:\Windows\system32\cmd.exe C:\Windows\aqkftpiwsklehaynywe.exe
PID 4760 wrote to memory of 4920 N/A C:\Windows\system32\cmd.exe C:\Windows\aqkftpiwsklehaynywe.exe
PID 4760 wrote to memory of 4920 N/A C:\Windows\system32\cmd.exe C:\Windows\aqkftpiwsklehaynywe.exe
PID 5024 wrote to memory of 4864 N/A C:\Windows\system32\cmd.exe C:\Windows\cuqndbwmkehchcctggqie.exe
PID 5024 wrote to memory of 4864 N/A C:\Windows\system32\cmd.exe C:\Windows\cuqndbwmkehchcctggqie.exe
PID 5024 wrote to memory of 4864 N/A C:\Windows\system32\cmd.exe C:\Windows\cuqndbwmkehchcctggqie.exe
PID 4864 wrote to memory of 5056 N/A C:\Windows\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 4864 wrote to memory of 5056 N/A C:\Windows\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 4864 wrote to memory of 5056 N/A C:\Windows\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 3588 wrote to memory of 5584 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
PID 3588 wrote to memory of 5584 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
PID 3588 wrote to memory of 5584 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe
PID 4996 wrote to memory of 5076 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
PID 4996 wrote to memory of 5076 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
PID 4996 wrote to memory of 5076 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
PID 5076 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 5076 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 5076 wrote to memory of 4652 N/A C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 2324 wrote to memory of 464 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
PID 2324 wrote to memory of 464 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
PID 2324 wrote to memory of 464 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe
PID 5644 wrote to memory of 5480 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
PID 5644 wrote to memory of 5480 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
PID 5644 wrote to memory of 5480 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe
PID 5480 wrote to memory of 5772 N/A C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 5480 wrote to memory of 5772 N/A C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 5480 wrote to memory of 5772 N/A C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 3252 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe
PID 3252 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe
PID 3252 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe
PID 3252 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe
PID 3252 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe
PID 3252 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe
PID 4084 wrote to memory of 1488 N/A C:\Windows\system32\cmd.exe C:\Windows\nezvkhbqngicgazpbaja.exe
PID 4084 wrote to memory of 1488 N/A C:\Windows\system32\cmd.exe C:\Windows\nezvkhbqngicgazpbaja.exe
PID 4084 wrote to memory of 1488 N/A C:\Windows\system32\cmd.exe C:\Windows\nezvkhbqngicgazpbaja.exe
PID 3036 wrote to memory of 5532 N/A C:\Windows\system32\cmd.exe C:\Windows\aqkftpiwsklehaynywe.exe
PID 3036 wrote to memory of 5532 N/A C:\Windows\system32\cmd.exe C:\Windows\aqkftpiwsklehaynywe.exe
PID 3036 wrote to memory of 5532 N/A C:\Windows\system32\cmd.exe C:\Windows\aqkftpiwsklehaynywe.exe
PID 3128 wrote to memory of 6128 N/A C:\Windows\system32\cmd.exe C:\Windows\pexrezrezqqikcznxu.exe
PID 3128 wrote to memory of 6128 N/A C:\Windows\system32\cmd.exe C:\Windows\pexrezrezqqikcznxu.exe
PID 3128 wrote to memory of 6128 N/A C:\Windows\system32\cmd.exe C:\Windows\pexrezrezqqikcznxu.exe
PID 5532 wrote to memory of 6140 N/A C:\Windows\aqkftpiwsklehaynywe.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 5532 wrote to memory of 6140 N/A C:\Windows\aqkftpiwsklehaynywe.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 5532 wrote to memory of 6140 N/A C:\Windows\aqkftpiwsklehaynywe.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 5716 wrote to memory of 4572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 5716 wrote to memory of 4572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 5716 wrote to memory of 4572 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3656 wrote to memory of 5212 N/A C:\Windows\system32\cmd.exe C:\Windows\cuqndbwmkehchcctggqie.exe
PID 3656 wrote to memory of 5212 N/A C:\Windows\system32\cmd.exe C:\Windows\cuqndbwmkehchcctggqie.exe
PID 3656 wrote to memory of 5212 N/A C:\Windows\system32\cmd.exe C:\Windows\cuqndbwmkehchcctggqie.exe
PID 5756 wrote to memory of 1520 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe"

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c80e476ddc2450c7d1bf465e8796f0d6.exe*"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe

"C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe" "-C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe"

C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe

"C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe" "-C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe .

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe .

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe .

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\gumfrlcoiyxopgcpy.exe*."

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\pexrezrezqqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\pexrezrezqqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe .

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\aqkftpiwsklehaynywe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe

C:\Users\Admin\AppData\Local\Temp\aqkftpiwsklehaynywe.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\aqkftpiwsklehaynywe.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe .

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\gumfrlcoiyxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aqkftpiwsklehaynywe.exe

C:\Windows\aqkftpiwsklehaynywe.exe

aqkftpiwsklehaynywe.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe .

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\cuqndbwmkehchcctggqie.exe*."

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\nezvkhbqngicgazpbaja.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe

C:\Users\Admin\AppData\Local\Temp\cuqndbwmkehchcctggqie.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\cuqndbwmkehchcctggqie.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pexrezrezqqikcznxu.exe .

C:\Windows\pexrezrezqqikcznxu.exe

pexrezrezqqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gumfrlcoiyxopgcpy.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\pexrezrezqqikcznxu.exe*."

C:\Windows\gumfrlcoiyxopgcpy.exe

gumfrlcoiyxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmdvgzpatigwwmht.exe .

C:\Windows\zmdvgzpatigwwmht.exe

zmdvgzpatigwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\zmdvgzpatigwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Users\Admin\AppData\Local\Temp\nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe

C:\Users\Admin\AppData\Local\Temp\zmdvgzpatigwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\zmdvgzpatigwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c nezvkhbqngicgazpbaja.exe .

C:\Windows\nezvkhbqngicgazpbaja.exe

nezvkhbqngicgazpbaja.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\nezvkhbqngicgazpbaja.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cuqndbwmkehchcctggqie.exe

C:\Windows\cuqndbwmkehchcctggqie.exe

cuqndbwmkehchcctggqie.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
DE 172.217.19.78:80 www.youtube.com tcp
LV 109.229.204.136:34928 tcp
DE 85.214.228.140:80 gyuuym.org tcp
US 8.8.8.8:53 nopafhn.com udp
SG 18.142.91.111:80 unxfuild.info tcp
US 104.156.155.94:80 cydlrge.info tcp
LV 46.109.250.120:24205 tcp
US 8.8.8.8:53 jmwtjf.net udp
US 8.8.8.8:53 vmrumy.net udp
MD 95.65.85.96:40253 tcp
US 8.8.8.8:53 fzbhbpln.info udp
US 8.8.8.8:53 zyfitez.info udp
US 8.8.8.8:53 ucgcixye.net udp
US 8.8.8.8:53 bklvfs.net udp
MD 178.168.91.49:35979 tcp
US 8.8.8.8:53 ehtxxlxjpzdt.net udp
US 8.8.8.8:53 wbhhhuh.info udp
US 8.8.8.8:53 nudbmguttzbq.net udp
BG 109.199.136.118:17148 tcp
US 8.8.8.8:53 ludrxtukexzw.net udp
US 8.8.8.8:53 hdmivoyua.com udp
LT 78.57.176.114:31785 tcp
US 8.8.8.8:53 vaygmufwnoo.org udp
US 8.8.8.8:53 twxywc.net udp
US 8.8.8.8:53 dhtkhlo.info udp
US 8.8.8.8:53 oynbdbhftsx.info udp
LT 78.57.144.167:13000 tcp
US 8.8.8.8:53 htpeqjognnpm.info udp
US 8.8.8.8:53 lktmayv.com udp
US 8.8.8.8:53 zbdispgco.info udp
US 8.8.8.8:53 zuhmapbot.net udp
LT 78.60.242.96:13556 tcp
US 8.8.8.8:53 iefialxo.net udp
US 8.8.8.8:53 cskfjyzihlwe.net udp
LT 78.61.72.236:43013 tcp
US 8.8.8.8:53 ofmygwzqf.info udp
US 8.8.8.8:53 xrjmbmgmisvh.info udp
US 8.8.8.8:53 jmipbn.info udp
US 8.8.8.8:53 nhmyomxjv.info udp
BG 91.148.146.249:20854 tcp
US 8.8.8.8:53 bctwfgikb.org udp
US 8.8.8.8:53 eakirog.net udp
US 8.8.8.8:53 uwxmbnsumsu.net udp
BG 130.204.169.69:19438 tcp
US 8.8.8.8:53 uoxjsmld.info udp
BG 89.215.241.168:20497 tcp
US 8.8.8.8:53 rirawmevp.org udp
US 8.8.8.8:53 pvesxitaordl.info udp
US 8.8.8.8:53 qeuouy.com udp
LT 84.32.125.156:25573 tcp
US 8.8.8.8:53 qurwhzshpg.net udp
US 8.8.8.8:53 wikosmioag.org udp
LT 78.157.80.186:13475 tcp
US 8.8.8.8:53 mcyiuguwgg.com udp
US 8.8.8.8:53 kimxnalcrpk.net udp
BG 94.156.81.22:37325 tcp
US 8.8.8.8:53 qfprkq.info udp
US 8.8.8.8:53 gvlqwyza.net udp
MD 92.115.169.145:37193 tcp
US 8.8.8.8:53 hnfkbcvqhpz.org udp
US 8.8.8.8:53 monwekv.info udp
RU 94.41.245.178:40201 tcp
US 8.8.8.8:53 zyvtdnih.net udp
US 8.8.8.8:53 llbsaq.info udp
US 8.8.8.8:53 burytra.info udp
BG 212.233.209.31:17159 tcp
US 8.8.8.8:53 wacwiq.org udp
US 8.8.8.8:53 tsbqamkmcqz.info udp
DE 85.214.228.140:80 gyuuym.org tcp
LT 78.57.172.106:36223 tcp
US 8.8.8.8:53 maqgaggm.org udp
US 8.8.8.8:53 fofghyx.info udp
SG 18.142.91.111:80 unxfuild.info tcp
US 8.8.8.8:53 sbdkki.info udp
US 8.8.8.8:53 enmahlfllkfw.info udp
US 8.8.8.8:53 zgwqwlbxnhgx.info udp
US 8.8.8.8:53 ggoiukqgsikq.org udp
US 8.8.8.8:53 qofqgod.info udp
US 8.8.8.8:53 awisvuy.info udp
US 8.8.8.8:53 xuhgmsraiyx.info udp
US 8.8.8.8:53 eaharf.net udp
US 8.8.8.8:53 udzdjiddn.net udp
US 8.8.8.8:53 jksfafxq.net udp
US 8.8.8.8:53 emwiqo.com udp
US 8.8.8.8:53 bbxsopcbsv.net udp
US 8.8.8.8:53 butrrgffxwe.info udp
US 8.8.8.8:53 vmqkjur.info udp
US 8.8.8.8:53 ygoukmwg.org udp
US 8.8.8.8:53 mfnrnhqeeyv.info udp
US 8.8.8.8:53 qaxkzsv.net udp
US 8.8.8.8:53 xwhkkybcnwi.org udp
US 104.156.155.94:80 cydlrge.info tcp
US 8.8.8.8:53 euxyhykczfj.info udp
US 8.8.8.8:53 mjotpzfbosdh.info udp
US 8.8.8.8:53 iesqumuvluzb.net udp
US 8.8.8.8:53 psbybeacior.com udp
US 8.8.8.8:53 kmguszfz.net udp
US 8.8.8.8:53 ykjaji.net udp
US 8.8.8.8:53 luvehemiri.info udp
US 8.8.8.8:53 kredomdjwq.info udp
US 8.8.8.8:53 nxnfng.info udp
US 8.8.8.8:53 lrnsnuisgbdt.info udp
US 8.8.8.8:53 lalckpw.org udp
US 8.8.8.8:53 ugaswoqi.com udp
US 8.8.8.8:53 jchaljguxsd.com udp
US 8.8.8.8:53 jmxwboqabud.info udp
US 8.8.8.8:53 hyravgpfay.info udp
US 8.8.8.8:53 smuwcyymiqme.com udp
US 8.8.8.8:53 sufmlejmugt.net udp
US 8.8.8.8:53 hmfurcniz.info udp
US 8.8.8.8:53 fatfknvnqauj.info udp
US 8.8.8.8:53 nnturowzjw.net udp
US 8.8.8.8:53 ddpobim.org udp
US 8.8.8.8:53 dahiuvsmkqrk.net udp
US 8.8.8.8:53 ivukvkcsxko.info udp
US 8.8.8.8:53 tiavpmp.info udp
US 8.8.8.8:53 jqngstdpd.com udp
US 8.8.8.8:53 rmvhpsu.org udp
US 8.8.8.8:53 trvbni.net udp
US 8.8.8.8:53 soxkamiyx.info udp
US 8.8.8.8:53 ocuosoimmq.com udp
US 8.8.8.8:53 qmmaac.org udp
US 8.8.8.8:53 ewhqxezcwwc.net udp
US 8.8.8.8:53 gakgwdpjes.info udp
US 8.8.8.8:53 hkttbyct.net udp
US 8.8.8.8:53 yoaoooewyeeo.com udp
US 8.8.8.8:53 pypovyqkzwd.com udp
US 8.8.8.8:53 mvsfddoqpx.net udp
US 8.8.8.8:53 oidktbl.net udp
US 8.8.8.8:53 rkdzryp.info udp
US 8.8.8.8:53 kjeuyo.net udp
US 8.8.8.8:53 wxpbyi.net udp
BG 93.155.153.12:13119 tcp
US 8.8.8.8:53 dqjrswwie.com udp
US 8.8.8.8:53 xvfuumog.info udp
US 8.8.8.8:53 fydoswj.com udp
US 8.8.8.8:53 cssucwqysu.org udp
US 8.8.8.8:53 kruodbjopqw.info udp
US 8.8.8.8:53 jzlhcarsuu.net udp
US 8.8.8.8:53 vrxmprngmlhk.net udp
US 8.8.8.8:53 vwpihwd.info udp
US 8.8.8.8:53 iudrtfph.info udp
US 8.8.8.8:53 eznabol.net udp
US 8.8.8.8:53 bswkjqx.org udp
US 8.8.8.8:53 nxdzfgtyp.com udp
US 8.8.8.8:53 sugaiu.org udp
US 8.8.8.8:53 mmyyusriz.info udp
US 8.8.8.8:53 yiqjeelfpmzu.info udp
US 8.8.8.8:53 pvtjvcxzz.com udp
US 8.8.8.8:53 wowcaomy.com udp
US 8.8.8.8:53 klqmnybibg.net udp
US 8.8.8.8:53 dfdydoibdmlr.info udp
US 8.8.8.8:53 qcvurin.net udp
US 8.8.8.8:53 waqacqki.org udp
US 8.8.8.8:53 wygiokci.com udp
US 8.8.8.8:53 sfmyje.net udp
US 8.8.8.8:53 gwplpcriiur.net udp
US 8.8.8.8:53 qwaavh.net udp
US 8.8.8.8:53 todiyvu.net udp
US 8.8.8.8:53 lyxmnybibg.info udp
US 8.8.8.8:53 vsgcvdewaap.net udp
US 8.8.8.8:53 quebrd.net udp
US 8.8.8.8:53 tizwrksiluz.net udp
US 8.8.8.8:53 liprnmfuf.net udp
US 8.8.8.8:53 dkouvubcpovf.info udp
US 8.8.8.8:53 kgucribs.info udp
US 8.8.8.8:53 olwdym.info udp
US 8.8.8.8:53 rgnyneo.info udp
US 8.8.8.8:53 pgnxdav.info udp
US 8.8.8.8:53 zyfitez.info udp
US 8.8.8.8:53 dalsjnnthafg.net udp
US 8.8.8.8:53 roefjlfcbm.net udp
US 8.8.8.8:53 pwbohet.org udp
US 8.8.8.8:53 zjjfdo.info udp
US 8.8.8.8:53 wmiyldz.net udp
US 8.8.8.8:53 leqdurjb.net udp

Files

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

MD5 bbab93c524d89d5ec7c7e314d34c3247
SHA1 56b345bdea006a61c5c91d61399b10070c187150
SHA256 8bf6a25f945237a78265c051e06f71ce9b67c4474bb395acf30a5ddcec8b320f
SHA512 50e8e362697874519b025e1690793a1fcbb4621b00716c796de3fd8bb830ea8d0851e434045dc5519890b1e3ef5675fdac72afbbf096a321dc2b52f9a962c053

C:\Windows\SysWOW64\pexrezrezqqikcznxu.exe

MD5 c80e476ddc2450c7d1bf465e8796f0d6
SHA1 c01e78777fbd41c983942ef10546613ce2537f5b
SHA256 cf50f189fc5b6fb4762cee07c4d5e22cdbeb853132f86f6c757033aff65a83a1
SHA512 6adc3688772558bcbc094335a84ea7bddd84615c509991788debeb9c34c94702c883e5cb06148a1aa45b5b4d63e362dead24b5e12056e7efa91cb46415f8f832

C:\Users\Admin\AppData\Local\Temp\nqxfgp.exe

MD5 5e6aee15c8fa260ee5ced7b5880cf71b
SHA1 99a790c3928f56bef630cda62b04b7378630f005
SHA256 18200fb5fb179ac35a1feb0e7f26bf5462424e6c844e0745eac9f1ce0d6e6ca0
SHA512 c73beda79fc6bf92131cdde1c8b4dbddef3472abc4cb1df2663627212ecbb252dcc8934e7e27c51cb53ccd260b9c31c21f440dda98ec371065e36eacf51b18de

C:\Users\Admin\AppData\Local\ecehdhieiirsdekhagwuwzv.awa

MD5 fe2acf124ec44cf617717aa25f0eb795
SHA1 6ccbc165b4593a35a14ea1a19d07ecfdaf1593e3
SHA256 6c8c80a5d8f111b468cd76cb2fa1506b35b555bc7c021c7260642c05b12172bc
SHA512 04f1b0ca3f1c8c524938e768abc5093dcc5918f06baf9a2ad34ab31bc7662fe8bbedd3f8f24b003377262a63dae5f812fa91de5c4a27072432c9b1bec119b9d3

C:\Users\Admin\AppData\Local\ranbixjqfqkwsevdhyzivjqfrynyseamdl.ghq

MD5 cec591a078094e29652b146e13b00498
SHA1 dd156de15dfe953f6618fe9d75cd58c06836a5c6
SHA256 1b225dfafd0434a6f78b2c03e44c83e6b3aad6701ecefc45ff2308e0f9de69c5
SHA512 e3ca149a632f36a91549c864b86acd5fbaa53c057c0c2911981fe60eae32e84924ece3f51b88a0a5f018767abb779ad242f78fa386f3c5023a577e0c6033d0ff

C:\Program Files (x86)\ecehdhieiirsdekhagwuwzv.awa

MD5 54e7106b08c9f7a58a23b90b06cd0f5c
SHA1 ac174fc011680836627156a8f162a660a629e812
SHA256 7a57577194a5b1fe7325558823e9c752e9cdf31b69c74a6b9c7e3d5413e8e9f3
SHA512 5fb32d4a6c9eec7435ac7514cc93d3f0242ed39c6091ce59b1307a0f4c12058d33ac86dc40deba33ec5c9e8cf9071e1c8b80fb955044b4f18e9c17aec02139ff

C:\Program Files (x86)\ecehdhieiirsdekhagwuwzv.awa

MD5 e96c7d50dfc0f11db2dfbafc8fc3f376
SHA1 d1c2b9bcb624027401802904d8911967d68ee4b8
SHA256 a8b8fc7eddcf47c4a2b76bd27f0585f480630a5f78e9a4f38b2cccf3a6d33731
SHA512 b91c32765c05787e5197fdaeb2e95ef266d4acc04399844994f3af8672319af55519b7ad3e62ead23387ef8e0780dfed1900b79dfe58fa314ed99b76c638528c

C:\Program Files (x86)\ecehdhieiirsdekhagwuwzv.awa

MD5 1c8634738c3f6db0e7515dad42331e3e
SHA1 5495eab1a8cc603dbc9a6c1a4aeee503f694bab4
SHA256 a595214ea1c26ca9af4909d79d97cd8f7f461526be9377e0bcd86a009cf4f12a
SHA512 bac621e93b58bcb689555799bab345d1c13b2c6f0256f20448c0be16dfc229353e40f01890b3c0bcfb2af00f36fbaaecd81237e7efaec765d251f7405eced123

C:\Program Files (x86)\ecehdhieiirsdekhagwuwzv.awa

MD5 c8cc48c2b323fdc7b022fb6e05242190
SHA1 c8f7f5cf1db2c50c3ab7c659b3b745b6c3b04766
SHA256 ba6d370affc10b641d3382fcc03072a9e5d9c63f94c2ee8a6370e93829343628
SHA512 e2c65f0fd518eb3d57fd50855867eb26065e94a216c06386a765df5a707f6afa9f66a06011ae485fa91e0c5d494681ff89e84a2a80f96de0c174737482c46855

C:\Program Files (x86)\ecehdhieiirsdekhagwuwzv.awa

MD5 668d48acb11fd87e03ca83902c4a5ed5
SHA1 c94b920c2f5543467538902487e4d8a98800e5c7
SHA256 bffa5013cee684218b7ef5dd31134a3d378c4a6404814319ee0625220b6ea475
SHA512 2f21a862a5bd5073cb61e304778141c84c81cd8a6ea78ff91b6d8fee1459102d818e73c94534bcc10b1bf7a5701f06fc27c32d7792fdaa08f9fca351b4824db8

C:\Program Files (x86)\ecehdhieiirsdekhagwuwzv.awa

MD5 12f11b011b2130f2395a2228a5b50515
SHA1 b9f3f1425f0e8a2554084a5d71e931d2ca6f1900
SHA256 41b3769ce19dd036ce21b124cd9bbedcd3c0736d728bfd84cfd7fa977ed871fd
SHA512 9e5a63c579e36b08bcf7ccfcb64591db22cde78fcfd8eaf00573efe027d424e771d5ff2fceb28e644612ef9a2ca236c8c1e8f222d48f709d9836e5aa5e3be496