Malware Analysis Report

2025-08-10 16:33

Sample ID 250417-3fnn3svzbt
Target JaffaCakes118_bb9948c3da8fee376e600f5467021131
SHA256 3dfd0e24cf3ccb5898676f46f706ada8a30636bc3383b2406c1cee28aaf319f3
Tags
worm pykspa defense_evasion discovery persistence privilege_escalation trojan
Score
10/10

Analysis Overview

Score
10/10

SHA256

3dfd0e24cf3ccb5898676f46f706ada8a30636bc3383b2406c1cee28aaf319f3

Threat Level: Known bad

The file JaffaCakes118_bb9948c3da8fee376e600f5467021131 was found to be: Known bad.

Malicious Activity Summary

worm pykspa defense_evasion discovery persistence privilege_escalation trojan

UAC bypass

Detect Pykspa worm

Pykspa family

Pykspa

Modifies WinLogon for persistence

Detect Pykspa worm

Disables RegEdit via registry modification

Adds policy Run key to start application

Checks computer location settings

Executes dropped EXE

Impair Defenses: Safe Mode Boot

Hijack Execution Flow: Executable Installer File Permissions Weakness

Looks up external IP address via web service

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

System policy modification

Analysis: static1

Detonation Overview

Reported

2025-04-17 23:27

Signatures

Detect Pykspa worm

worm
Description Indicator Process Target
N/A N/A N/A N/A

Pykspa family

pykspa

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-17 23:27

Reported

2025-04-17 23:30

Platform

win10v2004-20250314-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A

Pykspa

worm pykspa

Pykspa family

pykspa

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A

Detect Pykspa worm

worm
Description Indicator Process Target
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "apdwmyoarhkprerz.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "hxmgxkbogxbhkymvu.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxqojavmidlvcumzcnrle.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohzwqgaqlfmvbsjvxhkd.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apdwmyoarhkprerz.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhxskyqexpubfujttb.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "btkgzohwqjpxcsitudf.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "dxqojavmidlvcumzcnrle.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "ohzwqgaqlfmvbsjvxhkd.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "qhxskyqexpubfujttb.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "qhxskyqexpubfujttb.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "btkgzohwqjpxcsitudf.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxqojavmidlvcumzcnrle.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "ohzwqgaqlfmvbsjvxhkd.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "qhxskyqexpubfujttb.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohzwqgaqlfmvbsjvxhkd.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apdwmyoarhkprerz.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "apdwmyoarhkprerz.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxdowaim = "hxmgxkbogxbhkymvu.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhksx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxqojavmidlvcumzcnrle.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "qhxskyqexpubfujttb.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "apdwmyoarhkprerz.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "apdwmyoarhkprerz.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "qhxskyqexpubfujttb.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "hxmgxkbogxbhkymvu.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "qhxskyqexpubfujttb.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "btkgzohwqjpxcsitudf.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ajreouekvf = "btkgzohwqjpxcsitudf.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxqojavmidlvcumzcnrle.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "hxmgxkbogxbhkymvu.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhxskyqexpubfujttb.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "btkgzohwqjpxcsitudf.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ajreouekvf = "dxqojavmidlvcumzcnrle.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ajreouekvf = "dxqojavmidlvcumzcnrle.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "dxqojavmidlvcumzcnrle.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "apdwmyoarhkprerz.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "hxmgxkbogxbhkymvu.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ajreouekvf = "btkgzohwqjpxcsitudf.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "btkgzohwqjpxcsitudf.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "ohzwqgaqlfmvbsjvxhkd.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "ohzwqgaqlfmvbsjvxhkd.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "qhxskyqexpubfujttb.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apdwmyoarhkprerz.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "hxmgxkbogxbhkymvu.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otxgmo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhxskyqexpubfujttb.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "qhxskyqexpubfujttb.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohzwqgaqlfmvbsjvxhkd.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "btkgzohwqjpxcsitudf.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "hxmgxkbogxbhkymvu.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "qhxskyqexpubfujttb.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otxgmo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohzwqgaqlfmvbsjvxhkd.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otxgmo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ajreouekvf = "qhxskyqexpubfujttb.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxqojavmidlvcumzcnrle.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhxskyqexpubfujttb.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohzwqgaqlfmvbsjvxhkd.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apdwmyoarhkprerz.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\otxgmo = "apdwmyoarhkprerz.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otxgmo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apdwmyoarhkprerz.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "dxqojavmidlvcumzcnrle.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhxskyqexpubfujttb.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "btkgzohwqjpxcsitudf.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otxgmo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apdwmyoarhkprerz.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhxskyqexpubfujttb.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "btkgzohwqjpxcsitudf.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apdwmyoarhkprerz.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "dxqojavmidlvcumzcnrle.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "ohzwqgaqlfmvbsjvxhkd.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "apdwmyoarhkprerz.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btkgzohwqjpxcsitudf.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vfocnufmyjh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\otxgmo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxqojavmidlvcumzcnrle.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hpwirwfku = "dxqojavmidlvcumzcnrle.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bhmwdgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxqojavmidlvcumzcnrle.exe ." C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sdncowiqdpop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxmgxkbogxbhkymvu.exe" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyip.everdot.org N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ijjoqoqortiznmlfphsttyay.ybd C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
File created C:\Windows\SysWOW64\ijjoqoqortiznmlfphsttyay.ybd C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
File opened for modification C:\Windows\SysWOW64\rdoeranwkxxzyisxsvrdoeranwkxxzyisxs.rdo C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
File created C:\Windows\SysWOW64\rdoeranwkxxzyisxsvrdoeranwkxxzyisxs.rdo C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\ijjoqoqortiznmlfphsttyay.ybd C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
File created C:\Program Files (x86)\ijjoqoqortiznmlfphsttyay.ybd C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
File opened for modification C:\Program Files (x86)\rdoeranwkxxzyisxsvrdoeranwkxxzyisxs.rdo C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
File created C:\Program Files (x86)\rdoeranwkxxzyisxsvrdoeranwkxxzyisxs.rdo C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rdoeranwkxxzyisxsvrdoeranwkxxzyisxs.rdo C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
File created C:\Windows\rdoeranwkxxzyisxsvrdoeranwkxxzyisxs.rdo C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
File opened for modification C:\Windows\ijjoqoqortiznmlfphsttyay.ybd C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
File created C:\Windows\ijjoqoqortiznmlfphsttyay.ybd C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Key created \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Key created \REGISTRY\USER\S-1-5-21-83325578-304917428-1200496059-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A

Processes

Distinct process images and command lines observed in this detonation (repeated launches of the same command line are collapsed into one entry):

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe"

C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe (two instances)

"C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe" "-"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe (launched repeatedly; each dropped executable name is invoked bare, with a trailing ".", by full Temp path, and by full Temp path with a trailing ".")

C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe
C:\Windows\system32\cmd.exe /c qhxskyqexpubfujttb.exe .
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qhxskyqexpubfujttb.exe .

C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe
C:\Windows\system32\cmd.exe /c btkgzohwqjpxcsitudf.exe .
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\btkgzohwqjpxcsitudf.exe .

C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe
C:\Windows\system32\cmd.exe /c hxmgxkbogxbhkymvu.exe .
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hxmgxkbogxbhkymvu.exe .

C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe
C:\Windows\system32\cmd.exe /c apdwmyoarhkprerz.exe .
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\apdwmyoarhkprerz.exe .

C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe /c dxqojavmidlvcumzcnrle.exe .
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dxqojavmidlvcumzcnrle.exe .

C:\Windows\system32\cmd.exe /c ohzwqgaqlfmvbsjvxhkd.exe
C:\Windows\system32\cmd.exe /c ohzwqgaqlfmvbsjvxhkd.exe .
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ohzwqgaqlfmvbsjvxhkd.exe .

Network

US 8.8.8.8:53 lgqopfat.net udp
US 8.8.8.8:53 otdalubgt.net udp
US 8.8.8.8:53 ljlrpw.info udp
US 8.8.8.8:53 iusioomq.org udp
US 8.8.8.8:53 fwwydpssbyu.org udp
US 8.8.8.8:53 enwcpqzhu.info udp
US 8.8.8.8:53 wcsbrpz.net udp
US 8.8.8.8:53 xfnidtblc.org udp
US 8.8.8.8:53 amgeecys.com udp
US 8.8.8.8:53 poxpkwder.info udp
US 8.8.8.8:53 cdxbtaunjmj.info udp
US 8.8.8.8:53 amemymzwl.net udp
US 8.8.8.8:53 ptyedgj.org udp
US 8.8.8.8:53 uwcuws.org udp
US 8.8.8.8:53 nitvjbrzdehs.info udp
US 8.8.8.8:53 zabpxb.info udp
US 8.8.8.8:53 zqkcqwjl.net udp
US 8.8.8.8:53 lihirhhjmer.org udp
US 8.8.8.8:53 gnjijkxsdcy.net udp
US 8.8.8.8:53 azlfou.info udp
US 8.8.8.8:53 ugmcea.org udp
US 8.8.8.8:53 gmywqiwasgmq.com udp
US 8.8.8.8:53 bezikcpkhu.net udp
US 8.8.8.8:53 gwfasfhbwqhj.net udp
US 8.8.8.8:53 umyicieyee.org udp
US 8.8.8.8:53 dadgkzy.org udp
US 8.8.8.8:53 xrygvswkvyu.com udp
US 8.8.8.8:53 cjgfnm.info udp
US 8.8.8.8:53 sufizglaz.info udp
US 8.8.8.8:53 vcsuct.net udp
US 8.8.8.8:53 pmlwrs.net udp
US 8.8.8.8:53 xgbikqhwt.org udp
US 8.8.8.8:53 lqiexynw.net udp
US 8.8.8.8:53 fsyczawoha.info udp
US 8.8.8.8:53 czvkpji.info udp
US 8.8.8.8:53 oyzgpbtrdgl.info udp
US 8.8.8.8:53 ypvjmslx.net udp
US 8.8.8.8:53 turylkg.info udp
US 8.8.8.8:53 kgrjqedy.info udp
US 8.8.8.8:53 atkzfclhbift.info udp
US 8.8.8.8:53 wueysyqiyg.org udp
US 8.8.8.8:53 duflbswlg.net udp
US 8.8.8.8:53 lslafuhozg.net udp
US 8.8.8.8:53 eabetgh.net udp
US 8.8.8.8:53 qumsmsgqaiig.org udp
US 8.8.8.8:53 jjrefkv.net udp
US 8.8.8.8:53 bipqynbezc.info udp
US 8.8.8.8:53 ddrgmyxc.net udp
US 8.8.8.8:53 pdpibobucap.org udp
US 8.8.8.8:53 jfvytim.org udp
US 8.8.8.8:53 turagimcrylt.net udp
US 8.8.8.8:53 ulpwlokwgen.info udp
US 8.8.8.8:53 qcsekmwqag.org udp
US 8.8.8.8:53 kjskvzf.info udp
US 8.8.8.8:53 uwtxnmryqbv.info udp
US 8.8.8.8:53 xzrebpiabz.net udp
US 8.8.8.8:53 hoggayp.com udp
US 8.8.8.8:53 qsnnsthkfkkv.net udp
US 8.8.8.8:53 lzbjkx.info udp
US 8.8.8.8:53 sumccgag.org udp
US 8.8.8.8:53 imserobiq.info udp
US 8.8.8.8:53 kgwqbib.net udp
US 8.8.8.8:53 blriytvijot.com udp
US 8.8.8.8:53 yzxwucaklwf.info udp
US 8.8.8.8:53 zkypzcxshxya.info udp
US 8.8.8.8:53 kyilnx.net udp
US 8.8.8.8:53 iurmpxp.info udp
US 8.8.8.8:53 vwsqskcuszjg.info udp
US 8.8.8.8:53 wgjjvkb.info udp
US 8.8.8.8:53 jagdxc.net udp
US 8.8.8.8:53 zzhsxt.net udp
US 8.8.8.8:53 bzgpcnhxhhqu.info udp
US 8.8.8.8:53 gaqkygwq.org udp
US 8.8.8.8:53 hfiyhcjx.info udp
US 8.8.8.8:53 vmlzlqbkxmu.org udp
US 8.8.8.8:53 jtgojervsh.net udp
US 8.8.8.8:53 jrbulad.info udp
US 8.8.8.8:53 aegltilsxsy.info udp
US 8.8.8.8:53 bpzorpfuhtf.org udp
US 8.8.8.8:53 jlnjjjgcwp.net udp
US 8.8.8.8:53 oaekwkce.org udp
US 8.8.8.8:53 bkngmvgi.net udp
US 8.8.8.8:53 ugdmdijydow.net udp
US 8.8.8.8:53 raxdyes.info udp
US 8.8.8.8:53 lrroziupiqcg.net udp
US 8.8.8.8:53 bqdindvszcl.com udp
US 8.8.8.8:53 wgyciqsguq.com udp
US 8.8.8.8:53 vmseiytz.net udp
US 8.8.8.8:53 hizaxqrkuil.info udp
US 8.8.8.8:53 goeogwogcc.org udp
US 8.8.8.8:53 wawaoiyk.com udp
US 8.8.8.8:53 xwtrnmfm.net udp
US 8.8.8.8:53 huxakwxoag.info udp
US 8.8.8.8:53 qjyxew.info udp
US 8.8.8.8:53 lczoradauoz.net udp
US 8.8.8.8:53 esnqcwxotkv.net udp
US 8.8.8.8:53 aexeguwrvib.info udp
US 8.8.8.8:53 sxfzwitpc.info udp
US 8.8.8.8:53 vqyhfwl.info udp
US 8.8.8.8:53 ymoutlibyvxz.info udp
US 8.8.8.8:53 eeiqkiafvb.net udp
US 8.8.8.8:53 dazulnj.org udp
US 8.8.8.8:53 hekzmob.com udp
US 8.8.8.8:53 cyfeidhliue.info udp
US 8.8.8.8:53 cbemxtyii.net udp
US 8.8.8.8:53 jmxfroh.info udp
US 8.8.8.8:53 nlhsykvqr.org udp
US 8.8.8.8:53 qsskcuymn.info udp
US 8.8.8.8:53 c.pki.goog udp
NL 173.194.69.94:80 c.pki.goog tcp
US 8.8.8.8:53 vqryfrsen.org udp
US 8.8.8.8:53 jzthxr.net udp
US 8.8.8.8:53 rmcktfhvpz.net udp
US 8.8.8.8:53 febhzrdf.info udp
US 8.8.8.8:53 okckysyu.com udp
US 8.8.8.8:53 tjtwqp.net udp
US 8.8.8.8:53 fjusznt.com udp
US 8.8.8.8:53 bcgzivhun.net udp
US 8.8.8.8:53 haisfg.net udp
US 8.8.8.8:53 yvzeibhd.net udp
US 8.8.8.8:53 zuhmapbot.net udp
US 8.8.8.8:53 kkbsiwhqo.net udp
US 8.8.8.8:53 notgaqftf.net udp
US 8.8.8.8:53 kljgbpxajuk.net udp
US 8.8.8.8:53 tcpbkuj.net udp
US 8.8.8.8:53 vjvlnnztmb.net udp
US 8.8.8.8:53 hsnapovuk.org udp
US 8.8.8.8:53 bucenixpd.com udp
US 8.8.8.8:53 tthogxelzchq.info udp
US 8.8.8.8:53 yojkaljecqs.info udp
US 8.8.8.8:53 jyjxrii.info udp
US 8.8.8.8:53 iofsluo.info udp
US 8.8.8.8:53 pvatwndq.net udp
US 8.8.8.8:53 bfnqjykchtrx.info udp
US 8.8.8.8:53 wfkjduvflclh.net udp
US 8.8.8.8:53 ecegeakc.org udp
US 8.8.8.8:53 uaqgvrpllsy.net udp
US 8.8.8.8:53 qiybwkfewqx.info udp
US 8.8.8.8:53 ebzzgkbhwljt.info udp
US 8.8.8.8:53 mocavkdkfir.net udp
US 8.8.8.8:53 ootkjdzphd.net udp
US 8.8.8.8:53 uceqviy.info udp
US 8.8.8.8:53 nilspr.info udp
US 8.8.8.8:53 rrfezjl.org udp
US 8.8.8.8:53 aararuzmj.info udp
US 8.8.8.8:53 uogegscemuce.org udp
US 8.8.8.8:53 zrizzt.net udp
US 8.8.8.8:53 qysuqi.org udp
US 8.8.8.8:53 uapgincf.info udp
US 8.8.8.8:53 nsjnpn.net udp
US 8.8.8.8:53 msjfqihxp.info udp
US 8.8.8.8:53 ivewnr.info udp
US 8.8.8.8:53 heossofye.info udp
US 8.8.8.8:53 ajfmze.info udp
US 8.8.8.8:53 nqxijbihvn.info udp
US 8.8.8.8:53 otbpxdpeowh.net udp
US 8.8.8.8:53 xolqjzp.net udp
US 8.8.8.8:53 vuyeot.net udp
US 8.8.8.8:53 oecbllbu.info udp
US 8.8.8.8:53 wwiyqgwy.org udp
US 8.8.8.8:53 yspynbdonzn.net udp
US 8.8.8.8:53 jhdrucksai.net udp
US 8.8.8.8:53 xrctizgjhu.net udp
US 8.8.8.8:53 mxuziwhk.info udp
US 8.8.8.8:53 dgvrtcuksq.net udp
US 8.8.8.8:53 oqnmqmvvdwv.info udp
US 8.8.8.8:53 eopphyp.net udp
US 8.8.8.8:53 vazesaaub.org udp
US 8.8.8.8:53 rfcqjgcwrllk.info udp
US 8.8.8.8:53 eyganoltc.info udp
US 8.8.8.8:53 gwakqoeoyw.org udp
US 8.8.8.8:53 tkqwhttkz.org udp
US 8.8.8.8:53 bamlapb.info udp
US 8.8.8.8:53 sjithh.info udp
US 8.8.8.8:53 acxtnicz.net udp
US 8.8.8.8:53 gvgwafd.net udp
US 8.8.8.8:53 ooewwc.org udp
US 8.8.8.8:53 qlndczxhgjj.net udp
US 8.8.8.8:53 jypigkw.net udp
US 8.8.8.8:53 adpitmkkkqv.info udp
US 8.8.8.8:53 gyfaphvt.info udp
US 8.8.8.8:53 vwdseqljtth.net udp
US 8.8.8.8:53 jphhtgd.com udp
US 8.8.8.8:53 xvvsefgupi.info udp
US 8.8.8.8:53 aesmuuwo.com udp
US 8.8.8.8:53 wwqcueww.com udp
US 8.8.8.8:53 omierhazkhgw.net udp
US 8.8.8.8:53 ouzalyf.info udp
US 8.8.8.8:53 mjeqabfwle.info udp
US 8.8.8.8:53 twqufhmefz.info udp
US 8.8.8.8:53 dalatbt.net udp
US 8.8.8.8:53 bzrtps.info udp
US 8.8.8.8:53 kwdrqyzrhd.net udp
US 8.8.8.8:53 hfimkro.net udp
US 8.8.8.8:53 bdpexv.info udp
US 8.8.8.8:53 kxbknpwwosul.info udp
US 8.8.8.8:53 xrjmbmgmisvh.info udp
US 8.8.8.8:53 lutwrifej.org udp
US 8.8.8.8:53 fvngbrhwupjr.net udp
US 8.8.8.8:53 jqtenkdayoy.org udp
US 8.8.8.8:53 qceuiioe.com udp
US 8.8.8.8:53 lvliwxsju.net udp
US 8.8.8.8:53 vqhxhcv.info udp
US 8.8.8.8:53 wcgcuuiu.org udp
US 8.8.8.8:53 jgrmrg.net udp
US 8.8.8.8:53 kovkhylolko.info udp
US 8.8.8.8:53 homaxclwzbsq.info udp
US 8.8.8.8:53 nhmyomxjv.info udp
US 8.8.8.8:53 xxdnrfrsr.info udp
US 8.8.8.8:53 vinctzesncnj.info udp
US 8.8.8.8:53 puqbnzkgmx.net udp
US 8.8.8.8:53 tyzkrdhyl.info udp
US 8.8.8.8:53 iyfdyipefmo.net udp
US 8.8.8.8:53 aqcawcgkkswi.com udp
US 8.8.8.8:53 pivwtuqgxij.com udp
US 8.8.8.8:53 cfjwneuxwsh.info udp
US 8.8.8.8:53 fxepdaxqrez.com udp
US 8.8.8.8:53 wxnovyb.info udp
US 8.8.8.8:53 egvidbdaryx.info udp
US 8.8.8.8:53 vyvijbihvn.info udp
US 8.8.8.8:53 vdsereqdxb.net udp
US 8.8.8.8:53 ysukgkuo.com udp
US 8.8.8.8:53 dcgirqqvfor.com udp
US 8.8.8.8:53 vdjfzh.info udp
US 8.8.8.8:53 hsrofavrq.net udp
US 8.8.8.8:53 aoaukluib.info udp
US 8.8.8.8:53 mepwiowgpip.net udp
US 8.8.8.8:53 llpwlrlwpx.net udp
US 8.8.8.8:53 zjltmqubfnvo.net udp
US 8.8.8.8:53 cqaeskwyoogk.org udp
US 8.8.8.8:53 mmvkuyl.info udp
US 8.8.8.8:53 firlacfl.info udp
US 8.8.8.8:53 ozglicoyf.net udp
US 8.8.8.8:53 bctwfgikb.org udp
US 8.8.8.8:53 zwssrqqs.net udp
US 8.8.8.8:53 xgbudgdfdkl.net udp
US 8.8.8.8:53 ikooggko.org udp
US 8.8.8.8:53 fzqqksnzg.net udp
US 8.8.8.8:53 jzgndfbk.info udp
US 8.8.8.8:53 pvrxbd.net udp
US 8.8.8.8:53 yfvynotbryt.net udp
US 8.8.8.8:53 lmgeww.info udp
US 8.8.8.8:53 mzmnhc.net udp
US 8.8.8.8:53 ofnuvwjex.info udp
US 8.8.8.8:53 nwjxhsp.net udp
US 8.8.8.8:53 xmlymtnez.org udp
US 8.8.8.8:53 amkiaaawqe.org udp
US 8.8.8.8:53 lbsllcpd.net udp
US 8.8.8.8:53 odzbrjqoy.info udp
US 8.8.8.8:53 aalijqi.info udp
US 8.8.8.8:53 hkjgyjrqli.net udp
US 8.8.8.8:53 moiwvi.info udp
US 8.8.8.8:53 bnnnnacdlobz.net udp
US 8.8.8.8:53 odqisf.info udp
US 8.8.8.8:53 vnkmzg.info udp
US 8.8.8.8:53 ukcvnbfxkqj.info udp
US 8.8.8.8:53 zbkqsxz.net udp
US 8.8.8.8:53 gmwiuewucasu.org udp
US 8.8.8.8:53 ncpmyszzt.info udp
US 8.8.8.8:53 popwwpvgw.info udp
US 8.8.8.8:53 uusmqajwtmc.net udp
US 8.8.8.8:53 ugxofer.info udp
US 8.8.8.8:53 hhddnmeu.info udp
US 8.8.8.8:53 xpmklsbeavei.info udp
US 8.8.8.8:53 wmrprub.info udp
US 8.8.8.8:53 nnkkmb.info udp
US 8.8.8.8:53 saakcqkiis.com udp
US 8.8.8.8:53 srhyrcfabien.info udp
US 8.8.8.8:53 kkiamiym.com udp
US 8.8.8.8:53 mwmhzbadpkzn.info udp
US 8.8.8.8:53 tiovpj.net udp
US 8.8.8.8:53 goaqje.net udp
US 8.8.8.8:53 wywazjfaa.info udp
US 8.8.8.8:53 bapdanyy.net udp
US 8.8.8.8:53 jatdaajehomt.net udp
US 8.8.8.8:53 nnfseh.info udp
US 8.8.8.8:53 eqzqrhbgt.net udp
US 8.8.8.8:53 lxzkvlxv.info udp
US 8.8.8.8:53 eqoicyie.org udp
US 8.8.8.8:53 mwgkuyee.org udp
US 8.8.8.8:53 pcrcnepxpovl.net udp
US 8.8.8.8:53 uiceesz.info udp
US 8.8.8.8:53 kuwbvixvd.net udp
US 8.8.8.8:53 bzaydhbkyko.info udp
US 8.8.8.8:53 ogkcszkxrkd.net udp
US 8.8.8.8:53 kwsdbbewb.net udp
US 8.8.8.8:53 ooqsjj.net udp
US 8.8.8.8:53 cgvenokoqkb.net udp
US 8.8.8.8:53 uerajyf.net udp
US 8.8.8.8:53 iiicuukeskmc.com udp
US 8.8.8.8:53 pvjxchowfudm.net udp
US 8.8.8.8:53 xnzmrkumr.info udp
US 8.8.8.8:53 dcuvzcyttt.net udp
US 8.8.8.8:53 wlxwqqwghup.net udp
US 8.8.8.8:53 ewiuauieao.com udp
US 8.8.8.8:53 gamoyg.org udp
US 8.8.8.8:53 aqkmuy.com udp
US 8.8.8.8:53 pnpuaqjubfkg.info udp
US 8.8.8.8:53 bvfhotcf.info udp
US 8.8.8.8:53 quhibmhgpfb.net udp
US 8.8.8.8:53 bjpwlrlwpx.net udp
US 8.8.8.8:53 wogmiuiyuuam.com udp
US 8.8.8.8:53 yquaague.com udp
US 8.8.8.8:53 ngbysdjerh.info udp
US 8.8.8.8:53 imwkkoik.com udp
US 8.8.8.8:53 nwtglsk.com udp
US 8.8.8.8:53 ieegcqoa.com udp
US 8.8.8.8:53 xowtthpdly.net udp
US 8.8.8.8:53 wesuek.org udp
US 8.8.8.8:53 indafalddzkq.net udp
US 8.8.8.8:53 sewuvwb.net udp
US 8.8.8.8:53 wqmshiy.info udp
US 8.8.8.8:53 vpoikknsfoup.info udp
US 8.8.8.8:53 htbwiqcwsvye.net udp
US 8.8.8.8:53 phpxpifloqaf.net udp
US 8.8.8.8:53 oaewcmmi.com udp
US 8.8.8.8:53 xbcvkpdgwrrs.info udp
US 8.8.8.8:53 cizelthjo.net udp
US 8.8.8.8:53 kywckaei.org udp
US 8.8.8.8:53 sowwse.com udp
US 8.8.8.8:53 dspojbwinyj.com udp
US 8.8.8.8:53 wdeyjg.net udp
US 8.8.8.8:53 ggawcwsooiwi.org udp
US 8.8.8.8:53 oalwpcngx.info udp
US 8.8.8.8:53 pojals.info udp
US 8.8.8.8:53 xsjyivetagri.net udp
US 8.8.8.8:53 dsccrtldjjf.com udp
US 8.8.8.8:53 mckagagaci.org udp
US 8.8.8.8:53 xcrfxbihvn.info udp
US 8.8.8.8:53 fodqkbtwx.com udp
US 8.8.8.8:53 vufyjzbut.net udp
US 8.8.8.8:53 zijiyrgqtwd.net udp
US 8.8.8.8:53 ywqqwcmwkcgi.org udp
US 8.8.8.8:53 pvesxitaordl.info udp
US 8.8.8.8:53 jfiuge.info udp
US 8.8.8.8:53 mkecrnnaz.info udp
US 8.8.8.8:53 ugesjqhxjg.net udp
US 8.8.8.8:53 riyqtgpef.net udp
US 8.8.8.8:53 dzrmxez.com udp
US 8.8.8.8:53 qiiffqz.info udp
US 8.8.8.8:53 agsjsap.info udp
US 8.8.8.8:53 lspuhrugjh.info udp
US 8.8.8.8:53 kxldwaoqfn.info udp
US 8.8.8.8:53 pfqota.info udp
US 8.8.8.8:53 sksksc.org udp
US 8.8.8.8:53 xxbuvavqnao.net udp
US 8.8.8.8:53 ywxjrh.net udp
US 8.8.8.8:53 tgzzsilpuoyu.info udp
US 8.8.8.8:53 dpagfue.net udp
US 8.8.8.8:53 rejwrwpoa.info udp
US 8.8.8.8:53 yzedrnlc.info udp
US 8.8.8.8:53 agxwfifmp.info udp
US 8.8.8.8:53 yaquakkwuysa.com udp
US 8.8.8.8:53 jmuyzwjxj.net udp
US 8.8.8.8:53 dkzifgl.info udp
US 8.8.8.8:53 dqbzjvvbbjc.com udp
US 8.8.8.8:53 sgescokcmo.org udp
US 8.8.8.8:53 rcbesdskpqp.org udp
US 8.8.8.8:53 mmoyuuoqgg.org udp
US 8.8.8.8:53 tjjqpageoxn.net udp
US 8.8.8.8:53 bubcpvvsemaw.info udp
US 8.8.8.8:53 bktwpkdghk.net udp
US 8.8.8.8:53 lzwgpqnxhy.net udp
US 8.8.8.8:53 fufebuv.net udp
US 8.8.8.8:53 rgrczf.info udp
US 8.8.8.8:53 vazpjiz.info udp
US 8.8.8.8:53 jehyhpbob.com udp
US 8.8.8.8:53 gsiimiquom.org udp
US 8.8.8.8:53 wxvhxxddpezi.info udp
US 8.8.8.8:53 hgfrivgkyp.info udp
US 8.8.8.8:53 luaiurlae.info udp
US 8.8.8.8:53 sayrfujuemt.info udp
US 8.8.8.8:53 nwvrdsl.com udp
US 8.8.8.8:53 ktrgqbgm.net udp
US 8.8.8.8:53 moscmcoc.org udp
US 8.8.8.8:53 hsfspwfirsr.org udp
US 8.8.8.8:53 odzkkdtuha.info udp
US 8.8.8.8:53 aiwowwquuiwa.org udp
US 8.8.8.8:53 akyaadd.info udp
US 8.8.8.8:53 fumvct.net udp
US 8.8.8.8:53 fplmbwvgd.net udp
US 8.8.8.8:53 hobwtexgouz.com udp
US 8.8.8.8:53 dnyidwf.info udp
US 8.8.8.8:53 rnozpv.info udp
US 8.8.8.8:53 auiecogw.com udp
US 8.8.8.8:53 uzxiofna.net udp
US 8.8.8.8:53 tunwaed.com udp
US 8.8.8.8:53 iwooye.org udp
US 8.8.8.8:53 yadxtkefpqdf.net udp
US 8.8.8.8:53 zkvroijd.info udp
US 8.8.8.8:53 amqfvzbu.info udp
US 8.8.8.8:53 qngitmingp.net udp
US 8.8.8.8:53 izepwfuwpeym.net udp
US 8.8.8.8:53 uyzpxzcrtoz.net udp
US 8.8.8.8:53 ulwprsdpevsj.info udp
US 8.8.8.8:53 mxaviz.info udp
US 8.8.8.8:53 oyxaqaj.info udp
US 8.8.8.8:53 qyjxvcif.net udp
US 8.8.8.8:53 hexhmh.net udp
US 8.8.8.8:53 rkwlhccy.info udp
US 8.8.8.8:53 useqsa.com udp
US 8.8.8.8:53 nthafgeqx.org udp
US 8.8.8.8:53 jflcfvez.net udp
US 8.8.8.8:53 jetuecnckob.org udp
US 8.8.8.8:53 owgmcwl.net udp
US 8.8.8.8:53 rqzqmid.com udp
US 8.8.8.8:53 vibshiiel.net udp
US 8.8.8.8:53 dpexaxvlbhsr.info udp
US 8.8.8.8:53 xhmvoamwps.net udp
US 8.8.8.8:53 kkjelsqkhdx.info udp
US 8.8.8.8:53 jjqtpeerkb.net udp
US 8.8.8.8:53 smswjvw.net udp
US 8.8.8.8:53 aklvtajqnal.info udp
US 8.8.8.8:53 vcmwlyrgs.net udp
US 8.8.8.8:53 qxvybgh.info udp
US 8.8.8.8:53 urkcltobhpwf.net udp
US 8.8.8.8:53 trxxital.info udp
US 8.8.8.8:53 wmzmmmb.net udp
US 8.8.8.8:53 mczetsb.info udp
US 8.8.8.8:53 lhxlnwkk.net udp
US 8.8.8.8:53 pkrmxtea.info udp
US 8.8.8.8:53 jmtxhwgnudym.net udp
US 8.8.8.8:53 avqzpghxeitz.net udp
US 8.8.8.8:53 oismai.com udp
US 8.8.8.8:53 tqrwzyr.com udp
US 8.8.8.8:53 vgpvxcnmcxmj.net udp
US 8.8.8.8:53 lvlhwlibbv.net udp
US 8.8.8.8:53 xtjywdq.org udp
US 8.8.8.8:53 bpzyqtbslulc.info udp
US 8.8.8.8:53 majwriukhey.net udp
US 8.8.8.8:53 naxcrgx.info udp
US 8.8.8.8:53 kgdvotps.net udp
US 8.8.8.8:53 eheflhppvg.net udp
US 8.8.8.8:53 kuhzisv.net udp
US 8.8.8.8:53 nabmasckuk.net udp
US 8.8.8.8:53 uiryqjdyicl.info udp
US 8.8.8.8:53 ifemydpptl.net udp
US 8.8.8.8:53 rhszwdmgfi.net udp
US 8.8.8.8:53 cykogcgqqcuu.com udp
US 8.8.8.8:53 ixwheq.net udp
US 8.8.8.8:53 uwagcc.com udp
US 8.8.8.8:53 yfvcxxnys.info udp
US 8.8.8.8:53 rgcsmms.info udp
US 8.8.8.8:53 ugjyfpgfl.net udp
US 8.8.8.8:53 wmkawuqo.com udp
US 8.8.8.8:53 nargxed.info udp
US 8.8.8.8:53 uafaxnf.net udp
US 8.8.8.8:53 ympanulwi.net udp
US 8.8.8.8:53 segdts.info udp
US 8.8.8.8:53 myrwjqkrwpbk.info udp
US 8.8.8.8:53 kktupuz.info udp
US 8.8.8.8:53 wooyuntpug.net udp
US 8.8.8.8:53 vrsicfbz.info udp
US 8.8.8.8:53 hvgubfr.net udp
US 8.8.8.8:53 ryqapqb.com udp
US 8.8.8.8:53 qseoumkkca.org udp
US 8.8.8.8:53 zefcprxdt.com udp
US 8.8.8.8:53 tqhycnbun.org udp
US 8.8.8.8:53 nclcaoz.net udp
US 8.8.8.8:53 yeuueoas.org udp
US 8.8.8.8:53 lmfrjjpmlwr.net udp
US 8.8.8.8:53 keqqqsiaig.com udp
US 8.8.8.8:53 oofnltcfbuqe.net udp
US 8.8.8.8:53 qdnmhgdyrit.net udp
US 8.8.8.8:53 tsfxlqrzhwxy.net udp
US 8.8.8.8:53 oduhpqdwitsr.info udp
US 8.8.8.8:53 bclvea.net udp
US 8.8.8.8:53 qyqigk.com udp
US 8.8.8.8:53 jaikher.org udp
US 8.8.8.8:53 nwfevkj.net udp
US 8.8.8.8:53 fyaylmbcb.net udp
US 8.8.8.8:53 txlhehwwpoky.net udp
US 8.8.8.8:53 oydgrdrjv.net udp
US 8.8.8.8:53 wzxtyp.net udp
US 8.8.8.8:53 ewqsaogoiwkm.com udp
US 8.8.8.8:53 ekqaao.com udp
US 8.8.8.8:53 nehotohwr.org udp
US 8.8.8.8:53 ignsxgltz.net udp
US 8.8.8.8:53 twbmkxufxim.net udp
US 8.8.8.8:53 rkjyfrxybqd.net udp
US 8.8.8.8:53 oecojyjou.info udp
US 8.8.8.8:53 hjfdpmp.org udp
US 8.8.8.8:53 rvljpzomlf.net udp
US 8.8.8.8:53 hfyskcielqan.info udp
US 8.8.8.8:53 xfsgmpi.info udp
US 8.8.8.8:53 gyxauudezwk.info udp
US 8.8.8.8:53 ouqueiou.org udp
US 8.8.8.8:53 gncpfgndb.info udp
US 8.8.8.8:53 rjbifug.net udp
US 8.8.8.8:53 pnvisx.info udp
US 8.8.8.8:53 dplyusep.net udp
US 8.8.8.8:53 motytrhrm.net udp
US 8.8.8.8:53 yqdindvszcl.info udp
US 8.8.8.8:53 qshqvelakcj.info udp
US 8.8.8.8:53 ugfgpborwk.net udp
US 8.8.8.8:53 nstvpgvrh.net udp
US 8.8.8.8:53 ldlrgk.info udp
US 8.8.8.8:53 wdhsjprg.info udp
US 8.8.8.8:53 owtumceqt.info udp
US 8.8.8.8:53 vakavr.net udp
US 8.8.8.8:53 vlnthukuzii.com udp
US 8.8.8.8:53 jkabok.info udp
US 8.8.8.8:53 pmvkgvhczeb.net udp
US 8.8.8.8:53 sgdzhklkvfso.info udp
US 8.8.8.8:53 cbrlsfec.info udp
US 8.8.8.8:53 sackyi.org udp
US 8.8.8.8:53 gukgkcokemgi.com udp
US 8.8.8.8:53 wkufrmqdxw.net udp
US 8.8.8.8:53 skqsiiae.org udp
US 8.8.8.8:53 tydgygsud.net udp
US 8.8.8.8:53 rdqvlj.net udp
US 8.8.8.8:53 cseikcgaukiw.org udp
US 8.8.8.8:53 pefhpq.info udp
US 8.8.8.8:53 jwzilsepb.org udp
US 8.8.8.8:53 alyypvemovoc.net udp
US 8.8.8.8:53 ykbrpuro.net udp
US 8.8.8.8:53 qlstpgkhcjbu.net udp
US 8.8.8.8:53 burldiqgjiv.com udp
US 8.8.8.8:53 fbczhwj.com udp
US 8.8.8.8:53 dyxqtol.net udp
US 8.8.8.8:53 vcnboyxn.info udp
US 8.8.8.8:53 nzitfaav.info udp
US 8.8.8.8:53 ljhsbowtk.org udp
US 8.8.8.8:53 thtwlyvcu.net udp
US 8.8.8.8:53 dwoeezajbdgj.net udp
US 8.8.8.8:53 lktcrbw.com udp
US 8.8.8.8:53 okkyqi.org udp
US 8.8.8.8:53 rcoamwf.info udp
US 8.8.8.8:53 mjktfvyj.net udp
US 8.8.8.8:53 hyjodgw.info udp
US 8.8.8.8:53 cietdehmzmv.info udp
US 8.8.8.8:53 jlxxubcmhdml.info udp
US 8.8.8.8:53 zkvftau.net udp
US 8.8.8.8:53 idvjhz.net udp
US 8.8.8.8:53 mucqoc.com udp
US 8.8.8.8:53 dkdczgl.info udp
US 8.8.8.8:53 yygimacwgyuk.com udp
US 8.8.8.8:53 ygoqmm.org udp
US 8.8.8.8:53 rdtdjgnhllf.net udp
US 8.8.8.8:53 tgratfmb.net udp
US 8.8.8.8:53 eaictyqxc.info udp
US 8.8.8.8:53 sfdppaxs.net udp
US 8.8.8.8:53 diihroanhk.net udp
US 8.8.8.8:53 rvdfjxvm.net udp
US 8.8.8.8:53 vgqxvqngngx.info udp
US 8.8.8.8:53 uydyfrt.info udp
US 8.8.8.8:53 vlztdovmupjy.net udp
US 8.8.8.8:53 jdueejhsf.net udp
US 8.8.8.8:53 mrbxltsb.info udp
US 8.8.8.8:53 cgzqtowog.info udp
US 8.8.8.8:53 lxuzwqzohu.net udp
US 8.8.8.8:53 bteqlenbm.info udp

Files

C:\Users\Admin\AppData\Local\Temp\bhmwdgn.exe

MD5 247486bad7958d56f37b84b4dc227422
SHA1 a387fc6e07fdb89a502fc207c9a1e49aef440c93
SHA256 d651a584e4b6c42fe5af4aa2f2b722f875055dae06875443deaa41c32ebb9347
SHA512 51e17f08ff6e2c58c936734666e9bbea1ded165cfef6650a3017d7d2610f9bc76639abef3e2693c8f26acceb5d81d9db53f7665746efac7fa47768511001f591

C:\Users\Admin\AppData\Local\ijjoqoqortiznmlfphsttyay.ybd

MD5 91892b0c507d26880390d6c8b4f2a4af
SHA1 37e0a70c64c55d654be5b8233b90f37656d267b4
SHA256 7e51e0b492f9dac5c6fbc3a47908ea58fc9584d2b83b7454e197a440e2d44422
SHA512 989862b3f448acea8b413a35b7ccc57ac0a89d8682e7b50857dd340def2971024328fc8778f0b2a5341beb2915e1db21d8627a0131c36a56695ed3f60c943887

C:\Users\Admin\AppData\Local\rdoeranwkxxzyisxsvrdoeranwkxxzyisxs.rdo

MD5 43ded261096313e8be45833c76ce4a6b
SHA1 d0349d4e8556f535d83838495f2d3acdb8ccf097
SHA256 ae21313db1c76356500daf0fa118523e99a0ca84453ae59192e52b10b8e8eded
SHA512 098b7b6cba65f7e62f41da5ade8844d4e499290ba39c2597f3ee330dca800b5bf7b2b8bdb42141b8214131b0b63bdc548608fd22a968f0317953cb0562ec9a2c

C:\Program Files (x86)\ijjoqoqortiznmlfphsttyay.ybd

MD5 89570a2049bbc47472ad26507994542f
SHA1 690d18ec2edb1556fe83ba68e554c937fb0b394e
SHA256 18f87434fc9c94576e7219a93a5db64c4f4b4d3d9ef611008707d37fa0d5660a
SHA512 65f374eceec0a8e7834e1070f52356744a2307f480180e0b75234cd87a13da88329a5ade19207ed917bce17ad06840a561a5c07eaa015e66ec20c81f865fe142

C:\Program Files (x86)\ijjoqoqortiznmlfphsttyay.ybd

MD5 b017e09806f53cff88c5470908c03ddb
SHA1 a515f3a6c7bec54ae2fa7ceba2285d65b15d89f2
SHA256 4d780e5ec70ae37cd2223e3b3cf349e68c515cb835f7230e771fdc2d517668a8
SHA512 f564c7e1d0bceb97e8e74b9455e2c48c5e710d0967a85b1ad4b652f0daf5b459f4e644a1ec59a5ff25de3406a99e936bebd68bb949780ae8f02e5d8711897e93

C:\Program Files (x86)\ijjoqoqortiznmlfphsttyay.ybd

MD5 eb20b08d429394b8dee3fb2fd55619cc
SHA1 5b60b332b3320786b4747e6243022c62df3b7a20
SHA256 be7bf61e8e085619d8f257cdbd47bef4f0f45b2b3abb8d8ffd596ef393bd0984
SHA512 eecc16152fdd01f0946ec0e65a3fc102e408827c4ed75677004b9f6179aacbf55669d64ba755747490909d72634528117f00f45b88a99a0bf24cb3f37e467130

C:\Program Files (x86)\ijjoqoqortiznmlfphsttyay.ybd

MD5 eaf188a456ac8f499da27cbfbf0c079b
SHA1 e40057df3c94b111b0412c3e9ba834fcaeb0519d
SHA256 9104fc45c925c08fb8e026462f35ef382982f0d9ae0b2c33278b942b79c605ea
SHA512 59b5686cfcece8bcf3b018a9ac7f0593912b2e7872d919a60c7287681d10f1b6b083a74e24c119b75c565d1b15e7f68d3defcaa58d704d6905d5f55c09f7960e

C:\Program Files (x86)\ijjoqoqortiznmlfphsttyay.ybd

MD5 d13578ca686f18869dcc9ae23bdb2eb0
SHA1 24e7eef84f3d6f2d08755be9a161b40f82598e34
SHA256 ddecf8b8ae8afe734fb15d10cb9e3e5bf05eb7e772482fe786d35add3577992a
SHA512 b7a20048cba61da1909afa4048cc84a521dffa23c22250725b0fcaf612716591375766e9f45b913da3515089b40341c16a5302f9dca2bb09f4c5fce914f373c2

C:\Program Files (x86)\ijjoqoqortiznmlfphsttyay.ybd

MD5 53c189665d9d4e179e0080edbdd8dc6a
SHA1 e4edecc8b7307df6a578d8eac6e5ebd9e3cd875a
SHA256 6cbd41b2e0ffd2f222f1f7457d25aa363f9f0334d84f32ef2ba5f793b9da26c0
SHA512 55363197ff9eafffbab8192e9b4b2561ce7aa6e8730f67abd43a3b66560d4961cd355c096e9201a605311b4b514db9cd2a4b37d2f666940937c19a06628f8876

C:\Program Files (x86)\ijjoqoqortiznmlfphsttyay.ybd

MD5 ee67440fbefe7baa0b007e26085728bc
SHA1 fe70088bf1c7592f320c40c5f99632c22d1dac84
SHA256 64d727b49b432373948d308949cbaeb47aa9594dd753000b1e181a07b638fc39
SHA512 aef20123a8d21df0c08279c846e8c22b64aa6660093db5e0e8c2520304b77d0137ff0278db4f2d7763e57844310b8230e5508d7752988ebe973248830594c32f

Analysis: behavioral2

Detonation Overview

Submitted

2025-04-17 23:27

Reported

2025-04-17 23:30

Platform

win11-20250410-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A

Pykspa

worm pykspa

Pykspa family

pykspa

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A

Detect Pykspa worm

worm
Description Indicator Process Target
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpzsjzkjqjfsevfq.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixiculxxfzwkxpamm.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "rhtohzmnwrpeslxklr.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exmkgbrvhfgyplaqudsla.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "ixiculxxfzwkxpamm.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exmkgbrvhfgyplaqudsla.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctgcwpdfplkapjwkmtg.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "bpzsjzkjqjfsevfq.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "phvsnhwzkhhyojxmpxld.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "bpzsjzkjqjfsevfq.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhtohzmnwrpeslxklr.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpzsjzkjqjfsevfq.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "exmkgbrvhfgyplaqudsla.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "exmkgbrvhfgyplaqudsla.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "rhtohzmnwrpeslxklr.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctgcwpdfplkapjwkmtg.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "bpzsjzkjqjfsevfq.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "ctgcwpdfplkapjwkmtg.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhtohzmnwrpeslxklr.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "ctgcwpdfplkapjwkmtg.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhtohzmnwrpeslxklr.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sdkaobjfjzscl = "ixiculxxfzwkxpamm.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bjnalvatuh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixiculxxfzwkxpamm.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ixiculxxfzwkxpamm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exmkgbrvhfgyplaqudsla.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "ctgcwpdfplkapjwkmtg.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "phvsnhwzkhhyojxmpxld.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "rhtohzmnwrpeslxklr.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wjskapzxdvqcndm = "rhtohzmnwrpeslxklr.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wjskapzxdvqcndm = "rhtohzmnwrpeslxklr.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wjskapzxdvqcndm = "exmkgbrvhfgyplaqudsla.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ixiculxxfzwkxpamm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhtohzmnwrpeslxklr.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "exmkgbrvhfgyplaqudsla.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpzsjzkjqjfsevfq.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixiculxxfzwkxpamm.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpzsjzkjqjfsevfq.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ixiculxxfzwkxpamm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpzsjzkjqjfsevfq.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bpzsjzkjqjfsevfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixiculxxfzwkxpamm.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wjskapzxdvqcndm = "ctgcwpdfplkapjwkmtg.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wjskapzxdvqcndm = "bpzsjzkjqjfsevfq.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "rhtohzmnwrpeslxklr.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "ctgcwpdfplkapjwkmtg.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bpzsjzkjqjfsevfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctgcwpdfplkapjwkmtg.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhtohzmnwrpeslxklr.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhtohzmnwrpeslxklr.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "rhtohzmnwrpeslxklr.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "bpzsjzkjqjfsevfq.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctgcwpdfplkapjwkmtg.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "ctgcwpdfplkapjwkmtg.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wjskapzxdvqcndm = "ixiculxxfzwkxpamm.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixiculxxfzwkxpamm.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bpzsjzkjqjfsevfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exmkgbrvhfgyplaqudsla.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixiculxxfzwkxpamm.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "exmkgbrvhfgyplaqudsla.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "rhtohzmnwrpeslxklr.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "rhtohzmnwrpeslxklr.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "phvsnhwzkhhyojxmpxld.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bpzsjzkjqjfsevfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhtohzmnwrpeslxklr.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bpzsjzkjqjfsevfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phvsnhwzkhhyojxmpxld.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctgcwpdfplkapjwkmtg.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ixiculxxfzwkxpamm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctgcwpdfplkapjwkmtg.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exmkgbrvhfgyplaqudsla.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "bpzsjzkjqjfsevfq.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bpzsjzkjqjfsevfq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpzsjzkjqjfsevfq.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctgcwpdfplkapjwkmtg.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpzsjzkjqjfsevfq.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "ixiculxxfzwkxpamm.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixiculxxfzwkxpamm.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "ctgcwpdfplkapjwkmtg.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exmkgbrvhfgyplaqudsla.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\wjskapzxdvqcndm = "ctgcwpdfplkapjwkmtg.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "exmkgbrvhfgyplaqudsla.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "bpzsjzkjqjfsevfq.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "rhtohzmnwrpeslxklr.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "phvsnhwzkhhyojxmpxld.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "rhtohzmnwrpeslxklr.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "phvsnhwzkhhyojxmpxld.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "exmkgbrvhfgyplaqudsla.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "ctgcwpdfplkapjwkmtg.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\tfnethqnsjdoyn = "ctgcwpdfplkapjwkmtg.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctgcwpdfplkapjwkmtg.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpzsjzkjqjfsevfq.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ixiculxxfzwkxpamm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phvsnhwzkhhyojxmpxld.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000\Software\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixiculxxfzwkxpamm.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "bpzsjzkjqjfsevfq.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ixiculxxfzwkxpamm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhtohzmnwrpeslxklr.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tdjylxezcrjs = "ctgcwpdfplkapjwkmtg.exe ." C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wfkykvbvxlc = "bpzsjzkjqjfsevfq.exe" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.showmyipaddress.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\vxvchlkxszjkkpnmzrprpwbfer.tde C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
File created C:\Windows\SysWOW64\vxvchlkxszjkkpnmzrprpwbfer.tde C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
File opened for modification C:\Windows\SysWOW64\wjskapzxdvqcndmwuxgtcukzjhnfamxnwgehq.meu C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
File created C:\Windows\SysWOW64\wjskapzxdvqcndmwuxgtcukzjhnfamxnwgehq.meu C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\vxvchlkxszjkkpnmzrprpwbfer.tde C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
File created C:\Program Files (x86)\vxvchlkxszjkkpnmzrprpwbfer.tde C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
File opened for modification C:\Program Files (x86)\wjskapzxdvqcndmwuxgtcukzjhnfamxnwgehq.meu C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
File created C:\Program Files (x86)\wjskapzxdvqcndmwuxgtcukzjhnfamxnwgehq.meu C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\vxvchlkxszjkkpnmzrprpwbfer.tde C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
File created C:\Windows\vxvchlkxszjkkpnmzrprpwbfer.tde C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
File opened for modification C:\Windows\wjskapzxdvqcndmwuxgtcukzjhnfamxnwgehq.meu C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
File created C:\Windows\wjskapzxdvqcndmwuxgtcukzjhnfamxnwgehq.meu C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3664858464-2411077738-2029630556-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\chisahj.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb9948c3da8fee376e600f5467021131.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .

C:\Users\Admin\AppData\Local\Temp\chisahj.exe

"C:\Users\Admin\AppData\Local\Temp\chisahj.exe" "-"

C:\Users\Admin\AppData\Local\Temp\chisahj.exe

"C:\Users\Admin\AppData\Local\Temp\chisahj.exe" "-"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c rhtohzmnwrpeslxklr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ixiculxxfzwkxpamm.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bpzsjzkjqjfsevfq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ctgcwpdfplkapjwkmtg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bpzsjzkjqjfsevfq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ixiculxxfzwkxpamm.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c exmkgbrvhfgyplaqudsla.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\rhtohzmnwrpeslxklr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c phvsnhwzkhhyojxmpxld.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ctgcwpdfplkapjwkmtg.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\phvsnhwzkhhyojxmpxld.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\exmkgbrvhfgyplaqudsla.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
NL 185.15.59.224:80 www.wikipedia.org tcp
GB 87.248.114.12:80 www.yahoo.com tcp
DE 85.214.228.140:80 gyuuym.org tcp
SG 18.142.91.111:80 unxfuild.info tcp
US 104.156.155.94:80 cydlrge.info tcp
US 8.8.8.8:53 syxjnmzar.net udp
US 8.8.8.8:53 biwwjubsz.org udp
US 8.8.8.8:53 dxikspgshgbk.info udp
US 8.8.8.8:53 juzqosrac.info udp
US 8.8.8.8:53 qjfzrhhjlp.info udp
US 8.8.8.8:53 tbxydhujty.info udp
US 8.8.8.8:53 zgrjrexb.net udp
US 8.8.8.8:53 suwroer.net udp
US 8.8.8.8:53 chrmphfkzehv.net udp
US 8.8.8.8:53 lxweiwijlen.info udp
US 8.8.8.8:53 ikluwqy.net udp
US 8.8.8.8:53 uqaemiwg.org udp
US 8.8.8.8:53 xkjsuyq.net udp
US 8.8.8.8:53 igekumgwqeqg.com udp
US 8.8.8.8:53 cgoyuggksm.org udp
US 8.8.8.8:53 qayqhfbrqobk.info udp
US 8.8.8.8:53 mckuasyc.com udp
US 8.8.8.8:53 gqvozdjclcp.info udp
US 8.8.8.8:53 cpehjrdkkwjn.net udp
US 8.8.8.8:53 ykkaaw.com udp
US 8.8.8.8:53 towgosibpzv.net udp
US 8.8.8.8:53 bphixkbossi.info udp
US 8.8.8.8:53 fsdqsmnk.info udp
US 8.8.8.8:53 zatkvea.com udp
US 8.8.8.8:53 aknsgwkcl.net udp
US 8.8.8.8:53 iggksimq.com udp
US 8.8.8.8:53 jwlqlclkr.info udp
US 8.8.8.8:53 tqhpjydzl.com udp
US 8.8.8.8:53 lefolijqtod.com udp
US 8.8.8.8:53 sisimu.org udp
US 8.8.8.8:53 bpzorpfuhtf.org udp
US 8.8.8.8:53 auauykaa.org udp
US 8.8.8.8:53 cunzzsfay.info udp
US 8.8.8.8:53 icvmbgdwp.net udp
US 8.8.8.8:53 yhewpdc.net udp
US 8.8.8.8:53 lphcisjlecym.info udp
US 8.8.8.8:53 rxtxyn.net udp
US 8.8.8.8:53 aakoyhbqj.net udp
US 8.8.8.8:53 oaewcmmi.com udp
US 8.8.8.8:53 iggomqaooasq.org udp
US 8.8.8.8:53 eoronncfjrvp.info udp
US 8.8.8.8:53 xcrfxbihvn.info udp
US 8.8.8.8:53 woqhokwpnbyo.info udp
US 8.8.8.8:53 sgescokcmo.org udp
US 8.8.8.8:53 lzwgpqnxhy.net udp
US 8.8.8.8:53 ridwmcsiykiy.net udp
US 8.8.8.8:53 aupcyyw.info udp
US 8.8.8.8:53 oceygcmawi.org udp
US 8.8.8.8:53 bznwgkagbor.net udp
US 8.8.8.8:53 rezaowjdmoq.org udp
US 8.8.8.8:53 duzqcwdwf.info udp
US 8.8.8.8:53 erwegzpolfjg.info udp
US 8.8.8.8:53 owtumceqt.info udp
US 8.8.8.8:53 vakavr.net udp
US 8.8.8.8:53 skqsiiae.org udp
US 8.8.8.8:53 btrzbnhuvsx.info udp
US 8.8.8.8:53 kcryxrris.info udp

Files

C:\Users\Admin\AppData\Local\Temp\chisahj.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\chisahj.exe

MD5 5375f99dad321f22133d833010986f72
SHA1 52e47c376992d1ac2272ff17bea8ee3570163328
SHA256 25cd6168288dc12f89de839ab4c11fa67f6668a32c270e10b274b02c5e000142
SHA512 09dc0592ec43afc7968c6af658caf9114fe7933f5a7f3fedb58d7d544ee5f808ea040494a3644628c52ace38d4f8b78f2fe58d7f9241cc56e3be745dd5e3a243

C:\Users\Admin\AppData\Local\vxvchlkxszjkkpnmzrprpwbfer.tde

MD5 c32bc75c2c415ab068f72cb8def2c575
SHA1 06a95e05813b1799541b06b67b904c8bd0ff81cb
SHA256 b0c77a7aa7ba90caf29fb0abe9994c7ca27c3700a269eb6e0788a732d139cc6f
SHA512 eebf705d42e25681d99164b6e79e94a9eb84baf6d1605089545546e562596ea0d6f4a5abbf3f7b1795456c872e1fc60fed80d4b2b6358b0f539cc65b10ea01d0

C:\Users\Admin\AppData\Local\wjskapzxdvqcndmwuxgtcukzjhnfamxnwgehq.meu

MD5 4d3a94eacfe378a80eca9b507573967e
SHA1 29bf9775173cf9b9c37c14a9509eedf494a7a49b
SHA256 462974ae8baaab79688b4de26f47d464be73f15b6726c7904a3748d90d14f871
SHA512 df9a9e075dccfd3c89d9bfc544c6bb8b37e1e99e82be4b64201ae15141a1c48513aa463c179a3eabebf1b5b378484aebbea5119eb822746ddc50de83cb208a16

C:\Program Files (x86)\vxvchlkxszjkkpnmzrprpwbfer.tde

MD5 7792bf374814362fe03704bf85c06112
SHA1 92f3cf7724da724d94ad045e76b557a4767f1595
SHA256 b0eee999e16d56b07eed321e13d98300b0032fe1a4513359d5ac975059748859
SHA512 a1dbb12f6fda46614068ca88f20d6e5fef24e50d3396c788480326bc660caa1ecfa619252c7a51d18c6b17987e8e488da56c225a0c623b6e4e2ea4d31677b419

C:\Program Files (x86)\vxvchlkxszjkkpnmzrprpwbfer.tde

MD5 cad2bb495f935cf5b0264e66ad42cd2e
SHA1 60a06786410a9911185f2128c9089d852518df3a
SHA256 7897e2bd70503c3900793fa804db739f6c06969111679d8385e1b9b4c70f0ae6
SHA512 a53f3c1b876970d8a21dbea555b9f353e4f0975ea7e5760d21412f8d57a1d4944350f1174ff0a4974dde2163d2ca31714c3452b8537fd72ff1b2b68da5958464

C:\Program Files (x86)\vxvchlkxszjkkpnmzrprpwbfer.tde

MD5 aedc286d63ffe535e46ca30a24ccadee
SHA1 cae6a5bf6db67fbfd779376a833dca61b754797c
SHA256 d58d0238edbc3944122f362cc43ce8f583c5b4dda0dbe40b6a50d58af7a93f13
SHA512 43658b63b45f59f4865b61811151434a0dc7938b5a4bacfb0f7cd1695b673992049bb04cbd39aa1b9cfb34c7daf212f51332ee84e2a76677593c1c620e1861e3

C:\Program Files (x86)\vxvchlkxszjkkpnmzrprpwbfer.tde

MD5 231020694e8d5b74a9c24372063484e0
SHA1 6f2da9d0c02b786bcd58898f50b0ae1d742f6422
SHA256 d235e7d71294ac2cd3693c95f24b2e46d2b15023a7fd3793b10a39f78fadb371
SHA512 1d74a4d59171da9a342ba7560d80b2723bc6b93e34979fbe0eba4f435ad9921dcb0feaef39fba54f9a07b250fc2abbe01ce63cf8c82e26863668218a5ed9fe0c

C:\Program Files (x86)\vxvchlkxszjkkpnmzrprpwbfer.tde

MD5 18efc8e0057a6de0aacd25e87eb2e1c7
SHA1 df3a7fb11888b56ff66d0715c08f07fb96da1b21
SHA256 575ca9f832799a7427bc0d5e5ffe17e97a8988392e1e8a9beadb0f9c6d6bdecd
SHA512 f21a4b616c4c8fffe0a044e34d414a39b32ae22e305c26f90f05ad8dee11679a5ad30286a84a9e1f47b4b1bff87a312b5e59be6e86d80f9f44cadb3101b9e9e3

C:\Users\Admin\AppData\Local\vxvchlkxszjkkpnmzrprpwbfer.tde

MD5 0aedd812ee0828972a85921724ae9b0e
SHA1 86eef9f14cc51b8af35b06f23c1103e178cd5264
SHA256 2da544593936fd0536777d46e3a3eba6717362b57fe6e8bb9c4f4543a9491439
SHA512 9e872d5919c09aa5b98a80d5ba4aed0fa1e8d6dd37618dabd5f704c724ebd5f48c68c1f36944ff14d9327fcc53280e4ee9ac1eede0e625691119cc29b98002ab

C:\Program Files (x86)\vxvchlkxszjkkpnmzrprpwbfer.tde

MD5 fe6d44f267ba627a096559bff139a53b
SHA1 a26f47476b8f73851cf2b0d34e85a300914b24b6
SHA256 574436636053582bdce3176235a3e89d6c25f918b1baddcef74f8f842117c89b
SHA512 e7192e98b4e458189c0713f87020bf9eb6918809213915d0f4e784e52402704a442d54685cd535ffcecedf94431e285e7a523af910d75ff0ddc1ad247201a659