Analysis Overview
SHA256
3dfd0e24cf3ccb5898676f46f706ada8a30636bc3383b2406c1cee28aaf319f3
Threat Level: Known bad
The file JaffaCakes118_bb9948c3da8fee376e600f5467021131 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Detect Pykspa worm
Pykspa family
Pykspa
Modifies WinLogon for persistence
Disables RegEdit via registry modification
Adds policy Run key to start application
Checks computer location settings
Executes dropped EXE
Impair Defenses: Safe Mode Boot
Hijack Execution Flow: Executable Installer File Permissions Weakness
Looks up external IP address via web service
Checks whether UAC is enabled
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
System policy modification
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-17 23:27
Signatures
Detect Pykspa worm
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Pykspa family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-17 23:27
Reported
2025-04-17 23:30
Platform
win10v2004-20250314-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
Pykspa
Pykspa family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
Detect Pykspa worm
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "apdwmyoarhkprerz.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "hxmgxkbogxbhkymvu.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxqojavmidlvcumzcnrle.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohzwqgaqlfmvbsjvxhkd.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apdwmyoarhkprerz.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhxskyqexpubfujttb.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "btkgzohwqjpxcsitudf.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "dxqojavmidlvcumzcnrle.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "ohzwqgaqlfmvbsjvxhkd.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "qhxskyqexpubfujttb.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "qhxskyqexpubfujttb.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "btkgzohwqjpxcsitudf.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxqojavmidlvcumzcnrle.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "ohzwqgaqlfmvbsjvxhkd.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "qhxskyqexpubfujttb.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohzwqgaqlfmvbsjvxhkd.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apdwmyoarhkprerz.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "apdwmyoarhkprerz.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "hxmgxkbogxbhkymvu.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxqojavmidlvcumzcnrle.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "qhxskyqexpubfujttb.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "apdwmyoarhkprerz.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "apdwmyoarhkprerz.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "qhxskyqexpubfujttb.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "hxmgxkbogxbhkymvu.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "qhxskyqexpubfujttb.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "btkgzohwqjpxcsitudf.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ajreouekvf = "btkgzohwqjpxcsitudf.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxqojavmidlvcumzcnrle.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "hxmgxkbogxbhkymvu.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhxskyqexpubfujttb.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "btkgzohwqjpxcsitudf.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ajreouekvf = "dxqojavmidlvcumzcnrle.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ajreouekvf = "dxqojavmidlvcumzcnrle.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "dxqojavmidlvcumzcnrle.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "apdwmyoarhkprerz.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "hxmgxkbogxbhkymvu.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ajreouekvf = "btkgzohwqjpxcsitudf.exe ." | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "btkgzohwqjpxcsitudf.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "ohzwqgaqlfmvbsjvxhkd.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "ohzwqgaqlfmvbsjvxhkd.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "qhxskyqexpubfujttb.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apdwmyoarhkprerz.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "hxmgxkbogxbhkymvu.exe ." | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otxgmo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhxskyqexpubfujttb.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "qhxskyqexpubfujttb.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohzwqgaqlfmvbsjvxhkd.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "btkgzohwqjpxcsitudf.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "hxmgxkbogxbhkymvu.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "qhxskyqexpubfujttb.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otxgmo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohzwqgaqlfmvbsjvxhkd.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otxgmo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ajreouekvf = "qhxskyqexpubfujttb.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxqojavmidlvcumzcnrle.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhxskyqexpubfujttb.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohzwqgaqlfmvbsjvxhkd.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apdwmyoarhkprerz.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "apdwmyoarhkprerz.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otxgmo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apdwmyoarhkprerz.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "dxqojavmidlvcumzcnrle.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhxskyqexpubfujttb.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "btkgzohwqjpxcsitudf.exe ." | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otxgmo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apdwmyoarhkprerz.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhxskyqexpubfujttb.exe ." | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "btkgzohwqjpxcsitudf.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apdwmyoarhkprerz.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "dxqojavmidlvcumzcnrle.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "ohzwqgaqlfmvbsjvxhkd.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "apdwmyoarhkprerz.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe ." | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otxgmo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxqojavmidlvcumzcnrle.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "dxqojavmidlvcumzcnrle.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxqojavmidlvcumzcnrle.exe ." | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
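The three autostart tables above (Winlogon\Shell, Policies\Explorer\Run, and Run/RunOnce) are long because the sample keeps rewriting the same few value names with different executable names during the 150 s run. The Python below is an added example written for this page, not part of the sandbox report or of the sample. It parses a representative subset of those rows, groups the writes by mechanism, hive and value name, and surfaces the traits a triage analyst wants stated rather than implied: targets in the user-writable %TEMP% directory; bare executable names with no directory, which are resolved through the process-creation search order at logon, so the file's real location has to come from the file-system events, not the registry; the trailing " ." argument on every RunOnce entry (its purpose is not determinable from the report); a value name rewritten with three or more different targets in one run; and the Winlogon\Shell write whose data is simply the default "Explorer.exe", where the only indicator is that a process in %TEMP% wrote it at all. The flag names and the rotation threshold are the example's own choices.

```python
import re
from collections import defaultdict

# Hive prefixes and process paths exactly as the behavioral1 tables print them.
HKLM = r"\REGISTRY\MACHINE\SOFTWARE"
HKU = r"\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe"
POLICY_RUN = HKLM + r"\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"

# Autostart writes copied from the report as (action, indicator, process); a representative subset.
EVENTS = [
    ("Set value (str)", HKLM + r'\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"', DROPPED),
    ("Set value (str)", POLICY_RUN + r'\qxdowaim = "apdwmyoarhkprerz.exe"', DROPPED),
    ("Set value (str)", POLICY_RUN + r'\qxdowaim = "hxmgxkbogxbhkymvu.exe"', DROPPED),
    ("Set value (str)", POLICY_RUN + r'\qxdowaim = "btkgzohwqjpxcsitudf.exe"', DROPPED),
    ("Set value (str)", POLICY_RUN + r'\qxdowaim = "dxqojavmidlvcumzcnrle.exe"', DROPPED),
    ("Set value (str)", POLICY_RUN + r'\qxdowaim = "ohzwqgaqlfmvbsjvxhkd.exe"', DROPPED),
    ("Set value (str)", POLICY_RUN + r'\qxdowaim = "qhxskyqexpubfujttb.exe"', SAMPLE),
    ("Set value (str)", POLICY_RUN + r'\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe"', DROPPED),
    ("Set value (str)", HKU + r'\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe ."', DROPPED),
    ("Set value (str)", HKLM + r'\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "apdwmyoarhkprerz.exe ."', DROPPED),
    ("Set value (str)", HKLM + r'\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "apdwmyoarhkprerz.exe"', DROPPED),
    ("Key created", POLICY_RUN, DROPPED),
]

SET_VALUE_RE = re.compile(r'^(?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+) = "(?P<data>[^"]*)"$')
TEMP_DIR = "\\AppData\\Local\\Temp\\"   # the user-writable drop directory seen throughout the report
ROTATION_THRESHOLD = 3                   # distinct targets per value name before we call it rotation (example's choice)

def parse_set_value(indicator):
    """Split a sandbox 'Set value' indicator into (key, value name, data); undo the doubled backslashes."""
    m = SET_VALUE_RE.match(indicator)
    if m is None:
        return None
    return m.group("key"), m.group("name"), m.group("data").replace("\\\\", "\\")

def classify_key(key):
    """Map a key path to the autostart mechanism it belongs to, or None if it is not one."""
    k = key.upper()
    if k.endswith("\\POLICIES\\EXPLORER\\RUN"):
        return "policy-run"      # policy Run list, processed at logon like the ordinary Run key
    if k.endswith("\\CURRENTVERSION\\RUNONCE"):
        return "runonce"
    if k.endswith("\\CURRENTVERSION\\RUN"):
        return "run"
    if k.endswith("\\CURRENTVERSION\\WINLOGON"):
        return "winlogon"
    return None

def analyse_autostarts(events):
    """Group autostart writes by (mechanism, hive, value name) and flag the suspicious traits."""
    grouped = defaultdict(list)
    for action, indicator, process in events:
        if not action.startswith("Set value"):
            continue                                  # key creations carry no target
        parsed = parse_set_value(indicator)
        if parsed is None:
            continue
        key, name, data = parsed
        kind = classify_key(key)
        if kind is None:
            continue
        scope = "HKLM" if key.upper().startswith("\\REGISTRY\\MACHINE") else "HKU"
        grouped[(kind, scope, name)].append((data, process.rsplit("\\", 1)[-1]))

    report = {}
    for ident, writes in grouped.items():
        kind, _, name = ident
        targets, flags = [], set()
        for data, _ in writes:
            exe, _, args = data.partition(" ")        # paths in this report contain no spaces
            if exe not in targets:
                targets.append(exe)
            default_shell = kind == "winlogon" and name.lower() == "shell" and exe.lower() == "explorer.exe"
            if default_shell:
                flags.add("default-shell-value")      # data is the OS default; the writer is the indicator
            elif "\\" not in exe:
                flags.add("no-directory")             # resolved via the search order at logon
            if TEMP_DIR in exe:
                flags.add("temp-path")
            if args:
                flags.add("trailing-arg")
        if len(targets) >= ROTATION_THRESHOLD:
            flags.add("rotates-target")
        report[ident] = {"targets": targets, "flags": sorted(flags), "writers": sorted({p for _, p in writes})}
    return report

if __name__ == "__main__":
    for (kind, scope, name), info in sorted(analyse_autostarts(EVENTS).items()):
        print(f"{kind:10s} {scope} {name:10s} targets={len(info['targets'])} flags={info['flags']} writers={info['writers']}")
```

Run against the full tables rather than this subset, the same grouping shows that every target name the sample rotates through also appears as a RunOnce or Run target, which is why the three tables repeat the same six executable names.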
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
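The UAC bypass, Disables RegEdit, Checks whether UAC is enabled and Hijack Execution Flow tables above all record the same kind of event: integer writes to policy values under Policies\System (the EnableInstallerDetection=0 write belongs with them; it switches off the heuristic that prompts for elevation when an executable looks like an installer). A triage analyst wants those rows assessed, not listed: which setting moved from which default, what the weakened state means, and which process did it. The Python below is an added example written for this page, not part of the sandbox report or of the sample. It parses a subset of the report's own Set value rows, matches them against a table of Windows 10 defaults and weakened values, and groups the findings by value name, hive and writing process. Two caveats it encodes: the HKLM keys involved can only be written by an administrative token, so the sample was already running elevated in this sandbox (the user is Admin) and the bypass signature denotes UAC being switched off from an elevated context rather than a prompt being defeated, with the HKU DisableRegistryTools write the one change that would not have needed elevation; and EnableLUA=0 only takes effect after a reboot, whereas the ConsentPromptBehaviorAdmin and PromptOnSecureDesktop changes apply to later elevations in the current session. The rule table, its wording and the EnableInstallerDetection default (which is 0 on Enterprise editions) are the example's own.

```python
import re

# Key and process paths exactly as the behavioral1 tables print them.
HKLM = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
HKU = r"\REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe"

# Registry events copied from the report as (action, indicator, process). A subset is
# enough to exercise every rule; the last two rows show what the assessment ignores.
EVENTS = [
    ("Set value (int)", HKLM + r'\ConsentPromptBehaviorAdmin = "0"', SAMPLE),
    ("Set value (int)", HKLM + r'\ConsentPromptBehaviorUser = "0"', SAMPLE),
    ("Set value (int)", HKLM + r'\EnableLUA = "0"', DROPPED),
    ("Set value (int)", HKLM + r'\PromptOnSecureDesktop = "0"', SAMPLE),
    ("Set value (int)", HKLM + r'\EnableLUA = "0"', SAMPLE),
    ("Set value (int)", HKU + r'\DisableRegistryTools = "1"', SAMPLE),
    ("Set value (int)", HKLM + r'\DisableRegistryTools = "1"', DROPPED),
    ("Set value (int)", HKLM + r'\EnableInstallerDetection = "0"', DROPPED),
    ("Key value queried", HKLM + r"\EnableLUA", DROPPED),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe"', DROPPED),
]

# value name -> (Windows 10 default, weakened data, what the weakened state means).
# EnableInstallerDetection defaults to 0 on Enterprise editions and 1 elsewhere.
POLICY_RULES = {
    "EnableLUA":                  ("1", "0", "UAC switched off entirely (takes effect after reboot)"),
    "ConsentPromptBehaviorAdmin": ("5", "0", "administrators elevate with no prompt at all"),
    "ConsentPromptBehaviorUser":  ("3", "0", "standard users' elevation requests are silently denied"),
    "PromptOnSecureDesktop":      ("1", "0", "elevation prompts no longer use the secure desktop"),
    "EnableInstallerDetection":   ("1", "0", "installer-detection elevation heuristic disabled"),
    "DisableRegistryTools":       ("0", "1", "regedit.exe blocked by policy"),
}

SET_VALUE_RE = re.compile(r'^(?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+) = "(?P<data>[^"]*)"$')

def parse_set_value(indicator):
    """Split a sandbox 'Set value' indicator into (key path, value name, data)."""
    m = SET_VALUE_RE.match(indicator)
    if m is None:
        return None
    return m.group("key"), m.group("name"), m.group("data")

def assess_policy_tampering(events):
    """Return {(value name, hive): finding} for every write that weakens a Policies\\System value."""
    findings = {}
    for action, indicator, process in events:
        if not action.startswith("Set value"):
            continue                       # reads and key creations are not tampering
        parsed = parse_set_value(indicator)
        if parsed is None:
            continue
        key, name, data = parsed
        if not key.upper().endswith("\\POLICIES\\SYSTEM"):
            continue                       # Policies\Explorer\Run is persistence, not a UAC knob
        rule = POLICY_RULES.get(name)
        if rule is None or data != rule[1]:
            continue                       # unknown value, or not set to the weakened state
        scope = "HKLM" if key.upper().startswith("\\REGISTRY\\MACHINE") else "HKU"
        entry = findings.setdefault((name, scope), {"default": rule[0], "set_to": data, "effect": rule[2], "writers": set()})
        entry["writers"].add(process.rsplit("\\", 1)[-1])
    return findings

def uac_fully_disabled(findings):
    """True when EnableLUA=0 was written at machine scope: after reboot every other UAC knob is moot."""
    return ("EnableLUA", "HKLM") in findings

if __name__ == "__main__":
    results = assess_policy_tampering(EVENTS)
    for (name, scope), info in sorted(results.items()):
        writers = ", ".join(sorted(info["writers"]))
        print(f"{scope} Policies\\System\\{name}: {info['default']} -> {info['set_to']}  [{info['effect']}]  by {writers}")
    print("UAC fully disabled:", uac_fully_disabled(results))
```

Because the assessment keys on value name and hive rather than on individual rows, the duplicated rows in the tables (the same write repeated by the two bhmwdgn.exe instances) collapse into one finding per setting with the set of processes that made it.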
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\ijjoqoqortiznmlfphsttyay.ybd | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| File created | C:\Windows\SysWOW64\ijjoqoqortiznmlfphsttyay.ybd | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rdoeranwkxxzyisxsvrdoeranwkxxzyisxs.rdo | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| File created | C:\Windows\SysWOW64\rdoeranwkxxzyisxsvrdoeranwkxxzyisxs.rdo | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\ijjoqoqortiznmlfphsttyay.ybd | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| File created | C:\Program Files (x86)\ijjoqoqortiznmlfphsttyay.ybd | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| File opened for modification | C:\Program Files (x86)\rdoeranwkxxzyisxsvrdoeranwkxxzyisxs.rdo | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| File created | C:\Program Files (x86)\rdoeranwkxxzyisxsvrdoeranwkxxzyisxs.rdo | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\rdoeranwkxxzyisxsvrdoeranwkxxzyisxs.rdo | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| File created | C:\Windows\rdoeranwkxxzyisxsvrdoeranwkxxzyisxs.rdo | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| File opened for modification | C:\Windows\ijjoqoqortiznmlfphsttyay.ybd | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| File created | C:\Windows\ijjoqoqortiznmlfphsttyay.ybd | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe .
C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe
"C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe" "-"
C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe
"C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe" "-"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohzwqgaqlfmvbsjvxhkd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohzwqgaqlfmvbsjvxhkd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohzwqgaqlfmvbsjvxhkd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohzwqgaqlfmvbsjvxhkd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohzwqgaqlfmvbsjvxhkd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohzwqgaqlfmvbsjvxhkd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ohzwqgaqlfmvbsjvxhkd.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe .
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 172.66.40.87:80 | www.whatismyip.com | tcp |
| US | 172.66.40.87:80 | www.whatismyip.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.yahoo.com | udp |
| GB | 87.248.114.12:80 | www.yahoo.com | tcp |
| US | 8.8.8.8:53 | gthoprfe.net | udp |
| US | 8.8.8.8:53 | xkjktiz.org | udp |
| US | 8.8.8.8:53 | wwewcyawyk.org | udp |
| US | 8.8.8.8:53 | vovdtgxlz.net | udp |
| US | 8.8.8.8:53 | ihxnzpnthfgj.info | udp |
| US | 8.8.8.8:53 | vlpxze.info | udp |
| US | 8.8.8.8:53 | hgecvvwfermo.info | udp |
| US | 8.8.8.8:53 | jejzcvvv.info | udp |
| US | 8.8.8.8:53 | nkxpgrpmg.info | udp |
| US | 8.8.8.8:53 | skywyumxq.net | udp |
| US | 8.8.8.8:53 | iwgimiccqu.org | udp |
| US | 8.8.8.8:53 | rzyhkcwxjn.net | udp |
| US | 8.8.8.8:53 | bclizwt.org | udp |
| US | 8.8.8.8:53 | isuvukfozkz.net | udp |
| US | 8.8.8.8:53 | ysyqce.org | udp |
| US | 8.8.8.8:53 | egsmyysc.org | udp |
| US | 8.8.8.8:53 | hldeegomyu.net | udp |
| US | 8.8.8.8:53 | yavcdinavym.info | udp |
| US | 8.8.8.8:53 | rrubdtnvsh.net | udp |
| US | 8.8.8.8:53 | nshdioh.net | udp |
| US | 8.8.8.8:53 | tsjvludtnud.org | udp |
| US | 8.8.8.8:53 | cuocaugksaim.com | udp |
| US | 8.8.8.8:53 | larkvwpfyn.info | udp |
| US | 8.8.8.8:53 | atbttilf.info | udp |
| US | 8.8.8.8:53 | awgqpeeet.info | udp |
| US | 8.8.8.8:53 | ekqqcc.org | udp |
| US | 8.8.8.8:53 | zmbrlfbhed.info | udp |
| US | 8.8.8.8:53 | lztkipgzwahn.net | udp |
| US | 8.8.8.8:53 | bcvqzow.info | udp |
| US | 8.8.8.8:53 | sbariqicsy.net | udp |
| US | 8.8.8.8:53 | dwfkeogzvhjn.info | udp |
| US | 8.8.8.8:53 | occusc.org | udp |
| US | 8.8.8.8:53 | ldfcfn.info | udp |
| US | 8.8.8.8:53 | grzsjmtwsje.info | udp |
| US | 8.8.8.8:53 | dgpklpe.info | udp |
| US | 8.8.8.8:53 | vxabxzot.net | udp |
| US | 8.8.8.8:53 | dflqknsl.net | udp |
| US | 8.8.8.8:53 | lrtyjgvn.info | udp |
| US | 8.8.8.8:53 | dacmhos.net | udp |
| US | 8.8.8.8:53 | wfdrxcrhdvcq.info | udp |
| US | 8.8.8.8:53 | phvjbmol.info | udp |
| US | 8.8.8.8:53 | ysoskueigg.com | udp |
| US | 8.8.8.8:53 | fxvptilnhai.com | udp |
| US | 8.8.8.8:53 | jxrlso.net | udp |
| US | 8.8.8.8:53 | xtakdnlh.info | udp |
| US | 8.8.8.8:53 | qtgqqinahbp.info | udp |
| US | 8.8.8.8:53 | gywaugismoym.org | udp |
| US | 8.8.8.8:53 | tcvuvhjwh.info | udp |
| US | 8.8.8.8:53 | lmmfbyez.info | udp |
| US | 8.8.8.8:53 | yymswswumgaw.com | udp |
| US | 8.8.8.8:53 | eocbcrwlsj.info | udp |
| US | 8.8.8.8:53 | jubvpax.info | udp |
| US | 8.8.8.8:53 | psieeafcv.org | udp |
| US | 8.8.8.8:53 | mgbhxax.net | udp |
| US | 8.8.8.8:53 | gbacyuj.info | udp |
| US | 8.8.8.8:53 | aknsgwkcl.net | udp |
| US | 8.8.8.8:53 | dqlfzeledtff.info | udp |
| US | 8.8.8.8:53 | gynwtjxjulul.net | udp |
| US | 8.8.8.8:53 | sufkciycn.net | udp |
| US | 8.8.8.8:53 | imqsoacscoeo.com | udp |
| US | 8.8.8.8:53 | ecbwysbz.info | udp |
| US | 8.8.8.8:53 | dwfbmq.net | udp |
| US | 8.8.8.8:53 | zpdluy.net | udp |
| US | 8.8.8.8:53 | njmyupro.net | udp |
| US | 8.8.8.8:53 | vgzjdqliv.info | udp |
| US | 8.8.8.8:53 | squwkyamqeui.org | udp |
| US | 8.8.8.8:53 | temqoeb.net | udp |
| US | 8.8.8.8:53 | lgpmymr.net | udp |
| US | 8.8.8.8:53 | tnmnjw.info | udp |
| US | 8.8.8.8:53 | xrpwmsl.info | udp |
| US | 8.8.8.8:53 | fensder.net | udp |
| US | 8.8.8.8:53 | zhowjanoqoz.com | udp |
| US | 8.8.8.8:53 | lgqopfat.net | udp |
| US | 8.8.8.8:53 | otdalubgt.net | udp |
| US | 8.8.8.8:53 | ljlrpw.info | udp |
| US | 8.8.8.8:53 | iusioomq.org | udp |
| US | 8.8.8.8:53 | fwwydpssbyu.org | udp |
| US | 8.8.8.8:53 | enwcpqzhu.info | udp |
| US | 8.8.8.8:53 | wcsbrpz.net | udp |
| US | 8.8.8.8:53 | xfnidtblc.org | udp |
| US | 8.8.8.8:53 | amgeecys.com | udp |
| US | 8.8.8.8:53 | poxpkwder.info | udp |
| US | 8.8.8.8:53 | cdxbtaunjmj.info | udp |
| US | 8.8.8.8:53 | amemymzwl.net | udp |
| US | 8.8.8.8:53 | ptyedgj.org | udp |
| US | 8.8.8.8:53 | uwcuws.org | udp |
| US | 8.8.8.8:53 | nitvjbrzdehs.info | udp |
| US | 8.8.8.8:53 | zabpxb.info | udp |
| US | 8.8.8.8:53 | zqkcqwjl.net | udp |
| US | 8.8.8.8:53 | lihirhhjmer.org | udp |
| US | 8.8.8.8:53 | gnjijkxsdcy.net | udp |
| US | 8.8.8.8:53 | azlfou.info | udp |
| US | 8.8.8.8:53 | ugmcea.org | udp |
| US | 8.8.8.8:53 | gmywqiwasgmq.com | udp |
| US | 8.8.8.8:53 | bezikcpkhu.net | udp |
| US | 8.8.8.8:53 | gwfasfhbwqhj.net | udp |
| US | 8.8.8.8:53 | umyicieyee.org | udp |
| US | 8.8.8.8:53 | dadgkzy.org | udp |
| US | 8.8.8.8:53 | xrygvswkvyu.com | udp |
| US | 8.8.8.8:53 | cjgfnm.info | udp |
| US | 8.8.8.8:53 | sufizglaz.info | udp |
| US | 8.8.8.8:53 | vcsuct.net | udp |
| US | 8.8.8.8:53 | pmlwrs.net | udp |
| US | 8.8.8.8:53 | xgbikqhwt.org | udp |
| US | 8.8.8.8:53 | lqiexynw.net | udp |
| US | 8.8.8.8:53 | fsyczawoha.info | udp |
| US | 8.8.8.8:53 | czvkpji.info | udp |
| US | 8.8.8.8:53 | oyzgpbtrdgl.info | udp |
| US | 8.8.8.8:53 | ypvjmslx.net | udp |
| US | 8.8.8.8:53 | turylkg.info | udp |
| US | 8.8.8.8:53 | kgrjqedy.info | udp |
| US | 8.8.8.8:53 | atkzfclhbift.info | udp |
| US | 8.8.8.8:53 | wueysyqiyg.org | udp |
| US | 8.8.8.8:53 | duflbswlg.net | udp |
| US | 8.8.8.8:53 | lslafuhozg.net | udp |
| US | 8.8.8.8:53 | eabetgh.net | udp |
| US | 8.8.8.8:53 | qumsmsgqaiig.org | udp |
| US | 8.8.8.8:53 | jjrefkv.net | udp |
| US | 8.8.8.8:53 | bipqynbezc.info | udp |
| US | 8.8.8.8:53 | ddrgmyxc.net | udp |
| US | 8.8.8.8:53 | pdpibobucap.org | udp |
| US | 8.8.8.8:53 | jfvytim.org | udp |
| US | 8.8.8.8:53 | turagimcrylt.net | udp |
| US | 8.8.8.8:53 | ulpwlokwgen.info | udp |
| US | 8.8.8.8:53 | qcsekmwqag.org | udp |
| US | 8.8.8.8:53 | kjskvzf.info | udp |
| US | 8.8.8.8:53 | uwtxnmryqbv.info | udp |
| US | 8.8.8.8:53 | xzrebpiabz.net | udp |
| US | 8.8.8.8:53 | hoggayp.com | udp |
| US | 8.8.8.8:53 | qsnnsthkfkkv.net | udp |
| US | 8.8.8.8:53 | lzbjkx.info | udp |
| US | 8.8.8.8:53 | sumccgag.org | udp |
| US | 8.8.8.8:53 | imserobiq.info | udp |
| US | 8.8.8.8:53 | kgwqbib.net | udp |
| US | 8.8.8.8:53 | blriytvijot.com | udp |
| US | 8.8.8.8:53 | yzxwucaklwf.info | udp |
| US | 8.8.8.8:53 | zkypzcxshxya.info | udp |
| US | 8.8.8.8:53 | kyilnx.net | udp |
| US | 8.8.8.8:53 | iurmpxp.info | udp |
| US | 8.8.8.8:53 | vwsqskcuszjg.info | udp |
| US | 8.8.8.8:53 | wgjjvkb.info | udp |
| US | 8.8.8.8:53 | jagdxc.net | udp |
| US | 8.8.8.8:53 | zzhsxt.net | udp |
| US | 8.8.8.8:53 | bzgpcnhxhhqu.info | udp |
| US | 8.8.8.8:53 | gaqkygwq.org | udp |
| US | 8.8.8.8:53 | hfiyhcjx.info | udp |
| US | 8.8.8.8:53 | vmlzlqbkxmu.org | udp |
| US | 8.8.8.8:53 | jtgojervsh.net | udp |
| US | 8.8.8.8:53 | jrbulad.info | udp |
| US | 8.8.8.8:53 | aegltilsxsy.info | udp |
| US | 8.8.8.8:53 | bpzorpfuhtf.org | udp |
| US | 8.8.8.8:53 | jlnjjjgcwp.net | udp |
| US | 8.8.8.8:53 | oaekwkce.org | udp |
| US | 8.8.8.8:53 | bkngmvgi.net | udp |
| US | 8.8.8.8:53 | ugdmdijydow.net | udp |
| US | 8.8.8.8:53 | raxdyes.info | udp |
| US | 8.8.8.8:53 | lrroziupiqcg.net | udp |
| US | 8.8.8.8:53 | bqdindvszcl.com | udp |
| US | 8.8.8.8:53 | wgyciqsguq.com | udp |
| US | 8.8.8.8:53 | vmseiytz.net | udp |
| US | 8.8.8.8:53 | hizaxqrkuil.info | udp |
| US | 8.8.8.8:53 | goeogwogcc.org | udp |
| US | 8.8.8.8:53 | wawaoiyk.com | udp |
| US | 8.8.8.8:53 | xwtrnmfm.net | udp |
| US | 8.8.8.8:53 | huxakwxoag.info | udp |
| US | 8.8.8.8:53 | qjyxew.info | udp |
| US | 8.8.8.8:53 | lczoradauoz.net | udp |
| US | 8.8.8.8:53 | esnqcwxotkv.net | udp |
| US | 8.8.8.8:53 | aexeguwrvib.info | udp |
| US | 8.8.8.8:53 | sxfzwitpc.info | udp |
| US | 8.8.8.8:53 | vqyhfwl.info | udp |
| US | 8.8.8.8:53 | ymoutlibyvxz.info | udp |
| US | 8.8.8.8:53 | eeiqkiafvb.net | udp |
| US | 8.8.8.8:53 | dazulnj.org | udp |
| US | 8.8.8.8:53 | hekzmob.com | udp |
| US | 8.8.8.8:53 | cyfeidhliue.info | udp |
| US | 8.8.8.8:53 | cbemxtyii.net | udp |
| US | 8.8.8.8:53 | jmxfroh.info | udp |
| US | 8.8.8.8:53 | nlhsykvqr.org | udp |
| US | 8.8.8.8:53 | qsskcuymn.info | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 173.194.69.94:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | vqryfrsen.org | udp |
| US | 8.8.8.8:53 | jzthxr.net | udp |
| US | 8.8.8.8:53 | rmcktfhvpz.net | udp |
| US | 8.8.8.8:53 | febhzrdf.info | udp |
| US | 8.8.8.8:53 | okckysyu.com | udp |
| US | 8.8.8.8:53 | tjtwqp.net | udp |
| US | 8.8.8.8:53 | fjusznt.com | udp |
| US | 8.8.8.8:53 | bcgzivhun.net | udp |
| US | 8.8.8.8:53 | haisfg.net | udp |
| US | 8.8.8.8:53 | yvzeibhd.net | udp |
| US | 8.8.8.8:53 | zuhmapbot.net | udp |
| US | 8.8.8.8:53 | kkbsiwhqo.net | udp |
| US | 8.8.8.8:53 | notgaqftf.net | udp |
| US | 8.8.8.8:53 | kljgbpxajuk.net | udp |
| US | 8.8.8.8:53 | tcpbkuj.net | udp |
| US | 8.8.8.8:53 | vjvlnnztmb.net | udp |
| US | 8.8.8.8:53 | hsnapovuk.org | udp |
| US | 8.8.8.8:53 | bucenixpd.com | udp |
| US | 8.8.8.8:53 | tthogxelzchq.info | udp |
| US | 8.8.8.8:53 | yojkaljecqs.info | udp |
| US | 8.8.8.8:53 | jyjxrii.info | udp |
| US | 8.8.8.8:53 | iofsluo.info | udp |
| US | 8.8.8.8:53 | pvatwndq.net | udp |
| US | 8.8.8.8:53 | bfnqjykchtrx.info | udp |
| US | 8.8.8.8:53 | wfkjduvflclh.net | udp |
| US | 8.8.8.8:53 | ecegeakc.org | udp |
| US | 8.8.8.8:53 | uaqgvrpllsy.net | udp |
| US | 8.8.8.8:53 | qiybwkfewqx.info | udp |
| US | 8.8.8.8:53 | ebzzgkbhwljt.info | udp |
| US | 8.8.8.8:53 | mocavkdkfir.net | udp |
| US | 8.8.8.8:53 | ootkjdzphd.net | udp |
| US | 8.8.8.8:53 | uceqviy.info | udp |
| US | 8.8.8.8:53 | nilspr.info | udp |
| US | 8.8.8.8:53 | rrfezjl.org | udp |
| US | 8.8.8.8:53 | aararuzmj.info | udp |
| US | 8.8.8.8:53 | uogegscemuce.org | udp |
| US | 8.8.8.8:53 | zrizzt.net | udp |
| US | 8.8.8.8:53 | qysuqi.org | udp |
| US | 8.8.8.8:53 | uapgincf.info | udp |
| US | 8.8.8.8:53 | nsjnpn.net | udp |
| US | 8.8.8.8:53 | msjfqihxp.info | udp |
| US | 8.8.8.8:53 | ivewnr.info | udp |
| US | 8.8.8.8:53 | heossofye.info | udp |
| US | 8.8.8.8:53 | ajfmze.info | udp |
| US | 8.8.8.8:53 | nqxijbihvn.info | udp |
| US | 8.8.8.8:53 | otbpxdpeowh.net | udp |
| US | 8.8.8.8:53 | xolqjzp.net | udp |
| US | 8.8.8.8:53 | vuyeot.net | udp |
| US | 8.8.8.8:53 | oecbllbu.info | udp |
| US | 8.8.8.8:53 | wwiyqgwy.org | udp |
| US | 8.8.8.8:53 | yspynbdonzn.net | udp |
| US | 8.8.8.8:53 | jhdrucksai.net | udp |
| US | 8.8.8.8:53 | xrctizgjhu.net | udp |
| US | 8.8.8.8:53 | mxuziwhk.info | udp |
| US | 8.8.8.8:53 | dgvrtcuksq.net | udp |
| US | 8.8.8.8:53 | oqnmqmvvdwv.info | udp |
| US | 8.8.8.8:53 | eopphyp.net | udp |
| US | 8.8.8.8:53 | vazesaaub.org | udp |
| US | 8.8.8.8:53 | rfcqjgcwrllk.info | udp |
| US | 8.8.8.8:53 | eyganoltc.info | udp |
| US | 8.8.8.8:53 | gwakqoeoyw.org | udp |
| US | 8.8.8.8:53 | tkqwhttkz.org | udp |
| US | 8.8.8.8:53 | bamlapb.info | udp |
| US | 8.8.8.8:53 | sjithh.info | udp |
| US | 8.8.8.8:53 | acxtnicz.net | udp |
| US | 8.8.8.8:53 | gvgwafd.net | udp |
| US | 8.8.8.8:53 | ooewwc.org | udp |
| US | 8.8.8.8:53 | qlndczxhgjj.net | udp |
| US | 8.8.8.8:53 | jypigkw.net | udp |
| US | 8.8.8.8:53 | adpitmkkkqv.info | udp |
| US | 8.8.8.8:53 | gyfaphvt.info | udp |
| US | 8.8.8.8:53 | vwdseqljtth.net | udp |
| US | 8.8.8.8:53 | jphhtgd.com | udp |
| US | 8.8.8.8:53 | xvvsefgupi.info | udp |
| US | 8.8.8.8:53 | aesmuuwo.com | udp |
| US | 8.8.8.8:53 | wwqcueww.com | udp |
| US | 8.8.8.8:53 | omierhazkhgw.net | udp |
| US | 8.8.8.8:53 | ouzalyf.info | udp |
| US | 8.8.8.8:53 | mjeqabfwle.info | udp |
| US | 8.8.8.8:53 | twqufhmefz.info | udp |
| US | 8.8.8.8:53 | dalatbt.net | udp |
| US | 8.8.8.8:53 | bzrtps.info | udp |
| US | 8.8.8.8:53 | kwdrqyzrhd.net | udp |
| US | 8.8.8.8:53 | hfimkro.net | udp |
| US | 8.8.8.8:53 | bdpexv.info | udp |
| US | 8.8.8.8:53 | kxbknpwwosul.info | udp |
| US | 8.8.8.8:53 | xrjmbmgmisvh.info | udp |
| US | 8.8.8.8:53 | lutwrifej.org | udp |
| US | 8.8.8.8:53 | fvngbrhwupjr.net | udp |
| US | 8.8.8.8:53 | jqtenkdayoy.org | udp |
| US | 8.8.8.8:53 | qceuiioe.com | udp |
| US | 8.8.8.8:53 | lvliwxsju.net | udp |
| US | 8.8.8.8:53 | vqhxhcv.info | udp |
| US | 8.8.8.8:53 | wcgcuuiu.org | udp |
| US | 8.8.8.8:53 | jgrmrg.net | udp |
| US | 8.8.8.8:53 | kovkhylolko.info | udp |
| US | 8.8.8.8:53 | homaxclwzbsq.info | udp |
| US | 8.8.8.8:53 | nhmyomxjv.info | udp |
| US | 8.8.8.8:53 | xxdnrfrsr.info | udp |
| US | 8.8.8.8:53 | vinctzesncnj.info | udp |
| US | 8.8.8.8:53 | puqbnzkgmx.net | udp |
| US | 8.8.8.8:53 | tyzkrdhyl.info | udp |
| US | 8.8.8.8:53 | iyfdyipefmo.net | udp |
| US | 8.8.8.8:53 | aqcawcgkkswi.com | udp |
| US | 8.8.8.8:53 | pivwtuqgxij.com | udp |
| US | 8.8.8.8:53 | cfjwneuxwsh.info | udp |
| US | 8.8.8.8:53 | fxepdaxqrez.com | udp |
| US | 8.8.8.8:53 | wxnovyb.info | udp |
| US | 8.8.8.8:53 | egvidbdaryx.info | udp |
| US | 8.8.8.8:53 | vyvijbihvn.info | udp |
| US | 8.8.8.8:53 | vdsereqdxb.net | udp |
| US | 8.8.8.8:53 | ysukgkuo.com | udp |
| US | 8.8.8.8:53 | dcgirqqvfor.com | udp |
| US | 8.8.8.8:53 | vdjfzh.info | udp |
| US | 8.8.8.8:53 | hsrofavrq.net | udp |
| US | 8.8.8.8:53 | aoaukluib.info | udp |
| US | 8.8.8.8:53 | mepwiowgpip.net | udp |
| US | 8.8.8.8:53 | llpwlrlwpx.net | udp |
| US | 8.8.8.8:53 | zjltmqubfnvo.net | udp |
| US | 8.8.8.8:53 | cqaeskwyoogk.org | udp |
| US | 8.8.8.8:53 | mmvkuyl.info | udp |
| US | 8.8.8.8:53 | firlacfl.info | udp |
| US | 8.8.8.8:53 | ozglicoyf.net | udp |
| US | 8.8.8.8:53 | bctwfgikb.org | udp |
| US | 8.8.8.8:53 | zwssrqqs.net | udp |
| US | 8.8.8.8:53 | xgbudgdfdkl.net | udp |
| US | 8.8.8.8:53 | ikooggko.org | udp |
| US | 8.8.8.8:53 | fzqqksnzg.net | udp |
| US | 8.8.8.8:53 | jzgndfbk.info | udp |
| US | 8.8.8.8:53 | pvrxbd.net | udp |
| US | 8.8.8.8:53 | yfvynotbryt.net | udp |
| US | 8.8.8.8:53 | lmgeww.info | udp |
| US | 8.8.8.8:53 | mzmnhc.net | udp |
| US | 8.8.8.8:53 | ofnuvwjex.info | udp |
| US | 8.8.8.8:53 | nwjxhsp.net | udp |
| US | 8.8.8.8:53 | xmlymtnez.org | udp |
| US | 8.8.8.8:53 | amkiaaawqe.org | udp |
| US | 8.8.8.8:53 | lbsllcpd.net | udp |
| US | 8.8.8.8:53 | odzbrjqoy.info | udp |
| US | 8.8.8.8:53 | aalijqi.info | udp |
| US | 8.8.8.8:53 | hkjgyjrqli.net | udp |
| US | 8.8.8.8:53 | moiwvi.info | udp |
| US | 8.8.8.8:53 | bnnnnacdlobz.net | udp |
| US | 8.8.8.8:53 | odqisf.info | udp |
| US | 8.8.8.8:53 | vnkmzg.info | udp |
| US | 8.8.8.8:53 | ukcvnbfxkqj.info | udp |
| US | 8.8.8.8:53 | zbkqsxz.net | udp |
| US | 8.8.8.8:53 | gmwiuewucasu.org | udp |
| US | 8.8.8.8:53 | ncpmyszzt.info | udp |
| US | 8.8.8.8:53 | popwwpvgw.info | udp |
| US | 8.8.8.8:53 | uusmqajwtmc.net | udp |
| US | 8.8.8.8:53 | ugxofer.info | udp |
| US | 8.8.8.8:53 | hhddnmeu.info | udp |
| US | 8.8.8.8:53 | xpmklsbeavei.info | udp |
| US | 8.8.8.8:53 | wmrprub.info | udp |
| US | 8.8.8.8:53 | nnkkmb.info | udp |
| US | 8.8.8.8:53 | saakcqkiis.com | udp |
| US | 8.8.8.8:53 | srhyrcfabien.info | udp |
| US | 8.8.8.8:53 | kkiamiym.com | udp |
| US | 8.8.8.8:53 | mwmhzbadpkzn.info | udp |
| US | 8.8.8.8:53 | tiovpj.net | udp |
| US | 8.8.8.8:53 | goaqje.net | udp |
| US | 8.8.8.8:53 | wywazjfaa.info | udp |
| US | 8.8.8.8:53 | bapdanyy.net | udp |
| US | 8.8.8.8:53 | jatdaajehomt.net | udp |
| US | 8.8.8.8:53 | nnfseh.info | udp |
| US | 8.8.8.8:53 | eqzqrhbgt.net | udp |
| US | 8.8.8.8:53 | lxzkvlxv.info | udp |
| US | 8.8.8.8:53 | eqoicyie.org | udp |
| US | 8.8.8.8:53 | mwgkuyee.org | udp |
| US | 8.8.8.8:53 | pcrcnepxpovl.net | udp |
| US | 8.8.8.8:53 | uiceesz.info | udp |
| US | 8.8.8.8:53 | kuwbvixvd.net | udp |
| US | 8.8.8.8:53 | bzaydhbkyko.info | udp |
| US | 8.8.8.8:53 | ogkcszkxrkd.net | udp |
| US | 8.8.8.8:53 | kwsdbbewb.net | udp |
| US | 8.8.8.8:53 | ooqsjj.net | udp |
| US | 8.8.8.8:53 | cgvenokoqkb.net | udp |
| US | 8.8.8.8:53 | uerajyf.net | udp |
| US | 8.8.8.8:53 | iiicuukeskmc.com | udp |
| US | 8.8.8.8:53 | pvjxchowfudm.net | udp |
| US | 8.8.8.8:53 | xnzmrkumr.info | udp |
| US | 8.8.8.8:53 | dcuvzcyttt.net | udp |
| US | 8.8.8.8:53 | wlxwqqwghup.net | udp |
| US | 8.8.8.8:53 | ewiuauieao.com | udp |
| US | 8.8.8.8:53 | gamoyg.org | udp |
| US | 8.8.8.8:53 | aqkmuy.com | udp |
| US | 8.8.8.8:53 | pnpuaqjubfkg.info | udp |
| US | 8.8.8.8:53 | bvfhotcf.info | udp |
| US | 8.8.8.8:53 | quhibmhgpfb.net | udp |
| US | 8.8.8.8:53 | bjpwlrlwpx.net | udp |
| US | 8.8.8.8:53 | wogmiuiyuuam.com | udp |
| US | 8.8.8.8:53 | yquaague.com | udp |
| US | 8.8.8.8:53 | ngbysdjerh.info | udp |
| US | 8.8.8.8:53 | imwkkoik.com | udp |
| US | 8.8.8.8:53 | nwtglsk.com | udp |
| US | 8.8.8.8:53 | ieegcqoa.com | udp |
| US | 8.8.8.8:53 | xowtthpdly.net | udp |
| US | 8.8.8.8:53 | wesuek.org | udp |
| US | 8.8.8.8:53 | indafalddzkq.net | udp |
| US | 8.8.8.8:53 | sewuvwb.net | udp |
| US | 8.8.8.8:53 | wqmshiy.info | udp |
| US | 8.8.8.8:53 | vpoikknsfoup.info | udp |
| US | 8.8.8.8:53 | htbwiqcwsvye.net | udp |
| US | 8.8.8.8:53 | phpxpifloqaf.net | udp |
| US | 8.8.8.8:53 | oaewcmmi.com | udp |
| US | 8.8.8.8:53 | xbcvkpdgwrrs.info | udp |
| US | 8.8.8.8:53 | cizelthjo.net | udp |
| US | 8.8.8.8:53 | kywckaei.org | udp |
| US | 8.8.8.8:53 | sowwse.com | udp |
| US | 8.8.8.8:53 | dspojbwinyj.com | udp |
| US | 8.8.8.8:53 | wdeyjg.net | udp |
| US | 8.8.8.8:53 | ggawcwsooiwi.org | udp |
| US | 8.8.8.8:53 | oalwpcngx.info | udp |
| US | 8.8.8.8:53 | pojals.info | udp |
| US | 8.8.8.8:53 | xsjyivetagri.net | udp |
| US | 8.8.8.8:53 | dsccrtldjjf.com | udp |
| US | 8.8.8.8:53 | mckagagaci.org | udp |
| US | 8.8.8.8:53 | xcrfxbihvn.info | udp |
| US | 8.8.8.8:53 | fodqkbtwx.com | udp |
| US | 8.8.8.8:53 | vufyjzbut.net | udp |
| US | 8.8.8.8:53 | zijiyrgqtwd.net | udp |
| US | 8.8.8.8:53 | ywqqwcmwkcgi.org | udp |
| US | 8.8.8.8:53 | pvesxitaordl.info | udp |
| US | 8.8.8.8:53 | jfiuge.info | udp |
| US | 8.8.8.8:53 | mkecrnnaz.info | udp |
| US | 8.8.8.8:53 | ugesjqhxjg.net | udp |
| US | 8.8.8.8:53 | riyqtgpef.net | udp |
| US | 8.8.8.8:53 | dzrmxez.com | udp |
| US | 8.8.8.8:53 | qiiffqz.info | udp |
| US | 8.8.8.8:53 | agsjsap.info | udp |
| US | 8.8.8.8:53 | lspuhrugjh.info | udp |
| US | 8.8.8.8:53 | kxldwaoqfn.info | udp |
| US | 8.8.8.8:53 | pfqota.info | udp |
| US | 8.8.8.8:53 | sksksc.org | udp |
| US | 8.8.8.8:53 | xxbuvavqnao.net | udp |
| US | 8.8.8.8:53 | ywxjrh.net | udp |
| US | 8.8.8.8:53 | tgzzsilpuoyu.info | udp |
| US | 8.8.8.8:53 | dpagfue.net | udp |
| US | 8.8.8.8:53 | rejwrwpoa.info | udp |
| US | 8.8.8.8:53 | yzedrnlc.info | udp |
| US | 8.8.8.8:53 | agxwfifmp.info | udp |
| US | 8.8.8.8:53 | yaquakkwuysa.com | udp |
| US | 8.8.8.8:53 | jmuyzwjxj.net | udp |
| US | 8.8.8.8:53 | dkzifgl.info | udp |
| US | 8.8.8.8:53 | dqbzjvvbbjc.com | udp |
| US | 8.8.8.8:53 | sgescokcmo.org | udp |
| US | 8.8.8.8:53 | rcbesdskpqp.org | udp |
| US | 8.8.8.8:53 | mmoyuuoqgg.org | udp |
| US | 8.8.8.8:53 | tjjqpageoxn.net | udp |
| US | 8.8.8.8:53 | bubcpvvsemaw.info | udp |
| US | 8.8.8.8:53 | bktwpkdghk.net | udp |
| US | 8.8.8.8:53 | lzwgpqnxhy.net | udp |
| US | 8.8.8.8:53 | fufebuv.net | udp |
| US | 8.8.8.8:53 | rgrczf.info | udp |
| US | 8.8.8.8:53 | vazpjiz.info | udp |
| US | 8.8.8.8:53 | jehyhpbob.com | udp |
| US | 8.8.8.8:53 | gsiimiquom.org | udp |
| US | 8.8.8.8:53 | wxvhxxddpezi.info | udp |
| US | 8.8.8.8:53 | hgfrivgkyp.info | udp |
| US | 8.8.8.8:53 | luaiurlae.info | udp |
| US | 8.8.8.8:53 | sayrfujuemt.info | udp |
| US | 8.8.8.8:53 | nwvrdsl.com | udp |
| US | 8.8.8.8:53 | ktrgqbgm.net | udp |
| US | 8.8.8.8:53 | moscmcoc.org | udp |
| US | 8.8.8.8:53 | hsfspwfirsr.org | udp |
| US | 8.8.8.8:53 | odzkkdtuha.info | udp |
| US | 8.8.8.8:53 | aiwowwquuiwa.org | udp |
| US | 8.8.8.8:53 | akyaadd.info | udp |
| US | 8.8.8.8:53 | fumvct.net | udp |
| US | 8.8.8.8:53 | fplmbwvgd.net | udp |
| US | 8.8.8.8:53 | hobwtexgouz.com | udp |
| US | 8.8.8.8:53 | dnyidwf.info | udp |
| US | 8.8.8.8:53 | rnozpv.info | udp |
| US | 8.8.8.8:53 | auiecogw.com | udp |
| US | 8.8.8.8:53 | uzxiofna.net | udp |
| US | 8.8.8.8:53 | tunwaed.com | udp |
| US | 8.8.8.8:53 | iwooye.org | udp |
| US | 8.8.8.8:53 | yadxtkefpqdf.net | udp |
| US | 8.8.8.8:53 | zkvroijd.info | udp |
| US | 8.8.8.8:53 | amqfvzbu.info | udp |
| US | 8.8.8.8:53 | qngitmingp.net | udp |
| US | 8.8.8.8:53 | izepwfuwpeym.net | udp |
| US | 8.8.8.8:53 | uyzpxzcrtoz.net | udp |
| US | 8.8.8.8:53 | ulwprsdpevsj.info | udp |
| US | 8.8.8.8:53 | mxaviz.info | udp |
| US | 8.8.8.8:53 | oyxaqaj.info | udp |
| US | 8.8.8.8:53 | qyjxvcif.net | udp |
| US | 8.8.8.8:53 | hexhmh.net | udp |
| US | 8.8.8.8:53 | rkwlhccy.info | udp |
| US | 8.8.8.8:53 | useqsa.com | udp |
| US | 8.8.8.8:53 | nthafgeqx.org | udp |
| US | 8.8.8.8:53 | jflcfvez.net | udp |
| US | 8.8.8.8:53 | jetuecnckob.org | udp |
| US | 8.8.8.8:53 | owgmcwl.net | udp |
| US | 8.8.8.8:53 | rqzqmid.com | udp |
| US | 8.8.8.8:53 | vibshiiel.net | udp |
| US | 8.8.8.8:53 | dpexaxvlbhsr.info | udp |
| US | 8.8.8.8:53 | xhmvoamwps.net | udp |
| US | 8.8.8.8:53 | kkjelsqkhdx.info | udp |
| US | 8.8.8.8:53 | jjqtpeerkb.net | udp |
| US | 8.8.8.8:53 | smswjvw.net | udp |
| US | 8.8.8.8:53 | aklvtajqnal.info | udp |
| US | 8.8.8.8:53 | vcmwlyrgs.net | udp |
| US | 8.8.8.8:53 | qxvybgh.info | udp |
| US | 8.8.8.8:53 | urkcltobhpwf.net | udp |
| US | 8.8.8.8:53 | trxxital.info | udp |
| US | 8.8.8.8:53 | wmzmmmb.net | udp |
| US | 8.8.8.8:53 | mczetsb.info | udp |
| US | 8.8.8.8:53 | lhxlnwkk.net | udp |
| US | 8.8.8.8:53 | pkrmxtea.info | udp |
| US | 8.8.8.8:53 | jmtxhwgnudym.net | udp |
| US | 8.8.8.8:53 | avqzpghxeitz.net | udp |
| US | 8.8.8.8:53 | oismai.com | udp |
| US | 8.8.8.8:53 | tqrwzyr.com | udp |
| US | 8.8.8.8:53 | vgpvxcnmcxmj.net | udp |
| US | 8.8.8.8:53 | lvlhwlibbv.net | udp |
| US | 8.8.8.8:53 | xtjywdq.org | udp |
| US | 8.8.8.8:53 | bpzyqtbslulc.info | udp |
| US | 8.8.8.8:53 | majwriukhey.net | udp |
| US | 8.8.8.8:53 | naxcrgx.info | udp |
| US | 8.8.8.8:53 | kgdvotps.net | udp |
| US | 8.8.8.8:53 | eheflhppvg.net | udp |
| US | 8.8.8.8:53 | kuhzisv.net | udp |
| US | 8.8.8.8:53 | nabmasckuk.net | udp |
| US | 8.8.8.8:53 | uiryqjdyicl.info | udp |
| US | 8.8.8.8:53 | ifemydpptl.net | udp |
| US | 8.8.8.8:53 | rhszwdmgfi.net | udp |
| US | 8.8.8.8:53 | cykogcgqqcuu.com | udp |
| US | 8.8.8.8:53 | ixwheq.net | udp |
| US | 8.8.8.8:53 | uwagcc.com | udp |
| US | 8.8.8.8:53 | yfvcxxnys.info | udp |
| US | 8.8.8.8:53 | rgcsmms.info | udp |
| US | 8.8.8.8:53 | ugjyfpgfl.net | udp |
| US | 8.8.8.8:53 | wmkawuqo.com | udp |
| US | 8.8.8.8:53 | nargxed.info | udp |
| US | 8.8.8.8:53 | uafaxnf.net | udp |
| US | 8.8.8.8:53 | ympanulwi.net | udp |
| US | 8.8.8.8:53 | segdts.info | udp |
| US | 8.8.8.8:53 | myrwjqkrwpbk.info | udp |
| US | 8.8.8.8:53 | kktupuz.info | udp |
| US | 8.8.8.8:53 | wooyuntpug.net | udp |
| US | 8.8.8.8:53 | vrsicfbz.info | udp |
| US | 8.8.8.8:53 | hvgubfr.net | udp |
| US | 8.8.8.8:53 | ryqapqb.com | udp |
| US | 8.8.8.8:53 | qseoumkkca.org | udp |
| US | 8.8.8.8:53 | zefcprxdt.com | udp |
| US | 8.8.8.8:53 | tqhycnbun.org | udp |
| US | 8.8.8.8:53 | nclcaoz.net | udp |
| US | 8.8.8.8:53 | yeuueoas.org | udp |
| US | 8.8.8.8:53 | lmfrjjpmlwr.net | udp |
| US | 8.8.8.8:53 | keqqqsiaig.com | udp |
| US | 8.8.8.8:53 | oofnltcfbuqe.net | udp |
| US | 8.8.8.8:53 | qdnmhgdyrit.net | udp |
| US | 8.8.8.8:53 | tsfxlqrzhwxy.net | udp |
| US | 8.8.8.8:53 | oduhpqdwitsr.info | udp |
| US | 8.8.8.8:53 | bclvea.net | udp |
| US | 8.8.8.8:53 | qyqigk.com | udp |
| US | 8.8.8.8:53 | jaikher.org | udp |
| US | 8.8.8.8:53 | nwfevkj.net | udp |
| US | 8.8.8.8:53 | fyaylmbcb.net | udp |
| US | 8.8.8.8:53 | txlhehwwpoky.net | udp |
| US | 8.8.8.8:53 | oydgrdrjv.net | udp |
| US | 8.8.8.8:53 | wzxtyp.net | udp |
| US | 8.8.8.8:53 | ewqsaogoiwkm.com | udp |
| US | 8.8.8.8:53 | ekqaao.com | udp |
| US | 8.8.8.8:53 | nehotohwr.org | udp |
| US | 8.8.8.8:53 | ignsxgltz.net | udp |
| US | 8.8.8.8:53 | twbmkxufxim.net | udp |
| US | 8.8.8.8:53 | rkjyfrxybqd.net | udp |
| US | 8.8.8.8:53 | oecojyjou.info | udp |
| US | 8.8.8.8:53 | hjfdpmp.org | udp |
| US | 8.8.8.8:53 | rvljpzomlf.net | udp |
| US | 8.8.8.8:53 | hfyskcielqan.info | udp |
| US | 8.8.8.8:53 | xfsgmpi.info | udp |
| US | 8.8.8.8:53 | gyxauudezwk.info | udp |
| US | 8.8.8.8:53 | ouqueiou.org | udp |
| US | 8.8.8.8:53 | gncpfgndb.info | udp |
| US | 8.8.8.8:53 | rjbifug.net | udp |
| US | 8.8.8.8:53 | pnvisx.info | udp |
| US | 8.8.8.8:53 | dplyusep.net | udp |
| US | 8.8.8.8:53 | motytrhrm.net | udp |
| US | 8.8.8.8:53 | yqdindvszcl.info | udp |
| US | 8.8.8.8:53 | qshqvelakcj.info | udp |
| US | 8.8.8.8:53 | ugfgpborwk.net | udp |
| US | 8.8.8.8:53 | nstvpgvrh.net | udp |
| US | 8.8.8.8:53 | ldlrgk.info | udp |
| US | 8.8.8.8:53 | wdhsjprg.info | udp |
| US | 8.8.8.8:53 | owtumceqt.info | udp |
| US | 8.8.8.8:53 | vakavr.net | udp |
| US | 8.8.8.8:53 | vlnthukuzii.com | udp |
| US | 8.8.8.8:53 | jkabok.info | udp |
| US | 8.8.8.8:53 | pmvkgvhczeb.net | udp |
| US | 8.8.8.8:53 | sgdzhklkvfso.info | udp |
| US | 8.8.8.8:53 | cbrlsfec.info | udp |
| US | 8.8.8.8:53 | sackyi.org | udp |
| US | 8.8.8.8:53 | gukgkcokemgi.com | udp |
| US | 8.8.8.8:53 | wkufrmqdxw.net | udp |
| US | 8.8.8.8:53 | skqsiiae.org | udp |
| US | 8.8.8.8:53 | tydgygsud.net | udp |
| US | 8.8.8.8:53 | rdqvlj.net | udp |
| US | 8.8.8.8:53 | cseikcgaukiw.org | udp |
| US | 8.8.8.8:53 | pefhpq.info | udp |
| US | 8.8.8.8:53 | jwzilsepb.org | udp |
| US | 8.8.8.8:53 | alyypvemovoc.net | udp |
| US | 8.8.8.8:53 | ykbrpuro.net | udp |
| US | 8.8.8.8:53 | qlstpgkhcjbu.net | udp |
| US | 8.8.8.8:53 | burldiqgjiv.com | udp |
| US | 8.8.8.8:53 | fbczhwj.com | udp |
| US | 8.8.8.8:53 | dyxqtol.net | udp |
| US | 8.8.8.8:53 | vcnboyxn.info | udp |
| US | 8.8.8.8:53 | nzitfaav.info | udp |
| US | 8.8.8.8:53 | ljhsbowtk.org | udp |
| US | 8.8.8.8:53 | thtwlyvcu.net | udp |
| US | 8.8.8.8:53 | dwoeezajbdgj.net | udp |
| US | 8.8.8.8:53 | lktcrbw.com | udp |
| US | 8.8.8.8:53 | okkyqi.org | udp |
| US | 8.8.8.8:53 | rcoamwf.info | udp |
| US | 8.8.8.8:53 | mjktfvyj.net | udp |
| US | 8.8.8.8:53 | hyjodgw.info | udp |
| US | 8.8.8.8:53 | cietdehmzmv.info | udp |
| US | 8.8.8.8:53 | jlxxubcmhdml.info | udp |
| US | 8.8.8.8:53 | zkvftau.net | udp |
| US | 8.8.8.8:53 | idvjhz.net | udp |
| US | 8.8.8.8:53 | mucqoc.com | udp |
| US | 8.8.8.8:53 | dkdczgl.info | udp |
| US | 8.8.8.8:53 | yygimacwgyuk.com | udp |
| US | 8.8.8.8:53 | ygoqmm.org | udp |
| US | 8.8.8.8:53 | rdtdjgnhllf.net | udp |
| US | 8.8.8.8:53 | tgratfmb.net | udp |
| US | 8.8.8.8:53 | eaictyqxc.info | udp |
| US | 8.8.8.8:53 | sfdppaxs.net | udp |
| US | 8.8.8.8:53 | diihroanhk.net | udp |
| US | 8.8.8.8:53 | rvdfjxvm.net | udp |
| US | 8.8.8.8:53 | vgqxvqngngx.info | udp |
| US | 8.8.8.8:53 | uydyfrt.info | udp |
| US | 8.8.8.8:53 | vlztdovmupjy.net | udp |
| US | 8.8.8.8:53 | jdueejhsf.net | udp |
| US | 8.8.8.8:53 | mrbxltsb.info | udp |
| US | 8.8.8.8:53 | cgzqtowog.info | udp |
| US | 8.8.8.8:53 | lxuzwqzohu.net | udp |
| US | 8.8.8.8:53 | bteqlenbm.info | udp |
Files
C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe
C:\Users\Admin\AppData\Local\ijjoqoqortiznmlfphsttyay.ybd
C:\Users\Admin\AppData\Local\rdoeranwkxxzyisxsvrdoeranwkxxzyisxs.rdo
C:\Program Files (x86)\ijjoqoqortiznmlfphsttyay.ybd
Analysis: behavioral2
Detonation Overview
Submitted
2025-04-17 23:27
Reported
2025-04-17 23:30
Platform
win11-20250410-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
Pykspa
Pykspa family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
Detect Pykspa worm
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpzsjzkjqjfsevfq.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixiculxxfzwkxpamm.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "rhtohzmnwrpeslxklr.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exmkgbrvhfgyplaqudsla.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "ixiculxxfzwkxpamm.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctgcwpdfplkapjwkmtg.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "bpzsjzkjqjfsevfq.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "phvsnhwzkhhyojxmpxld.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "bpzsjzkjqjfsevfq.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhtohzmnwrpeslxklr.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "exmkgbrvhfgyplaqudsla.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "ctgcwpdfplkapjwkmtg.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhtohzmnwrpeslxklr.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ixiculxxfzwkxpamm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exmkgbrvhfgyplaqudsla.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "ctgcwpdfplkapjwkmtg.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "phvsnhwzkhhyojxmpxld.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "rhtohzmnwrpeslxklr.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wjskapzxdvqcndm = "rhtohzmnwrpeslxklr.exe ." | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wjskapzxdvqcndm = "rhtohzmnwrpeslxklr.exe ." | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wjskapzxdvqcndm = "exmkgbrvhfgyplaqudsla.exe ." | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ixiculxxfzwkxpamm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhtohzmnwrpeslxklr.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "exmkgbrvhfgyplaqudsla.exe ." | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpzsjzkjqjfsevfq.exe ." | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixiculxxfzwkxpamm.exe ." | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpzsjzkjqjfsevfq.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ixiculxxfzwkxpamm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpzsjzkjqjfsevfq.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bpzsjzkjqjfsevfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixiculxxfzwkxpamm.exe ." | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wjskapzxdvqcndm = "ctgcwpdfplkapjwkmtg.exe ." | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wjskapzxdvqcndm = "bpzsjzkjqjfsevfq.exe ." | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "rhtohzmnwrpeslxklr.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "ctgcwpdfplkapjwkmtg.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bpzsjzkjqjfsevfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctgcwpdfplkapjwkmtg.exe ." | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhtohzmnwrpeslxklr.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhtohzmnwrpeslxklr.exe ." | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "rhtohzmnwrpeslxklr.exe ." | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "bpzsjzkjqjfsevfq.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctgcwpdfplkapjwkmtg.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wjskapzxdvqcndm = "ixiculxxfzwkxpamm.exe ." | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixiculxxfzwkxpamm.exe ." | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bpzsjzkjqjfsevfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exmkgbrvhfgyplaqudsla.exe ." | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "exmkgbrvhfgyplaqudsla.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "rhtohzmnwrpeslxklr.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "phvsnhwzkhhyojxmpxld.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bpzsjzkjqjfsevfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhtohzmnwrpeslxklr.exe ." | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bpzsjzkjqjfsevfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phvsnhwzkhhyojxmpxld.exe ." | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctgcwpdfplkapjwkmtg.exe ." | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ixiculxxfzwkxpamm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctgcwpdfplkapjwkmtg.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exmkgbrvhfgyplaqudsla.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "bpzsjzkjqjfsevfq.exe ." | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bpzsjzkjqjfsevfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpzsjzkjqjfsevfq.exe ." | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "ixiculxxfzwkxpamm.exe ." | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixiculxxfzwkxpamm.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exmkgbrvhfgyplaqudsla.exe ." | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "bpzsjzkjqjfsevfq.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "phvsnhwzkhhyojxmpxld.exe ." | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "exmkgbrvhfgyplaqudsla.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "ctgcwpdfplkapjwkmtg.exe ." | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "ctgcwpdfplkapjwkmtg.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ixiculxxfzwkxpamm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phvsnhwzkhhyojxmpxld.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixiculxxfzwkxpamm.exe" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\vxvchlkxszjkkpnmzrprpwbfer.tde | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| File created | C:\Windows\SysWOW64\vxvchlkxszjkkpnmzrprpwbfer.tde | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wjskapzxdvqcndmwuxgtcukzjhnfamxnwgehq.meu | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| File created | C:\Windows\SysWOW64\wjskapzxdvqcndmwuxgtcukzjhnfamxnwgehq.meu | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\vxvchlkxszjkkpnmzrprpwbfer.tde | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| File created | C:\Program Files (x86)\vxvchlkxszjkkpnmzrprpwbfer.tde | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| File opened for modification | C:\Program Files (x86)\wjskapzxdvqcndmwuxgtcukzjhnfamxnwgehq.meu | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| File created | C:\Program Files (x86)\wjskapzxdvqcndmwuxgtcukzjhnfamxnwgehq.meu | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\vxvchlkxszjkkpnmzrprpwbfer.tde | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| File created | C:\Windows\vxvchlkxszjkkpnmzrprpwbfer.tde | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| File opened for modification | C:\Windows\wjskapzxdvqcndmwuxgtcukzjhnfamxnwgehq.meu | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| File created | C:\Windows\wjskapzxdvqcndmwuxgtcukzjhnfamxnwgehq.meu | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
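Read together, the rows above are a complete tear-down of UAC plus a lockout of regedit, written by both the original sample and its dropped copy chisahj.exe, all under HKLM so they apply to every account on the host. The script below is an added example, not part of this report or of any sandbox tooling: it parses a constructed excerpt of those rows, compares each value with what I take to be the Windows 10 default for that policy (the BASELINE table is my assumption; the report states only what was written), and emits reg.exe lines that restore the defaults. Two values the sample wrote, ValidateAdminCodeSignatures = 0 and FilterAdministratorToken = 0, already equal the default and drop out of the findings, which is the kind of noise a per-row signature cannot suppress.

```python
import re
from collections import defaultdict

# Constructed excerpt of the "System policy modification" rows above (same row format,
# a representative subset; the real table repeats most rows once per process instance).
POLICY_ROWS = r"""
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\chisahj.exe | N/A |
"""

# Assumed Windows 10 defaults for the values the sample touched (my baseline, not from the report),
# with the practical effect of the value the sample wrote.
BASELINE = {
    "EnableLUA":                   (1,    "UAC off entirely after the next reboot"),
    "ConsentPromptBehaviorAdmin":  (5,    "admins elevate with no consent prompt"),
    "ConsentPromptBehaviorUser":   (3,    "standard users' elevation requests auto-denied"),
    "PromptOnSecureDesktop":       (1,    "remaining prompts shown on the user desktop, where they can be spoofed"),
    "EnableVirtualization":        (1,    "file/registry virtualization for legacy apps off"),
    "EnableSecureUIAPaths":        (1,    "UIAccess apps may run from non-secure paths"),
    "ValidateAdminCodeSignatures": (0,    "no change from default"),
    "FilterAdministratorToken":    (0,    "no change from default"),
    "DisableRegistryTools":        (0,    "regedit blocked for every user on the host"),
    "NoDriveTypeAutoRun":          (0x91, "AutoRun mask loosened from the default to unknown-type drives only"),
}


def parse_policy_rows(text):
    """Yield (key_path, value_name, data, process) for each 'Set value' row of the table."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 4 or not cells[0].startswith("Set value"):
            continue  # header, 'Key created' and 'Key opened' rows carry no value
        m = re.match(r'(.+)\\([^\\]+) = "(.*)"$', cells[1])
        if m:
            key_path, name, data = m.groups()
            yield key_path, name, data, cells[2]


def assess_uac_policy(rows):
    """Collapse identical writes from several processes and report every value that left the baseline."""
    by_value = {}  # value name -> {"key": registry path, "data": {written data: {process names}}}
    for key_path, name, data, proc in rows:
        entry = by_value.setdefault(name, {"key": key_path, "data": defaultdict(set)})
        entry["data"][data].add(proc.rsplit("\\", 1)[-1])
    findings = []
    for name, (expected, impact) in BASELINE.items():
        entry = by_value.get(name)
        if entry is None:
            continue
        for data, procs in entry["data"].items():
            if int(data, 0) != expected:
                findings.append({
                    "key": entry["key"].replace("\\REGISTRY\\MACHINE\\", "HKLM\\", 1),
                    "value": name, "observed": int(data, 0), "expected": expected,
                    "impact": impact, "processes": sorted(procs),
                })
    return findings


def remediation_commands(findings):
    """reg.exe lines restoring the baseline (run elevated; DisableRegistryTools could equally be deleted)."""
    return [f'reg add "{f["key"]}" /v {f["value"]} /t REG_DWORD /d {f["expected"]} /f' for f in findings]


if __name__ == "__main__":
    findings = assess_uac_policy(parse_policy_rows(POLICY_ROWS))
    for f in findings:
        print(f"{f['value']}={f['observed']} (default {f['expected']}) by {', '.join(f['processes'])}: {f['impact']}")
    print("\n".join(remediation_commands(findings)))
```

EnableLUA is read at logon, so a host that has run this sample needs a reboot after the values are restored, and because the policies live under HKLM the restore must be done from an elevated context that the disabled UAC now grants to any admin silently.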
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .
C:\Users\Admin\AppData\Local\Temp\chisahj.exe
"C:\Users\Admin\AppData\Local\Temp\chisahj.exe" "-"
C:\Users\Admin\AppData\Local\Temp\chisahj.exe
"C:\Users\Admin\AppData\Local\Temp\chisahj.exe" "-"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| NL | 185.15.59.224:80 | www.wikipedia.org | tcp |
| GB | 87.248.114.12:80 | www.yahoo.com | tcp |
| DE | 85.214.228.140:80 | gyuuym.org | tcp |
| SG | 18.142.91.111:80 | unxfuild.info | tcp |
| US | 104.156.155.94:80 | cydlrge.info | tcp |
| US | 8.8.8.8:53 | syxjnmzar.net | udp |
| US | 8.8.8.8:53 | biwwjubsz.org | udp |
| US | 8.8.8.8:53 | dxikspgshgbk.info | udp |
| US | 8.8.8.8:53 | juzqosrac.info | udp |
| US | 8.8.8.8:53 | qjfzrhhjlp.info | udp |
| US | 8.8.8.8:53 | tbxydhujty.info | udp |
| US | 8.8.8.8:53 | zgrjrexb.net | udp |
| US | 8.8.8.8:53 | suwroer.net | udp |
| US | 8.8.8.8:53 | chrmphfkzehv.net | udp |
| US | 8.8.8.8:53 | lxweiwijlen.info | udp |
| US | 8.8.8.8:53 | ikluwqy.net | udp |
| US | 8.8.8.8:53 | uqaemiwg.org | udp |
| US | 8.8.8.8:53 | xkjsuyq.net | udp |
| US | 8.8.8.8:53 | igekumgwqeqg.com | udp |
| US | 8.8.8.8:53 | cgoyuggksm.org | udp |
| US | 8.8.8.8:53 | qayqhfbrqobk.info | udp |
| US | 8.8.8.8:53 | mckuasyc.com | udp |
| US | 8.8.8.8:53 | gqvozdjclcp.info | udp |
| US | 8.8.8.8:53 | cpehjrdkkwjn.net | udp |
| US | 8.8.8.8:53 | ykkaaw.com | udp |
| US | 8.8.8.8:53 | towgosibpzv.net | udp |
| US | 8.8.8.8:53 | bphixkbossi.info | udp |
| US | 8.8.8.8:53 | fsdqsmnk.info | udp |
| US | 8.8.8.8:53 | zatkvea.com | udp |
| US | 8.8.8.8:53 | aknsgwkcl.net | udp |
| US | 8.8.8.8:53 | iggksimq.com | udp |
| US | 8.8.8.8:53 | jwlqlclkr.info | udp |
| US | 8.8.8.8:53 | tqhpjydzl.com | udp |
| US | 8.8.8.8:53 | lefolijqtod.com | udp |
| US | 8.8.8.8:53 | sisimu.org | udp |
| US | 8.8.8.8:53 | bpzorpfuhtf.org | udp |
| US | 8.8.8.8:53 | auauykaa.org | udp |
| US | 8.8.8.8:53 | cunzzsfay.info | udp |
| US | 8.8.8.8:53 | icvmbgdwp.net | udp |
| US | 8.8.8.8:53 | yhewpdc.net | udp |
| US | 8.8.8.8:53 | lphcisjlecym.info | udp |
| US | 8.8.8.8:53 | rxtxyn.net | udp |
| US | 8.8.8.8:53 | aakoyhbqj.net | udp |
| US | 8.8.8.8:53 | oaewcmmi.com | udp |
| US | 8.8.8.8:53 | iggomqaooasq.org | udp |
| US | 8.8.8.8:53 | eoronncfjrvp.info | udp |
| US | 8.8.8.8:53 | xcrfxbihvn.info | udp |
| US | 8.8.8.8:53 | woqhokwpnbyo.info | udp |
| US | 8.8.8.8:53 | sgescokcmo.org | udp |
| US | 8.8.8.8:53 | lzwgpqnxhy.net | udp |
| US | 8.8.8.8:53 | ridwmcsiykiy.net | udp |
| US | 8.8.8.8:53 | aupcyyw.info | udp |
| US | 8.8.8.8:53 | oceygcmawi.org | udp |
| US | 8.8.8.8:53 | bznwgkagbor.net | udp |
| US | 8.8.8.8:53 | rezaowjdmoq.org | udp |
| US | 8.8.8.8:53 | duzqcwdwf.info | udp |
| US | 8.8.8.8:53 | erwegzpolfjg.info | udp |
| US | 8.8.8.8:53 | owtumceqt.info | udp |
| US | 8.8.8.8:53 | vakavr.net | udp |
| US | 8.8.8.8:53 | skqsiiae.org | udp |
| US | 8.8.8.8:53 | btrzbnhuvsx.info | udp |
| US | 8.8.8.8:53 | kcryxrris.info | udp |
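The table mixes three kinds of rows: DNS queries to the sandbox resolver (8.8.8.8:53, where the indicator is the name, not the IP), HTTP connections to public what-is-my-IP services (the "Looks up external IP address via web service" signature), and connections to three random-looking domains (gyuuym.org, unxfuild.info, cydlrge.info) amid dozens of similar names that were only looked up. The script below is an added example, not part of the report: it parses a constructed 20-row excerpt of the table, splits it into allowlisted traffic, contacted-but-unknown domains with their endpoints, and DNS-only names, and applies a volume heuristic for domain-generation behaviour. The allowlist, the last-two-labels shortcut for the registered domain and the thresholds are my assumptions; the page does not say whether the DNS-only names resolved, so "DNS-only" is not the same as NXDOMAIN.

```python
from collections import defaultdict

# Constructed excerpt of the Network table above (20 of its rows, unchanged in format; the full
# table has 57 DNS-only lookups of the same shape).
NETWORK_ROWS = """
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 172.66.43.169:80 | www.whatismyip.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| NL | 185.15.59.224:80 | www.wikipedia.org | tcp |
| GB | 87.248.114.12:80 | www.yahoo.com | tcp |
| DE | 85.214.228.140:80 | gyuuym.org | tcp |
| SG | 18.142.91.111:80 | unxfuild.info | tcp |
| US | 104.156.155.94:80 | cydlrge.info | tcp |
| US | 8.8.8.8:53 | syxjnmzar.net | udp |
| US | 8.8.8.8:53 | biwwjubsz.org | udp |
| US | 8.8.8.8:53 | dxikspgshgbk.info | udp |
| US | 8.8.8.8:53 | juzqosrac.info | udp |
| US | 8.8.8.8:53 | qjfzrhhjlp.info | udp |
| US | 8.8.8.8:53 | zgrjrexb.net | udp |
| US | 8.8.8.8:53 | igekumgwqeqg.com | udp |
| US | 8.8.8.8:53 | ykkaaw.com | udp |
| US | 8.8.8.8:53 | sisimu.org | udp |
| US | 8.8.8.8:53 | rxtxyn.net | udp |
| US | 8.8.8.8:53 | kcryxrris.info | udp |
"""

# Analyst-maintained allowlist of registered domains (an assumption of this example, not something
# the report states): the public IP-echo services the sample used plus two well-known sites it touched.
ALLOWLIST = {"whatismyip.ca", "whatismyip.com", "whatismyipaddress.com",
             "showmyipaddress.com", "wikipedia.org", "yahoo.com"}


def parse_network_rows(text):
    """Yield (country, ip, port, domain, proto) from rows in the report's table format."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        country, endpoint, domain, proto = cells
        ip, port = endpoint.rsplit(":", 1)
        yield country, ip, int(port), domain, proto


def registered_domain(host):
    """Naive eTLD+1 (last two labels): fine for .com/.net/.org/.info/.ca, wrong for co.uk-style suffixes."""
    return ".".join(host.lower().split(".")[-2:])


def triage_network(rows, allowlist=ALLOWLIST):
    """Split the table into allowlisted names, contacted-but-unknown domains (with endpoints) and DNS-only names."""
    contacted = defaultdict(set)  # domain -> {"ip:port"} for tcp rows
    queried = set()               # domains seen only as queries to the resolver (udp/53)
    for _country, ip, port, domain, proto in rows:
        if proto == "tcp":
            contacted[domain].add(f"{ip}:{port}")
        elif proto == "udp" and port == 53:
            queried.add(domain)
    queried -= set(contacted)

    def allowed(d):
        return registered_domain(d) in allowlist

    return {
        "allowlisted": sorted(d for d in list(contacted) + list(queried) if allowed(d)),
        "candidate_c2": {d: sorted(eps) for d, eps in contacted.items() if not allowed(d)},
        "dns_only": sorted(d for d in queried if not allowed(d)),
    }


def dga_volume_signal(dns_only, min_domains=20, min_tlds=3):
    """Volume heuristic: many distinct never-contacted registered domains spread over several TLDs."""
    regs = {registered_domain(d) for d in dns_only}
    tlds = {r.rsplit(".", 1)[-1] for r in regs}
    return len(regs) >= min_domains and len(tlds) >= min_tlds


if __name__ == "__main__":
    result = triage_network(parse_network_rows(NETWORK_ROWS))
    for domain, endpoints in result["candidate_c2"].items():
        print(f"block/pivot: {domain} -> {', '.join(endpoints)}")
    print(f"{len(result['dns_only'])} DNS-only names; DGA volume signal:",
          dga_volume_signal(result["dns_only"], min_domains=10))
```

On the full table the DNS-only set has 57 names spread over .com, .net, .org and .info, well past the default threshold of 20; the excerpt trips it only with the lower threshold used above. The three contacted domains are the ones worth blocking and pivoting on, and the echo services should stay off any blocklist, since they are also used by plenty of legitimate software.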
Files