Analysis Overview
SHA256
9b3e40cd1dcd17e8ae2b31e6aa5b0d6f10ed4bc800ad7c72ded563069a68da6c
Threat Level: Known bad
The file JaffaCakes118_c7ccedb70155d9567bc63477af344089 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Detect Pykspa worm
Pykspa family
UAC bypass
Adds policy Run key to start application
Disables RegEdit via registry modification
Checks computer location settings
Impair Defenses: Safe Mode Boot
Executes dropped EXE
Hijack Execution Flow: Executable Installer File Permissions Weakness
Looks up external IP address via web service
Adds Run key to start application
Checks whether UAC is enabled
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
System policy modification
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-21 04:40
Signatures
Detect Pykspa worm
Pykspa family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-21 04:40
Reported
2025-04-21 04:43
Platform
win10v2004-20250314-en
Max time kernel
150s
Max time network
151s
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "ezhfwldqjzgtoppaz.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvffypjytlujgjlyzec.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "njsrjzsgarznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljuvphcsohrhfjmacihf.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "xryvlzqcujpbvvue.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "ljuvphcsohrhfjmacihf.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "yvffypjytlujgjlyzec.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njsrjzsgarznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "yvffypjytlujgjlyzec.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "azlnibxolfqhglpehoonz.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezhfwldqjzgtoppaz.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzynvbko = "azlnibxolfqhglpehoonz.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xryvlzqcujpbvvue.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlnibxolfqhglpehoonz.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajfrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljuvphcsohrhfjmacihf.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "yvffypjytlujgjlyzec.exe ." | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljuvphcsohrhfjmacihf.exe ." | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "njsrjzsgarznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shjbmvhoblm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvffypjytlujgjlyzec.exe ." | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvsflp = "njsrjzsgarznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shjbmvhoblm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xryvlzqcujpbvvue.exe ." | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvsflp = "xryvlzqcujpbvvue.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "ljuvphcsohrhfjmacihf.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvsflp = "njsrjzsgarznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "ljuvphcsohrhfjmacihf.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "ezhfwldqjzgtoppaz.exe ." | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njsrjzsgarznjlmyyc.exe ." | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlnibxolfqhglpehoonz.exe ." | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "ezhfwldqjzgtoppaz.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "azlnibxolfqhglpehoonz.exe ." | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvffypjytlujgjlyzec.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvsflp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvffypjytlujgjlyzec.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvsflp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlnibxolfqhglpehoonz.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "ezhfwldqjzgtoppaz.exe ." | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xryvlzqcujpbvvue.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njsrjzsgarznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvsflp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xryvlzqcujpbvvue.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvffypjytlujgjlyzec.exe ." | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "azlnibxolfqhglpehoonz.exe ." | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "yvffypjytlujgjlyzec.exe ." | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njsrjzsgarznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvsflp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njsrjzsgarznjlmyyc.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "xryvlzqcujpbvvue.exe ." | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shjbmvhoblm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljuvphcsohrhfjmacihf.exe ." | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "xryvlzqcujpbvvue.exe ." | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shjbmvhoblm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njsrjzsgarznjlmyyc.exe ." | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "yvffypjytlujgjlyzec.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlnibxolfqhglpehoonz.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezhfwldqjzgtoppaz.exe ." | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezhfwldqjzgtoppaz.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "njsrjzsgarznjlmyyc.exe ." | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "njsrjzsgarznjlmyyc.exe ." | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvsflp = "yvffypjytlujgjlyzec.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lvsflp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljuvphcsohrhfjmacihf.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\pfibnxksgrtb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljuvphcsohrhfjmacihf.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shjbmvhoblm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezhfwldqjzgtoppaz.exe ." | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "ljuvphcsohrhfjmacihf.exe ." | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xryvlzqcujpbvvue.exe ." | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xlmdnvgmyh = "azlnibxolfqhglpehoonz.exe ." | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lvsflp = "ljuvphcsohrhfjmacihf.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjhvchp = "ezhfwldqjzgtoppaz.exe ." | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shjbmvhoblm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azlnibxolfqhglpehoonz.exe ." | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\errhqxhmx = "azlnibxolfqhglpehoonz.exe" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| File created | C:\Windows\SysWOW64\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xryvlzqcujpbvvueceztaxnbsewlrdxxwgegbv.zpd | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| File created | C:\Windows\SysWOW64\xryvlzqcujpbvvueceztaxnbsewlrdxxwgegbv.zpd | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\xryvlzqcujpbvvueceztaxnbsewlrdxxwgegbv.zpd | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| File created | C:\Program Files (x86)\xryvlzqcujpbvvueceztaxnbsewlrdxxwgegbv.zpd | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| File created | C:\Program Files (x86)\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| File opened for modification | C:\Windows\xryvlzqcujpbvvueceztaxnbsewlrdxxwgegbv.zpd | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| File created | C:\Windows\xryvlzqcujpbvvueceztaxnbsewlrdxxwgegbv.zpd | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| File opened for modification | C:\Windows\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\lvsflp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
Processes
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | zyfitez.info | udp |
| US | 8.8.8.8:53 | dpzdbigpebql.info | udp |
| US | 8.8.8.8:53 | toxgdwxht.org | udp |
| US | 8.8.8.8:53 | bytaxnn.info | udp |
| US | 8.8.8.8:53 | wbkedyr.net | udp |
| US | 8.8.8.8:53 | guzufuh.info | udp |
| US | 8.8.8.8:53 | yqyaswkseesc.com | udp |
| US | 8.8.8.8:53 | leqdurjb.net | udp |
| US | 8.8.8.8:53 | nevkhattkpaq.info | udp |
| US | 8.8.8.8:53 | aeckouaegw.org | udp |
| US | 8.8.8.8:53 | wgpjzuslft.net | udp |
| US | 8.8.8.8:53 | aaloxcv.net | udp |
| US | 8.8.8.8:53 | usmigdwecnhf.net | udp |
| US | 8.8.8.8:53 | whoynoeupg.net | udp |
| US | 8.8.8.8:53 | dxikspgshgbk.info | udp |
| US | 8.8.8.8:53 | vexdwrsodp.info | udp |
| US | 8.8.8.8:53 | bneliplyxm.net | udp |
| US | 8.8.8.8:53 | syqwqwucqaos.com | udp |
| US | 8.8.8.8:53 | vnhwrc.info | udp |
| US | 8.8.8.8:53 | irvzwlkmxjfk.info | udp |
| US | 8.8.8.8:53 | lgmwshpwdp.net | udp |
| US | 8.8.8.8:53 | qzkeygi.info | udp |
| US | 8.8.8.8:53 | zgrjrexb.net | udp |
| US | 8.8.8.8:53 | ywvxkkjen.net | udp |
| US | 8.8.8.8:53 | zqtkfybandh.info | udp |
| US | 8.8.8.8:53 | qwqfotyh.info | udp |
| US | 8.8.8.8:53 | igvhdg.info | udp |
| US | 8.8.8.8:53 | hqdfoyqgis.info | udp |
| US | 8.8.8.8:53 | swvslkzmoqt.net | udp |
| US | 8.8.8.8:53 | qohprejwrcl.net | udp |
| US | 8.8.8.8:53 | ldyykbfwwu.net | udp |
| US | 8.8.8.8:53 | eeueccewmeem.com | udp |
| US | 8.8.8.8:53 | drssbxrt.net | udp |
| US | 8.8.8.8:53 | kwdmcuq.info | udp |
| US | 8.8.8.8:53 | gthoprfe.net | udp |
| US | 8.8.8.8:53 | pkkcjueov.com | udp |
| US | 8.8.8.8:53 | zjxlmutdnu.net | udp |
| US | 8.8.8.8:53 | tjaekycwivr.net | udp |
| US | 8.8.8.8:53 | gckusi.com | udp |
| US | 8.8.8.8:53 | vlpxze.info | udp |
| US | 8.8.8.8:53 | pdgjpshqss.net | udp |
| US | 8.8.8.8:53 | yghkqyr.info | udp |
| US | 8.8.8.8:53 | skywyumxq.net | udp |
| US | 8.8.8.8:53 | jrnpkb.info | udp |
| US | 8.8.8.8:53 | oesxyfvfjipi.info | udp |
| US | 8.8.8.8:53 | jxsugjbgxhbg.info | udp |
| US | 8.8.8.8:53 | egsmyysc.org | udp |
| US | 8.8.8.8:53 | yutesnh.info | udp |
| US | 8.8.8.8:53 | lqxihuhexi.net | udp |
| US | 8.8.8.8:53 | nshdioh.net | udp |
| US | 8.8.8.8:53 | fmjzdbjrrszp.info | udp |
| US | 8.8.8.8:53 | qmshrcz.net | udp |
| US | 8.8.8.8:53 | jmpiceeynvh.info | udp |
| US | 8.8.8.8:53 | faqhlyk.net | udp |
| US | 8.8.8.8:53 | ekqqcc.org | udp |
| US | 8.8.8.8:53 | jltgdovfk.info | udp |
| US | 8.8.8.8:53 | fquecmld.info | udp |
| US | 8.8.8.8:53 | noejxj.info | udp |
| US | 8.8.8.8:53 | blpmnakpk.info | udp |
| US | 8.8.8.8:53 | aaekeomu.com | udp |
| US | 8.8.8.8:53 | dwfkeogzvhjn.info | udp |
| US | 8.8.8.8:53 | odlgqao.info | udp |
| US | 8.8.8.8:53 | vdbnvvhbvhxr.info | udp |
| US | 8.8.8.8:53 | lmpmhhwonyj.info | udp |
| US | 8.8.8.8:53 | mkwmeyik.org | udp |
| US | 8.8.8.8:53 | qtgqqinahbp.info | udp |
| US | 8.8.8.8:53 | zmywzotmdcv.org | udp |
| US | 8.8.8.8:53 | bmbezdhpzd.info | udp |
| US | 8.8.8.8:53 | pyypbmnlku.net | udp |
| US | 8.8.8.8:53 | tcvuvhjwh.info | udp |
| US | 8.8.8.8:53 | tnzjdtdkzeqo.info | udp |
| US | 8.8.8.8:53 | fexwjup.com | udp |
| US | 8.8.8.8:53 | cnvmduwy.net | udp |
| US | 8.8.8.8:53 | endkxfdb.info | udp |
| US | 8.8.8.8:53 | vsfidvt.org | udp |
| US | 8.8.8.8:53 | dreytp.net | udp |
| US | 8.8.8.8:53 | jubvpax.info | udp |
| US | 8.8.8.8:53 | zkmowr.net | udp |
| US | 8.8.8.8:53 | kgsagywu.org | udp |
| US | 8.8.8.8:53 | gwymyy.com | udp |
| US | 8.8.8.8:53 | aknsgwkcl.net | udp |
| US | 8.8.8.8:53 | qdpcjtxwj.net | udp |
| US | 8.8.8.8:53 | wanmhobzh.net | udp |
| US | 8.8.8.8:53 | esffxqbwfxix.net | udp |
| US | 8.8.8.8:53 | lclydqrcii.net | udp |
| US | 8.8.8.8:53 | whfovqustcb.net | udp |
| US | 8.8.8.8:53 | uglkawz.net | udp |
| US | 8.8.8.8:53 | ecbwysbz.info | udp |
| US | 8.8.8.8:53 | kqahpuxzzu.info | udp |
| US | 8.8.8.8:53 | emzszod.info | udp |
| US | 8.8.8.8:53 | rclmpobqtae.org | udp |
| US | 8.8.8.8:53 | wuqiqciaae.com | udp |
| US | 8.8.8.8:53 | njmyupro.net | udp |
| US | 8.8.8.8:53 | auprzuycnqo.info | udp |
| US | 8.8.8.8:53 | aazinwdqtuu.info | udp |
| US | 8.8.8.8:53 | euyikyke.org | udp |
| US | 8.8.8.8:53 | xrpwmsl.info | udp |
| US | 8.8.8.8:53 | aajcnwbhc.net | udp |
| US | 8.8.8.8:53 | eqosgy.info | udp |
| US | 8.8.8.8:53 | qbqgcw.net | udp |
| US | 8.8.8.8:53 | ykpfseyq.info | udp |
| US | 8.8.8.8:53 | iusioomq.org | udp |
| US | 8.8.8.8:53 | lkchapfm.info | udp |
| US | 8.8.8.8:53 | ikwcawsq.org | udp |
| US | 8.8.8.8:53 | ymvghpvq.info | udp |
| US | 8.8.8.8:53 | wcsbrpz.net | udp |
| US | 8.8.8.8:53 | vcmpdreyxm.info | udp |
| US | 8.8.8.8:53 | xcigfkjzv.net | udp |
| US | 8.8.8.8:53 | uwcuws.org | udp |
| US | 8.8.8.8:53 | rathwubqm.info | udp |
| US | 8.8.8.8:53 | azlfou.info | udp |
| US | 8.8.8.8:53 | miiptaxctqm.info | udp |
| US | 8.8.8.8:53 | scmmkioymc.com | udp |
| US | 8.8.8.8:53 | umyicieyee.org | udp |
| US | 8.8.8.8:53 | furmxvnudsz.com | udp |
| US | 8.8.8.8:53 | rshzdgx.info | udp |
| US | 8.8.8.8:53 | nurrdlrfvkd.net | udp |
| US | 8.8.8.8:53 | gkqatkzarxd.info | udp |
| US | 8.8.8.8:53 | fxctpxdlnljf.info | udp |
| US | 8.8.8.8:53 | vcsuct.net | udp |
| US | 8.8.8.8:53 | zalbqswic.net | udp |
| US | 8.8.8.8:53 | gdpetyh.net | udp |
| US | 8.8.8.8:53 | zyfhnhdhty.info | udp |
| US | 8.8.8.8:53 | fsyczawoha.info | udp |
| US | 8.8.8.8:53 | lmtslir.org | udp |
| US | 8.8.8.8:53 | ykwyswek.org | udp |
| US | 8.8.8.8:53 | xkuixjqtf.net | udp |
| US | 8.8.8.8:53 | xnpnvhjaoyys.net | udp |
| US | 8.8.8.8:53 | zppzqixxdgfw.net | udp |
| US | 8.8.8.8:53 | atkzfclhbift.info | udp |
| US | 8.8.8.8:53 | rgzazowajhgd.net | udp |
| US | 8.8.8.8:53 | nszyfrpuxp.info | udp |
| US | 8.8.8.8:53 | ismqceyewi.com | udp |
| US | 8.8.8.8:53 | yakwqa.com | udp |
| US | 8.8.8.8:53 | kwpnwxoftfik.info | udp |
| US | 8.8.8.8:53 | ruyqfrxuo.net | udp |
| US | 8.8.8.8:53 | nanukipwtth.info | udp |
| US | 8.8.8.8:53 | fmhrxirb.info | udp |
| US | 8.8.8.8:53 | wueysyqiyg.org | udp |
| US | 8.8.8.8:53 | jqebzcpxn.org | udp |
| US | 8.8.8.8:53 | crvmamdh.info | udp |
| US | 8.8.8.8:53 | ocehzftzwpij.info | udp |
| US | 8.8.8.8:53 | jjrefkv.net | udp |
| US | 8.8.8.8:53 | xmfezgkmkif.info | udp |
| US | 8.8.8.8:53 | owtqlma.info | udp |
| US | 8.8.8.8:53 | kjskvzf.info | udp |
| US | 8.8.8.8:53 | emgsqo.com | udp |
| US | 8.8.8.8:53 | hkjnpaw.net | udp |
| US | 8.8.8.8:53 | waahcubsrd.net | udp |
| US | 8.8.8.8:53 | kmchgsifuz.info | udp |
| US | 8.8.8.8:53 | lapyocj.info | udp |
| US | 8.8.8.8:53 | lzbjkx.info | udp |
| US | 8.8.8.8:53 | gyxhzefypfd.net | udp |
| US | 8.8.8.8:53 | dubeyyv.net | udp |
| US | 8.8.8.8:53 | dkzzrsrkt.org | udp |
| US | 8.8.8.8:53 | fytsnqpoxcd.com | udp |
| US | 8.8.8.8:53 | vhmqxif.org | udp |
| US | 8.8.8.8:53 | qshgtkxcv.net | udp |
| US | 8.8.8.8:53 | blriytvijot.com | udp |
| US | 8.8.8.8:53 | kaojqumxvg.net | udp |
| US | 8.8.8.8:53 | novgbgyc.net | udp |
| US | 8.8.8.8:53 | vdaathtnbigk.net | udp |
| US | 8.8.8.8:53 | kyilnx.net | udp |
| US | 8.8.8.8:53 | gaqkygwq.org | udp |
| US | 8.8.8.8:53 | ismojml.info | udp |
| US | 8.8.8.8:53 | oyamsucomkys.com | udp |
| US | 8.8.8.8:53 | bydhdtp.org | udp |
| US | 8.8.8.8:53 | jrbulad.info | udp |
| US | 8.8.8.8:53 | tybftlzzjm.net | udp |
| US | 8.8.8.8:53 | bpzorpfuhtf.org | udp |
| US | 8.8.8.8:53 | wkakceugke.com | udp |
| US | 8.8.8.8:53 | htpeqjognnpm.info | udp |
| US | 8.8.8.8:53 | scmvpklqphm.net | udp |
| US | 8.8.8.8:53 | scgmey.org | udp |
| US | 8.8.8.8:53 | eavgvlsanxqd.net | udp |
| US | 8.8.8.8:53 | pauhrr.net | udp |
| US | 8.8.8.8:53 | tepvtuyg.info | udp |
| US | 8.8.8.8:53 | bkngmvgi.net | udp |
| US | 8.8.8.8:53 | gcyqzsyy.info | udp |
| US | 8.8.8.8:53 | kitujpxkwqh.net | udp |
| US | 8.8.8.8:53 | xlvqlmnzywa.org | udp |
| US | 8.8.8.8:53 | zbdispgco.info | udp |
| US | 8.8.8.8:53 | esuyoyqmyokq.org | udp |
| US | 8.8.8.8:53 | vwywpjuybkw.org | udp |
| US | 8.8.8.8:53 | bqdindvszcl.com | udp |
| US | 8.8.8.8:53 | ckclvib.info | udp |
| US | 8.8.8.8:53 | veziosb.org | udp |
| US | 8.8.8.8:53 | dykwknvmdfdj.info | udp |
| US | 8.8.8.8:53 | ougwwykg.org | udp |
| US | 8.8.8.8:53 | xjozkqup.info | udp |
| US | 8.8.8.8:53 | wydanuycryf.info | udp |
| US | 8.8.8.8:53 | fuvqefhql.org | udp |
| US | 8.8.8.8:53 | lnnppmtvtpir.net | udp |
| US | 8.8.8.8:53 | wawaoiyk.com | udp |
| US | 8.8.8.8:53 | yhtacgkc.net | udp |
| US | 8.8.8.8:53 | vvnicwvcyy.net | udp |
| US | 8.8.8.8:53 | uwapoaowjxiu.net | udp |
| US | 8.8.8.8:53 | dgbcfz.net | udp |
| US | 8.8.8.8:53 | ughkxehixvj.info | udp |
| US | 8.8.8.8:53 | eypsfmkq.net | udp |
| US | 8.8.8.8:53 | lczoradauoz.net | udp |
| US | 8.8.8.8:53 | fysqbsfsc.info | udp |
| US | 8.8.8.8:53 | qxdzzoic.info | udp |
| US | 8.8.8.8:53 | cevulwwrv.info | udp |
| US | 8.8.8.8:53 | kyocyq.org | udp |
| US | 8.8.8.8:53 | zhbqaq.info | udp |
| US | 8.8.8.8:53 | jxvhedguyxpf.net | udp |
| US | 8.8.8.8:53 | zynreu.net | udp |
| US | 8.8.8.8:53 | dazulnj.org | udp |
| US | 8.8.8.8:53 | uswcmwyi.com | udp |
| US | 8.8.8.8:53 | vcfrgtioy.org | udp |
| US | 8.8.8.8:53 | iakciwaoegi.info | udp |
| US | 8.8.8.8:53 | negkdsyg.info | udp |
| US | 8.8.8.8:53 | mceeebycfg.net | udp |
| US | 8.8.8.8:53 | jzthxr.net | udp |
| US | 8.8.8.8:53 | stgqxpdanr.net | udp |
| US | 8.8.8.8:53 | fjusznt.com | udp |
| US | 8.8.8.8:53 | lllkmpksv.net | udp |
| US | 8.8.8.8:53 | zuhmapbot.net | udp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | uklobnrezupj.info | udp |
| US | 8.8.8.8:53 | vcbmxup.info | udp |
| US | 8.8.8.8:53 | ocdwrpceh.net | udp |
| US | 8.8.8.8:53 | bocxabsnoe.info | udp |
| US | 8.8.8.8:53 | bivduajotcn.org | udp |
| US | 8.8.8.8:53 | onknbqkesx.info | udp |
| US | 8.8.8.8:53 | agfpkyw.net | udp |
| US | 8.8.8.8:53 | vjvlnnztmb.net | udp |
| US | 8.8.8.8:53 | yxsglrb.net | udp |
| US | 8.8.8.8:53 | ownfnwfuh.net | udp |
| US | 8.8.8.8:53 | ronponqjnncp.info | udp |
| US | 8.8.8.8:53 | miwgsiaswsck.com | udp |
| US | 8.8.8.8:53 | texellasd.info | udp |
| US | 8.8.8.8:53 | yojkaljecqs.info | udp |
| US | 8.8.8.8:53 | safktjlgtjc.net | udp |
| US | 8.8.8.8:53 | kvlsnlw.info | udp |
| US | 8.8.8.8:53 | hykhtsw.info | udp |
| US | 8.8.8.8:53 | yctkpkp.net | udp |
| US | 8.8.8.8:53 | qotmoonghyu.info | udp |
| US | 8.8.8.8:53 | yeqgoyygmaiq.org | udp |
| US | 8.8.8.8:53 | ecegeakc.org | udp |
| US | 8.8.8.8:53 | ailvemtmx.info | udp |
| US | 8.8.8.8:53 | lgdccev.com | udp |
| US | 8.8.8.8:53 | zdylnwxis.com | udp |
| US | 8.8.8.8:53 | corgrblef.info | udp |
| US | 8.8.8.8:53 | llbptzfcjs.info | udp |
| US | 8.8.8.8:53 | ootkjdzphd.net | udp |
| US | 8.8.8.8:53 | fwtkbojqm.info | udp |
| US | 8.8.8.8:53 | bunyzexwh.net | udp |
| US | 8.8.8.8:53 | aararuzmj.info | udp |
| US | 8.8.8.8:53 | imeliqr.net | udp |
| US | 8.8.8.8:53 | pctkgplslwl.net | udp |
| US | 8.8.8.8:53 | jkdtznzqrwr.com | udp |
| US | 8.8.8.8:53 | zrizzt.net | udp |
| US | 8.8.8.8:53 | mmrbnacljy.net | udp |
| US | 8.8.8.8:53 | ntyxjqttxk.net | udp |
| US | 8.8.8.8:53 | cuwthzid.info | udp |
| US | 8.8.8.8:53 | nsjnpn.net | udp |
| US | 8.8.8.8:53 | dasqeyxvq.com | udp |
| US | 8.8.8.8:53 | hlbgmiai.info | udp |
| US | 8.8.8.8:53 | vurojxpmuk.info | udp |
| US | 8.8.8.8:53 | nkviukd.info | udp |
| US | 8.8.8.8:53 | wgicnuf.net | udp |
| US | 8.8.8.8:53 | oileomhwn.net | udp |
| US | 8.8.8.8:53 | paiqatxz.net | udp |
| US | 8.8.8.8:53 | hgwbpof.org | udp |
| US | 8.8.8.8:53 | xirrwm.net | udp |
| US | 8.8.8.8:53 | ivewnr.info | udp |
| US | 8.8.8.8:53 | jzyovelelyo.info | udp |
| US | 8.8.8.8:53 | nqxijbihvn.info | udp |
| US | 8.8.8.8:53 | jxdbeqtcuf.info | udp |
| US | 8.8.8.8:53 | yspynbdonzn.net | udp |
| US | 8.8.8.8:53 | oeisiywiuies.org | udp |
| US | 8.8.8.8:53 | jafqlghzhsj.info | udp |
| US | 8.8.8.8:53 | xrctizgjhu.net | udp |
| US | 8.8.8.8:53 | jdmubeenph.info | udp |
| US | 8.8.8.8:53 | xrhnlywk.info | udp |
| US | 8.8.8.8:53 | rfcqjgcwrllk.info | udp |
| US | 8.8.8.8:53 | rnuccnpt.net | udp |
| US | 8.8.8.8:53 | gjaiahemfnuj.net | udp |
| US | 8.8.8.8:53 | bqufjvrurwty.info | udp |
| US | 8.8.8.8:53 | mbmszvvcjh.net | udp |
| US | 8.8.8.8:53 | ooewwc.org | udp |
| US | 8.8.8.8:53 | iawsusiycg.org | udp |
| US | 8.8.8.8:53 | bfswvevrvsjr.info | udp |
| US | 8.8.8.8:53 | osjnliuhkql.net | udp |
| US | 8.8.8.8:53 | narqbbzwh.info | udp |
| US | 8.8.8.8:53 | awoqqoqicc.com | udp |
| US | 8.8.8.8:53 | jypigkw.net | udp |
| US | 8.8.8.8:53 | xvylyizcpyr.info | udp |
| US | 8.8.8.8:53 | dyxetlqsigz.com | udp |
| US | 8.8.8.8:53 | igepaxxj.net | udp |
| US | 8.8.8.8:53 | gmwccsicmg.org | udp |
| US | 8.8.8.8:53 | tuxmdzywfstr.info | udp |
| US | 8.8.8.8:53 | jphhtgd.com | udp |
| US | 8.8.8.8:53 | oivfpvbljqez.net | udp |
| US | 8.8.8.8:53 | omierhazkhgw.net | udp |
| US | 8.8.8.8:53 | emuidm.info | udp |
| US | 8.8.8.8:53 | nziywbmvsfyp.net | udp |
| US | 8.8.8.8:53 | kwdrqyzrhd.net | udp |
| US | 8.8.8.8:53 | iklmlfpumrp.info | udp |
| US | 8.8.8.8:53 | yjdxxwodpnr.net | udp |
| US | 8.8.8.8:53 | zqhwwsv.net | udp |
| US | 8.8.8.8:53 | yaerjtjgtbyu.net | udp |
| US | 8.8.8.8:53 | xrjmbmgmisvh.info | udp |
| US | 8.8.8.8:53 | onvyfeuejgx.info | udp |
| US | 8.8.8.8:53 | dfqcnqul.info | udp |
| US | 8.8.8.8:53 | ndwywrsr.net | udp |
| US | 8.8.8.8:53 | eeiciyma.org | udp |
| US | 8.8.8.8:53 | jqtenkdayoy.org | udp |
| US | 8.8.8.8:53 | mbqewyw.net | udp |
| US | 8.8.8.8:53 | fibdoitctev.com | udp |
| US | 8.8.8.8:53 | ccwawkuo.org | udp |
| US | 8.8.8.8:53 | lvliwxsju.net | udp |
| US | 8.8.8.8:53 | wengrewlpxd.info | udp |
| US | 8.8.8.8:53 | muctjtjnvi.net | udp |
| US | 8.8.8.8:53 | wcgcuuiu.org | udp |
| US | 8.8.8.8:53 | nhmyomxjv.info | udp |
| US | 8.8.8.8:53 | jzhopw.info | udp |
| US | 8.8.8.8:53 | zscmnepij.net | udp |
| US | 8.8.8.8:53 | tyzkrdhyl.info | udp |
| US | 8.8.8.8:53 | vyvijbihvn.info | udp |
| US | 8.8.8.8:53 | wqcplogzx.net | udp |
| US | 8.8.8.8:53 | akqkwsuuee.org | udp |
| US | 8.8.8.8:53 | hsrofavrq.net | udp |
| US | 8.8.8.8:53 | czbbfkq.net | udp |
| US | 8.8.8.8:53 | hpngll.net | udp |
| US | 8.8.8.8:53 | uqnekurpp.info | udp |
| US | 8.8.8.8:53 | dwdmbfhj.net | udp |
| US | 8.8.8.8:53 | llpwlrlwpx.net | udp |
| US | 8.8.8.8:53 | sigatvyhhoxj.net | udp |
| US | 8.8.8.8:53 | nmtoayembv.info | udp |
| US | 8.8.8.8:53 | fdkrpdfhhi.net | udp |
| US | 8.8.8.8:53 | vgdbzmryemn.info | udp |
| US | 8.8.8.8:53 | bctwfgikb.org | udp |
| US | 8.8.8.8:53 | vvcoyo.net | udp |
| US | 8.8.8.8:53 | ouygio.com | udp |
| US | 8.8.8.8:53 | uzjarnydbk.net | udp |
| US | 8.8.8.8:53 | fzqqksnzg.net | udp |
| US | 8.8.8.8:53 | jhvfrcqympsb.info | udp |
| US | 8.8.8.8:53 | yscamq.org | udp |
| US | 8.8.8.8:53 | wjoktuwynom.net | udp |
| US | 8.8.8.8:53 | xmlymtnez.org | udp |
| US | 8.8.8.8:53 | wskvjmbse.net | udp |
| US | 8.8.8.8:53 | zbzjdwlav.net | udp |
| US | 8.8.8.8:53 | ztahpesbeaeb.info | udp |
| US | 8.8.8.8:53 | odzbrjqoy.info | udp |
| US | 8.8.8.8:53 | bzqmuszrsucp.net | udp |
| US | 8.8.8.8:53 | qsaiqm.org | udp |
| US | 8.8.8.8:53 | gswuea.com | udp |
| US | 8.8.8.8:53 | aalijqi.info | udp |
| US | 8.8.8.8:53 | yodxdhh.net | udp |
| US | 8.8.8.8:53 | xhbbzydhfn.info | udp |
| US | 8.8.8.8:53 | odqisf.info | udp |
| US | 8.8.8.8:53 | xsbwfymqggo.info | udp |
| US | 8.8.8.8:53 | fahxdyb.com | udp |
| US | 8.8.8.8:53 | iefclctifgm.net | udp |
| US | 8.8.8.8:53 | ncpmyszzt.info | udp |
| US | 8.8.8.8:53 | lmpufmqec.net | udp |
| US | 8.8.8.8:53 | roxitunlgpt.com | udp |
| US | 8.8.8.8:53 | goqdjjefcy.info | udp |
| US | 8.8.8.8:53 | tayfpan.org | udp |
| US | 8.8.8.8:53 | avxcbp.net | udp |
| US | 8.8.8.8:53 | kutfvgvox.net | udp |
| US | 8.8.8.8:53 | yyzvxxpsxu.info | udp |
| US | 8.8.8.8:53 | amjzsuba.net | udp |
| US | 8.8.8.8:53 | tgticatwwkz.com | udp |
| US | 8.8.8.8:53 | ybxsqlwexbnh.info | udp |
| US | 8.8.8.8:53 | tlferwgyjo.info | udp |
| US | 8.8.8.8:53 | idzjwimtvzu.net | udp |
| US | 8.8.8.8:53 | fclwwjlgh.com | udp |
| US | 8.8.8.8:53 | olfetmkgkk.net | udp |
| US | 8.8.8.8:53 | iuhlylu.net | udp |
| US | 8.8.8.8:53 | ivwqbocy.net | udp |
| US | 8.8.8.8:53 | kkiamiym.com | udp |
| US | 8.8.8.8:53 | avzqwzrobu.net | udp |
| US | 8.8.8.8:53 | rgjohyhqo.info | udp |
| US | 8.8.8.8:53 | cmiucq.com | udp |
| US | 8.8.8.8:53 | rvxetshwfbrx.net | udp |
| US | 8.8.8.8:53 | iymgqaeuoy.org | udp |
| US | 8.8.8.8:53 | khxaduhppamj.info | udp |
| US | 8.8.8.8:53 | dawguco.net | udp |
| US | 8.8.8.8:53 | jatdaajehomt.net | udp |
| US | 8.8.8.8:53 | hqievqxgtad.com | udp |
| US | 8.8.8.8:53 | ecwgcqqg.org | udp |
| US | 8.8.8.8:53 | bgxyppqzimol.net | udp |
| US | 8.8.8.8:53 | mwgkuyee.org | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| NL | 173.194.69.94:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | btaqfemenxuk.net | udp |
| US | 8.8.8.8:53 | nlqstmhthkbs.net | udp |
| US | 8.8.8.8:53 | jvctnbemzhai.net | udp |
| US | 8.8.8.8:53 | uiceesz.info | udp |
| US | 8.8.8.8:53 | estonwgm.net | udp |
| US | 8.8.8.8:53 | zafomhl.info | udp |
| US | 8.8.8.8:53 | hvueiypiyig.info | udp |
| US | 8.8.8.8:53 | mknpzkstfq.info | udp |
| US | 8.8.8.8:53 | mfvkegxgl.info | udp |
| US | 8.8.8.8:53 | gcjlxo.info | udp |
| US | 8.8.8.8:53 | bzaydhbkyko.info | udp |
| US | 8.8.8.8:53 | gufgzcx.info | udp |
| US | 8.8.8.8:53 | jrzfazkgnr.info | udp |
| US | 8.8.8.8:53 | yywgwoyw.org | udp |
| US | 8.8.8.8:53 | sozkgy.info | udp |
| US | 8.8.8.8:53 | hcoaccviae.info | udp |
| US | 8.8.8.8:53 | pnaskdbpy.net | udp |
| US | 8.8.8.8:53 | uoxjsmld.info | udp |
| US | 8.8.8.8:53 | xwkstabzfh.net | udp |
| US | 8.8.8.8:53 | nabznqkq.info | udp |
| US | 8.8.8.8:53 | fsbmhsdct.com | udp |
| US | 8.8.8.8:53 | gmnxtrevpvzj.net | udp |
| US | 8.8.8.8:53 | fmjknldyjgb.info | udp |
| US | 8.8.8.8:53 | ewiuauieao.com | udp |
| US | 8.8.8.8:53 | lcihrnyv.info | udp |
| US | 8.8.8.8:53 | hrxefrcvgpme.net | udp |
| US | 8.8.8.8:53 | acbzzym.net | udp |
| US | 8.8.8.8:53 | cemafgbtcgnu.net | udp |
| US | 8.8.8.8:53 | swmkgw.org | udp |
| US | 8.8.8.8:53 | emzejypsael.info | udp |
| US | 8.8.8.8:53 | sotqdtuot.info | udp |
| US | 8.8.8.8:53 | hhqmxcesyyr.net | udp |
| US | 8.8.8.8:53 | aqaosgkymw.org | udp |
| US | 8.8.8.8:53 | oewcyawa.com | udp |
| US | 8.8.8.8:53 | rrlydco.info | udp |
| US | 8.8.8.8:53 | bjpwlrlwpx.net | udp |
| US | 8.8.8.8:53 | iocqkmqyuioi.org | udp |
| US | 8.8.8.8:53 | spfwsedczv.info | udp |
| US | 8.8.8.8:53 | imwkkoik.com | udp |
| US | 8.8.8.8:53 | sewuvwb.net | udp |
| US | 8.8.8.8:53 | ygoqeiocsmem.com | udp |
| US | 8.8.8.8:53 | moisvbn.net | udp |
| US | 8.8.8.8:53 | oaewcmmi.com | udp |
| US | 8.8.8.8:53 | goyawimuasye.org | udp |
| US | 8.8.8.8:53 | ispupghcr.net | udp |
| US | 8.8.8.8:53 | hraqtyieyj.info | udp |
| US | 8.8.8.8:53 | qgvjjoyeu.net | udp |
| US | 8.8.8.8:53 | geeumkooeoyw.org | udp |
| US | 8.8.8.8:53 | oalwpcngx.info | udp |
| US | 8.8.8.8:53 | dvrkwaclckkv.info | udp |
| US | 8.8.8.8:53 | hjxomtbwdgra.net | udp |
| US | 8.8.8.8:53 | xcrfxbihvn.info | udp |
| US | 8.8.8.8:53 | qcassg.org | udp |
| US | 8.8.8.8:53 | qklrvmclbyd.info | udp |
| US | 8.8.8.8:53 | pvesxitaordl.info | udp |
| US | 8.8.8.8:53 | vgvrpag.org | udp |
| US | 8.8.8.8:53 | htryvemghf.net | udp |
| US | 8.8.8.8:53 | rbjqbqi.info | udp |
| US | 8.8.8.8:53 | hfsddkn.net | udp |
| US | 8.8.8.8:53 | dzrmxez.com | udp |
| US | 8.8.8.8:53 | hfibyocobw.net | udp |
| US | 8.8.8.8:53 | irzfbaq.net | udp |
| US | 8.8.8.8:53 | mhxxlwxd.net | udp |
| US | 8.8.8.8:53 | kxldwaoqfn.info | udp |
| US | 8.8.8.8:53 | iikdkih.info | udp |
| US | 8.8.8.8:53 | xoqgyyf.net | udp |
| US | 8.8.8.8:53 | pljwxqnddncy.info | udp |
| US | 8.8.8.8:53 | zajgyyn.net | udp |
| US | 8.8.8.8:53 | xxbuvavqnao.net | udp |
| US | 8.8.8.8:53 | akvekjv.info | udp |
| US | 8.8.8.8:53 | gkgoeuummumq.com | udp |
| US | 8.8.8.8:53 | tgzzsilpuoyu.info | udp |
| US | 8.8.8.8:53 | mgtjnqruxwb.info | udp |
| US | 8.8.8.8:53 | sijwngcggon.net | udp |
| US | 8.8.8.8:53 | dkzizdvw.info | udp |
| US | 8.8.8.8:53 | winhxeuupcm.info | udp |
| US | 8.8.8.8:53 | mklknyp.info | udp |
| US | 8.8.8.8:53 | bwbrgqp.org | udp |
| US | 8.8.8.8:53 | rejwrwpoa.info | udp |
| US | 8.8.8.8:53 | jfpbcqkzferp.info | udp |
| US | 8.8.8.8:53 | mexuptfmmgfv.info | udp |
| US | 8.8.8.8:53 | smewsswuso.com | udp |
| US | 8.8.8.8:53 | slgxxbcv.net | udp |
| US | 8.8.8.8:53 | jmuyzwjxj.net | udp |
| US | 8.8.8.8:53 | uugvhxxki.net | udp |
| US | 8.8.8.8:53 | ovzwikhuf.net | udp |
| US | 8.8.8.8:53 | ilwwnklvcntn.net | udp |
| US | 8.8.8.8:53 | kyfaxrzizo.net | udp |
| US | 8.8.8.8:53 | rirctqxkx.org | udp |
| US | 8.8.8.8:53 | lzwgpqnxhy.net | udp |
| US | 8.8.8.8:53 | vmjgfqdipgvm.info | udp |
| US | 8.8.8.8:53 | syuqii.com | udp |
| US | 8.8.8.8:53 | azcenwi.info | udp |
| US | 8.8.8.8:53 | lgzwnevncuh.org | udp |
| US | 8.8.8.8:53 | wrcbbswcjh.net | udp |
| US | 8.8.8.8:53 | jehyhpbob.com | udp |
| US | 8.8.8.8:53 | cmjkqmddd.info | udp |
| US | 8.8.8.8:53 | dizswsm.org | udp |
| US | 8.8.8.8:53 | rydsbvywfdni.net | udp |
| US | 8.8.8.8:53 | vzlnzllkgbry.info | udp |
| US | 8.8.8.8:53 | zfbgjtyjexjh.info | udp |
| US | 8.8.8.8:53 | snxppmougs.info | udp |
| US | 8.8.8.8:53 | luaiurlae.info | udp |
| US | 8.8.8.8:53 | edxewgiml.info | udp |
| US | 8.8.8.8:53 | qqjpvykf.net | udp |
| US | 8.8.8.8:53 | nwccgwnz.info | udp |
| US | 8.8.8.8:53 | xgpgbxmflurt.net | udp |
| US | 8.8.8.8:53 | ppgcpczfr.info | udp |
| US | 8.8.8.8:53 | yrnmbqmvdtx.info | udp |
| US | 8.8.8.8:53 | hsfspwfirsr.org | udp |
| US | 8.8.8.8:53 | tktjlkwr.net | udp |
| US | 8.8.8.8:53 | lrypdp.net | udp |
| US | 8.8.8.8:53 | synuakvsdov.info | udp |
| US | 8.8.8.8:53 | cgaess.org | udp |
| US | 8.8.8.8:53 | fumvct.net | udp |
| US | 8.8.8.8:53 | swiaumgkoyeg.org | udp |
| US | 8.8.8.8:53 | loudtif.net | udp |
| US | 8.8.8.8:53 | bgzyhghlpiw.info | udp |
| US | 8.8.8.8:53 | dnyidwf.info | udp |
| US | 8.8.8.8:53 | awgktaycbob.net | udp |
| US | 8.8.8.8:53 | locudknie.net | udp |
| US | 8.8.8.8:53 | khbvvflj.net | udp |
| US | 8.8.8.8:53 | eqgpbk.net | udp |
| US | 8.8.8.8:53 | yadxtkefpqdf.net | udp |
| US | 8.8.8.8:53 | msthhmfa.info | udp |
| US | 8.8.8.8:53 | hkbackombqp.net | udp |
| US | 8.8.8.8:53 | nkdjbov.com | udp |
| US | 8.8.8.8:53 | qngitmingp.net | udp |
| US | 8.8.8.8:53 | dvxszirxb.info | udp |
| US | 8.8.8.8:53 | ncxhymlgm.com | udp |
| US | 8.8.8.8:53 | dyoboi.info | udp |
| US | 8.8.8.8:53 | bkehogzrr.net | udp |
| US | 8.8.8.8:53 | ulwprsdpevsj.info | udp |
| US | 8.8.8.8:53 | rpzujviopllx.info | udp |
| US | 8.8.8.8:53 | ronekakzba.info | udp |
| US | 8.8.8.8:53 | mkusaq.com | udp |
| US | 8.8.8.8:53 | tkmmjyrkzrp.net | udp |
| US | 8.8.8.8:53 | qyjxvcif.net | udp |
| US | 8.8.8.8:53 | vdpcdq.net | udp |
| US | 8.8.8.8:53 | wctoomp.info | udp |
| US | 8.8.8.8:53 | vcyrsdie.net | udp |
| US | 8.8.8.8:53 | lexelcafssp.com | udp |
| US | 8.8.8.8:53 | mqgmmcoywm.org | udp |
| US | 8.8.8.8:53 | rkwlhccy.info | udp |
| US | 8.8.8.8:53 | eyuskoec.com | udp |
| US | 8.8.8.8:53 | mmruzmtnzat.info | udp |
| US | 8.8.8.8:53 | nthafgeqx.org | udp |
| US | 8.8.8.8:53 | aojgmuvrvoh.info | udp |
| US | 8.8.8.8:53 | vbfpzrjegij.com | udp |
| US | 8.8.8.8:53 | eaeysk.org | udp |
| US | 8.8.8.8:53 | upuvuzufzo.net | udp |
| US | 8.8.8.8:53 | vibshiiel.net | udp |
| US | 8.8.8.8:53 | zxlqldfnjdbs.net | udp |
| US | 8.8.8.8:53 | vvnkzhkwzmp.net | udp |
| US | 8.8.8.8:53 | oqggyiskigaa.com | udp |
| US | 8.8.8.8:53 | gkhsvev.net | udp |
| US | 8.8.8.8:53 | hklyqcbpff.net | udp |
| US | 8.8.8.8:53 | xfpmjou.org | udp |
| US | 8.8.8.8:53 | jjqtpeerkb.net | udp |
| US | 8.8.8.8:53 | xuness.info | udp |
| US | 8.8.8.8:53 | mqvqfihbl.info | udp |
| US | 8.8.8.8:53 | pudvrqrmjak.com | udp |
| US | 8.8.8.8:53 | uxpaodbiz.net | udp |
| US | 8.8.8.8:53 | urkcltobhpwf.net | udp |
| US | 8.8.8.8:53 | zjvhci.net | udp |
| US | 8.8.8.8:53 | oismai.com | udp |
| US | 8.8.8.8:53 | hwvuhkyytif.com | udp |
| US | 8.8.8.8:53 | gegaky.org | udp |
| US | 8.8.8.8:53 | oyymzwqkion.info | udp |
| US | 8.8.8.8:53 | eheflhppvg.net | udp |
| US | 8.8.8.8:53 | obpucj.info | udp |
| US | 8.8.8.8:53 | nijapocyhys.info | udp |
| US | 8.8.8.8:53 | cpbqqerajqf.info | udp |
| US | 8.8.8.8:53 | cykogcgqqcuu.com | udp |
| US | 8.8.8.8:53 | mutovev.info | udp |
| US | 8.8.8.8:53 | ojupacimgb.info | udp |
| US | 8.8.8.8:53 | gmqmckca.com | udp |
| US | 8.8.8.8:53 | wunidwv.info | udp |
| US | 8.8.8.8:53 | ugjyfpgfl.net | udp |
| US | 8.8.8.8:53 | obcshibxdmg.info | udp |
| US | 8.8.8.8:53 | vedbasto.info | udp |
| US | 8.8.8.8:53 | bqasdoykdlp.org | udp |
| US | 8.8.8.8:53 | oaoqmgiq.org | udp |
| US | 8.8.8.8:53 | jypofbeepwt.org | udp |
| US | 8.8.8.8:53 | zwmihaso.net | udp |
| US | 8.8.8.8:53 | kqzskjpzdm.info | udp |
| US | 8.8.8.8:53 | lclyzmy.info | udp |
| US | 8.8.8.8:53 | kcauwo.com | udp |
| US | 8.8.8.8:53 | qugcky.com | udp |
| US | 8.8.8.8:53 | rlighujsccpa.info | udp |
| US | 8.8.8.8:53 | mpkbfsgyp.info | udp |
| US | 8.8.8.8:53 | bozwcsbzj.org | udp |
| US | 8.8.8.8:53 | xritjwtbvduz.info | udp |
| US | 8.8.8.8:53 | rcwfqunuax.info | udp |
| US | 8.8.8.8:53 | aiqywmyyyw.org | udp |
| US | 8.8.8.8:53 | mrqhvym.info | udp |
| US | 8.8.8.8:53 | qseoumkkca.org | udp |
| US | 8.8.8.8:53 | iugocmwm.org | udp |
| US | 8.8.8.8:53 | mpxsugukgjjb.info | udp |
| US | 8.8.8.8:53 | djwmfgacfh.net | udp |
| US | 8.8.8.8:53 | zcvnnbju.info | udp |
| US | 8.8.8.8:53 | dgnxrpzgfcrj.info | udp |
| US | 8.8.8.8:53 | qdnmhgdyrit.net | udp |
| US | 8.8.8.8:53 | kklwjszot.net | udp |
| US | 8.8.8.8:53 | vnavmrlogw.net | udp |
| US | 8.8.8.8:53 | sisousmeksyk.org | udp |
| US | 8.8.8.8:53 | xevksubshwz.net | udp |
| US | 8.8.8.8:53 | qyqigk.com | udp |
| US | 8.8.8.8:53 | sksdpepi.info | udp |
| US | 8.8.8.8:53 | fuzykayfcy.net | udp |
| US | 8.8.8.8:53 | fyaylmbcb.net | udp |
| US | 8.8.8.8:53 | tejtuy.info | udp |
| US | 8.8.8.8:53 | lynggnvpvgt.info | udp |
| US | 8.8.8.8:53 | nuivzibvxev.org | udp |
| US | 8.8.8.8:53 | sdgctiop.info | udp |
| US | 8.8.8.8:53 | thgzavmgjmhe.net | udp |
| US | 8.8.8.8:53 | ouyoyu.com | udp |
| US | 8.8.8.8:53 | soqqnal.net | udp |
| US | 8.8.8.8:53 | guxodymmpe.net | udp |
| US | 8.8.8.8:53 | ddnquwi.net | udp |
| US | 8.8.8.8:53 | ekqaao.com | udp |
| US | 8.8.8.8:53 | roduedhajimn.net | udp |
| US | 8.8.8.8:53 | vlnxjesvhuhm.net | udp |
| US | 8.8.8.8:53 | qklmniaynri.net | udp |
| US | 8.8.8.8:53 | ykcumk.org | udp |
| US | 8.8.8.8:53 | rvlahacwud.info | udp |
| US | 8.8.8.8:53 | rkjyfrxybqd.net | udp |
| US | 8.8.8.8:53 | xixxhrcfvi.info | udp |
| US | 8.8.8.8:53 | pxdosgtdhdzx.net | udp |
| US | 8.8.8.8:53 | dduwpgojsllf.info | udp |
| US | 8.8.8.8:53 | hjfdpmp.org | udp |
| US | 8.8.8.8:53 | xsnypsl.net | udp |
| US | 8.8.8.8:53 | nucwtagoibk.org | udp |
| US | 8.8.8.8:53 | utbceo.info | udp |
| US | 8.8.8.8:53 | eslbfecyyiwj.net | udp |
| US | 8.8.8.8:53 | jwwqnfzzfe.net | udp |
| US | 8.8.8.8:53 | rjbifug.net | udp |
| US | 8.8.8.8:53 | putzvt.net | udp |
| US | 8.8.8.8:53 | tmbufrzwi.com | udp |
| US | 8.8.8.8:53 | djjhzmcl.net | udp |
| US | 8.8.8.8:53 | yqdindvszcl.info | udp |
| US | 8.8.8.8:53 | rluvnbhd.info | udp |
| US | 8.8.8.8:53 | wvbknf.info | udp |
| US | 8.8.8.8:53 | ldlrgk.info | udp |
| US | 8.8.8.8:53 | fdjvdgtk.net | udp |
| US | 8.8.8.8:53 | pqphpf.info | udp |
| US | 8.8.8.8:53 | dvlcdtcq.info | udp |
| US | 8.8.8.8:53 | jsrdxfvxvddo.info | udp |
| US | 8.8.8.8:53 | owtumceqt.info | udp |
| US | 8.8.8.8:53 | gurllgd.net | udp |
| US | 8.8.8.8:53 | wiupjyjvr.info | udp |
| US | 8.8.8.8:53 | vjxntrymhef.info | udp |
| US | 8.8.8.8:53 | coterzuxgt.info | udp |
| US | 8.8.8.8:53 | sgdzhklkvfso.info | udp |
| US | 8.8.8.8:53 | wbxghgbab.net | udp |
| US | 8.8.8.8:53 | tcmxmunjjlll.info | udp |
| US | 8.8.8.8:53 | thxxrwbgqm.net | udp |
| US | 8.8.8.8:53 | emnuniy.info | udp |
| US | 8.8.8.8:53 | lgwqohokbfxl.net | udp |
| US | 8.8.8.8:53 | eeieetb.net | udp |
| US | 8.8.8.8:53 | grqaiztnkd.net | udp |
| US | 8.8.8.8:53 | skqsiiae.org | udp |
| US | 8.8.8.8:53 | ogkomcwwyeyi.org | udp |
| US | 8.8.8.8:53 | yzxboedll.info | udp |
| US | 8.8.8.8:53 | knwgzqzz.net | udp |
| US | 8.8.8.8:53 | alyypvemovoc.net | udp |
| US | 8.8.8.8:53 | xgjozijwo.org | udp |
| US | 8.8.8.8:53 | ceshnpngelqx.info | udp |
| US | 8.8.8.8:53 | dsbkuunbmkl.net | udp |
Files
C:\Users\Admin\AppData\Local\Temp\lvsflp.exe
C:\Users\Admin\AppData\Local\xryvlzqcujpbvvueceztaxnbsewlrdxxwgegbv.zpd
C:\Users\Admin\AppData\Local\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi
C:\Program Files (x86)\ajfrwzfgnrmnwlzylcmvrdilrsz.yzi
Analysis: behavioral2
Detonation Overview
Submitted
2025-04-21 04:40
Reported
2025-04-21 04:43
Platform
win11-20250410-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "hqjbtmcvkzxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqjbtmcvkzxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aiariaphvjgwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "oawrmibxphicgazpbakw.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "dqnjfcwtmfhchcctggreb.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "hqjbtmcvkzxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "aiariaphvjgwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnjfcwtmfhchcctggreb.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "bmhbvqidullehaynywf.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "bmhbvqidullehaynywf.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnjfcwtmfhchcctggreb.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "dqnjfcwtmfhchcctggreb.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqjbtmcvkzxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bajrzio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "oawrmibxphicgazpbakw.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acozkwfrzh = "aiariaphvjgwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "hqjbtmcvkzxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqjbtmcvkzxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe ." | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swkxkyjxhrkw = "aiariaphvjgwwmht.exe ." | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe ." | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "aiariaphvjgwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "aiariaphvjgwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "bmhbvqidullehaynywf.exe ." | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe ." | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "hqjbtmcvkzxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "aiariaphvjgwwmht.exe ." | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe ." | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "qaungarlbrqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swkxkyjxhrkw = "dqnjfcwtmfhchcctggreb.exe ." | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swkxkyjxhrkw = "hqjbtmcvkzxopgcpy.exe ." | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "hqjbtmcvkzxopgcpy.exe ." | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "bmhbvqidullehaynywf.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aiariaphvjgwwmht.exe ." | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oawrmibxphicgazpbakw.exe ." | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "aiariaphvjgwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "dqnjfcwtmfhchcctggreb.exe ." | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "qaungarlbrqikcznxu.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "hqjbtmcvkzxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe ." | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qaungarlbrqikcznxu.exe ." | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "oawrmibxphicgazpbakw.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "oawrmibxphicgazpbakw.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aiariaphvjgwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "oawrmibxphicgazpbakw.exe ." | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnjfcwtmfhchcctggreb.exe ." | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwlzncodoztgd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnjfcwtmfhchcctggreb.exe ." | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnjfcwtmfhchcctggreb.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "qaungarlbrqikcznxu.exe ." | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmhbvqidullehaynywf.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\vylxjwgtcld = "dqnjfcwtmfhchcctggreb.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqjbtmcvkzxopgcpy.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqnjfcwtmfhchcctggreb.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hitdnygry = "qaungarlbrqikcznxu.exe ." | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qqajscjt = "aiariaphvjgwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swkxkyjxhrkw = "qaungarlbrqikcznxu.exe ." | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\syodsivlxjesqe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aiariaphvjgwwmht.exe" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\dahntaelordixcmnkupmtzfmqxa.puj | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| File created | C:\Windows\SysWOW64\dahntaelordixcmnkupmtzfmqxa.puj | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aiariaphvjgwwmhtbwckctkcrjxliyyojvdyem.vme | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| File created | C:\Windows\SysWOW64\aiariaphvjgwwmhtbwckctkcrjxliyyojvdyem.vme | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\dahntaelordixcmnkupmtzfmqxa.puj | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| File created | C:\Program Files (x86)\dahntaelordixcmnkupmtzfmqxa.puj | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| File opened for modification | C:\Program Files (x86)\aiariaphvjgwwmhtbwckctkcrjxliyyojvdyem.vme | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| File created | C:\Program Files (x86)\aiariaphvjgwwmhtbwckctkcrjxliyyojvdyem.vme | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\aiariaphvjgwwmhtbwckctkcrjxliyyojvdyem.vme | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| File opened for modification | C:\Windows\dahntaelordixcmnkupmtzfmqxa.puj | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| File created | C:\Windows\dahntaelordixcmnkupmtzfmqxa.puj | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| File opened for modification | C:\Windows\aiariaphvjgwwmhtbwckctkcrjxliyyojvdyem.vme | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bajrzio.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7ccedb70155d9567bc63477af344089.exe | N/A |
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c hqjbtmcvkzxopgcpy.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c qaungarlbrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hqjbtmcvkzxopgcpy.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\qaungarlbrqikcznxu.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c aiariaphvjgwwmht.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oawrmibxphicgazpbakw.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bmhbvqidullehaynywf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\aiariaphvjgwwmht.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\dqnjfcwtmfhchcctggreb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c oawrmibxphicgazpbakw.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c bmhbvqidullehaynywf.exe .
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c dqnjfcwtmfhchcctggreb.exe
Network
Files