Malware Analysis Report

2025-08-10 16:33

Sample ID 250421-fat8castay
Target JaffaCakes118_c7ccedb70155d9567bc63477af344089
SHA256 9b3e40cd1dcd17e8ae2b31e6aa5b0d6f10ed4bc800ad7c72ded563069a68da6c
Tags worm pykspa defense_evasion discovery persistence privilege_escalation trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 9b3e40cd1dcd17e8ae2b31e6aa5b0d6f10ed4bc800ad7c72ded563069a68da6c

Threat Level: Known bad

The file JaffaCakes118_c7ccedb70155d9567bc63477af344089 was found to be: Known bad.

Malicious Activity Summary

worm pykspa defense_evasion discovery persistence privilege_escalation trojan

Modifies WinLogon for persistence

Detect Pykspa worm

Pykspa family

UAC bypass

Adds policy Run key to start application

Disables RegEdit via registry modification

Checks computer location settings

Impair Defenses: Safe Mode Boot

Executes dropped EXE

Hijack Execution Flow: Executable Installer File Permissions Weakness

Looks up external IP address via web service

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-21 04:40

Signatures

Detect Pykspa worm

worm
Description Indicator Process Target
N/A N/A N/A N/A

Pykspa family

pykspa

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-21 04:40

Reported

2025-04-21 04:43

Platform

win10v2004-20250314-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "ezhfwldqjzgtoppaz.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvffypjytlujgjlyzec.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "njsrjzsgarznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljuvphcsohrhfjmacihf.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "xryvlzqcujpbvvue.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "ljuvphcsohrhfjmacihf.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "xryvlzqcujpbvvue.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "yvffypjytlujgjlyzec.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "ezhfwldqjzgtoppaz.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njsrjzsgarznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljuvphcsohrhfjmacihf.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "yvffypjytlujgjlyzec.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njsrjzsgarznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "ljuvphcsohrhfjmacihf.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "azlnibxolfqhglpehoonz.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezhfwldqjzgtoppaz.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "yvffypjytlujgjlyzec.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "azlnibxolfqhglpehoonz.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "njsrjzsgarznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xryvlzqcujpbvvue.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xryvlzqcujpbvvue.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlnibxolfqhglpehoonz.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvffypjytlujgjlyzec.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezhfwldqjzgtoppaz.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljuvphcsohrhfjmacihf.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "yvffypjytlujgjlyzec.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljuvphcsohrhfjmacihf.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "njsrjzsgarznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shjbmvhoblm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvffypjytlujgjlyzec.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvsflp = "njsrjzsgarznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shjbmvhoblm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xryvlzqcujpbvvue.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvsflp = "xryvlzqcujpbvvue.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "ljuvphcsohrhfjmacihf.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shjbmvhoblm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xryvlzqcujpbvvue.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvsflp = "njsrjzsgarznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "ljuvphcsohrhfjmacihf.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "ezhfwldqjzgtoppaz.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njsrjzsgarznjlmyyc.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlnibxolfqhglpehoonz.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "ezhfwldqjzgtoppaz.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "ezhfwldqjzgtoppaz.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "azlnibxolfqhglpehoonz.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvffypjytlujgjlyzec.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvsflp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvffypjytlujgjlyzec.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvsflp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlnibxolfqhglpehoonz.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "yvffypjytlujgjlyzec.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "ezhfwldqjzgtoppaz.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xryvlzqcujpbvvue.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njsrjzsgarznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvsflp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xryvlzqcujpbvvue.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "azlnibxolfqhglpehoonz.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xryvlzqcujpbvvue.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvffypjytlujgjlyzec.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "azlnibxolfqhglpehoonz.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "yvffypjytlujgjlyzec.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njsrjzsgarznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvsflp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njsrjzsgarznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "xryvlzqcujpbvvue.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shjbmvhoblm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljuvphcsohrhfjmacihf.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "xryvlzqcujpbvvue.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shjbmvhoblm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njsrjzsgarznjlmyyc.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "yvffypjytlujgjlyzec.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlnibxolfqhglpehoonz.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "xryvlzqcujpbvvue.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezhfwldqjzgtoppaz.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "ezhfwldqjzgtoppaz.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njsrjzsgarznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezhfwldqjzgtoppaz.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "njsrjzsgarznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "njsrjzsgarznjlmyyc.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "njsrjzsgarznjlmyyc.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvsflp = "yvffypjytlujgjlyzec.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvsflp = "njsrjzsgarznjlmyyc.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "njsrjzsgarznjlmyyc.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvsflp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljuvphcsohrhfjmacihf.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shjbmvhoblm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvffypjytlujgjlyzec.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljuvphcsohrhfjmacihf.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shjbmvhoblm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezhfwldqjzgtoppaz.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "ljuvphcsohrhfjmacihf.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvsflp = "yvffypjytlujgjlyzec.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljuvphcsohrhfjmacihf.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xryvlzqcujpbvvue.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "yvffypjytlujgjlyzec.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "azlnibxolfqhglpehoonz.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvsflp = "ljuvphcsohrhfjmacihf.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "njsrjzsgarznjlmyyc.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "ezhfwldqjzgtoppaz.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shjbmvhoblm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlnibxolfqhglpehoonz.exe ." C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "azlnibxolfqhglpehoonz.exe" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyip.everdot.org N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.showmyipaddress.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
File created C:\Windows\SysWOW64\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
File opened for modification C:\Windows\SysWOW64\xryvlzqcujpbvvueceztaxnbsewlrdxxwgegbv.zpd C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
File created C:\Windows\SysWOW64\xryvlzqcujpbvvueceztaxnbsewlrdxxwgegbv.zpd C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\xryvlzqcujpbvvueceztaxnbsewlrdxxwgegbv.zpd C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
File created C:\Program Files (x86)\xryvlzqcujpbvvueceztaxnbsewlrdxxwgegbv.zpd C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
File opened for modification C:\Program Files (x86)\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
File created C:\Program Files (x86)\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
File opened for modification C:\Windows\xryvlzqcujpbvvueceztaxnbsewlrdxxwgegbv.zpd C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
File created C:\Windows\xryvlzqcujpbvvueceztaxnbsewlrdxxwgegbv.zpd C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
File opened for modification C:\Windows\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
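
The rows above read as a wall of identical-looking writes, and two things are easy to miss: some of the values written are already the Windows defaults (FilterAdministratorToken and ValidateAdminCodeSignatures are 0 on an unhardened host, so those writes change nothing), and NoDriveTypeAutoRun = "1" is not "disable AutoRun" but the reverse for everything except unknown drive types, which is what a removable-media worm wants. The script below is an added example, not part of this report or of the sandbox's tooling: it parses "Set value (int)" rows in the format used above, compares each value with the default it assumes for an unhardened Windows 7 or later host, and decodes the AutoRun bitmask. The default values, the one-line meanings, and the SAMPLE (a subset of rows copied from the table above) are the example's own assumptions.

```python
"""Audit 'System policy modification' rows from a sandbox report.

Added example, not part of the report. Assumes Windows 7+ defaults for an
unhardened host; SAMPLE is a subset of the rows in the table above.
"""
import re

# Assumed Windows default and what the observed value means (not from the report).
POLICY_BASELINE = {
    "EnableLUA": (1, "0 turns UAC off; admin tokens run fully elevated"),
    "ConsentPromptBehaviorAdmin": (5, "0 elevates administrators with no prompt at all"),
    "ConsentPromptBehaviorUser": (3, "0 auto-denies elevation requests from standard users"),
    "PromptOnSecureDesktop": (1, "0 moves UAC prompts onto the normal, spoofable desktop"),
    "EnableVirtualization": (1, "0 disables file/registry virtualization for legacy apps"),
    "EnableSecureUIAPaths": (1, "0 allows UIAccess applications from non-secure paths"),
    "FilterAdministratorToken": (0, "0 is the default: built-in Administrator stays outside Admin Approval Mode"),
    "ValidateAdminCodeSignatures": (0, "0 is the default: no signature check on elevating binaries"),
    "DisableRegistryTools": (0, "1 blocks regedit.exe"),
    "NoDriveTypeAutoRun": (0x91, "bit n set disables AutoRun for GetDriveType() value n"),
}

# GetDriveType() values; bit (1 << n) of NoDriveTypeAutoRun disables AutoRun for type n.
DRIVE_TYPES = {0: "unknown", 1: "no_root_dir", 2: "removable", 3: "fixed",
               4: "network", 5: "cdrom", 6: "ramdisk", 7: "reserved"}

# Matches rows such as:
#   Set value (int) \REGISTRY\MACHINE\...\Policies\System\EnableLUA = "0" C:\...\lvsflp.exe N/A
ROW = re.compile(r'^Set value \(int\) (?P<key>\\REGISTRY\\\S+)\\(?P<name>\w+) = "(?P<data>\d+)" (?P<proc>\S+)')


def autorun_enabled(mask):
    """Drive types for which AutoRun is still allowed under the given bitmask."""
    return [label for bit, label in DRIVE_TYPES.items() if not mask & (1 << bit)]


def parse_set_values(report_text):
    """Unique (process, key, value name, data) tuples from 'Set value (int)' rows."""
    seen, records = set(), []
    for line in report_text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # 'Key created' / 'Key opened' rows carry no value data
        rec = (m["proc"], m["key"], m["name"], int(m["data"]))
        if rec not in seen:  # the sandbox logs one row per process instance
            seen.add(rec)
            records.append(rec)
    return records


def audit(report_text):
    """Map (value name, data) -> default, changed flag, meaning, writing processes."""
    findings = {}
    for proc, key, name, data in parse_set_values(report_text):
        default, meaning = POLICY_BASELINE.get(name, (None, "not in baseline"))
        f = findings.setdefault((name, data), {
            "key": key, "default": default, "changed": data != default,
            "meaning": meaning, "writers": set(),
        })
        f["writers"].add(proc.rsplit("\\", 1)[-1])
        if name == "NoDriveTypeAutoRun":
            f["autorun_enabled_for"] = autorun_enabled(data)
    return findings


# Constructed subset of the rows in the table above.
SAMPLE = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\lvsflp.exe N/A
"""

if __name__ == "__main__":
    for (name, data), f in sorted(audit(SAMPLE).items()):
        status = "CHANGED" if f["changed"] else "default"
        print(f"{status} {name}={data} (default {f['default']}) by {sorted(f['writers'])}: {f['meaning']}")
        if "autorun_enabled_for" in f:
            print("        AutoRun still enabled for:", ", ".join(f["autorun_enabled_for"]))
```

Run on the full table, the "changed" entries are the ones worth restoring on a host after cleanup; the "default" entries are still useful as a behavioural signature (a user-mode binary in %TEMP% writing under HKLM\...\Policies\System at all), but they do not weaken the UAC posture by themselves. The NoDriveTypeAutoRun decode is the check to keep in mind when a report labels a value write as "System policy modification" without interpreting it.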

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ljuvphcsohrhfjmacihf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ljuvphcsohrhfjmacihf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe .

C:\Users\Admin\AppData\Local\Temp\lvsflp.exe

"C:\Users\Admin\AppData\Local\Temp\lvsflp.exe" "-"

C:\Users\Admin\AppData\Local\Temp\lvsflp.exe

"C:\Users\Admin\AppData\Local\Temp\lvsflp.exe" "-"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ljuvphcsohrhfjmacihf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe .

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yvffypjytlujgjlyzec.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ljuvphcsohrhfjmacihf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ljuvphcsohrhfjmacihf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ljuvphcsohrhfjmacihf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvffypjytlujgjlyzec.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvffypjytlujgjlyzec.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvffypjytlujgjlyzec.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yvffypjytlujgjlyzec.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ljuvphcsohrhfjmacihf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yvffypjytlujgjlyzec.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ljuvphcsohrhfjmacihf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvffypjytlujgjlyzec.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvffypjytlujgjlyzec.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvffypjytlujgjlyzec.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yvffypjytlujgjlyzec.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ljuvphcsohrhfjmacihf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yvffypjytlujgjlyzec.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ljuvphcsohrhfjmacihf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yvffypjytlujgjlyzec.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yvffypjytlujgjlyzec.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yvffypjytlujgjlyzec.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvffypjytlujgjlyzec.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ljuvphcsohrhfjmacihf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yvffypjytlujgjlyzec.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvffypjytlujgjlyzec.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xryvlzqcujpbvvue.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yvffypjytlujgjlyzec.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yvffypjytlujgjlyzec.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\azlnibxolfqhglpehoonz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ljuvphcsohrhfjmacihf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ezhfwldqjzgtoppaz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c azlnibxolfqhglpehoonz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ezhfwldqjzgtoppaz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xryvlzqcujpbvvue.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\njsrjzsgarznjlmyyc.exe .
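
The Network section that follows lists a handful of public "what is my IP" services, a connectivity check, and then a long run of DNS queries for unrelated-looking domains of which only a few ever get a TCP connection. That shape, many unique names queried from one sample and almost none resolving, is the practical DGA signal, and it is more robust than trying to recognise the names themselves. The script below is an added example, not part of this report or of the sandbox's tooling: it parses rows in the "Country Destination Domain Proto" format used there, treats a domain as resolved only when a tcp row to it appears (the example's assumption: the sandbox logs a TCP connection only after a successful lookup, so "queried but never connected" stands in for NXDOMAIN, which the table does not record), and applies a crude lexical test on the registrable label as a second, lower-priority signal. The thresholds and the SAMPLE (a subset of rows copied from the Network table) are the example's own.

```python
"""Triage a sandbox Network table for DGA-style lookups.

Added example, not part of the report. Assumes a tcp row implies a successful
lookup; SAMPLE is a subset of rows from the Network table.
"""
import re

# Matches rows such as:  US 8.8.8.8:53 gyuuym.org udp
ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<domain>\S+) (?P<proto>udp|tcp)$")
VOWELS = set("aeiou")


def parse_rows(text):
    """(domain, port, proto) for each well-formed row; headers and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((m["domain"], int(m["port"]), m["proto"]))
    return rows


def resolution_status(rows):
    """domain -> True if a tcp connection to it was logged, False if only queried."""
    status = {}
    for domain, port, proto in rows:
        if proto == "udp" and port == 53:
            status.setdefault(domain, False)   # queried; resolution unknown so far
        elif proto == "tcp":
            status[domain] = True              # assumption: tcp row means the name resolved
    return status


def looks_random(domain):
    """Lexical heuristic on the label left of the TLD: near-vowelless or a consonant run >= 4.

    Deliberately crude: it keeps service names such as whatismyip out of the
    list but misses pronounceable generated names, so treat it as a tiebreaker.
    """
    parts = domain.split(".")
    if len(parts) < 2:
        return False
    label = parts[-2]
    if len(label) < 6:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    longest_run = max(len(run) for run in re.split(r"[aeiou]+", label))
    return vowel_ratio < 0.2 or longest_run >= 4


def triage(text, min_unique=10, min_unresolved_ratio=0.5):
    """Summarise resolution behaviour and flag a likely DGA run (thresholds assumed)."""
    status = resolution_status(parse_rows(text))
    unresolved = sorted(d for d, ok in status.items() if not ok)
    ratio = len(unresolved) / len(status) if status else 0.0
    return {
        "unique_domains": len(status),
        "resolved": sorted(d for d, ok in status.items() if ok),
        "unresolved": unresolved,
        "unresolved_ratio": ratio,
        "random_unresolved": [d for d in unresolved if looks_random(d)],
        "dga_suspected": len(status) >= min_unique and ratio >= min_unresolved_ratio,
    }


# Constructed subset of rows from the Network table.
SAMPLE = """
US 8.8.8.8:53 www.whatismyip.com udp
US 172.66.40.87:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.imdb.com udp
NL 18.239.68.108:80 www.imdb.com tcp
US 8.8.8.8:53 gyuuym.org udp
DE 85.214.228.140:80 gyuuym.org tcp
US 8.8.8.8:53 tanhfenl.net udp
US 8.8.8.8:53 nlqwurdxjqv.info udp
US 8.8.8.8:53 qaomseou.org udp
US 8.8.8.8:53 unxfuild.info udp
SG 18.142.91.111:80 unxfuild.info tcp
US 8.8.8.8:53 tfbcbmggk.com udp
US 8.8.8.8:53 lgqgeoppr.net udp
US 8.8.8.8:53 qimsqaekuiay.com udp
US 8.8.8.8:53 rsrmzgr.net udp
US 8.8.8.8:53 zgjnxthpviz.info udp
US 8.8.8.8:53 cydlrge.info udp
US 104.156.155.94:80 cydlrge.info tcp
US 8.8.8.8:53 jnriyhzkb.org udp
"""

if __name__ == "__main__":
    result = triage(SAMPLE)
    print(f"{result['unique_domains']} unique domains, {len(result['unresolved'])} never connected "
          f"({result['unresolved_ratio']:.0%}); DGA suspected: {result['dga_suspected']}")
    print("resolved (candidate C2 / check-in hosts):", result["resolved"])
    print("unresolved and random-looking:", result["random_unresolved"])
```

Two points the output makes that the raw table does not: the resolved DGA names are the ones to block and pivot on, since those are the registered rendezvous points, and the IP-lookup services are not part of the generated set even though one of them (whatismyip.everdot.org) never resolves either, which is why the lexical filter is applied only to the unresolved names and never used on its own.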

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.whatismyip.com udp
US 172.66.40.87:80 www.whatismyip.com tcp
US 172.66.40.87:80 www.whatismyip.com tcp
US 172.66.40.87:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.66.40.87:80 www.whatismyip.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 172.66.40.87:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.66.40.87:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 www.imdb.com udp
NL 18.239.68.108:80 www.imdb.com tcp
US 8.8.8.8:53 gyuuym.org udp
DE 85.214.228.140:80 gyuuym.org tcp
US 8.8.8.8:53 tanhfenl.net udp
US 8.8.8.8:53 nlqwurdxjqv.info udp
US 8.8.8.8:53 qaomseou.org udp
US 8.8.8.8:53 unxfuild.info udp
SG 18.142.91.111:80 unxfuild.info tcp
US 8.8.8.8:53 tfbcbmggk.com udp
US 8.8.8.8:53 lgqgeoppr.net udp
US 8.8.8.8:53 qimsqaekuiay.com udp
US 8.8.8.8:53 rsrmzgr.net udp
US 8.8.8.8:53 zgjnxthpviz.info udp
US 8.8.8.8:53 lhhearep.net udp
US 8.8.8.8:53 ggoiukqgsikq.org udp
US 8.8.8.8:53 ytiurgi.info udp
US 8.8.8.8:53 fgfvvep.com udp
US 8.8.8.8:53 wtrgfdfov.net udp
US 8.8.8.8:53 tpndjd.net udp
US 8.8.8.8:53 gjtsbntbaatr.info udp
US 8.8.8.8:53 bbajrallgqn.org udp
US 8.8.8.8:53 itbbsqt.info udp
US 8.8.8.8:53 udzdjiddn.net udp
US 8.8.8.8:53 jksfafxq.net udp
US 8.8.8.8:53 okceoguo.org udp
US 8.8.8.8:53 kyokyukskecc.com udp
US 8.8.8.8:53 zvzhyopf.net udp
US 8.8.8.8:53 hyrqlot.com udp
US 8.8.8.8:53 ygoukmwg.org udp
US 8.8.8.8:53 lofosfv.org udp
US 8.8.8.8:53 kqvlronf.net udp
US 8.8.8.8:53 cwnqtkz.info udp
US 8.8.8.8:53 wnqgvizupdd.info udp
US 8.8.8.8:53 cydlrge.info udp
US 104.156.155.94:80 cydlrge.info tcp
US 8.8.8.8:53 jnriyhzkb.org udp
US 8.8.8.8:53 mrgoxwhor.info udp
US 8.8.8.8:53 ndxhfqifgl.info udp
US 8.8.8.8:53 lqzygynoxcd.net udp
US 8.8.8.8:53 mjotpzfbosdh.info udp
US 8.8.8.8:53 lsismqr.org udp
US 8.8.8.8:53 zerezevn.net udp
US 8.8.8.8:53 aqxiyzx.net udp
US 8.8.8.8:53 luvehemiri.info udp
US 8.8.8.8:53 kyrkgudcgqf.net udp
US 8.8.8.8:53 lalckpw.org udp
US 8.8.8.8:53 llpqhgzuoqp.net udp
US 8.8.8.8:53 xrasmu.net udp
US 8.8.8.8:53 rktljt.info udp
US 8.8.8.8:53 mjzofpr.info udp
US 8.8.8.8:53 imeqcuqaeg.com udp
US 8.8.8.8:53 lsqudtvmy.org udp
US 8.8.8.8:53 hmfurcniz.info udp
US 8.8.8.8:53 nwurgctyfqt.info udp
US 8.8.8.8:53 rcrldhsg.net udp
US 8.8.8.8:53 wkdsgqewz.net udp
US 8.8.8.8:53 deftzaf.info udp
US 8.8.8.8:53 iauaqkoc.org udp
US 8.8.8.8:53 ddpobim.org udp
US 8.8.8.8:53 bxhqfzui.net udp
US 8.8.8.8:53 iexvjblcbgf.net udp
US 8.8.8.8:53 qeeyuwws.com udp
US 8.8.8.8:53 zrwvwriu.net udp
US 8.8.8.8:53 ewhqxezcwwc.net udp
US 8.8.8.8:53 obnipydqdyr.info udp
US 8.8.8.8:53 acksqp.net udp
US 8.8.8.8:53 yohixcn.net udp
US 8.8.8.8:53 nptkczhpnkd.org udp
US 8.8.8.8:53 hdjyryfdxp.net udp
US 8.8.8.8:53 fsyczawoha.info udp
US 8.8.8.8:53 ikiyoesqis.org udp
US 8.8.8.8:53 pgfmpqrtskdn.info udp
US 8.8.8.8:53 atkzfclhbift.info udp
US 8.8.8.8:53 kcpklmfl.info udp
US 8.8.8.8:53 rzvonilhdv.info udp
US 8.8.8.8:53 wawqao.org udp
US 8.8.8.8:53 jdzcvwdgd.info udp
US 8.8.8.8:53 zonbrelv.info udp
US 8.8.8.8:53 wueysyqiyg.org udp
US 8.8.8.8:53 foqnfxeksd.net udp
US 8.8.8.8:53 pwjbbn.info udp
US 8.8.8.8:53 cgumqu.com udp
US 8.8.8.8:53 jjrefkv.net udp
US 8.8.8.8:53 jgnzlulox.com udp
US 8.8.8.8:53 cyhbjdlapt.info udp
US 8.8.8.8:53 mijtdrczck.info udp
US 8.8.8.8:53 msomovxumq.info udp
US 8.8.8.8:53 wxejmlnl.info udp
US 8.8.8.8:53 znlnvoxoa.info udp
US 8.8.8.8:53 lzbjkx.info udp
US 8.8.8.8:53 hgcursbonhd.info udp
US 8.8.8.8:53 xrplxivj.net udp
US 8.8.8.8:53 yrhqflsko.net udp
US 8.8.8.8:53 gclmzanerwm.net udp
US 8.8.8.8:53 mefypua.info udp
US 8.8.8.8:53 mbfsjumkq.info udp
US 8.8.8.8:53 blriytvijot.com udp
US 8.8.8.8:53 kyilnx.net udp
US 8.8.8.8:53 gaqkygwq.org udp
US 8.8.8.8:53 zhkntvjtiw.info udp
US 8.8.8.8:53 egwhlklqogo.info udp
US 8.8.8.8:53 tgiiohnytsah.info udp
US 8.8.8.8:53 jrbulad.info udp
US 8.8.8.8:53 tlhsfagcn.org udp
US 8.8.8.8:53 zpnqizgofa.net udp
US 8.8.8.8:53 xhypyuxj.info udp
US 8.8.8.8:53 jvbghgocf.info udp
US 8.8.8.8:53 cyeeymejr.net udp
US 8.8.8.8:53 vcjilwf.info udp
US 8.8.8.8:53 bpzorpfuhtf.org udp
US 8.8.8.8:53 ckyawq.com udp
US 8.8.8.8:53 tidocoh.org udp
US 8.8.8.8:53 fwuvrz.net udp
US 8.8.8.8:53 xellsqrpec.info udp
US 8.8.8.8:53 bkngmvgi.net udp
US 8.8.8.8:53 bqdindvszcl.com udp
US 8.8.8.8:53 hgivhoh.info udp
US 8.8.8.8:53 vadnkhw.org udp
US 8.8.8.8:53 dhdynol.net udp
US 8.8.8.8:53 dykwknvmdfdj.info udp
US 8.8.8.8:53 eaoeysyyya.com udp
US 8.8.8.8:53 aiygzkf.info udp
US 8.8.8.8:53 beyufkgj.net udp
US 8.8.8.8:53 wawaoiyk.com udp
US 8.8.8.8:53 weuyuqqsus.com udp
US 8.8.8.8:53 uwgcms.com udp
US 8.8.8.8:53 yzzymmp.net udp
US 8.8.8.8:53 luwnvllps.info udp
US 8.8.8.8:53 iblzdqxoja.net udp
US 8.8.8.8:53 lczoradauoz.net udp
US 8.8.8.8:53 puyarlt.net udp
US 8.8.8.8:53 eeqeyhic.net udp
US 8.8.8.8:53 dazulnj.org udp
US 8.8.8.8:53 shacll.net udp
US 8.8.8.8:53 olxublyd.info udp
US 8.8.8.8:53 ogwmvel.info udp
US 8.8.8.8:53 xgluvxji.net udp
US 8.8.8.8:53 iegqcmgc.org udp
US 8.8.8.8:53 jzthxr.net udp
US 8.8.8.8:53 drylhuaoqof.net udp
US 8.8.8.8:53 pnnqtdsk.net udp
US 8.8.8.8:53 uyrslxxflyx.net udp
US 8.8.8.8:53 notezrk.com udp
US 8.8.8.8:53 xhndrbmenams.net udp
US 8.8.8.8:53 fjusznt.com udp
US 8.8.8.8:53 jyiikooxrp.info udp
US 8.8.8.8:53 zommurjdbywg.net udp
US 8.8.8.8:53 boltraal.info udp
US 8.8.8.8:53 ditcdinghlv.info udp
US 8.8.8.8:53 sojotwg.net udp
US 8.8.8.8:53 dbtjdo.info udp
US 8.8.8.8:53 zuhmapbot.net udp
US 8.8.8.8:53 giueysakwo.com udp
US 8.8.8.8:53 nidfgko.net udp
US 8.8.8.8:53 ocdwrpceh.net udp
US 8.8.8.8:53 ebjvifxuc.info udp
US 8.8.8.8:53 agfpkyw.net udp
US 8.8.8.8:53 vjvlnnztmb.net udp
US 8.8.8.8:53 juaeswacfgfl.info udp
US 8.8.8.8:53 tyyxuxjevwr.org udp
US 8.8.8.8:53 xalepyhaxcjc.info udp
US 8.8.8.8:53 xmmfhrpcneiy.info udp
US 8.8.8.8:53 yojkaljecqs.info udp
US 8.8.8.8:53 obxczqswb.info udp
US 8.8.8.8:53 vmovellwztvz.net udp
US 8.8.8.8:53 zfjoqc.net udp
US 8.8.8.8:53 ahjsrslfb.info udp
US 8.8.8.8:53 woumugucww.com udp
US 8.8.8.8:53 ljodhjf.org udp
US 8.8.8.8:53 ecegeakc.org udp
US 8.8.8.8:53 vhkfkyenhv.net udp
US 8.8.8.8:53 kqnmysnuj.net udp
US 8.8.8.8:53 gehozgdfpko.info udp
US 8.8.8.8:53 ootkjdzphd.net udp
US 8.8.8.8:53 rhegwpnlfp.net udp
US 8.8.8.8:53 xgpgvwh.com udp
US 8.8.8.8:53 zrizzt.net udp
US 8.8.8.8:53 bduiglzvpvue.info udp
US 8.8.8.8:53 rzrcfct.com udp
US 8.8.8.8:53 zkuvnm.net udp
US 8.8.8.8:53 eqicmwme.com udp
US 8.8.8.8:53 yizijcpwfgo.info udp
US 8.8.8.8:53 irzbbqlbzep.info udp
US 8.8.8.8:53 iulapl.info udp
US 8.8.8.8:53 jafaegj.net udp
US 8.8.8.8:53 nsjnpn.net udp
US 8.8.8.8:53 pgtwag.info udp
US 8.8.8.8:53 flxxbrsgdj.info udp
US 8.8.8.8:53 qqlycigtjsl.info udp

Files

C:\Users\Admin\AppData\Local\Temp\lvsflp.exe

MD5 5c4f3910f73c61d89053631ee72567cb
SHA1 819e2360594bc5406b6f8f4f6c05d6ad4066a4ad
SHA256 d8d15b5b34281b16aa69450c7ea342784b6991a1946e95879bcb1d6f917ac7f3
SHA512 3e540fa8eb2c9b9d0e5eb8ace010ec42de9ffa1f43c48c0fc059bbd6896c9974d16cb80355ad5c3c7626a2962d2415987839ae7bc597562c0def9af5e822bff3

C:\Users\Admin\AppData\Local\xryvlzqcujpbvvueceztaxnbsewlrdxxwgegbv.zpd

MD5 86796864b2f45f3a44a1e47bc199a855
SHA1 3722e91f5539dbaaca208f916160bfa5e9d553f2
SHA256 98da304233c4800b8a444dacbb7833e08bb2a49491243570a01247905040d4e4
SHA512 bf40c12b96f1d9fe9d37023299dfed45da0af0343d69c60eb8a67990cc9a1e3210ef8b3ab0554c6f9f5d75f896bce7ccadc43bcb6674f17ef0fa4c156fec62a8

C:\Users\Admin\AppData\Local\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi

MD5 f58fbbebd26bc046cd570ac315ef5a82
SHA1 5441ab573c80aeadd8ce05eccf9f5b055275cf8d
SHA256 1de3919b19e2671c812e006e3d1163ed4bcd4bb2afeff95939ecc2c153bb436b
SHA512 67bf38261e6b9e91bd13781ed84273be417961a50210bfc65c231569bfe3e5429f39e7c175cb30459bce80692ff7de9670e9688c46d153bdb753c718856ac6fe

C:\Program Files (x86)\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi

MD5 f992badab473f64912df18611911bbf8
SHA1 9111da03a6a39320bab011beef4c0cbd7e423c9a
SHA256 900afc76550351fa2ce7aad2e3d2c4a7eaff947868e261f77b6dfd44868c5f52
SHA512 37b3e82dea53f7b6ae568d79fb642dbb4c05745afe22ac030410df94e285f7d4b84e23925535de99abe884e791bc4ca340f734b00b635ac9bb14377f54aa13e1

C:\Program Files (x86)\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi

MD5 3d3f16903ffec420d9bdd9f041bfa145
SHA1 cd249700b07118050ae2afbc506e0205df653eb9
SHA256 3c2860796cfd3eab909a52c6b751c1bfdf556aa9901af9668f0ae6c2b11ff5d0
SHA512 caaffd639dfba0c0a33a38531b348201a4f7f57c90615c5d24d56efd0cfd8ed10d97ac8f2ae7a74caf575052806d54289a166bb6499cc5431e8b13c861da7430

C:\Users\Admin\AppData\Local\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi

MD5 6f06cf158b651693ab708e360a35c7fd
SHA1 a171dfbd5f9e9311ec6fc0d7b3775565476952d5
SHA256 322daf6fba63384b9ab288ad8848c0a20d64056545751642929dd310a02d9f51
SHA512 c139c2ed3018a42b042cb2c04db6fac26c7443b08a21a9e28671b9fcc5054f56c006a2c20e5c9f5391bfe42c0470e262f2caa019690224b823193a3a04ec61e5

C:\Users\Admin\AppData\Local\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi

MD5 d8251feda9c020a5ca51dc06d8e4bd1f
SHA1 2182d5c73de032d6a2e7c22888769f04356b6e0a
SHA256 f0c9218bf1da221947f089b8e6e22b75ef27b08e5b1cbbb6f3ebcbc25eb1cc15
SHA512 7fd163a320a50473d045e4fb4cd401222e203b8a2d4582c11116662325a667f872dd3b8d4bea6fa4cd7fae523f582ee0efdaeec3af163b84376e10c5910e2030

C:\Program Files (x86)\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi

MD5 c73184efdd6761c599047960780699de
SHA1 7877644417944a2a80ef492dca6462cb71cfc077
SHA256 aa84c84a51d0d428ad5b05ef047b3f3e26ed512e8d88409771c83c2360405f2c
SHA512 cb43aafa171f4f5063946756c854d19e708a2597b2326e05998f2c5e944628fd3d44ff72fcf050601e8305658cd0a66e0c7a1fd41f4a4fd18250f43cfe686726

C:\Program Files (x86)\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi

MD5 d7672171349832756788ef8aca70761e
SHA1 95b03fbb4f521f52c3d6f6dfd4c9b4c2073f1228
SHA256 ae1790c5f40b3d1d93ce34a33b46449ab366c9ee539d3bd80c83b15edebf6dbe
SHA512 d6260c0a707c78e7c56441740f5b3294b1e6a7206407d9aaa9e370b34fcb211f3c367807c0d25c3684c01c4be4cb03db19ea1df05778facb274391eba8bc21e6

C:\Program Files (x86)\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi

MD5 8ed5513aac211c7f83a65e449e0b9d74
SHA1 b3e1cb63b5d0eee9642de7e29ae777a76d830661
SHA256 89c72e5eeab48bbc1fcf28c2e0c9648c1fff83732b0b98c2622a318d29933d2e
SHA512 db29d7492d33095810c26793e48c7a7b28d6f431c39fe16e63e1e6c7466fee129763c70c0374404bbea39afb6c9517476bf05bef2c264c9fc7ebe5649ca4448c

Analysis: behavioral2

Detonation Overview

Submitted

2025-04-21 04:40

Reported

2025-04-21 04:43

Platform

win11-20250410-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "hqjbtmcvkzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqjbtmcvkzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aiariaphvjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "oawrmibxphicgazpbakw.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "dqnjfcwtmfhchcctggreb.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "hqjbtmcvkzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "aiariaphvjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnjfcwtmfhchcctggreb.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "bmhbvqidullehaynywf.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "bmhbvqidullehaynywf.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnjfcwtmfhchcctggreb.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "dqnjfcwtmfhchcctggreb.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqjbtmcvkzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "oawrmibxphicgazpbakw.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "dqnjfcwtmfhchcctggreb.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "aiariaphvjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "hqjbtmcvkzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqjbtmcvkzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swkxkyjxhrkw = "aiariaphvjgwwmht.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "aiariaphvjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "aiariaphvjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "bmhbvqidullehaynywf.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "hqjbtmcvkzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "aiariaphvjgwwmht.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "qaungarlbrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swkxkyjxhrkw = "dqnjfcwtmfhchcctggreb.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swkxkyjxhrkw = "hqjbtmcvkzxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "hqjbtmcvkzxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "bmhbvqidullehaynywf.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aiariaphvjgwwmht.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "aiariaphvjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "dqnjfcwtmfhchcctggreb.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "qaungarlbrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "hqjbtmcvkzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "oawrmibxphicgazpbakw.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swkxkyjxhrkw = "hqjbtmcvkzxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "oawrmibxphicgazpbakw.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aiariaphvjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "bmhbvqidullehaynywf.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "oawrmibxphicgazpbakw.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swkxkyjxhrkw = "dqnjfcwtmfhchcctggreb.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnjfcwtmfhchcctggreb.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnjfcwtmfhchcctggreb.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnjfcwtmfhchcctggreb.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "hqjbtmcvkzxopgcpy.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "qaungarlbrqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aiariaphvjgwwmht.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "dqnjfcwtmfhchcctggreb.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqjbtmcvkzxopgcpy.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "oawrmibxphicgazpbakw.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnjfcwtmfhchcctggreb.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnjfcwtmfhchcctggreb.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "qaungarlbrqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "qaungarlbrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aiariaphvjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "dqnjfcwtmfhchcctggreb.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "aiariaphvjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swkxkyjxhrkw = "qaungarlbrqikcznxu.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "dqnjfcwtmfhchcctggreb.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe ." C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aiariaphvjgwwmht.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnjfcwtmfhchcctggreb.exe" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\dahntaelordixcmnkupmtzfmqxa.puj C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
File created C:\Windows\SysWOW64\dahntaelordixcmnkupmtzfmqxa.puj C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
File opened for modification C:\Windows\SysWOW64\aiariaphvjgwwmhtbwckctkcrjxliyyojvdyem.vme C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
File created C:\Windows\SysWOW64\aiariaphvjgwwmhtbwckctkcrjxliyyojvdyem.vme C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\dahntaelordixcmnkupmtzfmqxa.puj C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
File created C:\Program Files (x86)\dahntaelordixcmnkupmtzfmqxa.puj C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
File opened for modification C:\Program Files (x86)\aiariaphvjgwwmhtbwckctkcrjxliyyojvdyem.vme C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
File created C:\Program Files (x86)\aiariaphvjgwwmhtbwckctkcrjxliyyojvdyem.vme C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\aiariaphvjgwwmhtbwckctkcrjxliyyojvdyem.vme C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
File opened for modification C:\Windows\dahntaelordixcmnkupmtzfmqxa.puj C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
File created C:\Windows\dahntaelordixcmnkupmtzfmqxa.puj C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
File opened for modification C:\Windows\aiariaphvjgwwmhtbwckctkcrjxliyyojvdyem.vme C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\bajrzio.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe .

C:\Users\Admin\AppData\Local\Temp\bajrzio.exe

"C:\Users\Admin\AppData\Local\Temp\bajrzio.exe" "-"

C:\Users\Admin\AppData\Local\Temp\bajrzio.exe

"C:\Users\Admin\AppData\Local\Temp\bajrzio.exe" "-"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\bajrzio.exe

C:\Users\Admin\AppData\Local\dahntaelordixcmnkupmtzfmqxa.puj

C:\Users\Admin\AppData\Local\aiariaphvjgwwmhtbwckctkcrjxliyyojvdyem.vme

C:\Program Files (x86)\dahntaelordixcmnkupmtzfmqxa.puj