Malware Analysis Report

2025-08-10 16:33

Sample ID 250421-pkp6tattev
Target JaffaCakes118_c940916a51510ded99612bd93114de0d
SHA256 23500abd545b632364da058b1e9fa90a6c5377fd39266246bee94b0be750775a
Tags
pykspa defense_evasion discovery persistence privilege_escalation trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

23500abd545b632364da058b1e9fa90a6c5377fd39266246bee94b0be750775a

Threat Level: Known bad

The file JaffaCakes118_c940916a51510ded99612bd93114de0d was found to be: Known bad.

Malicious Activity Summary

pykspa defense_evasion discovery persistence privilege_escalation trojan worm

UAC bypass

Pykspa family

Modifies WinLogon for persistence

Pykspa

Detect Pykspa worm

Adds policy Run key to start application

Disables RegEdit via registry modification

Impair Defenses: Safe Mode Boot

Checks computer location settings

Executes dropped EXE

Checks whether UAC is enabled

Hijack Execution Flow: Executable Installer File Permissions Weakness

Adds Run key to start application

Looks up external IP address via web service

Drops file in System32 directory

Drops autorun.inf file

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-21 12:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-04-21 12:23

Reported

2025-04-21 12:26

Platform

win11-20250410-en

Max time kernel

83s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A

Pykspa

worm pykspa

Pykspa family

pykspa

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A

Detect Pykspa worm

worm
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbqqzep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbbmgwsfdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "vnoavmjxwllehaynywz.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbqqzep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xruifyxnofhchcctgglfi.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbqqzep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqatidpmzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "brqatidpmzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbqqzep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibdqmecrrhicgazpbaex.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "kbbmgwsfdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "vnoavmjxwllehaynywz.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "vnoavmjxwllehaynywz.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "ujhqiwqbxjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbqqzep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqatidpmzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbqqzep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xruifyxnofhchcctgglfi.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "ujhqiwqbxjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbqqzep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbbmgwsfdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "ibdqmecrrhicgazpbaex.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "ibdqmecrrhicgazpbaex.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbqqzep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqatidpmzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbqqzep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibdqmecrrhicgazpbaex.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "vnoavmjxwllehaynywz.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbqqzep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbbmgwsfdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbqqzep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibdqmecrrhicgazpbaex.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbqqzep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbbmgwsfdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "ibdqmecrrhicgazpbaex.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "kbbmgwsfdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "vnoavmjxwllehaynywz.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbqqzep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbbmgwsfdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "xruifyxnofhchcctgglfi.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "ibdqmecrrhicgazpbaex.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "ujhqiwqbxjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "vnoavmjxwllehaynywz.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbqqzep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibdqmecrrhicgazpbaex.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbqqzep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbbmgwsfdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbqqzep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibdqmecrrhicgazpbaex.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "kbbmgwsfdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "vnoavmjxwllehaynywz.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "brqatidpmzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbqqzep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibdqmecrrhicgazpbaex.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbqqzep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnoavmjxwllehaynywz.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "brqatidpmzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbqqzep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqatidpmzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "ibdqmecrrhicgazpbaex.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbqqzep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibdqmecrrhicgazpbaex.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "vnoavmjxwllehaynywz.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbqqzep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnoavmjxwllehaynywz.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbqqzep = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xruifyxnofhchcctgglfi.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udvyksglbh = "ibdqmecrrhicgazpbaex.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\brqatidpmzxopgcpy.exe N/A
N/A N/A C:\Windows\ibdqmecrrhicgazpbaex.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\ibdqmecrrhicgazpbaex.exe N/A
N/A N/A C:\Windows\ujhqiwqbxjgwwmht.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
N/A N/A C:\Windows\brqatidpmzxopgcpy.exe N/A
N/A N/A C:\Windows\ujhqiwqbxjgwwmht.exe N/A
N/A N/A C:\Windows\xruifyxnofhchcctgglfi.exe N/A
N/A N/A C:\Windows\xruifyxnofhchcctgglfi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\xruifyxnofhchcctgglfi.exe N/A
N/A N/A C:\Windows\brqatidpmzxopgcpy.exe N/A
N/A N/A C:\Windows\vnoavmjxwllehaynywz.exe N/A
N/A N/A C:\Windows\vnoavmjxwllehaynywz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\vnoavmjxwllehaynywz.exe N/A
N/A N/A C:\Windows\xruifyxnofhchcctgglfi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\ibdqmecrrhicgazpbaex.exe N/A
N/A N/A C:\Windows\xruifyxnofhchcctgglfi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\ibdqmecrrhicgazpbaex.exe N/A
N/A N/A C:\Windows\ibdqmecrrhicgazpbaex.exe N/A
N/A N/A C:\Windows\brqatidpmzxopgcpy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Windows\kbbmgwsfdrqikcznxu.exe N/A
N/A N/A C:\Windows\brqatidpmzxopgcpy.exe N/A
N/A N/A C:\Windows\brqatidpmzxopgcpy.exe N/A
N/A N/A C:\Windows\vnoavmjxwllehaynywz.exe N/A
N/A N/A C:\Windows\vnoavmjxwllehaynywz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lxsynypxqztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnoavmjxwllehaynywz.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\pzswjshneld = "ibdqmecrrhicgazpbaex.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bjacnuhla = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnoavmjxwllehaynywz.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\pzswjshneld = "xruifyxnofhchcctgglfi.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lxsynypxqztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujhqiwqbxjgwwmht.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lxsynypxqztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibdqmecrrhicgazpbaex.exe ." C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\krhisykn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xruifyxnofhchcctgglfi.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\krhisykn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqatidpmzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzvcsewfzjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbbmgwsfdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bjacnuhla = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xruifyxnofhchcctgglfi.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krhisykn = "brqatidpmzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\krhisykn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqatidpmzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzvcsewfzjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqatidpmzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzvcsewfzjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqatidpmzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lxsynypxqztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xruifyxnofhchcctgglfi.exe ." C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bjacnuhla = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqatidpmzxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bjacnuhla = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnoavmjxwllehaynywz.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzvcsewfzjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqatidpmzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krhisykn = "ujhqiwqbxjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\pzswjshneld = "ibdqmecrrhicgazpbaex.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mxrwkukrjrkw = "ujhqiwqbxjgwwmht.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjacnuhla = "ibdqmecrrhicgazpbaex.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzvcsewfzjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xruifyxnofhchcctgglfi.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\krhisykn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujhqiwqbxjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzvcsewfzjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibdqmecrrhicgazpbaex.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzvcsewfzjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnoavmjxwllehaynywz.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjacnuhla = "ujhqiwqbxjgwwmht.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mxrwkukrjrkw = "kbbmgwsfdrqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mxrwkukrjrkw = "ibdqmecrrhicgazpbaex.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzvcsewfzjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnoavmjxwllehaynywz.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mxrwkukrjrkw = "kbbmgwsfdrqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krhisykn = "ujhqiwqbxjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzvcsewfzjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqatidpmzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\pzswjshneld = "ibdqmecrrhicgazpbaex.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krhisykn = "kbbmgwsfdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjacnuhla = "brqatidpmzxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krhisykn = "kbbmgwsfdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lxsynypxqztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibdqmecrrhicgazpbaex.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bjacnuhla = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbbmgwsfdrqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\krhisykn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibdqmecrrhicgazpbaex.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lxsynypxqztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brqatidpmzxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzvcsewfzjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujhqiwqbxjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krhisykn = "xruifyxnofhchcctgglfi.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mxrwkukrjrkw = "ibdqmecrrhicgazpbaex.exe ." C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bjacnuhla = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xruifyxnofhchcctgglfi.exe ." C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjacnuhla = "brqatidpmzxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\pzswjshneld = "brqatidpmzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krhisykn = "ujhqiwqbxjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krhisykn = "xruifyxnofhchcctgglfi.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzvcsewfzjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xruifyxnofhchcctgglfi.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\pzswjshneld = "kbbmgwsfdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mxrwkukrjrkw = "kbbmgwsfdrqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krhisykn = "kbbmgwsfdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lxsynypxqztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnoavmjxwllehaynywz.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjacnuhla = "xruifyxnofhchcctgglfi.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjacnuhla = "ujhqiwqbxjgwwmht.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lxsynypxqztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnoavmjxwllehaynywz.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bjacnuhla = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnoavmjxwllehaynywz.exe ." C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\krhisykn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbbmgwsfdrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lxsynypxqztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujhqiwqbxjgwwmht.exe ." C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krhisykn = "brqatidpmzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\mxrwkukrjrkw = "ujhqiwqbxjgwwmht.exe ." C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\pzswjshneld = "ibdqmecrrhicgazpbaex.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krhisykn = "vnoavmjxwllehaynywz.exe" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\brqatidpmzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ojncauulnfiekghznoupti.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\vnoavmjxwllehaynywz.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ojncauulnfiekghznoupti.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\kbbmgwsfdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\kbbmgwsfdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
File opened for modification C:\Windows\SysWOW64\kbbmgwsfdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\brqatidpmzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\kbbmgwsfdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\kbbmgwsfdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ojncauulnfiekghznoupti.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\vnoavmjxwllehaynywz.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ibdqmecrrhicgazpbaex.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\kbbmgwsfdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\vnoavmjxwllehaynywz.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ojncauulnfiekghznoupti.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ojncauulnfiekghznoupti.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
File opened for modification C:\Windows\SysWOW64\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\brqatidpmzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\brqatidpmzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\vnoavmjxwllehaynywz.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ojncauulnfiekghznoupti.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\vnoavmjxwllehaynywz.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ojncauulnfiekghznoupti.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\kbbmgwsfdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\vnoavmjxwllehaynywz.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ojncauulnfiekghznoupti.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\vnoavmjxwllehaynywz.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
File opened for modification C:\Windows\SysWOW64\ibdqmecrrhicgazpbaex.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ojncauulnfiekghznoupti.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\kbbmgwsfdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ibdqmecrrhicgazpbaex.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\brqatidpmzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\brqatidpmzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\kbbmgwsfdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\brqatidpmzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\vnoavmjxwllehaynywz.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ibdqmecrrhicgazpbaex.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ibdqmecrrhicgazpbaex.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ibdqmecrrhicgazpbaex.exe C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
File opened for modification C:\Windows\SysWOW64\ojncauulnfiekghznoupti.exe C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
File opened for modification C:\Windows\SysWOW64\vnoavmjxwllehaynywz.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\vnoavmjxwllehaynywz.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\brqatidpmzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\SysWOW64\yxfyaycxdzggqqvrjoyxfy.ycx C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\pzswjshneldojukrukfpimzixdubtezka.kav C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
File opened for modification C:\Program Files (x86)\yxfyaycxdzggqqvrjoyxfy.ycx C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
File created C:\Program Files (x86)\yxfyaycxdzggqqvrjoyxfy.ycx C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
File opened for modification C:\Program Files (x86)\pzswjshneldojukrukfpimzixdubtezka.kav C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ibdqmecrrhicgazpbaex.exe C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
File opened for modification C:\Windows\brqatidpmzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\kbbmgwsfdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\brqatidpmzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
File opened for modification C:\Windows\kbbmgwsfdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
File opened for modification C:\Windows\pzswjshneldojukrukfpimzixdubtezka.kav C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
File opened for modification C:\Windows\kbbmgwsfdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\vnoavmjxwllehaynywz.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\brqatidpmzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\vnoavmjxwllehaynywz.exe C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
File opened for modification C:\Windows\ojncauulnfiekghznoupti.exe C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
File opened for modification C:\Windows\kbbmgwsfdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\kbbmgwsfdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ojncauulnfiekghznoupti.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ibdqmecrrhicgazpbaex.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ojncauulnfiekghznoupti.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\kbbmgwsfdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ibdqmecrrhicgazpbaex.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ibdqmecrrhicgazpbaex.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ojncauulnfiekghznoupti.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ojncauulnfiekghznoupti.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\brqatidpmzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\vnoavmjxwllehaynywz.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ojncauulnfiekghznoupti.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\brqatidpmzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ibdqmecrrhicgazpbaex.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\kbbmgwsfdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ojncauulnfiekghznoupti.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
File opened for modification C:\Windows\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
File opened for modification C:\Windows\ibdqmecrrhicgazpbaex.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\brqatidpmzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ibdqmecrrhicgazpbaex.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\vnoavmjxwllehaynywz.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ibdqmecrrhicgazpbaex.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\kbbmgwsfdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
File opened for modification C:\Windows\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\kbbmgwsfdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\brqatidpmzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ojncauulnfiekghznoupti.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ibdqmecrrhicgazpbaex.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\vnoavmjxwllehaynywz.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File created C:\Windows\yxfyaycxdzggqqvrjoyxfy.ycx C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
File opened for modification C:\Windows\kbbmgwsfdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\kbbmgwsfdrqikcznxu.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\ojncauulnfiekghznoupti.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
File opened for modification C:\Windows\vnoavmjxwllehaynywz.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\xruifyxnofhchcctgglfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\kbbmgwsfdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\vnoavmjxwllehaynywz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\brqatidpmzxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\xruifyxnofhchcctgglfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\kbbmgwsfdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ibdqmecrrhicgazpbaex.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\vnoavmjxwllehaynywz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\xruifyxnofhchcctgglfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ujhqiwqbxjgwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ujhqiwqbxjgwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\vnoavmjxwllehaynywz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\brqatidpmzxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\brqatidpmzxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\brqatidpmzxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\kbbmgwsfdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\xruifyxnofhchcctgglfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\brqatidpmzxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\xruifyxnofhchcctgglfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\vnoavmjxwllehaynywz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\xruifyxnofhchcctgglfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ujhqiwqbxjgwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\brqatidpmzxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ujhqiwqbxjgwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ibdqmecrrhicgazpbaex.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ibdqmecrrhicgazpbaex.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\vnoavmjxwllehaynywz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\xruifyxnofhchcctgglfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\xruifyxnofhchcctgglfi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\kbbmgwsfdrqikcznxu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 5400 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 1752 wrote to memory of 5400 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 1752 wrote to memory of 5400 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 3400 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\brqatidpmzxopgcpy.exe
PID 3400 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\brqatidpmzxopgcpy.exe
PID 3400 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\brqatidpmzxopgcpy.exe
PID 6112 wrote to memory of 4820 N/A C:\Windows\system32\cmd.exe C:\Windows\ibdqmecrrhicgazpbaex.exe
PID 6112 wrote to memory of 4820 N/A C:\Windows\system32\cmd.exe C:\Windows\ibdqmecrrhicgazpbaex.exe
PID 6112 wrote to memory of 4820 N/A C:\Windows\system32\cmd.exe C:\Windows\ibdqmecrrhicgazpbaex.exe
PID 4820 wrote to memory of 5028 N/A C:\Windows\ibdqmecrrhicgazpbaex.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 4820 wrote to memory of 5028 N/A C:\Windows\ibdqmecrrhicgazpbaex.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 4820 wrote to memory of 5028 N/A C:\Windows\ibdqmecrrhicgazpbaex.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 5060 wrote to memory of 5116 N/A C:\Windows\system32\cmd.exe C:\Windows\ibdqmecrrhicgazpbaex.exe
PID 5060 wrote to memory of 5116 N/A C:\Windows\system32\cmd.exe C:\Windows\ibdqmecrrhicgazpbaex.exe
PID 5060 wrote to memory of 5116 N/A C:\Windows\system32\cmd.exe C:\Windows\ibdqmecrrhicgazpbaex.exe
PID 3812 wrote to memory of 5144 N/A C:\Windows\system32\cmd.exe C:\Windows\ujhqiwqbxjgwwmht.exe
PID 3812 wrote to memory of 5144 N/A C:\Windows\system32\cmd.exe C:\Windows\ujhqiwqbxjgwwmht.exe
PID 3812 wrote to memory of 5144 N/A C:\Windows\system32\cmd.exe C:\Windows\ujhqiwqbxjgwwmht.exe
PID 2684 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe
PID 2684 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe
PID 2684 wrote to memory of 3064 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe
PID 5144 wrote to memory of 3732 N/A C:\Windows\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 5144 wrote to memory of 3732 N/A C:\Windows\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 5144 wrote to memory of 3732 N/A C:\Windows\ujhqiwqbxjgwwmht.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 5164 wrote to memory of 392 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe
PID 5164 wrote to memory of 392 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe
PID 5164 wrote to memory of 392 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe
PID 392 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 392 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 392 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 4548 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe
PID 4548 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe
PID 4548 wrote to memory of 4984 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe
PID 4872 wrote to memory of 4464 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe
PID 4872 wrote to memory of 4464 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe
PID 4872 wrote to memory of 4464 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe
PID 4464 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 4464 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 4464 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 5400 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe C:\Users\Admin\AppData\Local\Temp\xbomt.exe
PID 5400 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe C:\Users\Admin\AppData\Local\Temp\xbomt.exe
PID 5400 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe C:\Users\Admin\AppData\Local\Temp\xbomt.exe
PID 5400 wrote to memory of 5296 N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe C:\Users\Admin\AppData\Local\Temp\xbomt.exe
PID 5400 wrote to memory of 5296 N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe C:\Users\Admin\AppData\Local\Temp\xbomt.exe
PID 5400 wrote to memory of 5296 N/A C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe C:\Users\Admin\AppData\Local\Temp\xbomt.exe
PID 3248 wrote to memory of 5564 N/A C:\Windows\system32\cmd.exe C:\Windows\brqatidpmzxopgcpy.exe
PID 3248 wrote to memory of 5564 N/A C:\Windows\system32\cmd.exe C:\Windows\brqatidpmzxopgcpy.exe
PID 3248 wrote to memory of 5564 N/A C:\Windows\system32\cmd.exe C:\Windows\brqatidpmzxopgcpy.exe
PID 5536 wrote to memory of 3128 N/A C:\Windows\system32\cmd.exe C:\Windows\ujhqiwqbxjgwwmht.exe
PID 5536 wrote to memory of 3128 N/A C:\Windows\system32\cmd.exe C:\Windows\ujhqiwqbxjgwwmht.exe
PID 5536 wrote to memory of 3128 N/A C:\Windows\system32\cmd.exe C:\Windows\ujhqiwqbxjgwwmht.exe
PID 1708 wrote to memory of 5352 N/A C:\Windows\system32\cmd.exe C:\Windows\xruifyxnofhchcctgglfi.exe
PID 1708 wrote to memory of 5352 N/A C:\Windows\system32\cmd.exe C:\Windows\xruifyxnofhchcctgglfi.exe
PID 1708 wrote to memory of 5352 N/A C:\Windows\system32\cmd.exe C:\Windows\xruifyxnofhchcctgglfi.exe
PID 2444 wrote to memory of 1688 N/A C:\Windows\system32\cmd.exe C:\Windows\xruifyxnofhchcctgglfi.exe
PID 2444 wrote to memory of 1688 N/A C:\Windows\system32\cmd.exe C:\Windows\xruifyxnofhchcctgglfi.exe
PID 2444 wrote to memory of 1688 N/A C:\Windows\system32\cmd.exe C:\Windows\xruifyxnofhchcctgglfi.exe
PID 5352 wrote to memory of 5156 N/A C:\Windows\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 5352 wrote to memory of 5156 N/A C:\Windows\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 5352 wrote to memory of 5156 N/A C:\Windows\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 1688 wrote to memory of 5508 N/A C:\Windows\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 1688 wrote to memory of 5508 N/A C:\Windows\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 1688 wrote to memory of 5508 N/A C:\Windows\xruifyxnofhchcctgglfi.exe C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe
PID 5216 wrote to memory of 1432 N/A C:\Windows\system32\cmd.exe C:\Windows\xruifyxnofhchcctgglfi.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xbomt.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe"

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c940916a51510ded99612bd93114de0d.exe*"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe .

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\xbomt.exe

"C:\Users\Admin\AppData\Local\Temp\xbomt.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_c940916a51510ded99612bd93114de0d.exe"

C:\Users\Admin\AppData\Local\Temp\xbomt.exe

"C:\Users\Admin\AppData\Local\Temp\xbomt.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_c940916a51510ded99612bd93114de0d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe .

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe .

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*."

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe .

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*."

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe .

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*."

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ibdqmecrrhicgazpbaex.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*."

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ibdqmecrrhicgazpbaex.exe*."

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe .

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*."

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*."

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe .

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ibdqmecrrhicgazpbaex.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe .

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe .

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*."

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe .

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*."

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ibdqmecrrhicgazpbaex.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe .

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*."

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe .

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe .

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe .

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*."

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*."

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*."

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe .

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe .

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ibdqmecrrhicgazpbaex.exe*."

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*."

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ibdqmecrrhicgazpbaex.exe*."

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ibdqmecrrhicgazpbaex.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ibdqmecrrhicgazpbaex.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*."

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe .

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe .

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe .

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe .

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe .

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*."

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe .

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*."

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*."

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ibdqmecrrhicgazpbaex.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*."

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe .

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\vnoavmjxwllehaynywz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ibdqmecrrhicgazpbaex.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe .

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe .

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\xruifyxnofhchcctgglfi.exe*."

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe .

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe .

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xruifyxnofhchcctgglfi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ibdqmecrrhicgazpbaex.exe*."

C:\Windows\xruifyxnofhchcctgglfi.exe

xruifyxnofhchcctgglfi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xruifyxnofhchcctgglfi.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\xruifyxnofhchcctgglfi.exe*."

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe

C:\Users\Admin\AppData\Local\Temp\kbbmgwsfdrqikcznxu.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\ujhqiwqbxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\kbbmgwsfdrqikcznxu.exe*."

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe

C:\Users\Admin\AppData\Local\Temp\vnoavmjxwllehaynywz.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*."

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\vnoavmjxwllehaynywz.exe*."

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\ujhqiwqbxjgwwmht.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ujhqiwqbxjgwwmht.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibdqmecrrhicgazpbaex.exe

C:\Windows\ibdqmecrrhicgazpbaex.exe

ibdqmecrrhicgazpbaex.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c kbbmgwsfdrqikcznxu.exe .

C:\Windows\kbbmgwsfdrqikcznxu.exe

kbbmgwsfdrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ujhqiwqbxjgwwmht.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\kbbmgwsfdrqikcznxu.exe*."

C:\Windows\ujhqiwqbxjgwwmht.exe

ujhqiwqbxjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\windows\brqatidpmzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\brqatidpmzxopgcpy.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Users\Admin\AppData\Local\Temp\brqatidpmzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe

C:\Users\Admin\AppData\Local\Temp\ibdqmecrrhicgazpbaex.exe .

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

"C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe" "c:\users\admin\appdata\local\temp\ibdqmecrrhicgazpbaex.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vnoavmjxwllehaynywz.exe

C:\Windows\vnoavmjxwllehaynywz.exe

vnoavmjxwllehaynywz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c brqatidpmzxopgcpy.exe .

C:\Windows\brqatidpmzxopgcpy.exe

brqatidpmzxopgcpy.exe .

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
DE 142.250.181.196:80 www.google.com tcp
MD 178.168.50.42:31596 tcp
DE 85.214.228.140:80 gyuuym.org tcp
SG 18.142.91.111:80 unxfuild.info tcp
US 104.156.155.94:80 cydlrge.info tcp
MD 178.168.50.42:31596 tcp
US 8.8.8.8:53 piltbovqlfd.info udp
US 8.8.8.8:53 udlstbbbnv.net udp
ES 82.98.135.44:80 sociga.org tcp
US 8.8.8.8:53 tlrvmx.net udp
US 8.8.8.8:53 wasasacsas.org udp
US 8.8.8.8:53 nwdcdhnlvb.info udp
US 8.8.8.8:53 qwzokydmf.net udp
US 8.8.8.8:53 kcpklmfl.info udp
US 8.8.8.8:53 zbdopgfag.org udp
US 8.8.8.8:53 jjrefkv.net udp
US 8.8.8.8:53 rskbcv.info udp
US 8.8.8.8:53 ivewnr.info udp
US 8.8.8.8:53 amhgyanwm.info udp
US 8.8.8.8:53 yjlsjglyt.info udp
US 8.8.8.8:53 sqzurfx.net udp
US 8.8.8.8:53 bgmsfpzk.net udp
US 8.8.8.8:53 hgqozgyaplm.net udp
US 8.8.8.8:53 hgtwwotr.net udp
US 8.8.8.8:53 begivrkoxbi.info udp
US 8.8.8.8:53 rinsjbzocndh.info udp
US 8.8.8.8:53 kxldwaoqfn.info udp
US 8.8.8.8:53 pjomcj.net udp
US 8.8.8.8:53 lzwgpqnxhy.net udp
US 8.8.8.8:53 hqekff.info udp
US 8.8.8.8:53 robammlhw.net udp
US 8.8.8.8:53 hvmmnzl.org udp
US 8.8.8.8:53 nthafgeqx.org udp
US 8.8.8.8:53 uhfqljdhdr.info udp
US 8.8.8.8:53 tmfdrqxojeb.org udp
US 8.8.8.8:53 zugbedrtbm.net udp
US 8.8.8.8:53 bgywghag.info udp
US 8.8.8.8:53 xdfjnszdrz.net udp
US 8.8.8.8:53 sgdzhklkvfso.info udp
US 8.8.8.8:53 hrzclowol.net udp
US 8.8.8.8:53 emnuniy.info udp
US 8.8.8.8:53 wlukwtuwiylg.info udp
US 8.8.8.8:53 skqsiiae.org udp
US 8.8.8.8:53 knwgzqzz.net udp
US 8.8.8.8:53 hhegdjniewax.net udp
US 8.8.8.8:53 kugblw.info udp
US 8.8.8.8:53 alyypvemovoc.net udp
US 8.8.8.8:53 rbxzcgxodwei.info udp
US 8.8.8.8:53 pfnwhnkygf.net udp
US 8.8.8.8:53 egcssoqe.com udp
US 8.8.8.8:53 sdovmqavfrld.net udp
US 8.8.8.8:53 urwdwyzxuv.net udp
US 8.8.8.8:53 qlstpgkhcjbu.net udp
US 8.8.8.8:53 hyuller.net udp
US 8.8.8.8:53 nzitfaav.info udp
US 8.8.8.8:53 lguviyyx.net udp
US 8.8.8.8:53 fbwabifpbh.info udp
US 8.8.8.8:53 qkwoniwiffi.info udp
US 8.8.8.8:53 behvvjw.com udp
US 8.8.8.8:53 lktcrbw.com udp
US 8.8.8.8:53 dwksjuz.org udp
US 8.8.8.8:53 kkswcyeq.com udp
US 8.8.8.8:53 dgbubanshmj.net udp
US 8.8.8.8:53 qndglusk.net udp
US 8.8.8.8:53 ouhmywkhjlr.net udp
US 8.8.8.8:53 hyjodgw.info udp
US 8.8.8.8:53 ywsumsiu.com udp
US 8.8.8.8:53 oqeyieiwws.com udp
US 8.8.8.8:53 ypxwasyzz.net udp
US 8.8.8.8:53 dkdczgl.info udp
US 8.8.8.8:53 aeqgoumeeweg.org udp
US 8.8.8.8:53 ygblqgsrn.info udp
US 8.8.8.8:53 civurjm.net udp
US 8.8.8.8:53 eaictyqxc.info udp
US 8.8.8.8:53 qswifh.info udp
US 8.8.8.8:53 qecwdday.net udp
US 8.8.8.8:53 wqjarcbelof.info udp
US 8.8.8.8:53 bykepb.info udp
US 8.8.8.8:53 saqyjoxqhfqd.info udp
US 8.8.8.8:53 vgqxvqngngx.info udp
US 8.8.8.8:53 azsivhbed.info udp
US 8.8.8.8:53 fevpekof.info udp
US 8.8.8.8:53 vrnsxayt.info udp
US 8.8.8.8:53 uoapkyl.net udp
US 8.8.8.8:53 cgzqtowog.info udp
US 8.8.8.8:53 mosuokoiqaew.com udp
US 8.8.8.8:53 ckbbfpizdmfo.info udp
US 8.8.8.8:53 hbmkpt.net udp
US 8.8.8.8:53 qeasooggkkye.org udp
US 8.8.8.8:53 jjuvjqhgxwcm.info udp
US 8.8.8.8:53 jmxetlsqb.org udp
US 8.8.8.8:53 xuaiitdib.com udp
US 8.8.8.8:53 xqbqlg.net udp
US 8.8.8.8:53 gdiecndz.net udp
US 8.8.8.8:53 pwbyhgiedcz.com udp
US 8.8.8.8:53 wwflbn.net udp
US 8.8.8.8:53 pegezo.info udp
US 8.8.8.8:53 ntukzwe.com udp
US 8.8.8.8:53 fevpfshvp.org udp
US 8.8.8.8:53 eylhtgqncoy.net udp
US 8.8.8.8:53 xtruvapagyu.info udp
US 8.8.8.8:53 kcryxrris.info udp
US 8.8.8.8:53 vfcuvqvau.net udp
US 8.8.8.8:53 cuaqewgmco.com udp
US 8.8.8.8:53 xdtptyxdfbmq.net udp
US 8.8.8.8:53 zbfpgmgprk.info udp
US 8.8.8.8:53 jfjnkp.net udp
US 8.8.8.8:53 izsdiokvhb.net udp
US 8.8.8.8:53 pvzoenx.net udp
US 8.8.8.8:53 hzmjwu.info udp
US 8.8.8.8:53 ycqsioqs.org udp
US 8.8.8.8:53 giekgyskeiik.org udp
US 8.8.8.8:53 uvvirknz.info udp
US 8.8.8.8:53 eemskciyamks.com udp
US 8.8.8.8:53 mkcgkaac.org udp
US 8.8.8.8:53 hsulio.info udp
US 8.8.8.8:53 bavppixu.net udp
US 8.8.8.8:53 cmieoieocgkc.com udp
US 8.8.8.8:53 mrbncerydwf.info udp
US 8.8.8.8:53 ggwokqcu.info udp
US 8.8.8.8:53 cyseys.com udp
US 8.8.8.8:53 fkgritslx.org udp
US 8.8.8.8:53 rkpbcmlltej.org udp
US 8.8.8.8:53 iwkose.com udp
US 8.8.8.8:53 jfkkjw.info udp
US 8.8.8.8:53 anpobkamou.info udp
US 8.8.8.8:53 mdowkkd.info udp
US 8.8.8.8:53 lftavwpghnay.net udp
US 8.8.8.8:53 zanxbglov.net udp
US 8.8.8.8:53 dtstyn.net udp
US 8.8.8.8:53 niynlyncd.info udp
US 8.8.8.8:53 gxjrxz.info udp
US 8.8.8.8:53 zrlccdiqfqp.info udp
US 8.8.8.8:53 zbqtpeerkb.net udp
US 8.8.8.8:53 lbysmyvsf.com udp
US 8.8.8.8:53 lhkalsoxbxbs.info udp
US 8.8.8.8:53 aueabafxsuh.info udp
US 8.8.8.8:53 bhlabua.net udp
US 8.8.8.8:53 zsnwlezrm.org udp
US 8.8.8.8:53 zuwrljtqss.net udp
US 8.8.8.8:53 ahohqylx.net udp
US 8.8.8.8:53 gfikfcl.net udp
US 8.8.8.8:53 uwvwpkf.info udp
US 8.8.8.8:53 msieoseq.org udp
US 8.8.8.8:53 ceujds.info udp
US 8.8.8.8:53 uvlwtqamveh.net udp
US 8.8.8.8:53 tmrxnmjrkb.net udp
US 8.8.8.8:53 gwzgpmfejib.info udp
US 8.8.8.8:53 talwbyj.com udp
US 8.8.8.8:53 fgfitdmkxkz.com udp
US 8.8.8.8:53 agkkkgaagoog.com udp
US 8.8.8.8:53 wgqwxbkuowh.net udp
US 8.8.8.8:53 xcbedngyf.com udp
US 8.8.8.8:53 bynthivwtx.net udp
US 8.8.8.8:53 uomieuwsgywa.com udp
US 8.8.8.8:53 fzkrxmam.info udp
US 8.8.8.8:53 lebgjn.info udp
US 8.8.8.8:53 aijmpvapvc.net udp
US 8.8.8.8:53 uxxbxpfirm.info udp
US 8.8.8.8:53 fixijml.org udp
US 8.8.8.8:53 eklwrsuu.info udp
US 8.8.8.8:53 vdsjxbhublny.net udp
US 8.8.8.8:53 botaksobzyf.net udp
US 8.8.8.8:53 bvrlxiawb.net udp
US 8.8.8.8:53 hpizemympz.net udp
US 8.8.8.8:53 ncngoqugjkv.net udp
US 8.8.8.8:53 uuooyqumoq.org udp
US 8.8.8.8:53 rzdxhawz.info udp
US 8.8.8.8:53 bujydax.net udp
US 8.8.8.8:53 guftbyn.net udp
US 8.8.8.8:53 qhewjij.net udp
US 8.8.8.8:53 dwkcrend.info udp
US 8.8.8.8:53 egaeaaaowkgg.com udp
US 8.8.8.8:53 lhqijd.net udp
US 8.8.8.8:53 amvhpcrl.net udp
US 8.8.8.8:53 sxsydftugfl.net udp
US 8.8.8.8:53 qoluxcicfjb.info udp
US 8.8.8.8:53 ucyyauoy.org udp
US 8.8.8.8:53 arrksr.info udp
US 8.8.8.8:53 dddojxdkt.info udp
US 8.8.8.8:53 qclkbwh.info udp
US 8.8.8.8:53 msoiygcw.org udp
US 8.8.8.8:53 teuufipozon.org udp
US 8.8.8.8:53 ilbuxgg.net udp
US 8.8.8.8:53 jntxuexoq.net udp
US 8.8.8.8:53 rrflqt.info udp
US 8.8.8.8:53 dlgplkngr.info udp
US 8.8.8.8:53 bmxdra.net udp
US 8.8.8.8:53 jexeggp.info udp
US 8.8.8.8:53 rgbcprqwglca.info udp
US 8.8.8.8:53 awtrjqbmv.net udp
US 8.8.8.8:53 uijutweml.info udp
US 8.8.8.8:53 tcmyprl.org udp
US 8.8.8.8:53 bgknufqxrr.net udp
US 8.8.8.8:53 cydgbr.net udp
US 8.8.8.8:53 ejpdqikairvo.info udp
US 8.8.8.8:53 lefcimnpbcw.net udp
US 8.8.8.8:53 epmvsjkgcypv.info udp
US 8.8.8.8:53 zaheatxxrlb.net udp
US 8.8.8.8:53 hrhxvw.net udp
US 8.8.8.8:53 ssgqsckw.com udp
US 8.8.8.8:53 tzeoljmx.net udp
US 8.8.8.8:53 paaidistdbtq.net udp
US 8.8.8.8:53 eqskuitr.net udp
US 8.8.8.8:53 cxritgbkwiqj.net udp
US 8.8.8.8:53 eaeeqk.org udp
US 8.8.8.8:53 tbvxhkoasb.info udp
US 8.8.8.8:53 uexcfyd.info udp
US 8.8.8.8:53 wfrqxpvej.net udp
US 8.8.8.8:53 xflrdxdu.net udp
US 8.8.8.8:53 idmevs.info udp
US 8.8.8.8:53 llvcwyqgiy.info udp
US 8.8.8.8:53 gptaoesms.net udp
US 8.8.8.8:53 yabgjuiyvpj.net udp
US 8.8.8.8:53 emjwobloydp.net udp
US 8.8.8.8:53 jwlskujozdq.com udp
US 8.8.8.8:53 ymaawysgye.com udp
US 8.8.8.8:53 mrrhvip.net udp
US 8.8.8.8:53 eidweipmccj.net udp
US 8.8.8.8:53 yqtafgfohsp.net udp
US 8.8.8.8:53 aoqcohkuksfx.info udp
US 8.8.8.8:53 woeoaqumey.com udp
US 8.8.8.8:53 adfyesnezgd.info udp
US 8.8.8.8:53 ehmkhp.net udp
US 8.8.8.8:53 nrpqjt.info udp
US 8.8.8.8:53 xehudwfktlj.info udp
US 8.8.8.8:53 wyvccqhyhyl.net udp
US 8.8.8.8:53 fvqyfimtluav.net udp
US 8.8.8.8:53 qmxgxwtqoan.info udp
US 8.8.8.8:53 nvcfunplg.org udp
US 8.8.8.8:53 lktgnxez.info udp
US 8.8.8.8:53 xrxadkxki.com udp
US 8.8.8.8:53 uqbhmbokfqr.net udp
US 8.8.8.8:53 qgooeigi.com udp
US 8.8.8.8:53 lkngjoezjnq.com udp
US 8.8.8.8:53 kapgkkhqpmr.info udp
US 8.8.8.8:53 cojtdsnev.info udp
US 8.8.8.8:53 srbwimxsnx.net udp
US 8.8.8.8:53 vqoovoqtl.org udp
US 8.8.8.8:53 wrbgtg.info udp
US 8.8.8.8:53 ozxwvmtjlc.info udp
US 8.8.8.8:53 xbfhtyff.info udp
US 8.8.8.8:53 diryrxcmd.info udp
US 8.8.8.8:53 cseomiaumgcq.com udp
US 8.8.8.8:53 vsswekgnat.info udp
US 8.8.8.8:53 oldsyvr.info udp
DE 85.214.228.140:80 gyuuym.org tcp
SG 18.142.91.111:80 unxfuild.info tcp
US 8.8.8.8:53 dcmglijgb.com udp
US 8.8.8.8:53 pinetsredld.net udp
US 8.8.8.8:53 ggoiukqgsikq.org udp
US 8.8.8.8:53 qofqgod.info udp
US 8.8.8.8:53 badhmt.net udp
US 8.8.8.8:53 eisumi.org udp
US 8.8.8.8:53 udzdjiddn.net udp
US 8.8.8.8:53 avzepmbyh.net udp
US 8.8.8.8:53 uaumuuyw.org udp
US 8.8.8.8:53 zcjnaizp.info udp
US 8.8.8.8:53 kmgynxdaj.info udp
US 8.8.8.8:53 vmqkjur.info udp
US 8.8.8.8:53 ovplbv.net udp
US 8.8.8.8:53 iyeiiuuioq.com udp
US 8.8.8.8:53 ygoukmwg.org udp

Files

C:\Users\Admin\AppData\Local\Temp\xidoeloehsn.exe

MD5 06aedb342d1b1429c6220b98a5d34b44
SHA1 fa8a483de5cee3e6c4e12c825f001e84c6359e77
SHA256 f8304c8d806a881ff1ebc0c18b162f9e8a1dcd4829682efb92b6d5c12c21cd8b
SHA512 d6dc56e6f6f4ee32800b93057ced5da7ee361f1f172985e640f6485554d82aaafa97bddb4add76d13c90967fc8323074ede4ff218525c1612ff9c51c9e6be2ed

C:\Windows\SysWOW64\kbbmgwsfdrqikcznxu.exe

MD5 c940916a51510ded99612bd93114de0d
SHA1 af052d166386189ab6c14e8e49831b6459c42b5f
SHA256 23500abd545b632364da058b1e9fa90a6c5377fd39266246bee94b0be750775a
SHA512 7981e1a0e321645e396b80b9bddc102f901466f85f74bb252bf99088e083033a55a8eaad519b428cd161038a6d32e5a47c44dbc3ec2e2f8dc41cc21c2bd87ef1

C:\Users\Admin\AppData\Local\Temp\xbomt.exe

MD5 94fe44c33b3426786e9f80da8fca49cc
SHA1 d74811a3a5a9fa17f3c19fcd25601fdc3d2aaf91
SHA256 c07020e4dea59e1431387932e218be23478f96804eed9d761190fc72e36fce7d
SHA512 95954735f8e8de699cc477d61b82da09dcf601313d1ca04888bbdd0916a547ba9dca9e391783266895f4ceb8bc0098d2e1e5f4191c3389f419f125a4546e594a

C:\Users\Admin\AppData\Local\yxfyaycxdzggqqvrjoyxfy.ycx

MD5 03f7a126523640e6f5c9a630368e22e8
SHA1 ecff08853e3412d9b977d21e8c0e78df3eb7a88b
SHA256 698dd85a0deed6b6f62686899046ef29cd0553f932d857bdd9e4bfb4f531fc24
SHA512 28979783ab8e31825734a9b58c9fd07013f2f0bc183bd1f35325f2b597cd8b109df9783ef2b4f4a454258b4377cfb52f0dd1e4167439d7b5510b4635e7d20694

C:\Users\Admin\AppData\Local\pzswjshneldojukrukfpimzixdubtezka.kav

MD5 a60512e18b998a5f4e465a3dc686671d
SHA1 64f2214f334e35b9e23859703cb262a520fd5dfd
SHA256 0743046edae013af23027160a86de4725aeb40fbc358a85f2aa752c15cfbfe6d
SHA512 6edcbc8826bba1c7bd25f662228b0b16a74aec0cbb9a21274e2757305ff4187f6d4f20284ac1a0a558c560c91e8b2374b129a548b8e21cb5b9081455bcb10184

C:\Program Files (x86)\yxfyaycxdzggqqvrjoyxfy.ycx

MD5 7fbd9b6926cd467f0c7396e36aa1987a
SHA1 032a48b6d70cfc537e539d01618b34c7b016f673
SHA256 1b9f30934fc2613c17a4903cfc82992bee3589a6407c926f0f5c674a72e16d78
SHA512 3727bc825c789c91774c221310d71950a46267788b52cc98c3e4e563082d3f8776dbf5284300d73939d646086bdf40c620fe88e2fd8818b39ffda947bb6e424f

C:\Program Files (x86)\yxfyaycxdzggqqvrjoyxfy.ycx

MD5 d7f192a835cbe8690a11caa25e656372
SHA1 0c6950eaead3e5fa0d9ea669164d7fc13405e782
SHA256 ad15d2e52384d3e9481d77f84d6b73e1495b87a31379a1300a12879aa72bb173
SHA512 d0c40205b9051eade5330abcd31ec1b3dbf418520d6590d0ce3e3c7b58058fa059b0478017f1c9be6d4d34ef9adaaa17592bb13e82648b154ee5df9de8b42a26

C:\Program Files (x86)\yxfyaycxdzggqqvrjoyxfy.ycx

MD5 4c9f7036cebc18473e3cf04af5fffafa
SHA1 0e7eb358dab620b358bf85565f66bb2017b4e239
SHA256 a050139e8dc193963a630158375442a5b0dca46c42c9db02079bfa5d90d3c922
SHA512 77980ece2ff8358f47ebc8dc0ceeb8128a04879ffa5034199248dabacc42c2640b4b1ad60b8dba2eb6f79215dad16e953017d96e230eed993be64caaa1eedad3

C:\Program Files (x86)\yxfyaycxdzggqqvrjoyxfy.ycx

MD5 a34b86fe5207c8c471f01bbe8d1f3461
SHA1 dfc226a2a24101df3e27b2079fd2541fa7ea7e8f
SHA256 b648f0525be8f3098628bac58a13db5a9b7fe433e52626500449a974d7fb134c
SHA512 17d5660d5523fe844675f9e17d29879a95d86e236eec55589962b9d1bbf291dd4c64dea1e8f2d364e3efbac5a90f34f862b74ac79545be361744194c315d8c94

C:\Program Files (x86)\yxfyaycxdzggqqvrjoyxfy.ycx

MD5 5db14073a212e1f89568013b181375fd
SHA1 6cab57163ad797dea8b4138dcf7fcb2b26cf6462
SHA256 a9d0803a8a7682d628d196a9e144c866d53f54274fa771b0d209b2075e5000bb
SHA512 876643c42d444cd01d9eec4fc082bdbb3f880219fda5398ffb8e460239d99e9bdbab1c4513478c2630af3dd427996497668b1eea82823a22339e8bf235126c3e

C:\Program Files (x86)\yxfyaycxdzggqqvrjoyxfy.ycx

MD5 0fa0d89d61fb6a48de9a42838839ecad
SHA1 9c71eff791c5b52915b92cb59d3317e8577d0ad8
SHA256 af471fcc02869ce5c062048732167268b9a82b92d1b3e79b3954e7abacaa7d20
SHA512 be6945073b248e315abc7f8277fad5f4d51676b0356f089e624f8031b9889f10a9db66521c820104fd568d96c0cb92a3378deb273de45d852c873e99b0148a63

C:\Program Files (x86)\yxfyaycxdzggqqvrjoyxfy.ycx

MD5 b5c22be196fdd402b466256461fbca3f
SHA1 77946c8802f5a8b3f0aaa209af88367e703827b6
SHA256 5fa3a5ebbd7dd1949ce11bed322cbf8332509589715dd5e2e7f879c083313e11
SHA512 fcee7e6c58cd13c932f62f56723c10e9bcd295ecbc857f9b346a8629b01b990c6aaa25ed3cec9ad3bb61e330e17cef15cd98214dd97f50f32923e160a84b6c39

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-21 12:23

Reported

2025-04-21 12:26

Platform

win10v2004-20250314-en

Max time kernel

77s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Pykspa

worm pykspa

Pykspa family

pykspa

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Detect Pykspa worm

worm
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "pavwlfdqqgczblxqdklw.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bizwhxrawiatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bizwhxrawiatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "cmggunkwvkfbclwoagg.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "cmggunkwvkfbclwoagg.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "cmggunkwvkfbclwoagg.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "pavwlfdqqgczblxqdklw.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqmoezymnebzcnauiqsea.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "cmggunkwvkfbclwoagg.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmggunkwvkfbclwoagg.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ratsfxtecqkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pavwlfdqqgczblxqdklw.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "eqmoezymnebzcnauiqsea.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pavwlfdqqgczblxqdklw.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "bizwhxrawiatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "pavwlfdqqgczblxqdklw.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "ratsfxtecqkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "pavwlfdqqgczblxqdklw.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqmoezymnebzcnauiqsea.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "iqigsjeolyrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pavwlfdqqgczblxqdklw.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqigsjeolyrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqmoezymnebzcnauiqsea.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqigsjeolyrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmggunkwvkfbclwoagg.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "eqmoezymnebzcnauiqsea.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "pavwlfdqqgczblxqdklw.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "iqigsjeolyrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "pavwlfdqqgczblxqdklw.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmggunkwvkfbclwoagg.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "ratsfxtecqkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pavwlfdqqgczblxqdklw.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "bizwhxrawiatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "ratsfxtecqkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "pavwlfdqqgczblxqdklw.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "iqigsjeolyrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmggunkwvkfbclwoagg.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ratsfxtecqkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bizwhxrawiatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ratsfxtecqkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ratsfxtecqkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmggunkwvkfbclwoagg.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqigsjeolyrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "eqmoezymnebzcnauiqsea.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "iqigsjeolyrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\swkemzqwpyndy = "ratsfxtecqkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bizwhxrawiatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bcnejthkag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ratsfxtecqkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\cmggunkwvkfbclwoagg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\iqigsjeolyrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\eqmoezymnebzcnauiqsea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\pavwlfdqqgczblxqdklw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\cmggunkwvkfbclwoagg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\eqmoezymnebzcnauiqsea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\ratsfxtecqkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\eqmoezymnebzcnauiqsea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\ratsfxtecqkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\ratsfxtecqkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\eqmoezymnebzcnauiqsea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\ratsfxtecqkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\ratsfxtecqkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\pavwlfdqqgczblxqdklw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\iqigsjeolyrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\bizwhxrawiatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\ratsfxtecqkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\eqmoezymnebzcnauiqsea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\pavwlfdqqgczblxqdklw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\iqigsjeolyrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\cmggunkwvkfbclwoagg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\iqigsjeolyrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\iqigsjeolyrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\eqmoezymnebzcnauiqsea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\cmggunkwvkfbclwoagg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\bizwhxrawiatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\bizwhxrawiatrxfu.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\iqigsjeolyrlkraqa.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\cmggunkwvkfbclwoagg.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\Control Panel\International\Geo\Nation C:\Windows\bizwhxrawiatrxfu.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\eqmoezymnebzcnauiqsea.exe N/A
N/A N/A C:\Windows\bizwhxrawiatrxfu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\ratsfxtecqkffnxoze.exe N/A
N/A N/A C:\Windows\ratsfxtecqkffnxoze.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
N/A N/A C:\Windows\bizwhxrawiatrxfu.exe N/A
N/A N/A C:\Windows\cmggunkwvkfbclwoagg.exe N/A
N/A N/A C:\Windows\ratsfxtecqkffnxoze.exe N/A
N/A N/A C:\Windows\ratsfxtecqkffnxoze.exe N/A
N/A N/A C:\Windows\ratsfxtecqkffnxoze.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\bizwhxrawiatrxfu.exe N/A
N/A N/A C:\Windows\cmggunkwvkfbclwoagg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe N/A
N/A N/A C:\Windows\pavwlfdqqgczblxqdklw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\bizwhxrawiatrxfu.exe N/A
N/A N/A C:\Windows\ratsfxtecqkffnxoze.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\pavwlfdqqgczblxqdklw.exe N/A
N/A N/A C:\Windows\eqmoezymnebzcnauiqsea.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\eqmoezymnebzcnauiqsea.exe N/A
N/A N/A C:\Windows\pavwlfdqqgczblxqdklw.exe N/A
N/A N/A C:\Windows\cmggunkwvkfbclwoagg.exe N/A
N/A N/A C:\Windows\cmggunkwvkfbclwoagg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\cmggunkwvkfbclwoagg.exe N/A
N/A N/A C:\Windows\ratsfxtecqkffnxoze.exe N/A
N/A N/A C:\Windows\cmggunkwvkfbclwoagg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
N/A N/A C:\Windows\iqigsjeolyrlkraqa.exe N/A
N/A N/A C:\Windows\iqigsjeolyrlkraqa.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wykcitimdkx = "ratsfxtecqkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iqigsjeolyrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqmoezymnebzcnauiqsea.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bizwhxrawiatrxfu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqigsjeolyrlkraqa.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wykcitimdkx = "bizwhxrawiatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tynirfxeyiyplp = "ratsfxtecqkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iqigsjeolyrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pavwlfdqqgczblxqdklw.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\twjcjvlqiqet = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqmoezymnebzcnauiqsea.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wykcitimdkx = "pavwlfdqqgczblxqdklw.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\twjcjvlqiqet = "bizwhxrawiatrxfu.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bizwhxrawiatrxfu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ratsfxtecqkffnxoze.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tynirfxeyiyplp = "eqmoezymnebzcnauiqsea.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wcsoyngojuldafm = "bizwhxrawiatrxfu.exe ." C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wcsoyngojuldafm = "ratsfxtecqkffnxoze.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bizwhxrawiatrxfu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pavwlfdqqgczblxqdklw.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iqigsjeolyrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ratsfxtecqkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\twjcjvlqiqet = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ratsfxtecqkffnxoze.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wykcitimdkx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmggunkwvkfbclwoagg.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tynirfxeyiyplp = "ratsfxtecqkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iqigsjeolyrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqigsjeolyrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wykcitimdkx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bizwhxrawiatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wykcitimdkx = "iqigsjeolyrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tynirfxeyiyplp = "ratsfxtecqkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wykcitimdkx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmggunkwvkfbclwoagg.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wykcitimdkx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqmoezymnebzcnauiqsea.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\twjcjvlqiqet = "cmggunkwvkfbclwoagg.exe ." C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wcsoyngojuldafm = "eqmoezymnebzcnauiqsea.exe ." C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\twjcjvlqiqet = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bizwhxrawiatrxfu.exe ." C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\twjcjvlqiqet = "ratsfxtecqkffnxoze.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wykcitimdkx = "eqmoezymnebzcnauiqsea.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bizwhxrawiatrxfu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bizwhxrawiatrxfu.exe ." C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tynirfxeyiyplp = "bizwhxrawiatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\twjcjvlqiqet = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmggunkwvkfbclwoagg.exe ." C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tynirfxeyiyplp = "ratsfxtecqkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\twjcjvlqiqet = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqmoezymnebzcnauiqsea.exe ." C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wykcitimdkx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pavwlfdqqgczblxqdklw.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bizwhxrawiatrxfu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqigsjeolyrlkraqa.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wykcitimdkx = "ratsfxtecqkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iqigsjeolyrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iqigsjeolyrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bizwhxrawiatrxfu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bizwhxrawiatrxfu.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wcsoyngojuldafm = "cmggunkwvkfbclwoagg.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iqigsjeolyrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ratsfxtecqkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wykcitimdkx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ratsfxtecqkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wykcitimdkx = "iqigsjeolyrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\twjcjvlqiqet = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqmoezymnebzcnauiqsea.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\twjcjvlqiqet = "iqigsjeolyrlkraqa.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wykcitimdkx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmggunkwvkfbclwoagg.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\twjcjvlqiqet = "eqmoezymnebzcnauiqsea.exe ." C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wcsoyngojuldafm = "eqmoezymnebzcnauiqsea.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tynirfxeyiyplp = "ratsfxtecqkffnxoze.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iqigsjeolyrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmggunkwvkfbclwoagg.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bizwhxrawiatrxfu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ratsfxtecqkffnxoze.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iqigsjeolyrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bizwhxrawiatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bizwhxrawiatrxfu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pavwlfdqqgczblxqdklw.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bizwhxrawiatrxfu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqmoezymnebzcnauiqsea.exe ." C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\twjcjvlqiqet = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bizwhxrawiatrxfu.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\iqigsjeolyrlkraqa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmggunkwvkfbclwoagg.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\twjcjvlqiqet = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cmggunkwvkfbclwoagg.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wykcitimdkx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pavwlfdqqgczblxqdklw.exe" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wcsoyngojuldafm = "bizwhxrawiatrxfu.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wcsoyngojuldafm = "eqmoezymnebzcnauiqsea.exe ." C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tynirfxeyiyplp = "iqigsjeolyrlkraqa.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3342763580-2723508992-2885672917-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wykcitimdkx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqmoezymnebzcnauiqsea.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wykcitimdkx = "bizwhxrawiatrxfu.exe" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\twjcjvlqiqet = "eqmoezymnebzcnauiqsea.exe ." C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyip.everdot.org N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\cmggunkwvkfbclwoagg.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\vifizvvkmecbfrfapybolo.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\iqigsjeolyrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\cmggunkwvkfbclwoagg.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\iqigsjeolyrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\eqmoezymnebzcnauiqsea.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\pavwlfdqqgczblxqdklw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\pavwlfdqqgczblxqdklw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\pavwlfdqqgczblxqdklw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\cmggunkwvkfbclwoagg.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\pavwlfdqqgczblxqdklw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\cmggunkwvkfbclwoagg.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\cmggunkwvkfbclwoagg.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
File opened for modification C:\Windows\SysWOW64\pavwlfdqqgczblxqdklw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\iqigsjeolyrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\eqmoezymnebzcnauiqsea.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\pavwlfdqqgczblxqdklw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\iqigsjeolyrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\pavwlfdqqgczblxqdklw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\vifizvvkmecbfrfapybolo.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\eqmoezymnebzcnauiqsea.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\vifizvvkmecbfrfapybolo.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\cmggunkwvkfbclwoagg.exe C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
File opened for modification C:\Windows\SysWOW64\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
File opened for modification C:\Windows\SysWOW64\pavwlfdqqgczblxqdklw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\cmggunkwvkfbclwoagg.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\eqmoezymnebzcnauiqsea.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\pavwlfdqqgczblxqdklw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\eqmoezymnebzcnauiqsea.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\vifizvvkmecbfrfapybolo.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\iqigsjeolyrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
File opened for modification C:\Windows\SysWOW64\cmggunkwvkfbclwoagg.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\iqigsjeolyrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\iqigsjeolyrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\iqigsjeolyrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\iqigsjeolyrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\eqmoezymnebzcnauiqsea.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\eqmoezymnebzcnauiqsea.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\eqmoezymnebzcnauiqsea.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\cmggunkwvkfbclwoagg.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\iqigsjeolyrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\vifizvvkmecbfrfapybolo.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\cmggunkwvkfbclwoagg.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\eqmoezymnebzcnauiqsea.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\SysWOW64\vifizvvkmecbfrfapybolo.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File created C:\Windows\SysWOW64\wcsoyngojuldafmaikgmcyixqytevnkpwksuq.mis C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
File opened for modification C:\Windows\SysWOW64\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\wcsoyngojuldafmaikgmcyixqytevnkpwksuq.mis C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
File created C:\Program Files (x86)\wcsoyngojuldafmaikgmcyixqytevnkpwksuq.mis C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
File opened for modification C:\Program Files (x86)\vqvgfjroyyelxrnqnepkpazdli.syf C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
File created C:\Program Files (x86)\vqvgfjroyyelxrnqnepkpazdli.syf C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\iqigsjeolyrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\cmggunkwvkfbclwoagg.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\vifizvvkmecbfrfapybolo.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\vifizvvkmecbfrfapybolo.exe C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
File opened for modification C:\Windows\eqmoezymnebzcnauiqsea.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\vifizvvkmecbfrfapybolo.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\iqigsjeolyrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\iqigsjeolyrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
File opened for modification C:\Windows\pavwlfdqqgczblxqdklw.exe C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
File opened for modification C:\Windows\pavwlfdqqgczblxqdklw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\cmggunkwvkfbclwoagg.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\vifizvvkmecbfrfapybolo.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\eqmoezymnebzcnauiqsea.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\iqigsjeolyrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
File opened for modification C:\Windows\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\vifizvvkmecbfrfapybolo.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\cmggunkwvkfbclwoagg.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\vifizvvkmecbfrfapybolo.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\iqigsjeolyrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\cmggunkwvkfbclwoagg.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\vifizvvkmecbfrfapybolo.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\eqmoezymnebzcnauiqsea.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\iqigsjeolyrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\eqmoezymnebzcnauiqsea.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\cmggunkwvkfbclwoagg.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\pavwlfdqqgczblxqdklw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\vifizvvkmecbfrfapybolo.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\eqmoezymnebzcnauiqsea.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\iqigsjeolyrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
File opened for modification C:\Windows\pavwlfdqqgczblxqdklw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\eqmoezymnebzcnauiqsea.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\eqmoezymnebzcnauiqsea.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\pavwlfdqqgczblxqdklw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\pavwlfdqqgczblxqdklw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\eqmoezymnebzcnauiqsea.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\cmggunkwvkfbclwoagg.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\cmggunkwvkfbclwoagg.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\cmggunkwvkfbclwoagg.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\pavwlfdqqgczblxqdklw.exe C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
File opened for modification C:\Windows\eqmoezymnebzcnauiqsea.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\vifizvvkmecbfrfapybolo.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\pavwlfdqqgczblxqdklw.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\vqvgfjroyyelxrnqnepkpazdli.syf C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
File opened for modification C:\Windows\iqigsjeolyrlkraqa.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
File opened for modification C:\Windows\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ratsfxtecqkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\bizwhxrawiatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\iqigsjeolyrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ratsfxtecqkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\pavwlfdqqgczblxqdklw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\pavwlfdqqgczblxqdklw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ratsfxtecqkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\eqmoezymnebzcnauiqsea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\eqmoezymnebzcnauiqsea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\eqmoezymnebzcnauiqsea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ratsfxtecqkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ratsfxtecqkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\cmggunkwvkfbclwoagg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\eqmoezymnebzcnauiqsea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ratsfxtecqkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\pavwlfdqqgczblxqdklw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\pavwlfdqqgczblxqdklw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\cmggunkwvkfbclwoagg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\cmggunkwvkfbclwoagg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ratsfxtecqkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\eqmoezymnebzcnauiqsea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\cmggunkwvkfbclwoagg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ratsfxtecqkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\eqmoezymnebzcnauiqsea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ratsfxtecqkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\cmggunkwvkfbclwoagg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ratsfxtecqkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ratsfxtecqkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\pavwlfdqqgczblxqdklw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\ratsfxtecqkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\eqmoezymnebzcnauiqsea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\bizwhxrawiatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\iqigsjeolyrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\iqigsjeolyrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\bizwhxrawiatrxfu.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1228 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 1228 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 1228 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 2688 wrote to memory of 3424 N/A C:\Windows\system32\cmd.exe C:\Windows\eqmoezymnebzcnauiqsea.exe
PID 2688 wrote to memory of 3424 N/A C:\Windows\system32\cmd.exe C:\Windows\eqmoezymnebzcnauiqsea.exe
PID 2688 wrote to memory of 3424 N/A C:\Windows\system32\cmd.exe C:\Windows\eqmoezymnebzcnauiqsea.exe
PID 4748 wrote to memory of 4560 N/A C:\Windows\system32\cmd.exe C:\Windows\bizwhxrawiatrxfu.exe
PID 4748 wrote to memory of 4560 N/A C:\Windows\system32\cmd.exe C:\Windows\bizwhxrawiatrxfu.exe
PID 4748 wrote to memory of 4560 N/A C:\Windows\system32\cmd.exe C:\Windows\bizwhxrawiatrxfu.exe
PID 4560 wrote to memory of 2724 N/A C:\Windows\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 4560 wrote to memory of 2724 N/A C:\Windows\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 4560 wrote to memory of 2724 N/A C:\Windows\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 4788 wrote to memory of 1448 N/A C:\Windows\system32\cmd.exe C:\Windows\ratsfxtecqkffnxoze.exe
PID 4788 wrote to memory of 1448 N/A C:\Windows\system32\cmd.exe C:\Windows\ratsfxtecqkffnxoze.exe
PID 4788 wrote to memory of 1448 N/A C:\Windows\system32\cmd.exe C:\Windows\ratsfxtecqkffnxoze.exe
PID 5944 wrote to memory of 4908 N/A C:\Windows\system32\cmd.exe C:\Windows\ratsfxtecqkffnxoze.exe
PID 5944 wrote to memory of 4908 N/A C:\Windows\system32\cmd.exe C:\Windows\ratsfxtecqkffnxoze.exe
PID 5944 wrote to memory of 4908 N/A C:\Windows\system32\cmd.exe C:\Windows\ratsfxtecqkffnxoze.exe
PID 4712 wrote to memory of 4344 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe
PID 4712 wrote to memory of 4344 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe
PID 4712 wrote to memory of 4344 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe
PID 4908 wrote to memory of 1316 N/A C:\Windows\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 4908 wrote to memory of 1316 N/A C:\Windows\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 4908 wrote to memory of 1316 N/A C:\Windows\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 5008 wrote to memory of 3532 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe
PID 5008 wrote to memory of 3532 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe
PID 5008 wrote to memory of 3532 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe
PID 3532 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 3532 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 3532 wrote to memory of 3080 N/A C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 4700 wrote to memory of 4244 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe
PID 4700 wrote to memory of 4244 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe
PID 4700 wrote to memory of 4244 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe
PID 2664 wrote to memory of 5788 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe
PID 2664 wrote to memory of 5788 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe
PID 2664 wrote to memory of 5788 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe
PID 5788 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 5788 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 5788 wrote to memory of 4168 N/A C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 640 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe C:\Users\Admin\AppData\Local\Temp\eagss.exe
PID 640 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe C:\Users\Admin\AppData\Local\Temp\eagss.exe
PID 640 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe C:\Users\Admin\AppData\Local\Temp\eagss.exe
PID 640 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe C:\Users\Admin\AppData\Local\Temp\eagss.exe
PID 640 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe C:\Users\Admin\AppData\Local\Temp\eagss.exe
PID 640 wrote to memory of 4000 N/A C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe C:\Users\Admin\AppData\Local\Temp\eagss.exe
PID 1588 wrote to memory of 816 N/A C:\Windows\system32\cmd.exe C:\Windows\bizwhxrawiatrxfu.exe
PID 1588 wrote to memory of 816 N/A C:\Windows\system32\cmd.exe C:\Windows\bizwhxrawiatrxfu.exe
PID 1588 wrote to memory of 816 N/A C:\Windows\system32\cmd.exe C:\Windows\bizwhxrawiatrxfu.exe
PID 5268 wrote to memory of 1108 N/A C:\Windows\system32\cmd.exe C:\Windows\cmggunkwvkfbclwoagg.exe
PID 5268 wrote to memory of 1108 N/A C:\Windows\system32\cmd.exe C:\Windows\cmggunkwvkfbclwoagg.exe
PID 5268 wrote to memory of 1108 N/A C:\Windows\system32\cmd.exe C:\Windows\cmggunkwvkfbclwoagg.exe
PID 2712 wrote to memory of 3748 N/A C:\Windows\system32\cmd.exe C:\Windows\ratsfxtecqkffnxoze.exe
PID 2712 wrote to memory of 3748 N/A C:\Windows\system32\cmd.exe C:\Windows\ratsfxtecqkffnxoze.exe
PID 2712 wrote to memory of 3748 N/A C:\Windows\system32\cmd.exe C:\Windows\ratsfxtecqkffnxoze.exe
PID 1132 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Windows\ratsfxtecqkffnxoze.exe
PID 1132 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Windows\ratsfxtecqkffnxoze.exe
PID 1132 wrote to memory of 1452 N/A C:\Windows\system32\cmd.exe C:\Windows\ratsfxtecqkffnxoze.exe
PID 5924 wrote to memory of 748 N/A C:\Windows\system32\cmd.exe C:\Windows\ratsfxtecqkffnxoze.exe
PID 5924 wrote to memory of 748 N/A C:\Windows\system32\cmd.exe C:\Windows\ratsfxtecqkffnxoze.exe
PID 5924 wrote to memory of 748 N/A C:\Windows\system32\cmd.exe C:\Windows\ratsfxtecqkffnxoze.exe
PID 3748 wrote to memory of 2928 N/A C:\Windows\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 3748 wrote to memory of 2928 N/A C:\Windows\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 3748 wrote to memory of 2928 N/A C:\Windows\ratsfxtecqkffnxoze.exe C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe
PID 1452 wrote to memory of 3812 N/A C:\Windows\ratsfxtecqkffnxoze.exe C:\Windows\system32\cmd.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\eagss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c940916a51510ded99612bd93114de0d.exe"

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_c940916a51510ded99612bd93114de0d.exe*"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\eagss.exe

"C:\Users\Admin\AppData\Local\Temp\eagss.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_c940916a51510ded99612bd93114de0d.exe"

C:\Users\Admin\AppData\Local\Temp\eagss.exe

"C:\Users\Admin\AppData\Local\Temp\eagss.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_c940916a51510ded99612bd93114de0d.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe .

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe .

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\cmggunkwvkfbclwoagg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe .

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe .

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\cmggunkwvkfbclwoagg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\cmggunkwvkfbclwoagg.exe*."

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\cmggunkwvkfbclwoagg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe .

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\cmggunkwvkfbclwoagg.exe*."

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\cmggunkwvkfbclwoagg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe .

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe .

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\cmggunkwvkfbclwoagg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\cmggunkwvkfbclwoagg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe .

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\cmggunkwvkfbclwoagg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\cmggunkwvkfbclwoagg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe .

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe .

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\cmggunkwvkfbclwoagg.exe*."

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe .

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe .

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\cmggunkwvkfbclwoagg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\cmggunkwvkfbclwoagg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe .

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\cmggunkwvkfbclwoagg.exe*."

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\cmggunkwvkfbclwoagg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe .

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe .

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe .

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe .

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\cmggunkwvkfbclwoagg.exe*."

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\cmggunkwvkfbclwoagg.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe .

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\cmggunkwvkfbclwoagg.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe .

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\ratsfxtecqkffnxoze.exe*."

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\ratsfxtecqkffnxoze.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c iqigsjeolyrlkraqa.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\eqmoezymnebzcnauiqsea.exe*."

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Windows\iqigsjeolyrlkraqa.exe

iqigsjeolyrlkraqa.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\iqigsjeolyrlkraqa.exe*."

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\cmggunkwvkfbclwoagg.exe*."

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe .

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Windows\pavwlfdqqgczblxqdklw.exe

pavwlfdqqgczblxqdklw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\eqmoezymnebzcnauiqsea.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\pavwlfdqqgczblxqdklw.exe*."

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe

C:\Users\Admin\AppData\Local\Temp\pavwlfdqqgczblxqdklw.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\pavwlfdqqgczblxqdklw.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gbcxjicxolnxjcpwojkf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Windows\gbcxjicxolnxjcpwojkf.exe

gbcxjicxolnxjcpwojkf.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tnnhsqjdtpqzkcoulff.exe .

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe .

C:\Windows\tnnhsqjdtpqzkcoulff.exe

tnnhsqjdtpqzkcoulff.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ibatdaslavvdnepukd.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\iqigsjeolyrlkraqa.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zrphqmdvjdcjsiswl.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\tnnhsqjdtpqzkcoulff.exe*."

C:\Windows\ibatdaslavvdnepukd.exe

ibatdaslavvdnepukd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vrtpccxtljmxkesatprna.exe

C:\Windows\zrphqmdvjdcjsiswl.exe

zrphqmdvjdcjsiswl.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gbcxjicxolnxjcpwojkf.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\vrtpccxtljmxkesatprna.exe

C:\Users\Admin\AppData\Local\Temp\vrtpccxtljmxkesatprna.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\zrphqmdvjdcjsiswl.exe*."

C:\Users\Admin\AppData\Local\Temp\gbcxjicxolnxjcpwojkf.exe

C:\Users\Admin\AppData\Local\Temp\gbcxjicxolnxjcpwojkf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ratsfxtecqkffnxoze.exe

C:\Windows\ratsfxtecqkffnxoze.exe

ratsfxtecqkffnxoze.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\gbcxjicxolnxjcpwojkf.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrphqmdvjdcjsiswl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c eqmoezymnebzcnauiqsea.exe .

C:\Users\Admin\AppData\Local\Temp\zrphqmdvjdcjsiswl.exe

C:\Users\Admin\AppData\Local\Temp\zrphqmdvjdcjsiswl.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zrphqmdvjdcjsiswl.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\eqmoezymnebzcnauiqsea.exe

eqmoezymnebzcnauiqsea.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\zrphqmdvjdcjsiswl.exe

C:\Users\Admin\AppData\Local\Temp\zrphqmdvjdcjsiswl.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\eqmoezymnebzcnauiqsea.exe*."

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bizwhxrawiatrxfu.exe .

C:\Windows\cmggunkwvkfbclwoagg.exe

cmggunkwvkfbclwoagg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Windows\bizwhxrawiatrxfu.exe

bizwhxrawiatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\zrphqmdvjdcjsiswl.exe*."

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\cmggunkwvkfbclwoagg.exe

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\windows\bizwhxrawiatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe

C:\Users\Admin\AppData\Local\Temp\bizwhxrawiatrxfu.exe .

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

"C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe" "c:\users\admin\appdata\local\temp\bizwhxrawiatrxfu.exe*."

C:\Users\Admin\AppData\Local\Temp\vbntq.exe

"C:\Users\Admin\AppData\Local\Temp\vbntq.exe" "-c:\windows\pavwlfdqqgczblxqdklw.exe"

C:\Users\Admin\AppData\Local\Temp\vbntq.exe

"C:\Users\Admin\AppData\Local\Temp\vbntq.exe" "-c:\windows\pavwlfdqqgczblxqdklw.exe"

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Users\Admin\AppData\Local\Temp\iqigsjeolyrlkraqa.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pavwlfdqqgczblxqdklw.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.com udp
US 172.66.43.169:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.blogger.com udp
DE 142.250.181.201:80 www.blogger.com tcp
MD 178.168.50.42:31596 tcp
US 8.8.8.8:53 gyuuym.org udp
DE 85.214.228.140:80 gyuuym.org tcp
US 8.8.8.8:53 qikceyaugmiw.com udp
US 8.8.8.8:53 sirovuj.info udp
US 8.8.8.8:53 uwckxps.info udp
US 8.8.8.8:53 uetspfggvki.info udp
US 8.8.8.8:53 unxfuild.info udp
SG 18.142.91.111:80 unxfuild.info tcp
US 8.8.8.8:53 mhhwfz.info udp
US 8.8.8.8:53 dcmglijgb.com udp
US 8.8.8.8:53 rincuwzgu.info udp
US 8.8.8.8:53 lgqgeoppr.net udp
US 8.8.8.8:53 mrdlsmbibhnd.info udp
US 8.8.8.8:53 zgjnxthpviz.info udp
US 8.8.8.8:53 ggoiukqgsikq.org udp
US 8.8.8.8:53 badhmt.net udp
US 8.8.8.8:53 pihsnkxel.net udp
US 8.8.8.8:53 ockngd.net udp
US 8.8.8.8:53 gazllyhanki.info udp
US 8.8.8.8:53 udzdjiddn.net udp
US 8.8.8.8:53 dvcavlbf.info udp
US 8.8.8.8:53 hbfuzmpxf.com udp
US 8.8.8.8:53 hoeezyywdoz.info udp
US 8.8.8.8:53 yokrmgqkpwi.info udp
US 8.8.8.8:53 guegeibjgs.info udp
US 8.8.8.8:53 ybbtrxy.info udp
MD 178.168.50.42:31596 tcp
US 8.8.8.8:53 ygoukmwg.org udp
US 8.8.8.8:53 qgftais.net udp
US 8.8.8.8:53 xwhkkybcnwi.org udp
US 8.8.8.8:53 jwalnrwfvb.net udp
US 8.8.8.8:53 caokygmqsycc.com udp
US 8.8.8.8:53 cydlrge.info udp
US 104.156.155.94:80 cydlrge.info tcp
US 8.8.8.8:53 rtfnutere.org udp
US 8.8.8.8:53 mszelkj.net udp
US 8.8.8.8:53 harckl.net udp
US 8.8.8.8:53 niqhqqr.net udp
US 8.8.8.8:53 zzdafaholy.net udp
US 8.8.8.8:53 mjotpzfbosdh.info udp
US 8.8.8.8:53 uuynba.info udp
US 8.8.8.8:53 guzbeusup.net udp
US 8.8.8.8:53 kuyucamqsueg.org udp
US 8.8.8.8:53 smjftulnp.info udp
US 8.8.8.8:53 xmtdbqdz.info udp
US 8.8.8.8:53 ykjaji.net udp
US 8.8.8.8:53 luvehemiri.info udp
US 8.8.8.8:53 ybgbrculkg.net udp
US 8.8.8.8:53 ngsoxwyc.info udp
US 8.8.8.8:53 lalckpw.org udp
US 8.8.8.8:53 cvsyampmbyej.net udp
US 8.8.8.8:53 uyzgupbw.net udp
US 8.8.8.8:53 iucege.org udp
US 8.8.8.8:53 vujucjnybvef.info udp
US 8.8.8.8:53 jcvqlzn.com udp
US 8.8.8.8:53 ysjizl.info udp
US 8.8.8.8:53 kiyzyqtytm.net udp
US 8.8.8.8:53 todyvdjzpyt.com udp
US 8.8.8.8:53 hmfurcniz.info udp
US 8.8.8.8:53 tjhyzifra.info udp
US 8.8.8.8:53 avbzvrkcvjvh.net udp
US 8.8.8.8:53 uaqawegmguog.org udp
US 8.8.8.8:53 rpurmovyvp.info udp
US 8.8.8.8:53 ddpobim.org udp
US 8.8.8.8:53 litqtolf.net udp
US 8.8.8.8:53 lwfypod.com udp
US 8.8.8.8:53 trvbni.net udp
US 8.8.8.8:53 mgbdtszlrc.net udp
US 8.8.8.8:53 soxkamiyx.info udp
US 8.8.8.8:53 qmmaac.org udp
US 8.8.8.8:53 ewhqxezcwwc.net udp
US 8.8.8.8:53 ummsvlki.info udp
US 8.8.8.8:53 oeciyqag.com udp
US 8.8.8.8:53 yoaoooewyeeo.com udp
US 8.8.8.8:53 yodmvuxapmd.info udp
US 8.8.8.8:53 qyooawes.com udp
US 8.8.8.8:53 susoqcys.org udp
US 8.8.8.8:53 mosouquuecgq.com udp
US 8.8.8.8:53 famwstruama.net udp
US 8.8.8.8:53 oidktbl.net udp
US 8.8.8.8:53 mdhpuesj.net udp
US 8.8.8.8:53 lofiemv.org udp
US 8.8.8.8:53 kjeuyo.net udp
US 8.8.8.8:53 zwodof.info udp
US 8.8.8.8:53 tuetjetob.org udp
US 8.8.8.8:53 oomqjnzehmv.info udp
US 8.8.8.8:53 dqjrswwie.com udp
US 8.8.8.8:53 ltlyzbhylr.net udp
US 8.8.8.8:53 mqqacewyyg.org udp
US 8.8.8.8:53 csicqeeckooo.org udp
US 8.8.8.8:53 kruodbjopqw.info udp
US 8.8.8.8:53 vsfohubmkgw.com udp
US 8.8.8.8:53 xtrvar.net udp
US 8.8.8.8:53 yyqyigakeikq.org udp
US 8.8.8.8:53 qejtdzpmtma.net udp
US 8.8.8.8:53 vrxmprngmlhk.net udp
US 8.8.8.8:53 irfrrki.net udp
US 8.8.8.8:53 vkmsvoxco.info udp
US 8.8.8.8:53 sarrrcncdxd.net udp
US 8.8.8.8:53 pdgjlv.info udp
US 8.8.8.8:53 mtcxagytnahn.info udp
US 8.8.8.8:53 knrgfdzojrjn.info udp
US 8.8.8.8:53 eznabol.net udp
US 8.8.8.8:53 gggwsimoqsuk.com udp
US 8.8.8.8:53 nuaohz.info udp
US 8.8.8.8:53 klqmnybibg.net udp
US 8.8.8.8:53 rhyiuyj.net udp
US 8.8.8.8:53 sfmyje.net udp
US 8.8.8.8:53 lyxmnybibg.info udp
US 8.8.8.8:53 pbxijvqazdzv.net udp
US 8.8.8.8:53 vgxmpibov.info udp
US 8.8.8.8:53 lhofkm.net udp
US 8.8.8.8:53 dkouvubcpovf.info udp
US 8.8.8.8:53 mjvtphaadm.net udp
US 8.8.8.8:53 fngenjhb.info udp
US 8.8.8.8:53 tyagpkb.com udp
US 8.8.8.8:53 nktzlhgub.org udp
US 8.8.8.8:53 kgucribs.info udp
US 8.8.8.8:53 mthhkjqosx.net udp
US 8.8.8.8:53 piltbovqlfd.info udp
US 8.8.8.8:53 cwkhmg.info udp
US 8.8.8.8:53 dylhcido.net udp
US 8.8.8.8:53 xcxrjkbei.net udp
US 8.8.8.8:53 fzbhbpln.info udp
US 8.8.8.8:53 zyfitez.info udp
US 8.8.8.8:53 gmywye.org udp
US 8.8.8.8:53 leqdurjb.net udp
US 8.8.8.8:53 ystiykjlzzu.info udp
US 8.8.8.8:53 eczfjddmvwqb.info udp
US 8.8.8.8:53 hzlwxktkmsl.info udp
US 8.8.8.8:53 jsfoltcib.org udp
US 8.8.8.8:53 xiawtn.net udp
US 8.8.8.8:53 olrxdjpz.info udp
US 8.8.8.8:53 pxlyeifrvo.net udp
US 8.8.8.8:53 dxikspgshgbk.info udp
US 8.8.8.8:53 ykcckoaamy.com udp
US 8.8.8.8:53 rlvmlxh.org udp
US 8.8.8.8:53 lgmwshpwdp.net udp
US 8.8.8.8:53 ximysiprs.org udp
US 8.8.8.8:53 dobyzbhfeg.info udp
US 8.8.8.8:53 gxtxjkwpjd.info udp
US 8.8.8.8:53 udlstbbbnv.net udp
US 8.8.8.8:53 rilpnelkd.net udp
US 8.8.8.8:53 zgrjrexb.net udp
US 8.8.8.8:53 hlkdgwbzxhtg.net udp
US 8.8.8.8:53 tixfzfn.com udp
US 8.8.8.8:53 eeueccewmeem.com udp
US 8.8.8.8:53 qcpxoxfnbu.net udp
US 8.8.8.8:53 vvssun.net udp
US 8.8.8.8:53 njlsktww.info udp
US 8.8.8.8:53 jlxeto.net udp
US 8.8.8.8:53 jifghacgp.com udp
US 8.8.8.8:53 gthoprfe.net udp
US 8.8.8.8:53 istsxkh.net udp
US 8.8.8.8:53 bpsdrobofbar.info udp
US 8.8.8.8:53 zxrddhxghe.info udp
US 8.8.8.8:53 ownirn.net udp
US 8.8.8.8:53 pkzevfw.info udp
US 8.8.8.8:53 wslkletgzqt.info udp
US 8.8.8.8:53 jlrxzfhn.info udp
US 8.8.8.8:53 vlpxze.info udp
US 8.8.8.8:53 rbnxhbxoannn.info udp
US 8.8.8.8:53 pdgjpshqss.net udp
US 8.8.8.8:53 sofndmpsjeu.info udp
US 8.8.8.8:53 wjberpyg.info udp
US 8.8.8.8:53 dpnlcf.net udp
US 8.8.8.8:53 bkvkbiogpsn.com udp
US 8.8.8.8:53 kryszotnxlo.net udp
US 8.8.8.8:53 ostbpgmikyz.net udp
US 8.8.8.8:53 skywyumxq.net udp
US 8.8.8.8:53 eqrxsjpuhyc.net udp
US 8.8.8.8:53 pbnouk.net udp
US 8.8.8.8:53 iarcmgz.net udp
US 8.8.8.8:53 egsmyysc.org udp
US 8.8.8.8:53 pxjxlvh.com udp
US 8.8.8.8:53 ygeeoeyksc.org udp
US 8.8.8.8:53 rzlqhnd.org udp
US 8.8.8.8:53 nshdioh.net udp
US 8.8.8.8:53 isegumiwim.org udp
US 8.8.8.8:53 zgrabzvho.net udp
US 8.8.8.8:53 kmpwhjmmspq.net udp
US 8.8.8.8:53 fchiuifsm.info udp
US 8.8.8.8:53 lnnxfbmihwjl.net udp
US 8.8.8.8:53 ekqqcc.org udp
US 8.8.8.8:53 rcxnbkpnxijp.info udp
US 8.8.8.8:53 gwcamwok.com udp
US 8.8.8.8:53 rjiwhwl.net udp
US 8.8.8.8:53 dwfkeogzvhjn.info udp
US 8.8.8.8:53 xkdxriodovod.info udp
US 8.8.8.8:53 usrgbaezriu.net udp
US 8.8.8.8:53 qjcehmirhr.info udp
US 8.8.8.8:53 dcjonzvgvt.net udp
US 8.8.8.8:53 szesgnzuljvr.net udp
US 8.8.8.8:53 neeuhhdpvp.net udp
US 8.8.8.8:53 odlgqao.info udp
US 8.8.8.8:53 vaovhdhfxoaf.info udp
US 8.8.8.8:53 dflqknsl.net udp
US 8.8.8.8:53 vrajnahvax.net udp
US 8.8.8.8:53 fysaxvagxdsc.net udp
US 8.8.8.8:53 bebgrsmz.net udp
US 8.8.8.8:53 qtgqqinahbp.info udp
US 8.8.8.8:53 shdwedn.info udp
US 8.8.8.8:53 oxaetw.net udp
US 8.8.8.8:53 kowyshf.info udp
US 8.8.8.8:53 xvlrzcvypay.info udp
US 8.8.8.8:53 tcvuvhjwh.info udp
US 8.8.8.8:53 tnzjdtdkzeqo.info udp
US 8.8.8.8:53 zqjhcnlcf.com udp
US 8.8.8.8:53 bxhctax.info udp
US 8.8.8.8:53 hdaflgsajr.net udp
US 8.8.8.8:53 xdxyoplejx.net udp
US 8.8.8.8:53 rdpmvsy.net udp
US 8.8.8.8:53 jmdktsgww.com udp
US 8.8.8.8:53 omfceefijsd.info udp
US 8.8.8.8:53 jubvpax.info udp
US 8.8.8.8:53 ltfacch.net udp
US 8.8.8.8:53 cwwqhmfmnbip.net udp
US 8.8.8.8:53 kccegmwo.org udp
US 8.8.8.8:53 cqawya.com udp
US 8.8.8.8:53 woaiemuygo.org udp
US 8.8.8.8:53 jhpcmvmwzxv.info udp
US 8.8.8.8:53 aknsgwkcl.net udp
US 8.8.8.8:53 iuhqhpxp.info udp
US 8.8.8.8:53 ecbwysbz.info udp
US 8.8.8.8:53 crnvfkbzhoh.net udp
US 8.8.8.8:53 bdfnhhhgpm.info udp
US 8.8.8.8:53 njmyupro.net udp
US 8.8.8.8:53 gwwoasrgid.info udp
US 8.8.8.8:53 somslssm.net udp
US 8.8.8.8:53 ekhwyit.net udp
US 8.8.8.8:53 ikoems.org udp
US 8.8.8.8:53 xrpwmsl.info udp
US 8.8.8.8:53 erbzhagrsz.net udp
US 8.8.8.8:53 yimkxzip.net udp
US 8.8.8.8:53 iusioomq.org udp
US 8.8.8.8:53 dadbxsi.org udp
US 8.8.8.8:53 uozvovvk.net udp
US 8.8.8.8:53 mhraahh.info udp
US 8.8.8.8:53 mfngsd.net udp
US 8.8.8.8:53 ptxuton.info udp
US 8.8.8.8:53 wcsbrpz.net udp
US 8.8.8.8:53 gorcqaxop.info udp
US 8.8.8.8:53 vzgdqdzpov.net udp
US 8.8.8.8:53 zstpczzynx.info udp
US 8.8.8.8:53 mmgkcwis.org udp
US 8.8.8.8:53 gpvotl.info udp
US 8.8.8.8:53 wcmely.net udp
US 8.8.8.8:53 uwcuws.org udp
US 8.8.8.8:53 alrwhknmbtp.info udp
US 8.8.8.8:53 zfhbmzzpoa.net udp
US 8.8.8.8:53 fqcslafjh.info udp
US 8.8.8.8:53 azlfou.info udp
US 8.8.8.8:53 ueckgg.org udp
US 8.8.8.8:53 lirezebem.net udp
US 8.8.8.8:53 hxrkitxfuw.info udp
US 8.8.8.8:53 orwysnotnhrl.net udp
US 8.8.8.8:53 umyicieyee.org udp
US 8.8.8.8:53 bkouzlskna.info udp
US 8.8.8.8:53 ioeeka.info udp
US 8.8.8.8:53 vcsuct.net udp
US 8.8.8.8:53 nptkczhpnkd.org udp
US 8.8.8.8:53 agmifggt.info udp
US 8.8.8.8:53 zalbqswic.net udp
US 8.8.8.8:53 rkzidmzt.net udp
US 8.8.8.8:53 jbvgnhkc.info udp
US 8.8.8.8:53 dfqccjcuab.info udp
US 8.8.8.8:53 fsyczawoha.info udp
US 8.8.8.8:53 ikiyoesqis.org udp
US 8.8.8.8:53 xnpnvhjaoyys.net udp
US 8.8.8.8:53 uqwegb.info udp
US 8.8.8.8:53 ptzgflgddctr.info udp
US 8.8.8.8:53 atkzfclhbift.info udp
US 8.8.8.8:53 vtxhmv.info udp
US 8.8.8.8:53 kwpnwxoftfik.info udp
US 8.8.8.8:53 edahasmtdszj.net udp
US 8.8.8.8:53 fmhrxirb.info udp
US 8.8.8.8:53 wueysyqiyg.org udp
US 8.8.8.8:53 rftewtey.info udp
US 8.8.8.8:53 vwvyrozbthu.info udp
US 8.8.8.8:53 xgxspghttiw.org udp
US 8.8.8.8:53 gnjydacld.net udp
US 8.8.8.8:53 fktmxuqefwi.com udp
US 8.8.8.8:53 katjop.net udp
US 8.8.8.8:53 tshmbk.info udp
US 8.8.8.8:53 mqwcwakcacok.com udp
US 8.8.8.8:53 ndkibmjy.info udp
US 8.8.8.8:53 kjskvzf.info udp
US 8.8.8.8:53 gksjlntrzvpo.info udp
US 8.8.8.8:53 znlnvoxoa.info udp
US 8.8.8.8:53 psmcdhgilix.info udp
US 8.8.8.8:53 lzbjkx.info udp
US 8.8.8.8:53 blriytvijot.com udp
US 8.8.8.8:53 wgjkcuj.info udp
US 8.8.8.8:53 egiehizwpo.net udp
US 8.8.8.8:53 etttukpvscma.net udp
US 8.8.8.8:53 kyilnx.net udp
US 8.8.8.8:53 xsxbrfdvrxq.org udp
US 8.8.8.8:53 qiinwvpxhc.net udp
US 8.8.8.8:53 ggrhawfinynh.net udp
US 8.8.8.8:53 tvruda.net udp
US 8.8.8.8:53 wmambwp.net udp
US 8.8.8.8:53 ummumi.com udp
US 8.8.8.8:53 noutubpgrub.com udp
US 8.8.8.8:53 gaqkygwq.org udp
US 8.8.8.8:53 soywsu.org udp
US 8.8.8.8:53 xyvquuemlcn.info udp
US 8.8.8.8:53 owewbsnw.info udp
US 8.8.8.8:53 odimydg.info udp
US 8.8.8.8:53 jrbulad.info udp
US 8.8.8.8:53 ggvadldcjsy.info udp
US 8.8.8.8:53 gmiiys.com udp
US 8.8.8.8:53 zuzwlwi.com udp
US 8.8.8.8:53 fzeiet.net udp
US 8.8.8.8:53 bpzorpfuhtf.org udp
US 8.8.8.8:53 pddwmyhyql.net udp
US 8.8.8.8:53 pccavkfojob.net udp
US 8.8.8.8:53 bkngmvgi.net udp
US 8.8.8.8:53 lnesdurm.info udp
US 8.8.8.8:53 bihlswxgza.net udp
US 8.8.8.8:53 djtkxyaabsu.net udp
US 8.8.8.8:53 bqdindvszcl.com udp
US 8.8.8.8:53 bnfuehck.net udp
US 8.8.8.8:53 dwezpm.net udp
US 8.8.8.8:53 tgnqtwz.info udp
US 8.8.8.8:53 dykwknvmdfdj.info udp
US 8.8.8.8:53 xjozkqup.info udp
US 8.8.8.8:53 jgaidkhhz.net udp
US 8.8.8.8:53 fyzref.info udp
US 8.8.8.8:53 vperro.net udp
US 8.8.8.8:53 wawaoiyk.com udp
US 8.8.8.8:53 sqhlvwicquw.net udp
US 8.8.8.8:53 lczoradauoz.net udp
US 8.8.8.8:53 mmdnfmo.net udp
US 8.8.8.8:53 kldelwdjeih.net udp
US 8.8.8.8:53 jcsrkfzz.net udp
US 8.8.8.8:53 hirulmrid.com udp
US 8.8.8.8:53 aoiyviv.net udp
US 8.8.8.8:53 lgbhamisdvki.info udp
US 8.8.8.8:53 wjwsrivt.info udp
US 8.8.8.8:53 wacigsae.com udp
US 8.8.8.8:53 eivisiz.net udp
US 8.8.8.8:53 dazulnj.org udp
US 8.8.8.8:53 lixcmjcfp.info udp
US 8.8.8.8:53 mjfylyp.info udp
US 8.8.8.8:53 jzthxr.net udp
US 8.8.8.8:53 budmtdjuhxr.net udp
US 8.8.8.8:53 etpikd.info udp
US 8.8.8.8:53 esbnoizzpwr.info udp
US 8.8.8.8:53 nlpsux.net udp
US 8.8.8.8:53 uyrslxxflyx.net udp
US 8.8.8.8:53 fjusznt.com udp
US 8.8.8.8:53 iuoccsyygs.org udp
US 8.8.8.8:53 lebubjt.com udp
US 8.8.8.8:53 cmjnvuxutot.info udp
US 8.8.8.8:53 nxckvsmxy.net udp
US 8.8.8.8:53 zuhmapbot.net udp
US 8.8.8.8:53 ftjhrgasq.com udp
US 8.8.8.8:53 aezefhl.info udp
US 8.8.8.8:53 hsxyzompncxz.net udp
US 8.8.8.8:53 ybozqxdeda.net udp
US 8.8.8.8:53 yfluaw.net udp
US 8.8.8.8:53 dqjxtgf.org udp
US 8.8.8.8:53 dhaxbalfsxdm.net udp
US 8.8.8.8:53 vjvlnnztmb.net udp
US 8.8.8.8:53 pxgbvh.net udp
US 8.8.8.8:53 yojkaljecqs.info udp
US 8.8.8.8:53 zarqgmnmf.com udp
US 8.8.8.8:53 oiymgkeueesm.org udp
US 8.8.8.8:53 vusexhzax.info udp
US 8.8.8.8:53 ejbuigrni.info udp
US 8.8.8.8:53 psgoroz.com udp
US 8.8.8.8:53 ecegeakc.org udp
US 8.8.8.8:53 cerobuy.info udp
US 8.8.8.8:53 kqnmysnuj.net udp
US 8.8.8.8:53 ampmlitscwx.info udp
US 8.8.8.8:53 rvkhtez.org udp
US 8.8.8.8:53 tjuffkpkht.net udp
US 8.8.8.8:53 geimasbotcq.net udp
US 8.8.8.8:53 jtrribhiao.info udp
US 8.8.8.8:53 jchqvtja.net udp
US 8.8.8.8:53 tanxkfqvacph.net udp
US 8.8.8.8:53 ootkjdzphd.net udp
US 8.8.8.8:53 vfnagubqjetj.net udp
US 8.8.8.8:53 qguxpucj.net udp
US 8.8.8.8:53 loayryfmoao.info udp
US 8.8.8.8:53 ryxsxamud.org udp
US 8.8.8.8:53 lzraggjubajv.net udp
US 8.8.8.8:53 sekwozqb.info udp
US 8.8.8.8:53 qoscbfwgekmh.net udp
US 8.8.8.8:53 awdqihic.info udp
US 8.8.8.8:53 mmyyumko.org udp
US 8.8.8.8:53 aararuzmj.info udp
US 8.8.8.8:53 udbmxmboiiv.info udp
US 8.8.8.8:53 hfgtdbkg.net udp
US 8.8.8.8:53 kglohyite.net udp
US 8.8.8.8:53 aeqsoorotqoy.net udp
US 8.8.8.8:53 eizthq.net udp
US 8.8.8.8:53 awgfwifmpcx.net udp
US 8.8.8.8:53 gtmlziuowd.info udp
US 8.8.8.8:53 zrizzt.net udp
US 8.8.8.8:53 nsjnpn.net udp
US 8.8.8.8:53 nkviukd.info udp
US 8.8.8.8:53 mbnxxncrks.info udp
US 8.8.8.8:53 eqxmja.info udp
US 8.8.8.8:53 ivewnr.info udp
US 8.8.8.8:53 gjvwzi.net udp
US 8.8.8.8:53 onmmpbuk.info udp
US 8.8.8.8:53 jrghlzet.net udp
US 8.8.8.8:53 luogeczir.info udp
US 8.8.8.8:53 qapqhz.info udp
US 8.8.8.8:53 mqsasi.com udp
US 8.8.8.8:53 kevkjeter.net udp
US 8.8.8.8:53 nqxijbihvn.info udp
US 8.8.8.8:53 dstkmmwwx.org udp
US 8.8.8.8:53 ertmvok.info udp
US 8.8.8.8:53 kujowdttudi.info udp
US 8.8.8.8:53 luzucodrx.net udp
US 8.8.8.8:53 wvdwmcairecg.net udp
US 8.8.8.8:53 yspynbdonzn.net udp
US 8.8.8.8:53 ssiaewim.org udp
US 8.8.8.8:53 yiabvs.net udp
US 8.8.8.8:53 lbwcsywcqqg.net udp
US 8.8.8.8:53 kcycncu.net udp
US 8.8.8.8:53 xrctizgjhu.net udp
US 8.8.8.8:53 rsrmwfogfggb.net udp
US 8.8.8.8:53 oeqiqyiiec.com udp
US 8.8.8.8:53 vshlhpmatyo.com udp
US 8.8.8.8:53 rfcqjgcwrllk.info udp
US 8.8.8.8:53 qoolnadvf.net udp
US 8.8.8.8:53 nmdgzgac.net udp
US 8.8.8.8:53 ooewwc.org udp
US 8.8.8.8:53 vllsxp.net udp
US 8.8.8.8:53 yadkxxu.net udp
US 8.8.8.8:53 lazsjnl.org udp
US 8.8.8.8:53 cqkwpf.net udp
US 8.8.8.8:53 qquxdoe.info udp
US 8.8.8.8:53 bfswvevrvsjr.info udp
US 8.8.8.8:53 jypigkw.net udp
US 8.8.8.8:53 vpihvnzdxz.net udp
US 8.8.8.8:53 nwugjaofact.org udp
US 8.8.8.8:53 ickaeucegccc.com udp
US 8.8.8.8:53 pyxvjyrqe.net udp
US 8.8.8.8:53 dmlutakit.info udp
US 8.8.8.8:53 jphhtgd.com udp
US 8.8.8.8:53 mrcujtvexnjl.info udp
US 8.8.8.8:53 jjncwbrsyehu.info udp
US 8.8.8.8:53 kccmvtdbash.net udp
US 8.8.8.8:53 yitluyqh.net udp
US 8.8.8.8:53 wwmewmuuyssy.org udp
US 8.8.8.8:53 eumxplbmsb.net udp
US 8.8.8.8:53 uelacxnjhyn.info udp
US 8.8.8.8:53 gddxwcum.info udp
US 8.8.8.8:53 axdaxqby.info udp
US 8.8.8.8:53 omierhazkhgw.net udp
US 8.8.8.8:53 eoogacag.com udp
US 8.8.8.8:53 dqhsbblmdlnr.info udp
US 8.8.8.8:53 ymmwsswsgocw.com udp
US 8.8.8.8:53 ebtkae.net udp
US 8.8.8.8:53 ereujumop.net udp
US 8.8.8.8:53 yqlnftoodyt.net udp
US 8.8.8.8:53 kwdrqyzrhd.net udp
US 8.8.8.8:53 rktshzjcvcyu.info udp
US 8.8.8.8:53 zqhwwsv.net udp
US 8.8.8.8:53 xrjmbmgmisvh.info udp
US 8.8.8.8:53 tzyuvkxjp.info udp
US 8.8.8.8:53 jqtenkdayoy.org udp
US 8.8.8.8:53 beinlqj.org udp
US 8.8.8.8:53 oqdeovkozgp.info udp
US 8.8.8.8:53 lvliwxsju.net udp
US 8.8.8.8:53 imenusmvrt.info udp
US 8.8.8.8:53 lwyqvxnxbez.org udp
US 8.8.8.8:53 wcgcuuiu.org udp
US 8.8.8.8:53 euueaygm.org udp
US 8.8.8.8:53 gezezv.info udp
US 8.8.8.8:53 agfxoc.info udp
US 8.8.8.8:53 cczuael.info udp
US 8.8.8.8:53 nhmyomxjv.info udp
US 8.8.8.8:53 gatzneaty.net udp
US 8.8.8.8:53 yhoezcfes.net udp
US 8.8.8.8:53 jhpxpkivklnr.info udp
US 8.8.8.8:53 kucrgyoz.info udp
US 8.8.8.8:53 gkzotntemow.net udp
US 8.8.8.8:53 tyzkrdhyl.info udp
US 8.8.8.8:53 miuonjhet.net udp
US 8.8.8.8:53 qrxczmlz.info udp
US 8.8.8.8:53 yzswdrceb.info udp
US 8.8.8.8:53 brjjhvba.net udp
US 8.8.8.8:53 gseuua.com udp
US 8.8.8.8:53 nubupzacj.info udp
US 8.8.8.8:53 vezxlorsjj.net udp
US 8.8.8.8:53 vyvijbihvn.info udp
US 8.8.8.8:53 wsuadqcep.info udp
US 8.8.8.8:53 ntrtdq.net udp
US 8.8.8.8:53 zutahmnphhf.org udp
US 8.8.8.8:53 cbnjjdpbhh.net udp
US 8.8.8.8:53 eaufjyoeu.net udp
US 8.8.8.8:53 hsrofavrq.net udp
US 8.8.8.8:53 ouzixcaqw.net udp
US 8.8.8.8:53 jeexyjwkek.info udp
US 8.8.8.8:53 llpwlrlwpx.net udp
US 8.8.8.8:53 iqhjrl.net udp
US 8.8.8.8:53 vxoixjjtujl.com udp
US 8.8.8.8:53 qsjkanegi.net udp
US 8.8.8.8:53 kitwmzlqiw.net udp
US 8.8.8.8:53 mhqnwjttv.info udp
US 8.8.8.8:53 ouxnksx.net udp
US 8.8.8.8:53 iairbmma.info udp
US 8.8.8.8:53 c.pki.goog udp
DE 172.217.16.67:80 c.pki.goog tcp
US 8.8.8.8:53 bctwfgikb.org udp
US 8.8.8.8:53 oqhnqvht.net udp
US 8.8.8.8:53 ohvbxmx.info udp
US 8.8.8.8:53 byntnatgout.com udp
US 8.8.8.8:53 pzdohkdetwb.org udp
US 8.8.8.8:53 pqlwrud.info udp
US 8.8.8.8:53 bbqkfxvm.net udp
US 8.8.8.8:53 fzqqksnzg.net udp
US 8.8.8.8:53 agqwme.com udp
US 8.8.8.8:53 purwztuodiv.net udp
US 8.8.8.8:53 xmlymtnez.org udp
US 8.8.8.8:53 seamwsuiwu.org udp
US 8.8.8.8:53 aguorernvoo.info udp
US 8.8.8.8:53 phvezdnax.net udp
US 8.8.8.8:53 odzbrjqoy.info udp
US 8.8.8.8:53 cevacterlipl.info udp
US 8.8.8.8:53 xmdhjhbyvwtp.info udp
US 8.8.8.8:53 dzxehcuaknps.info udp
US 8.8.8.8:53 dalsey.net udp
US 8.8.8.8:53 qizfiirq.info udp
US 8.8.8.8:53 aalijqi.info udp
US 8.8.8.8:53 ycggwkaukiqu.com udp
US 8.8.8.8:53 yodxdhh.net udp
US 8.8.8.8:53 ztpmhitsl.com udp
US 8.8.8.8:53 hzqyldtaayb.net udp
US 8.8.8.8:53 wiwgmewsey.org udp
US 8.8.8.8:53 tzhglzdcjok.com udp
US 8.8.8.8:53 isfktsvjdmyl.net udp
US 8.8.8.8:53 odqisf.info udp
US 8.8.8.8:53 tvveyixix.com udp
US 8.8.8.8:53 cxdhyphw.net udp
US 8.8.8.8:53 ncpmyszzt.info udp
US 8.8.8.8:53 eyysasoe.com udp
US 8.8.8.8:53 tgticatwwkz.com udp
US 8.8.8.8:53 ybxsqlwexbnh.info udp
US 8.8.8.8:53 pvksnm.net udp
US 8.8.8.8:53 hkbqkhfv.info udp
US 8.8.8.8:53 okluiwhyfmc.net udp
US 8.8.8.8:53 oqzkxuyslcp.info udp
US 8.8.8.8:53 kkiamiym.com udp
US 8.8.8.8:53 ledkogt.info udp
US 8.8.8.8:53 xaejgol.info udp
US 8.8.8.8:53 cmiucq.com udp
US 8.8.8.8:53 rvxetshwfbrx.net udp
US 8.8.8.8:53 rwlelylkm.net udp
US 8.8.8.8:53 iqlrojajxlae.net udp
US 8.8.8.8:53 jatdaajehomt.net udp
US 8.8.8.8:53 umfeagp.net udp
US 8.8.8.8:53 lopapyl.info udp
US 8.8.8.8:53 jmzwqqasg.net udp
US 8.8.8.8:53 jhccfthza.net udp
US 8.8.8.8:53 tgtkqedh.net udp
US 8.8.8.8:53 ryokpgu.info udp
US 8.8.8.8:53 mwgkuyee.org udp
US 8.8.8.8:53 xcwputtnrc.info udp
US 8.8.8.8:53 fwpydlnsm.org udp
US 8.8.8.8:53 dezovwtux.org udp
US 8.8.8.8:53 uiceesz.info udp
US 8.8.8.8:53 cucuyiwmsisw.com udp
US 8.8.8.8:53 amnyvalxii.net udp
US 8.8.8.8:53 smsetiwswwf.info udp
US 8.8.8.8:53 bzaydhbkyko.info udp
US 8.8.8.8:53 rrcnpslj.net udp
US 8.8.8.8:53 uoxjsmld.info udp
US 8.8.8.8:53 bvtwxoj.net udp
US 8.8.8.8:53 aozhnsbtryh.net udp
US 8.8.8.8:53 mwyciy.org udp
US 8.8.8.8:53 bfhilgj.info udp
US 8.8.8.8:53 epjqjptooi.info udp
US 8.8.8.8:53 lnudhr.net udp
US 8.8.8.8:53 ewiuauieao.com udp
US 8.8.8.8:53 dunbraffji.net udp
US 8.8.8.8:53 wbatnzd.info udp
US 8.8.8.8:53 hhqmxcesyyr.net udp
US 8.8.8.8:53 bjpwlrlwpx.net udp
US 8.8.8.8:53 naaavcg.net udp
US 8.8.8.8:53 btulpimrp.org udp
US 8.8.8.8:53 gigqyi.org udp
US 8.8.8.8:53 zudswklapt.info udp
US 8.8.8.8:53 fgccfyvkmqw.org udp
US 8.8.8.8:53 imwkkoik.com udp
US 8.8.8.8:53 sewuvwb.net udp
US 8.8.8.8:53 qsjdnguup.info udp
US 8.8.8.8:53 bqghwrfh.net udp
US 8.8.8.8:53 uxgmenvx.info udp
US 8.8.8.8:53 qxrdbojcvv.net udp
US 8.8.8.8:53 oalwpcngx.info udp
US 8.8.8.8:53 rdzgvtvocoux.info udp
US 8.8.8.8:53 uxhanoj.net udp
US 8.8.8.8:53 dhrgstbzr.org udp
US 8.8.8.8:53 bkefmanf.net udp
US 8.8.8.8:53 xcrfxbihvn.info udp
US 8.8.8.8:53 okuugqeny.net udp
US 8.8.8.8:53 xlffae.net udp
US 8.8.8.8:53 eebwzuj.info udp
US 8.8.8.8:53 gkcdnlgibipe.net udp
US 8.8.8.8:53 pvesxitaordl.info udp
US 8.8.8.8:53 swqzbc.net udp
US 8.8.8.8:53 dzrmxez.com udp
US 8.8.8.8:53 rajhjlpujtxr.net udp
US 8.8.8.8:53 uafkeyperez.net udp
US 8.8.8.8:53 eusgnwl.net udp
US 8.8.8.8:53 bogjswnepo.info udp
US 8.8.8.8:53 ykloqufmvsz.info udp
US 8.8.8.8:53 uohutkd.info udp
US 8.8.8.8:53 kxldwaoqfn.info udp
US 8.8.8.8:53 fvnttj.net udp
US 8.8.8.8:53 xycfixpl.net udp
US 8.8.8.8:53 bezmqd.info udp
US 8.8.8.8:53 xxbuvavqnao.net udp
US 8.8.8.8:53 pydhppfekvm.info udp
US 8.8.8.8:53 pmwgeoaorhp.org udp
US 8.8.8.8:53 zunlevyykjvk.net udp
US 8.8.8.8:53 xptqpyju.info udp
US 8.8.8.8:53 bjsehqbwnnd.org udp
US 8.8.8.8:53 tgzzsilpuoyu.info udp
US 8.8.8.8:53 yqqigkwo.org udp
US 8.8.8.8:53 ubzndba.net udp
US 8.8.8.8:53 gifafbjxpc.info udp
US 8.8.8.8:53 eisaagmg.com udp
US 8.8.8.8:53 wsemtqtmtya.info udp
US 8.8.8.8:53 lyzsxmgwjbj.org udp
US 8.8.8.8:53 rejwrwpoa.info udp
US 8.8.8.8:53 iivwjau.info udp
US 8.8.8.8:53 wedsguzygla.info udp
US 8.8.8.8:53 skghlo.net udp
US 8.8.8.8:53 owwawfra.net udp
US 8.8.8.8:53 hffqnn.net udp
US 8.8.8.8:53 jmuyzwjxj.net udp
US 8.8.8.8:53 uicgherub.net udp
US 8.8.8.8:53 cmcmqgqigcsq.com udp
US 8.8.8.8:53 qkyabb.info udp
US 8.8.8.8:53 cmyxpmrvqh.info udp
US 8.8.8.8:53 bcedrse.net udp
US 8.8.8.8:53 sgescokcmo.org udp
US 8.8.8.8:53 jegyfmtykkc.org udp
US 8.8.8.8:53 hlqsiishnzvn.info udp
US 8.8.8.8:53 beaqed.net udp
US 8.8.8.8:53 heggidkv.info udp
US 8.8.8.8:53 lzwgpqnxhy.net udp
US 8.8.8.8:53 ribcsxe.net udp
US 8.8.8.8:53 jvjcarzyixai.info udp
US 8.8.8.8:53 rukuvubbl.com udp
US 8.8.8.8:53 gggnogwmsxbc.info udp
US 8.8.8.8:53 zqtuiw.net udp
US 8.8.8.8:53 jehyhpbob.com udp
US 8.8.8.8:53 zfbgjtyjexjh.info udp
US 8.8.8.8:53 tlfipuxyziw.net udp
US 8.8.8.8:53 luaiurlae.info udp
US 8.8.8.8:53 qqxqfajvl.info udp
US 8.8.8.8:53 qwyguaiokegy.com udp
US 8.8.8.8:53 jcxkmst.net udp
US 8.8.8.8:53 nwccgwnz.info udp
US 8.8.8.8:53 qeyiqcog.org udp
US 8.8.8.8:53 hivqpthstvf.com udp
US 8.8.8.8:53 gmkmswgeh.net udp
US 8.8.8.8:53 vkbcrtzkio.net udp
US 8.8.8.8:53 hsfspwfirsr.org udp
US 8.8.8.8:53 uwgivrk.info udp
US 8.8.8.8:53 jekmpqjlk.net udp
US 8.8.8.8:53 fumvct.net udp
US 8.8.8.8:53 zizcxulmw.org udp
US 8.8.8.8:53 zciknizk.info udp
US 8.8.8.8:53 hodfpguq.net udp
US 8.8.8.8:53 safsvdgowhpq.info udp
US 8.8.8.8:53 xwzxfwhmtqp.net udp
US 8.8.8.8:53 xmvuzwtad.org udp
US 8.8.8.8:53 pamopxk.info udp
US 8.8.8.8:53 dnyidwf.info udp
US 8.8.8.8:53 ugiwweyaqw.com udp
US 8.8.8.8:53 khbvvflj.net udp
US 8.8.8.8:53 yadxtkefpqdf.net udp
US 8.8.8.8:53 qanamzn.info udp
US 8.8.8.8:53 jipgzkbyv.net udp
US 8.8.8.8:53 uruyfxbunh.info udp
US 8.8.8.8:53 hrxuuivu.info udp
US 8.8.8.8:53 davjsyt.info udp
US 8.8.8.8:53 qngitmingp.net udp
US 8.8.8.8:53 qesyhoikwgh.info udp
US 8.8.8.8:53 vchadohmp.com udp
US 8.8.8.8:53 dyoboi.info udp
US 8.8.8.8:53 ulwprsdpevsj.info udp
US 8.8.8.8:53 hgukyfgrd.com udp
US 8.8.8.8:53 swcksyke.com udp
US 8.8.8.8:53 fwhhlgbahu.info udp
US 8.8.8.8:53 idnumaf.info udp
US 8.8.8.8:53 qyjxvcif.net udp
US 8.8.8.8:53 qmsiug.com udp
US 8.8.8.8:53 ruzfpyd.info udp
US 8.8.8.8:53 fmvmlgjccbt.info udp
US 8.8.8.8:53 akioqmgkowqu.com udp
US 8.8.8.8:53 rkwlhccy.info udp
US 8.8.8.8:53 vfbsbuoob.info udp
US 8.8.8.8:53 kirxkmviw.info udp
US 8.8.8.8:53 ijzwwskldu.net udp
US 8.8.8.8:53 rtbxvocdtj.info udp
US 8.8.8.8:53 nthafgeqx.org udp
US 8.8.8.8:53 bdxrdepreqq.info udp
US 8.8.8.8:53 gswwhpzezol.info udp
US 8.8.8.8:53 kbjqlgjovkz.info udp
US 8.8.8.8:53 modgimmsfel.net udp
US 8.8.8.8:53 vibshiiel.net udp
US 8.8.8.8:53 gmiicw.com udp
US 8.8.8.8:53 jjqtpeerkb.net udp
US 8.8.8.8:53 uqmmekiack.com udp
US 8.8.8.8:53 vziominv.net udp
US 8.8.8.8:53 didypazwpqv.com udp
US 8.8.8.8:53 oyymui.com udp
US 8.8.8.8:53 okeamgag.org udp
US 8.8.8.8:53 oycwcpku.info udp
US 8.8.8.8:53 urkcltobhpwf.net udp
US 8.8.8.8:53 zginfctmr.net udp
US 8.8.8.8:53 dizovszwh.info udp
US 8.8.8.8:53 cinvwtzyom.net udp
US 8.8.8.8:53 mrvdhhh.info udp
US 8.8.8.8:53 zvqowljubmth.net udp
US 8.8.8.8:53 gryyhidmhyw.net udp
US 8.8.8.8:53 jgqcpgtufma.com udp
US 8.8.8.8:53 cecuaipn.net udp
US 8.8.8.8:53 eheflhppvg.net udp
US 8.8.8.8:53 cdbvtovae.net udp
US 8.8.8.8:53 kkcadcm.net udp
US 8.8.8.8:53 abywsoii.net udp
US 8.8.8.8:53 rrxfomqa.info udp
US 8.8.8.8:53 cykogcgqqcuu.com udp
US 8.8.8.8:53 zgtidbvalmof.net udp
US 8.8.8.8:53 oorcphn.net udp
US 8.8.8.8:53 ugjyfpgfl.net udp
US 8.8.8.8:53 jwhugm.net udp
US 8.8.8.8:53 myrwjqkrwpbk.info udp
US 8.8.8.8:53 wnrmuzzkrwji.info udp
US 8.8.8.8:53 ewjcunuihgt.net udp
US 8.8.8.8:53 tkzrur.net udp
US 8.8.8.8:53 vltddb.net udp
US 8.8.8.8:53 mqwyusisso.org udp
US 8.8.8.8:53 xrepwf.net udp
US 8.8.8.8:53 lzmdkfpn.net udp
US 8.8.8.8:53 czvfsqln.net udp
US 8.8.8.8:53 mpkbfsgyp.info udp
US 8.8.8.8:53 koxydhdobmn.info udp
US 8.8.8.8:53 yymooggyaieg.com udp
US 8.8.8.8:53 nlrwsafslgo.info udp
US 8.8.8.8:53 ckugqywm.org udp
US 8.8.8.8:53 feqkdbt.net udp
US 8.8.8.8:53 qmcccqtoj.net udp
US 8.8.8.8:53 qseoumkkca.org udp
US 8.8.8.8:53 viweboltp.org udp
US 8.8.8.8:53 qdnmhgdyrit.net udp
US 8.8.8.8:53 wwosug.org udp
US 8.8.8.8:53 thtrec.net udp
US 8.8.8.8:53 rmguptzwl.info udp
US 8.8.8.8:53 pwxevezaknf.net udp
US 8.8.8.8:53 adszbk.net udp
US 8.8.8.8:53 ntdznjba.info udp
US 8.8.8.8:53 vxlgyfq.org udp
US 8.8.8.8:53 qyqigk.com udp
US 8.8.8.8:53 qmowooycqq.org udp
US 8.8.8.8:53 fyaylmbcb.net udp
US 8.8.8.8:53 dncmpbfdqahv.net udp
US 8.8.8.8:53 ncpnrjdqqid.info udp
US 8.8.8.8:53 lmesdkbqx.org udp
US 8.8.8.8:53 ekqaao.com udp
US 8.8.8.8:53 ckfsfzvb.info udp
US 8.8.8.8:53 xpprgyv.info udp
US 8.8.8.8:53 pmrvduodowf.com udp
US 8.8.8.8:53 satiuqpyn.net udp
US 8.8.8.8:53 iswacuimwoem.com udp
US 8.8.8.8:53 cssazz.net udp
US 8.8.8.8:53 rkjyfrxybqd.net udp
US 8.8.8.8:53 xsejbqqsh.com udp
US 8.8.8.8:53 eeocswg.net udp
US 8.8.8.8:53 mrjifgq.info udp
US 8.8.8.8:53 dduwpgojsllf.info udp
US 8.8.8.8:53 hjfdpmp.org udp
US 8.8.8.8:53 bxlglkji.net udp
US 8.8.8.8:53 esagcs.org udp
US 54.161.116.39:80 esagcs.org tcp
US 8.8.8.8:53 rjbifug.net udp
US 8.8.8.8:53 nvzrtazf.net udp
US 8.8.8.8:53 yqdindvszcl.info udp
US 8.8.8.8:53 cyyeukesgqya.com udp
US 8.8.8.8:53 emmvumposwl.info udp
US 8.8.8.8:53 ldlrgk.info udp
US 8.8.8.8:53 imdpldaw.net udp
US 8.8.8.8:53 kndhzlaofft.info udp
US 8.8.8.8:53 gzlujum.net udp
US 8.8.8.8:53 owtumceqt.info udp
US 8.8.8.8:53 wkvbivvnu.net udp
US 8.8.8.8:53 sgdzhklkvfso.info udp
US 8.8.8.8:53 uwyooy.org udp
US 8.8.8.8:53 wbxghgbab.net udp
US 8.8.8.8:53 bqhidmhdxwk.info udp
US 8.8.8.8:53 myayqqkeiy.com udp
US 8.8.8.8:53 skqsiiae.org udp
US 8.8.8.8:53 dsrbckrxvofo.info udp
US 8.8.8.8:53 alyypvemovoc.net udp
US 8.8.8.8:53 zsachgjx.net udp
US 8.8.8.8:53 peasjqfgbu.info udp
US 8.8.8.8:53 ryjatlcd.net udp
US 8.8.8.8:53 hzbctrmwrod.info udp
US 8.8.8.8:53 keoeyu.com udp
US 8.8.8.8:53 rxzdpgdckdj.net udp
US 8.8.8.8:53 celavxwmxyf.net udp
US 8.8.8.8:53 qlstpgkhcjbu.net udp
US 8.8.8.8:53 mqiasm.org udp
US 8.8.8.8:53 uwszhmaoow.info udp
US 8.8.8.8:53 cjpwba.info udp
US 8.8.8.8:53 nbrdrfqc.info udp
US 8.8.8.8:53 jegurd.info udp
US 8.8.8.8:53 nzitfaav.info udp
US 8.8.8.8:53 egxrdgftoeze.net udp
US 8.8.8.8:53 qolpsmv.net udp
US 8.8.8.8:53 bwhhiptfrf.info udp
US 8.8.8.8:53 puridn.net udp
US 8.8.8.8:53 pnrqwpwa.net udp
US 8.8.8.8:53 lktcrbw.com udp
US 8.8.8.8:53 blbtypqagr.info udp
US 8.8.8.8:53 ayualyfpmtvc.net udp
US 8.8.8.8:53 wuyouagfzxho.info udp
US 8.8.8.8:53 karcxeeda.net udp
US 8.8.8.8:53 rwxizundrgz.org udp
US 8.8.8.8:53 hyjodgw.info udp
US 8.8.8.8:53 hrdsgohxw.info udp
US 8.8.8.8:53 kqyeky.org udp
US 8.8.8.8:53 gspcxzpfn.info udp
US 8.8.8.8:53 aksamm.com udp
US 8.8.8.8:53 quytrmdgtt.info udp
US 8.8.8.8:53 xmnugwo.org udp
US 8.8.8.8:53 fdfochsfea.net udp
US 8.8.8.8:53 dkdczgl.info udp
US 8.8.8.8:53 ygblqgsrn.info udp
US 8.8.8.8:53 eaictyqxc.info udp
US 8.8.8.8:53 vcznoccwfml.com udp
US 8.8.8.8:53 zadzaljgtz.net udp
US 8.8.8.8:53 imtkvkh.net udp
US 8.8.8.8:53 vgqxvqngngx.info udp
US 8.8.8.8:53 fjzchhimx.net udp
US 8.8.8.8:53 telbrvdoxztc.net udp
US 8.8.8.8:53 rchnidb.info udp
US 8.8.8.8:53 falhskzmthc.org udp
US 8.8.8.8:53 xipmiqs.com udp
US 8.8.8.8:53 lzrabyc.com udp
US 8.8.8.8:53 hakodixwz.com udp
US 8.8.8.8:53 qeasooggkkye.org udp
US 8.8.8.8:53 oxqkaujgkcr.info udp
US 8.8.8.8:53 acwmqiaeec.com udp
US 8.8.8.8:53 ufuxzugrlunj.net udp
US 8.8.8.8:53 gdiecndz.net udp
US 8.8.8.8:53 cnugzmrcnup.info udp
US 8.8.8.8:53 germpssgx.net udp
US 8.8.8.8:53 hiwihfo.com udp
US 8.8.8.8:53 tavkirvzfwl.com udp
US 8.8.8.8:53 fevpfshvp.org udp
US 8.8.8.8:53 bpppiqomphdu.info udp
US 8.8.8.8:53 kcryxrris.info udp
US 8.8.8.8:53 kzjaimvcg.net udp
US 8.8.8.8:53 fwbgrnpwliv.org udp
US 8.8.8.8:53 xlvnuxzyyvnh.net udp
US 8.8.8.8:53 zqjhrfqubiw.net udp
US 8.8.8.8:53 hzmjwu.info udp
US 8.8.8.8:53 gmdsxyg.net udp
US 8.8.8.8:53 hslofy.info udp
US 8.8.8.8:53 jetnzbjh.info udp
US 8.8.8.8:53 kawmwaggqmks.com udp
US 8.8.8.8:53 bavppixu.net udp
US 8.8.8.8:53 hpzrrtsiy.org udp
US 8.8.8.8:53 cmieoieocgkc.com udp
US 8.8.8.8:53 lnjdeazo.info udp
US 8.8.8.8:53 ylabgkph.net udp
US 8.8.8.8:53 afabzxjgrwen.net udp
US 8.8.8.8:53 fkgritslx.org udp
US 8.8.8.8:53 ntpohnlnfb.info udp
US 8.8.8.8:53 xxyzvqrs.info udp
US 8.8.8.8:53 vumblxozh.info udp
US 8.8.8.8:53 owouomuuwg.org udp
US 8.8.8.8:53 uljytqfeq.net udp
US 8.8.8.8:53 ptpwnlreeaxo.net udp
US 8.8.8.8:53 bgyycmchtyla.net udp
US 8.8.8.8:53 iwkose.com udp
US 8.8.8.8:53 tfapcmkztfik.info udp
US 8.8.8.8:53 wcicueay.com udp
US 8.8.8.8:53 jwqgsstftsj.org udp
US 8.8.8.8:53 fbqgqvimvbld.info udp
US 8.8.8.8:53 eeeiusoc.com udp
US 8.8.8.8:53 vojaxwa.info udp
US 8.8.8.8:53 xcokxewkn.net udp
US 8.8.8.8:53 mxyidtz.net udp
US 8.8.8.8:53 ypqiusdyvoj.info udp
US 8.8.8.8:53 dtstyn.net udp
US 8.8.8.8:53 fwkusllco.info udp
US 8.8.8.8:53 pmbljjlq.info udp
US 8.8.8.8:53 uuloamxggyl.net udp
US 8.8.8.8:53 zbqtpeerkb.net udp
US 8.8.8.8:53 lbysmyvsf.com udp
US 8.8.8.8:53 nvmowzmq.net udp
US 8.8.8.8:53 zuwrljtqss.net udp
US 8.8.8.8:53 dqsqfd.net udp
US 8.8.8.8:53 jqlmpmi.net udp
US 8.8.8.8:53 vgkgbaoqt.org udp
US 8.8.8.8:53 rhjhxelcun.net udp
US 8.8.8.8:53 ceujds.info udp
US 8.8.8.8:53 qqfssenh.info udp
US 8.8.8.8:53 yrbfnb.net udp
US 8.8.8.8:53 ugjexkomvyfa.info udp
US 8.8.8.8:53 tmrxnmjrkb.net udp
US 8.8.8.8:53 tccjcu.net udp
US 8.8.8.8:53 vtbeuc.net udp
US 8.8.8.8:53 pziuxmp.com udp
US 8.8.8.8:53 ixzpxofi.net udp
US 8.8.8.8:53 uomieuwsgywa.com udp
US 8.8.8.8:53 vvvatizwp.com udp
US 8.8.8.8:53 eaaymkuowm.com udp
US 8.8.8.8:53 ucukic.com udp
US 8.8.8.8:53 zglyzztxny.info udp
US 8.8.8.8:53 nwvcvub.net udp
US 8.8.8.8:53 dsejsv.info udp
US 8.8.8.8:53 ncvmmhncs.org udp
US 8.8.8.8:53 fzkrxmam.info udp
US 8.8.8.8:53 azwlydffquei.info udp
US 8.8.8.8:53 wmkuii.com udp
US 8.8.8.8:53 sitybyytb.net udp
US 8.8.8.8:53 cslekkzmvur.net udp
US 8.8.8.8:53 vasycwhnz.org udp
US 8.8.8.8:53 pylchmhko.net udp
US 8.8.8.8:53 fixijml.org udp
US 8.8.8.8:53 qkkmmi.com udp
US 8.8.8.8:53 ozpejehsgw.net udp
US 8.8.8.8:53 fkjipaz.net udp
US 8.8.8.8:53 pqnmbrnujh.info udp
US 8.8.8.8:53 cpwpuw.info udp
US 8.8.8.8:53 flxcxav.com udp
US 8.8.8.8:53 botaksobzyf.net udp
US 8.8.8.8:53 estuldhgvez.net udp
US 8.8.8.8:53 bvrlxiawb.net udp
US 8.8.8.8:53 mahfbnswjbff.info udp
US 8.8.8.8:53 uqsaeocqcgkw.org udp
US 8.8.8.8:53 asssgmqkiwag.com udp
US 8.8.8.8:53 vgspcei.org udp
US 8.8.8.8:53 ujnvvb.net udp
US 8.8.8.8:53 bujydax.net udp
US 8.8.8.8:53 ruauvwk.com udp
US 8.8.8.8:53 cijgywn.net udp
US 8.8.8.8:53 uauyemsuwe.org udp
US 8.8.8.8:53 sxsydftugfl.net udp
US 8.8.8.8:53 cimyrrdhhrb.info udp
US 8.8.8.8:53 moysaa.org udp
US 8.8.8.8:53 ofsgiipylcn.net udp
US 8.8.8.8:53 juxerrdxhcrb.net udp
US 8.8.8.8:53 sysicgqsai.com udp
US 8.8.8.8:53 msoiygcw.org udp
US 8.8.8.8:53 lmlrtwz.info udp
US 8.8.8.8:53 pfqcnlguwo.net udp
US 8.8.8.8:53 aasaotjlxp.net udp
US 8.8.8.8:53 sxnddev.info udp
US 8.8.8.8:53 kjspftjd.net udp
US 8.8.8.8:53 mawukimaukse.com udp
US 8.8.8.8:53 jntxuexoq.net udp
US 8.8.8.8:53 vvjnczlqzt.info udp
US 8.8.8.8:53 berpdayr.info udp
US 8.8.8.8:53 qcsfndwz.info udp
US 8.8.8.8:53 jojmneoeo.com udp
US 8.8.8.8:53 dwrvygfmm.org udp
US 8.8.8.8:53 ceuququmuiso.com udp
US 8.8.8.8:53 sogkcaei.com udp
US 8.8.8.8:53 awtrjqbmv.net udp
US 8.8.8.8:53 jyyassu.net udp
US 8.8.8.8:53 bspmbepxigb.org udp
US 8.8.8.8:53 jivowkwv.net udp
US 8.8.8.8:53 ncvwfsyyn.net udp
US 8.8.8.8:53 tcmyprl.org udp
US 8.8.8.8:53 bpttpbvgvqe.net udp
US 8.8.8.8:53 bgknufqxrr.net udp
US 8.8.8.8:53 ejpdqikairvo.info udp
US 8.8.8.8:53 oixdxmkad.net udp
US 8.8.8.8:53 chzpqrukkvwg.net udp
US 8.8.8.8:53 osevuuqylsyk.info udp
US 8.8.8.8:53 srhixefbk.info udp
US 8.8.8.8:53 ssgqsckw.com udp
US 8.8.8.8:53 rqxalwqext.net udp
US 8.8.8.8:53 yardwyz.net udp
US 8.8.8.8:53 qucicswcesus.com udp
US 8.8.8.8:53 cxritgbkwiqj.net udp
US 8.8.8.8:53 lcqfpoyzny.net udp
US 8.8.8.8:53 gndjlgrw.net udp
US 8.8.8.8:53 hkkgmjucyz.info udp
US 8.8.8.8:53 tsdwdmacfkj.org udp
US 8.8.8.8:53 vgrliplw.net udp
US 8.8.8.8:53 xflrdxdu.net udp
US 8.8.8.8:53 ukouoaac.com udp
US 8.8.8.8:53 lwbliwikju.net udp
US 8.8.8.8:53 sjrvzggh.net udp
US 8.8.8.8:53 llvcwyqgiy.info udp
US 8.8.8.8:53 yabgjuiyvpj.net udp
US 8.8.8.8:53 evvnincdai.info udp
US 8.8.8.8:53 bosffsfb.net udp
US 8.8.8.8:53 uoxvkfdoneh.net udp
US 8.8.8.8:53 dhzidetxtzu.org udp
US 8.8.8.8:53 cgkswwim.org udp
US 8.8.8.8:53 bulexlfsph.info udp
US 8.8.8.8:53 yqtafgfohsp.net udp
US 8.8.8.8:53 woeoaqumey.com udp
US 8.8.8.8:53 kogasquq.org udp
US 8.8.8.8:53 kyimsspmwr.info udp
US 8.8.8.8:53 lwxvnulqz.org udp
US 8.8.8.8:53 nrpqjt.info udp
US 8.8.8.8:53 simyxeei.info udp
US 8.8.8.8:53 aicmqi.org udp
US 8.8.8.8:53 cygqoab.net udp
US 8.8.8.8:53 dmxmmwaaw.org udp
US 8.8.8.8:53 lkngjoezjnq.com udp
US 8.8.8.8:53 lytvvalutr.info udp
US 8.8.8.8:53 kaiaieww.org udp
US 8.8.8.8:53 vuvkzyxbfqr.net udp
US 8.8.8.8:53 srbwimxsnx.net udp
US 8.8.8.8:53 jqfijibmecmu.info udp
US 8.8.8.8:53 zkhowqliqkb.net udp
US 8.8.8.8:53 biuehdf.net udp
US 8.8.8.8:53 exjqrcgo.info udp
US 8.8.8.8:53 wrbgtg.info udp
US 8.8.8.8:53 ymklhj.info udp
US 8.8.8.8:53 aijlry.net udp
US 8.8.8.8:53 gndzuw.info udp
US 8.8.8.8:53 detuny.net udp
US 8.8.8.8:53 xbfhtyff.info udp
US 8.8.8.8:53 iwrcerpsdsjy.info udp
US 8.8.8.8:53 qtelxuwoildp.info udp
US 8.8.8.8:53 iubyxwvwvno.net udp
US 8.8.8.8:53 rcqapfjrtozt.net udp
US 8.8.8.8:53 vsswekgnat.info udp
US 8.8.8.8:53 oldsyvr.info udp
US 8.8.8.8:53 corspkbyr.info udp
US 8.8.8.8:53 trxnpluv.net udp
DE 85.214.228.140:80 gyuuym.org tcp
US 8.8.8.8:53 nrdxoc.net udp
US 8.8.8.8:53 kjwejx.net udp
US 8.8.8.8:53 uycaoe.org udp
US 8.8.8.8:53 icgqseeoqwuq.org udp
SG 18.142.91.111:80 unxfuild.info tcp

Files

C:\Users\Admin\AppData\Local\Temp\rfyzcmqobpi.exe

MD5 8bd4091e56ecf7598b0e0b150f3a70df
SHA1 d6cee503765ae819eea451a68555d1c9e5c71143
SHA256 7e1216c3e258bca31f9c2b696e8dd4625e0e9de1a5890a45b22682bdf19f9f95
SHA512 1c9f00aea43924dcba226487b6533edf0e6e0bbbb88d290c2e601085a7646d333bb43dfe57af28658f539941792376306d4fa2823acbdd902f2d4dacf2d68f39

C:\Windows\SysWOW64\ratsfxtecqkffnxoze.exe

MD5 c940916a51510ded99612bd93114de0d
SHA1 af052d166386189ab6c14e8e49831b6459c42b5f
SHA256 23500abd545b632364da058b1e9fa90a6c5377fd39266246bee94b0be750775a
SHA512 7981e1a0e321645e396b80b9bddc102f901466f85f74bb252bf99088e083033a55a8eaad519b428cd161038a6d32e5a47c44dbc3ec2e2f8dc41cc21c2bd87ef1

C:\Users\Admin\AppData\Local\Temp\eagss.exe

MD5 f95c4c576d7f3d3c881ded9f712b453e
SHA1 5afc0e7f4853675af33293c058a1c2bff316326d
SHA256 46c667d846467a239e6a101a0e6ebe5e45ae426302ed943941693cf46b3fe269
SHA512 03c26b1c4586a8650945b606df9cd0d443c4a75a34e1579e99a5d18a800777685c2df47e0603e6cd241303a12ededac891d68af970b121769edd28451fd65466

C:\Users\Admin\AppData\Local\vqvgfjroyyelxrnqnepkpazdli.syf

MD5 19ab9b05c6208bce17119bc16c7992c8
SHA1 1ec18173b00abaa7dd27ff7b3644fc7cd5ac386b
SHA256 e04133cf34c0008154790cbd32ea32f6c76cc1ca708a53dce7c1bc2d9848627c
SHA512 0f221ebfacb020b505dc08b5cc0b581ce8e0282ee17b84cbbb033e0f45692280f21cfe77830ab12ad5c3e5e50425668343f4aee3fcec8386a02e4cf9456f788e

C:\Users\Admin\AppData\Local\wcsoyngojuldafmaikgmcyixqytevnkpwksuq.mis

MD5 5f7a7797a4f4dcf54c9a600af8b42c7a
SHA1 62bb2c5bfa15fd713568703db59b94df4ec9ee5d
SHA256 3618e36236c5a3e286d0a6ceed9dbd34f3e5c4e22057082ed273d3173811f536
SHA512 1135ece30c94be98e459ec109c45f215ed24e66eddfc663dedc00f6e1154704ab63bede6dd3318dc64ed1f6a51069fc989635c7a06d3712adc6df3a864bf8dae

C:\Program Files (x86)\vqvgfjroyyelxrnqnepkpazdli.syf

MD5 3607d6485f63900bfd637386ff98f4cf
SHA1 056ba64b2c5cae8aa6da6d36490c6fc0d57fcd98
SHA256 3e1295d9dc17f0d68fc8b05e9ca665ee69a7cb5e31f9f18ce1183044e28df7ae
SHA512 50bebdbf5622d4d54e0bfb9c60c959d37759510539db6c407c47d3951dd8b8bdbd2853e04e699fdfa3b9a0c46eb0331fffec69acf0866b7abc083738311d50ea

C:\Program Files (x86)\vqvgfjroyyelxrnqnepkpazdli.syf

MD5 eb3af33817085cb45de2ba3a685b18ab
SHA1 98249d1967ff5bc2722de34015a1ddd0b68ba38a
SHA256 3689fce0a915a79827fffe1ed623a836d778961367e76518b36938158790d34e
SHA512 89e12d3e64e7e33f9505710d8d1723d8c68612ba94b3c046a643b5bb780b4be349f9406dfe972487550f073f66093d4026dbac5a013e250a115d0db88f1f5206

C:\Program Files (x86)\vqvgfjroyyelxrnqnepkpazdli.syf

MD5 d0f0a8050e35f519fc9ced9b1bfebbeb
SHA1 987c117febbcec143934d21377e2280b234b4a9e
SHA256 a7ced65a86116a9b4c4fcf58f98d29960d9dec64b34c4c6990acc030b25df59e
SHA512 5f0a1f77532b5ee4fa8d7cffdb01dd8d84d30e6dee5a06738bb0d5eeff919f4240e0003f2cbeac06e021c3e08d74a492adfd2d902ed5afbcbff174fa12299c0c

C:\Program Files (x86)\vqvgfjroyyelxrnqnepkpazdli.syf

MD5 65869c87082cc9f4baf16d80635a69d3
SHA1 3ccf4edbe503790f72375ef24e6fa35499c61f15
SHA256 e792200a6aae3f1a8644a53018111a7b02de077d0cf2262ed8cbbd718069eb5a
SHA512 ff10db0248f8a01f4b963b498a40d736f06fc034d09f1d7064b8416f2f46b8d273e4c26de921e0248aa9dfc0f9b421bd66816f7fac9e98019109ebafc13a9528

C:\Program Files (x86)\vqvgfjroyyelxrnqnepkpazdli.syf

MD5 39834596afec1ec0d634bb330712eb35
SHA1 45eded30ead4ccebb42071bbf1e3eccc414a007e
SHA256 553f9bfdfb17866aa3d1818cb686e41912e85a2e7a41cfb9609fdfcc779edbc7
SHA512 30fbf56ee02b1a05bb30b3bf8a54c3da072317a5b7336c84af07b5a579c847d97311a283d225bdd4e8d1dd75670e52044fa97b4d9d5f71ab86e10912fdbe3adb

C:\Program Files (x86)\vqvgfjroyyelxrnqnepkpazdli.syf

MD5 b028d212afc1c0a9690c6a48af88b4b2
SHA1 be1ef5990e27fb01245574cac9c5a41092f06f20
SHA256 16d8f4ba768420392104f1043849bb8c97ea9ff0ef31b40958f5e42e856d2638
SHA512 2a460970cf823ca78e41d3bef3bf62f371612db16f2696ad4c4e79ce196b163c54cfb2595b655d8d4fb51048a864dd12ceee09792ea37ba086be99e837289177

C:\Program Files (x86)\vqvgfjroyyelxrnqnepkpazdli.syf

MD5 6df0f220f456da45d078c684c63e0146
SHA1 95f866ac61eb4e1615cc2369ae01a054116a2497
SHA256 741a06a19a3dd79a7cd6f28cc47987baa20a503f38cbb6bdd2b8ff772b6fa421
SHA512 27f82e9895ff755b7bb0aeecdc4a88815805ca2d564bbb1aa789dbe45ead9e04d4d13b7181f4c54afc1a79c402cd5369ed2236a0cf63dfeb23aac5cbed2bf568