Analysis Overview
SHA256
01de46a840296756d1f790f69c54859ecb26e8fb76b5f5f31436f8df6decb818
Threat Level: Known bad
The file JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Pykspa family
Pykspa
Modifies WinLogon for persistence
Detect Pykspa worm
Adds policy Run key to start application
Disables RegEdit via registry modification
Impair Defenses: Safe Mode Boot
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Hijack Execution Flow: Executable Installer File Permissions Weakness
Looks up external IP address via web service
Checks whether UAC is enabled
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
System policy modification
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-04-22 19:53
Signatures
Detect Pykspa worm
Pykspa family
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2025-04-22 19:53
Reported
2025-04-22 19:55
Platform
win10v2004-20250410-en
Max time kernel
150s
Max time network
150s
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
Pykspa
Pykspa family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
Detect Pykspa worm
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdurlyqkzpmzqkrhhj.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "jdurlyqkzpmzqkrhhj.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "uphfaohcsjhvniqhily.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "wtnnkavskddtnkunqvkhb.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uphfaohcsjhvniqhily.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "hdwvrgawnfetmirjlpdz.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "atjfykbuixtfvouji.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "tlavnyogthcncuzn.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlavnyogthcncuzn.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdwvrgawnfetmirjlpdz.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "hdwvrgawnfetmirjlpdz.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kzldsancmxpxj = "uphfaohcsjhvniqhily.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "hdwvrgawnfetmirjlpdz.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "tlavnyogthcncuzn.exe ." | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "atjfykbuixtfvouji.exe ." | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oftneodugtnxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe ." | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlavnyogthcncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uphfaohcsjhvniqhily.exe ." | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "atjfykbuixtfvouji.exe ." | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uphfaohcsjhvniqhily.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kzldsancmxpxj = "atjfykbuixtfvouji.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "uphfaohcsjhvniqhily.exe ." | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "atjfykbuixtfvouji.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "jdurlyqkzpmzqkrhhj.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "wtnnkavskddtnkunqvkhb.exe ." | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlavnyogthcncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "hdwvrgawnfetmirjlpdz.exe ." | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdurlyqkzpmzqkrhhj.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "tlavnyogthcncuzn.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "wtnnkavskddtnkunqvkhb.exe ." | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oftneodugtnxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdurlyqkzpmzqkrhhj.exe ." | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "wtnnkavskddtnkunqvkhb.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "tlavnyogthcncuzn.exe ." | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlavnyogthcncuzn.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe ." | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "wtnnkavskddtnkunqvkhb.exe ." | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "uphfaohcsjhvniqhily.exe ." | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kzldsancmxpxj = "hdwvrgawnfetmirjlpdz.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe ." | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdwvrgawnfetmirjlpdz.exe ." | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlavnyogthcncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "wtnnkavskddtnkunqvkhb.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlavnyogthcncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdurlyqkzpmzqkrhhj.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlavnyogthcncuzn.exe ." | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlavnyogthcncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlavnyogthcncuzn.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "wtnnkavskddtnkunqvkhb.exe ." | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "hdwvrgawnfetmirjlpdz.exe ." | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kzldsancmxpxj = "jdurlyqkzpmzqkrhhj.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdwvrgawnfetmirjlpdz.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "jdurlyqkzpmzqkrhhj.exe ." | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kzldsancmxpxj = "hdwvrgawnfetmirjlpdz.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oftneodugtnxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe ." | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdurlyqkzpmzqkrhhj.exe ." | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "jdurlyqkzpmzqkrhhj.exe ." | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kzldsancmxpxj = "wtnnkavskddtnkunqvkhb.exe" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oftneodugtnxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uphfaohcsjhvniqhily.exe ." | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\glnvaybgghpnpumnylinpxcad.ijr | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| File created | C:\Windows\SysWOW64\glnvaybgghpnpumnylinpxcad.ijr | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lbohxgukvhajwmpbxvdtgzpymcnzsboehtpn.lyr | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| File created | C:\Windows\SysWOW64\lbohxgukvhajwmpbxvdtgzpymcnzsboehtpn.lyr | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\glnvaybgghpnpumnylinpxcad.ijr | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| File created | C:\Program Files (x86)\glnvaybgghpnpumnylinpxcad.ijr | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| File opened for modification | C:\Program Files (x86)\lbohxgukvhajwmpbxvdtgzpymcnzsboehtpn.lyr | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| File created | C:\Program Files (x86)\lbohxgukvhajwmpbxvdtgzpymcnzsboehtpn.lyr | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\glnvaybgghpnpumnylinpxcad.ijr | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| File created | C:\Windows\glnvaybgghpnpumnylinpxcad.ijr | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| File opened for modification | C:\Windows\lbohxgukvhajwmpbxvdtgzpymcnzsboehtpn.lyr | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| File created | C:\Windows\lbohxgukvhajwmpbxvdtgzpymcnzsboehtpn.lyr | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\hpufno.exe | N/A |
Processes
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | xavkbkfpa.net | udp |
| US | 8.8.8.8:53 | miuqdbpy.info | udp |
| US | 8.8.8.8:53 | wdzwvsy.net | udp |
| US | 8.8.8.8:53 | cvbkdybqt.net | udp |
| US | 8.8.8.8:53 | aeabsix.net | udp |
| US | 8.8.8.8:53 | mozzbzwerk.info | udp |
| US | 8.8.8.8:53 | omicum.com | udp |
| US | 8.8.8.8:53 | wwmesiywyc.com | udp |
| US | 8.8.8.8:53 | jrhutut.org | udp |
| US | 8.8.8.8:53 | wlrplzl.info | udp |
| US | 8.8.8.8:53 | uagasoao.com | udp |
| US | 8.8.8.8:53 | bshkqyu.org | udp |
| US | 8.8.8.8:53 | dxrlktsaxc.info | udp |
| US | 8.8.8.8:53 | cqbzxmjkb.info | udp |
| US | 8.8.8.8:53 | ucwmoumwymuc.com | udp |
| US | 8.8.8.8:53 | dikgefvb.info | udp |
| US | 8.8.8.8:53 | ajvukkfjbvt.info | udp |
| US | 8.8.8.8:53 | bwpkdfd.com | udp |
| US | 8.8.8.8:53 | wqeiccqamkec.org | udp |
| US | 8.8.8.8:53 | ciwacksw.com | udp |
| US | 8.8.8.8:53 | hgrchtg.net | udp |
| US | 8.8.8.8:53 | nvhslkd.net | udp |
| US | 8.8.8.8:53 | zakfvnuu.net | udp |
| US | 8.8.8.8:53 | oqcelnv.info | udp |
| US | 8.8.8.8:53 | kfkckz.net | udp |
| US | 8.8.8.8:53 | hvorxknhyigo.info | udp |
| US | 8.8.8.8:53 | nygqhmzun.info | udp |
| US | 8.8.8.8:53 | kfacjnifpnyh.info | udp |
| US | 8.8.8.8:53 | qcrgay.info | udp |
| US | 8.8.8.8:53 | iuhmtjt.info | udp |
| US | 8.8.8.8:53 | cumwjslkixl.net | udp |
| US | 8.8.8.8:53 | tyoerep.com | udp |
| US | 8.8.8.8:53 | okgccrvs.net | udp |
| US | 8.8.8.8:53 | ystebiqsuj.info | udp |
| US | 8.8.8.8:53 | jqbcyolmf.info | udp |
| US | 8.8.8.8:53 | conuxqfqvuh.net | udp |
| US | 8.8.8.8:53 | aqaocm.com | udp |
| US | 8.8.8.8:53 | nyryptt.info | udp |
| US | 8.8.8.8:53 | vtzmrqzbp.info | udp |
| US | 8.8.8.8:53 | iupgmiw.info | udp |
| US | 8.8.8.8:53 | gycilijbpof.info | udp |
| US | 8.8.8.8:53 | fikabkhybxw.org | udp |
| US | 8.8.8.8:53 | zycbehjggwke.info | udp |
| US | 8.8.8.8:53 | sdgypj.info | udp |
| US | 8.8.8.8:53 | ekvnznlov.info | udp |
| US | 8.8.8.8:53 | tdembpduv.net | udp |
| US | 8.8.8.8:53 | fhjevs.net | udp |
| US | 8.8.8.8:53 | uawohwbfojd.info | udp |
| US | 8.8.8.8:53 | uwqivof.net | udp |
| US | 8.8.8.8:53 | bbxwjdlyb.net | udp |
| US | 8.8.8.8:53 | ctilcy.net | udp |
| US | 8.8.8.8:53 | uhjwry.info | udp |
| US | 8.8.8.8:53 | vqlqxsnes.info | udp |
| US | 8.8.8.8:53 | lvtyhqheccxw.net | udp |
| US | 8.8.8.8:53 | kqrqvqw.info | udp |
| US | 8.8.8.8:53 | fykwmkoxniwf.net | udp |
| US | 8.8.8.8:53 | pyvpwmlefkv.org | udp |
| US | 8.8.8.8:53 | dhsvcdhz.net | udp |
| US | 8.8.8.8:53 | iimwksecasqg.com | udp |
| US | 8.8.8.8:53 | jmrnfvo.org | udp |
| US | 8.8.8.8:53 | utgydvjh.info | udp |
| US | 8.8.8.8:53 | mcygkwqm.org | udp |
| US | 8.8.8.8:53 | akiuiyqc.org | udp |
| US | 8.8.8.8:53 | qaflrckpjwn.net | udp |
| US | 8.8.8.8:53 | ciewkmugca.org | udp |
| US | 8.8.8.8:53 | jxcsgestbkig.net | udp |
| US | 8.8.8.8:53 | kcyowkao.com | udp |
| US | 8.8.8.8:53 | mywkquqkuu.com | udp |
| US | 8.8.8.8:53 | uvxwgvakbp.net | udp |
| US | 8.8.8.8:53 | kwfddazlfbr.net | udp |
| US | 8.8.8.8:53 | zmnprckzdsq.org | udp |
| US | 8.8.8.8:53 | nqzcjqvyb.com | udp |
| US | 8.8.8.8:53 | fgugue.net | udp |
| US | 8.8.8.8:53 | dkhpinkmdflo.info | udp |
| US | 8.8.8.8:53 | gykyuugqwwqm.org | udp |
| US | 8.8.8.8:53 | ijevrjmd.net | udp |
| US | 8.8.8.8:53 | zmhxpf.info | udp |
| US | 8.8.8.8:53 | ssusyksw.org | udp |
| US | 8.8.8.8:53 | uyzsxkbu.net | udp |
| US | 8.8.8.8:53 | suaawe.org | udp |
| US | 8.8.8.8:53 | iimuewua.com | udp |
| US | 8.8.8.8:53 | cfybcawuwkbv.net | udp |
| US | 8.8.8.8:53 | amwlzwksdlu.net | udp |
| US | 8.8.8.8:53 | evleyaxongn.info | udp |
| US | 8.8.8.8:53 | mhnnqyayup.info | udp |
| US | 8.8.8.8:53 | nkvwdongy.net | udp |
| US | 8.8.8.8:53 | aqiwmyai.org | udp |
| US | 8.8.8.8:53 | oazqfkr.info | udp |
| US | 8.8.8.8:53 | ghmggr.info | udp |
| US | 8.8.8.8:53 | zlcppxwb.info | udp |
| US | 8.8.8.8:53 | swlmkovddcp.net | udp |
| US | 8.8.8.8:53 | qekawcukeuie.com | udp |
| US | 8.8.8.8:53 | xqdersbedxp.net | udp |
| US | 8.8.8.8:53 | viceyfxhdthe.net | udp |
| US | 8.8.8.8:53 | sdbann.net | udp |
| US | 8.8.8.8:53 | hzpybx.info | udp |
| US | 8.8.8.8:53 | ookgcvfk.info | udp |
| US | 8.8.8.8:53 | tcpbcllr.info | udp |
| US | 8.8.8.8:53 | jakfpc.net | udp |
| US | 8.8.8.8:53 | zutagbtdnoxk.net | udp |
| US | 8.8.8.8:53 | gfxdruagt.net | udp |
| US | 8.8.8.8:53 | innygp.net | udp |
| US | 8.8.8.8:53 | dirqzbv.info | udp |
| US | 8.8.8.8:53 | hfnqnekjrda.org | udp |
| US | 8.8.8.8:53 | thvuqfop.net | udp |
| US | 8.8.8.8:53 | euxmzvrkp.info | udp |
| US | 8.8.8.8:53 | sagsmu.com | udp |
| US | 8.8.8.8:53 | aftcbwl.net | udp |
| US | 8.8.8.8:53 | zborti.info | udp |
| US | 8.8.8.8:53 | tpaxrd.info | udp |
| US | 8.8.8.8:53 | jinxlfpdld.net | udp |
| US | 8.8.8.8:53 | fguceef.info | udp |
| US | 8.8.8.8:53 | gunhuyefeoae.info | udp |
| US | 8.8.8.8:53 | gnzpxs.net | udp |
| US | 8.8.8.8:53 | mctvvewyfmm.net | udp |
| US | 8.8.8.8:53 | pqfvrhmuydzw.net | udp |
| US | 8.8.8.8:53 | ilopksbnsz.net | udp |
| US | 8.8.8.8:53 | aiesasyk.org | udp |
| US | 8.8.8.8:53 | mgkuekgq.com | udp |
| US | 8.8.8.8:53 | ddalrgnchr.net | udp |
| US | 8.8.8.8:53 | wmcauomiay.com | udp |
| US | 8.8.8.8:53 | nczfdcdsxw.info | udp |
| US | 8.8.8.8:53 | wktodg.info | udp |
| US | 8.8.8.8:53 | hkhmgrdmb.net | udp |
| US | 8.8.8.8:53 | njlmeodybmz.org | udp |
| US | 8.8.8.8:53 | vosuvijyr.net | udp |
| US | 8.8.8.8:53 | qurgxjvi.net | udp |
| US | 8.8.8.8:53 | cqycylhynrd.net | udp |
| US | 8.8.8.8:53 | dkgflxoe.net | udp |
| US | 8.8.8.8:53 | wuxmmldt.net | udp |
| US | 8.8.8.8:53 | qerofmbgxsy.info | udp |
| US | 8.8.8.8:53 | myuqmckieq.org | udp |
| US | 8.8.8.8:53 | susjohwila.info | udp |
| US | 8.8.8.8:53 | uogicigmue.org | udp |
| US | 8.8.8.8:53 | uvozgz.info | udp |
| US | 8.8.8.8:53 | qhmxhx.net | udp |
| US | 8.8.8.8:53 | gwfcwdn.net | udp |
| US | 8.8.8.8:53 | mpwmvekw.info | udp |
| US | 8.8.8.8:53 | ecaxpk.info | udp |
| US | 8.8.8.8:53 | bmoyhg.net | udp |
| US | 8.8.8.8:53 | eeowas.info | udp |
| US | 8.8.8.8:53 | fodvrrfqtwy.net | udp |
| US | 8.8.8.8:53 | pmkjtfqint.info | udp |
| US | 8.8.8.8:53 | hoesempmfqz.com | udp |
| US | 8.8.8.8:53 | pyvfdu.net | udp |
| US | 8.8.8.8:53 | pfdhignj.net | udp |
| US | 8.8.8.8:53 | hvoimzxepmnn.net | udp |
| US | 8.8.8.8:53 | usgggwykyque.com | udp |
| US | 8.8.8.8:53 | ckymoasocooo.org | udp |
| US | 8.8.8.8:53 | gygetwtaf.info | udp |
| US | 8.8.8.8:53 | bvbtig.info | udp |
| US | 8.8.8.8:53 | tkvltrgf.net | udp |
| US | 8.8.8.8:53 | waosmsuoqmiq.com | udp |
| US | 8.8.8.8:53 | kbwibedgi.info | udp |
| US | 8.8.8.8:53 | iaphnsbat.info | udp |
| US | 8.8.8.8:53 | olijdrlmzb.net | udp |
| US | 8.8.8.8:53 | hwnqtfpeheaz.net | udp |
| US | 8.8.8.8:53 | cirsxyyaxqf.net | udp |
| US | 8.8.8.8:53 | igokmsymkm.org | udp |
| US | 8.8.8.8:53 | ljwhxvh.net | udp |
| US | 8.8.8.8:53 | iudaiyiutga.net | udp |
| US | 8.8.8.8:53 | qmmasgeisyga.org | udp |
| US | 8.8.8.8:53 | vrzjngidhobq.net | udp |
| US | 8.8.8.8:53 | xrdqzb.info | udp |
| US | 8.8.8.8:53 | jcrelthtaat.net | udp |
| US | 8.8.8.8:53 | qmgnqyayup.net | udp |
| US | 8.8.8.8:53 | lpladpczah.net | udp |
| US | 8.8.8.8:53 | gykmgwqc.org | udp |
| US | 8.8.8.8:53 | olwwzvbjuvtp.info | udp |
| US | 8.8.8.8:53 | ugiswgsiwy.com | udp |
| US | 8.8.8.8:53 | ndhfgrucbg.net | udp |
| US | 8.8.8.8:53 | yffbsbvpxj.net | udp |
| US | 8.8.8.8:53 | jkdlubfs.info | udp |
| US | 8.8.8.8:53 | csqfrkrpp.info | udp |
| US | 8.8.8.8:53 | vghrznsx.info | udp |
| US | 8.8.8.8:53 | cwialenrx.info | udp |
| US | 8.8.8.8:53 | ysakmkee.com | udp |
| US | 8.8.8.8:53 | pegsloz.info | udp |
| US | 8.8.8.8:53 | ggnpzwloh.net | udp |
| US | 8.8.8.8:53 | ojbwcofwhor.info | udp |
| US | 8.8.8.8:53 | fkmohh.info | udp |
| US | 8.8.8.8:53 | ndzupwa.com | udp |
| US | 8.8.8.8:53 | jlzidx.info | udp |
| US | 8.8.8.8:53 | uirtyiiehncz.info | udp |
| US | 8.8.8.8:53 | zklqfdwcb.org | udp |
| US | 8.8.8.8:53 | tpsiuh.net | udp |
| US | 8.8.8.8:53 | fohdyo.info | udp |
| US | 8.8.8.8:53 | uifyhmw.net | udp |
| US | 8.8.8.8:53 | gzoyhi.net | udp |
| US | 8.8.8.8:53 | tyboiku.net | udp |
| US | 8.8.8.8:53 | vpshbvrar.com | udp |
| US | 8.8.8.8:53 | wyrgmd.net | udp |
| US | 8.8.8.8:53 | aooyesuikq.com | udp |
| US | 8.8.8.8:53 | xefyzgvv.info | udp |
| US | 8.8.8.8:53 | twpesi.info | udp |
| US | 8.8.8.8:53 | ladhtrpbmvhl.net | udp |
| US | 8.8.8.8:53 | zbehxkyftm.info | udp |
| US | 8.8.8.8:53 | gajgdrt.net | udp |
| US | 8.8.8.8:53 | unaycqj.info | udp |
| US | 8.8.8.8:53 | vtefccu.org | udp |
| US | 8.8.8.8:53 | bpzstgba.net | udp |
| US | 8.8.8.8:53 | jqoatxo.com | udp |
| US | 8.8.8.8:53 | mavqfznz.info | udp |
| US | 8.8.8.8:53 | oalqtqzxdcr.info | udp |
| US | 8.8.8.8:53 | gacabqjmesw.info | udp |
| US | 8.8.8.8:53 | fccldj.info | udp |
| US | 8.8.8.8:53 | cofxnvderwvc.info | udp |
| US | 8.8.8.8:53 | gwgiim.org | udp |
| US | 8.8.8.8:53 | fchghszex.net | udp |
| US | 8.8.8.8:53 | nwrgrfdozs.info | udp |
| US | 8.8.8.8:53 | pslddgzjsf.net | udp |
| US | 8.8.8.8:53 | ukssiiycgi.com | udp |
| US | 8.8.8.8:53 | gtkceyn.net | udp |
| US | 8.8.8.8:53 | seiotsoe.info | udp |
| US | 8.8.8.8:53 | epnerpt.info | udp |
| US | 8.8.8.8:53 | znlfenovmt.info | udp |
| US | 8.8.8.8:53 | azziayuho.info | udp |
| US | 8.8.8.8:53 | bkcdpdaizcwx.info | udp |
| US | 8.8.8.8:53 | vuacertp.net | udp |
| US | 8.8.8.8:53 | mgfidekol.info | udp |
| US | 8.8.8.8:53 | oiejxldbtkb.net | udp |
| US | 8.8.8.8:53 | ahsanuzvower.net | udp |
| US | 8.8.8.8:53 | fllhzyzvbsxw.net | udp |
| US | 8.8.8.8:53 | swicacukmsao.org | udp |
| US | 8.8.8.8:53 | nffqsfqtd.com | udp |
| US | 8.8.8.8:53 | ccqoiciq.com | udp |
| US | 8.8.8.8:53 | bzfuqzxsfz.net | udp |
| US | 8.8.8.8:53 | hprerydzd.com | udp |
| US | 8.8.8.8:53 | fssqtwxyefz.net | udp |
| US | 8.8.8.8:53 | shpyfavaeyh.net | udp |
| US | 8.8.8.8:53 | ltiljcqa.net | udp |
| US | 8.8.8.8:53 | ohpsnmt.info | udp |
| US | 8.8.8.8:53 | lckyvcpn.info | udp |
| US | 8.8.8.8:53 | gehsuywdq.net | udp |
| US | 8.8.8.8:53 | ztffudgwzlvu.info | udp |
| US | 8.8.8.8:53 | jzrwjdlcaa.info | udp |
| US | 8.8.8.8:53 | tkbemewmlcbv.info | udp |
| US | 8.8.8.8:53 | tbqhixnsgl.info | udp |
| US | 8.8.8.8:53 | puwioyvwh.com | udp |
| US | 8.8.8.8:53 | ketrqfdreh.net | udp |
| US | 8.8.8.8:53 | jpiauqrujtxf.net | udp |
| US | 8.8.8.8:53 | nddagzwguh.net | udp |
| US | 8.8.8.8:53 | ksaauwyksqoa.com | udp |
| US | 8.8.8.8:53 | quoeii.info | udp |
| US | 8.8.8.8:53 | xpnzneri.net | udp |
| US | 8.8.8.8:53 | izdsxkwfw.info | udp |
| US | 8.8.8.8:53 | nsvsiurumoi.org | udp |
| US | 8.8.8.8:53 | dppayanib.info | udp |
| US | 8.8.8.8:53 | esshflvxdp.info | udp |
| US | 8.8.8.8:53 | avztdo.info | udp |
| US | 8.8.8.8:53 | zoosdjduv.net | udp |
| US | 8.8.8.8:53 | elsudrbfjxgx.net | udp |
| US | 8.8.8.8:53 | ebzgbwb.net | udp |
| US | 8.8.8.8:53 | tpdiradj.net | udp |
| US | 8.8.8.8:53 | znnuiijx.info | udp |
| US | 8.8.8.8:53 | iomatkiym.info | udp |
| US | 8.8.8.8:53 | xiaaqgyv.net | udp |
| US | 8.8.8.8:53 | tscidmuecrzw.net | udp |
| US | 8.8.8.8:53 | dfwpwztisj.info | udp |
| US | 8.8.8.8:53 | zrtypthhdj.net | udp |
| US | 8.8.8.8:53 | fsqwpxtpx.com | udp |
| US | 8.8.8.8:53 | cabcpoo.net | udp |
| US | 8.8.8.8:53 | xsdwxmohbao.info | udp |
| US | 8.8.8.8:53 | cysyyqwq.org | udp |
| US | 8.8.8.8:53 | didolaqvxuh.net | udp |
| US | 8.8.8.8:53 | ioaogmxcsld.net | udp |
| US | 8.8.8.8:53 | qkiqmyiw.com | udp |
| US | 8.8.8.8:53 | vspypxn.com | udp |
| US | 8.8.8.8:53 | lwubnxnsrqa.org | udp |
| US | 8.8.8.8:53 | kdhzwczvplfc.net | udp |
| US | 8.8.8.8:53 | dgmrjhtt.net | udp |
| US | 8.8.8.8:53 | tzlerpprd.info | udp |
| US | 8.8.8.8:53 | jmmwaqznh.org | udp |
| US | 8.8.8.8:53 | jkygffjpe.org | udp |
| US | 8.8.8.8:53 | ewiycc.com | udp |
| US | 8.8.8.8:53 | fllmbhbat.info | udp |
| US | 8.8.8.8:53 | qgdodchepsj.info | udp |
| US | 8.8.8.8:53 | dfsrtsqn.net | udp |
| US | 8.8.8.8:53 | dzbabtpndtk.net | udp |
| US | 8.8.8.8:53 | aqzuehezrodu.net | udp |
| US | 8.8.8.8:53 | ggrireq.info | udp |
| US | 8.8.8.8:53 | tjthlmxwycov.info | udp |
| US | 8.8.8.8:53 | zgxgisd.info | udp |
| US | 8.8.8.8:53 | iqhwnmqydmb.info | udp |
| US | 8.8.8.8:53 | kiccmsgssi.org | udp |
| US | 8.8.8.8:53 | budyocq.org | udp |
| US | 8.8.8.8:53 | ggvlvnu.info | udp |
| US | 8.8.8.8:53 | lbhmlmbgrtpy.net | udp |
| US | 8.8.8.8:53 | vsxgrjr.info | udp |
| US | 8.8.8.8:53 | ymmeaawq.org | udp |
| US | 8.8.8.8:53 | ywysfqdnxwj.info | udp |
| US | 8.8.8.8:53 | rsbkroygp.org | udp |
| US | 8.8.8.8:53 | yhruxwwcog.info | udp |
| US | 8.8.8.8:53 | uhnqpit.info | udp |
| US | 8.8.8.8:53 | sazgfiaujqe.net | udp |
| US | 8.8.8.8:53 | niegtihm.info | udp |
| US | 8.8.8.8:53 | xqlgdhd.net | udp |
| US | 8.8.8.8:53 | cuuhycziuspj.info | udp |
| US | 8.8.8.8:53 | kggeaemy.com | udp |
| US | 8.8.8.8:53 | npjeoantjqe.info | udp |
| US | 8.8.8.8:53 | auykucggmgac.com | udp |
| US | 8.8.8.8:53 | emzgrjh.net | udp |
| US | 8.8.8.8:53 | zyrgndssnv.info | udp |
| US | 8.8.8.8:53 | fgbgqvhlulxx.info | udp |
| US | 8.8.8.8:53 | mswscyww.com | udp |
| US | 8.8.8.8:53 | ouuumqhyv.info | udp |
| US | 8.8.8.8:53 | vmzqeqdilzjm.info | udp |
| US | 8.8.8.8:53 | omqgukoeyo.org | udp |
| US | 8.8.8.8:53 | brlknql.org | udp |
| US | 8.8.8.8:53 | kkeucuki.com | udp |
| US | 8.8.8.8:53 | ocvtnvur.info | udp |
| US | 8.8.8.8:53 | jswuncvvu.net | udp |
| US | 8.8.8.8:53 | bndenikl.info | udp |
| US | 8.8.8.8:53 | hfdsfjhkp.com | udp |
| US | 8.8.8.8:53 | aoqehamscev.net | udp |
| US | 8.8.8.8:53 | ygseegui.com | udp |
| US | 8.8.8.8:53 | kxtrqr.info | udp |
| US | 8.8.8.8:53 | zchvdwljyy.net | udp |
| US | 8.8.8.8:53 | yiweciqeoe.org | udp |
| US | 8.8.8.8:53 | oinkrjdalcu.net | udp |
| US | 8.8.8.8:53 | wezwkfy.net | udp |
| US | 8.8.8.8:53 | acyiyawiusoe.org | udp |
| US | 8.8.8.8:53 | jwbddahptk.info | udp |
| US | 8.8.8.8:53 | hoyoifgozk.info | udp |
| US | 8.8.8.8:53 | zbbnrqcwxbxd.net | udp |
| US | 8.8.8.8:53 | chnrelp.info | udp |
| US | 8.8.8.8:53 | noqtfsdrvob.info | udp |
| US | 8.8.8.8:53 | kdbetjmzql.net | udp |
| US | 8.8.8.8:53 | zfrwxqr.info | udp |
| US | 8.8.8.8:53 | nypdxxpyv.info | udp |
| US | 8.8.8.8:53 | dxhkvden.info | udp |
| US | 8.8.8.8:53 | uegelmp.net | udp |
| US | 8.8.8.8:53 | eyinbpdyc.info | udp |
| US | 8.8.8.8:53 | zcshdpigza.net | udp |
| US | 8.8.8.8:53 | tbhyxkjfzfjc.net | udp |
| US | 8.8.8.8:53 | birexkvuo.com | udp |
| US | 8.8.8.8:53 | lgbjzutrf.com | udp |
| US | 8.8.8.8:53 | golqfxdvybrw.info | udp |
| US | 8.8.8.8:53 | umbengluyqt.info | udp |
| US | 8.8.8.8:53 | vgbyxmbsg.net | udp |
| US | 8.8.8.8:53 | huhomajfvcf.org | udp |
| US | 8.8.8.8:53 | dhpdbozv.info | udp |
| US | 8.8.8.8:53 | flzgajd.info | udp |
| US | 8.8.8.8:53 | usymgcik.com | udp |
| US | 8.8.8.8:53 | ramwjzzgl.net | udp |
| US | 8.8.8.8:53 | aupdbyxv.net | udp |
| US | 8.8.8.8:53 | jzuztayf.net | udp |
| US | 8.8.8.8:53 | gwofrznaqlkb.info | udp |
| US | 8.8.8.8:53 | nihjtmfpp.info | udp |
| US | 8.8.8.8:53 | wbsunmlquwn.net | udp |
| US | 8.8.8.8:53 | dgxmcj.info | udp |
| US | 8.8.8.8:53 | kycswy.com | udp |
| US | 8.8.8.8:53 | zsbcepztj.net | udp |
| US | 8.8.8.8:53 | sxoelqf.info | udp |
| US | 8.8.8.8:53 | ysfgysg.net | udp |
| US | 8.8.8.8:53 | ajksoccldcly.info | udp |
| US | 8.8.8.8:53 | munfhwxqbwc.net | udp |
| US | 8.8.8.8:53 | aahazih.info | udp |
| US | 8.8.8.8:53 | mwhfiijxus.net | udp |
| US | 8.8.8.8:53 | qykwckce.org | udp |
| US | 8.8.8.8:53 | kcpwgsa.net | udp |
| US | 8.8.8.8:53 | hqxxoaxp.info | udp |
| US | 8.8.8.8:53 | pulkkajehkk.info | udp |
| US | 8.8.8.8:53 | skbkcd.info | udp |
| US | 8.8.8.8:53 | ycflemdoxeuj.net | udp |
| US | 8.8.8.8:53 | biponaky.info | udp |
| US | 8.8.8.8:53 | nqnzpuwqgip.net | udp |
| US | 8.8.8.8:53 | bedavojujqc.org | udp |
| US | 8.8.8.8:53 | tqzqeunk.net | udp |
| US | 8.8.8.8:53 | dxvzwxqute.net | udp |
| US | 8.8.8.8:53 | lnxbduz.info | udp |
| US | 8.8.8.8:53 | pjjchmjje.info | udp |
| US | 8.8.8.8:53 | giadfmyz.info | udp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| US | 8.8.8.8:53 | qhkcfwttae.net | udp |
| DE | 142.250.181.195:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | qlrjpd.info | udp |
| US | 8.8.8.8:53 | tvxzbdflnp.net | udp |
| US | 8.8.8.8:53 | vtgoquketuvm.info | udp |
| US | 8.8.8.8:53 | bmacdaecl.org | udp |
| US | 8.8.8.8:53 | xbdlvovopr.net | udp |
| US | 8.8.8.8:53 | rrjfcqjxvsif.info | udp |
| US | 8.8.8.8:53 | fohtnzomm.org | udp |
| US | 8.8.8.8:53 | aganokn.net | udp |
| US | 8.8.8.8:53 | vibtlp.info | udp |
| US | 8.8.8.8:53 | xarqaybbvd.info | udp |
| US | 8.8.8.8:53 | xwhmlab.net | udp |
| US | 8.8.8.8:53 | borkjfgcivdi.info | udp |
| US | 8.8.8.8:53 | lufmxmv.com | udp |
| US | 8.8.8.8:53 | acvenev.info | udp |
| US | 8.8.8.8:53 | trtenmbzfqb.com | udp |
| US | 8.8.8.8:53 | auravkshl.info | udp |
| US | 8.8.8.8:53 | rsktgqwp.info | udp |
| US | 8.8.8.8:53 | sacyyemmmags.org | udp |
| US | 8.8.8.8:53 | asilux.net | udp |
| US | 8.8.8.8:53 | jxgjaulkxush.net | udp |
| US | 8.8.8.8:53 | rcpsjsxwvoy.org | udp |
| US | 8.8.8.8:53 | conadth.net | udp |
| US | 8.8.8.8:53 | eywojjgnvmgx.info | udp |
| US | 8.8.8.8:53 | ykemsgmyaymq.com | udp |
| US | 8.8.8.8:53 | qnueqalae.net | udp |
| US | 8.8.8.8:53 | tkzwwug.info | udp |
| US | 8.8.8.8:53 | hixxfpbnrgzb.net | udp |
| US | 8.8.8.8:53 | tautjujp.info | udp |
| US | 8.8.8.8:53 | vmxuvcr.net | udp |
| US | 8.8.8.8:53 | hxiirlcmnyd.org | udp |
| US | 8.8.8.8:53 | aykysuce.org | udp |
| US | 8.8.8.8:53 | kckikwcckk.com | udp |
| US | 8.8.8.8:53 | kgyico.org | udp |
| US | 8.8.8.8:53 | jjrjwtlrtv.info | udp |
| US | 8.8.8.8:53 | wguioi.com | udp |
| US | 8.8.8.8:53 | dwhusqrct.org | udp |
| US | 8.8.8.8:53 | naereuvif.net | udp |
| US | 8.8.8.8:53 | xfdioxjmdcn.org | udp |
| US | 8.8.8.8:53 | hvdzuout.net | udp |
| US | 8.8.8.8:53 | wwzsxwnqi.net | udp |
| US | 8.8.8.8:53 | wqqcax.info | udp |
| US | 8.8.8.8:53 | pxxaritsyifh.info | udp |
| US | 8.8.8.8:53 | qkbidtazk.net | udp |
| US | 8.8.8.8:53 | balyhmxcj.com | udp |
| US | 8.8.8.8:53 | cznazzhul.info | udp |
| US | 8.8.8.8:53 | ytpwlqvysof.net | udp |
| US | 8.8.8.8:53 | zjgaqeiklplz.info | udp |
| US | 8.8.8.8:53 | bucurizr.info | udp |
| US | 8.8.8.8:53 | kdbirsncstof.net | udp |
| US | 8.8.8.8:53 | wnrfdjxuv.net | udp |
| US | 8.8.8.8:53 | rapcmavkxzz.net | udp |
| US | 8.8.8.8:53 | fqilcp.info | udp |
| US | 8.8.8.8:53 | ikokeoscqake.com | udp |
| US | 8.8.8.8:53 | rxtqnt.net | udp |
| US | 8.8.8.8:53 | gwtsdjvuqkv.net | udp |
| US | 8.8.8.8:53 | kcsqymusqkko.org | udp |
| US | 8.8.8.8:53 | fimmpk.info | udp |
| US | 8.8.8.8:53 | dlvwlhxclem.org | udp |
| US | 8.8.8.8:53 | yxhmfckxss.net | udp |
| US | 8.8.8.8:53 | ukdmhhnybwt.info | udp |
| US | 8.8.8.8:53 | pvzgxpbk.net | udp |
| US | 8.8.8.8:53 | yawirqhuqtk.info | udp |
| US | 8.8.8.8:53 | tgrxpghlkwb.com | udp |
| US | 8.8.8.8:53 | rbhfhb.net | udp |
| US | 8.8.8.8:53 | baoulox.com | udp |
| US | 8.8.8.8:53 | imthnyvtsr.net | udp |
| US | 8.8.8.8:53 | bfsortthjj.net | udp |
| US | 8.8.8.8:53 | njxzkqdfwkat.net | udp |
| US | 8.8.8.8:53 | psrgfpfxb.info | udp |
| US | 8.8.8.8:53 | glukbvaoce.info | udp |
| US | 8.8.8.8:53 | yelgxiiwm.info | udp |
| US | 8.8.8.8:53 | wzvyvb.net | udp |
| US | 8.8.8.8:53 | irzsud.net | udp |
| US | 8.8.8.8:53 | uwkuouye.org | udp |
| US | 8.8.8.8:53 | ocpebyvauif.net | udp |
| US | 8.8.8.8:53 | rmavzxlefl.info | udp |
| US | 8.8.8.8:53 | dftzojyyr.org | udp |
| US | 8.8.8.8:53 | qsekog.com | udp |
| US | 8.8.8.8:53 | slxcpozwv.info | udp |
| US | 8.8.8.8:53 | uopubvyiebrz.info | udp |
| US | 8.8.8.8:53 | debungdctiq.org | udp |
| US | 8.8.8.8:53 | shjqjdj.net | udp |
| US | 8.8.8.8:53 | oajyysyrvlp.net | udp |
| US | 8.8.8.8:53 | wimicuoq.org | udp |
| US | 8.8.8.8:53 | wmsecg.com | udp |
| US | 8.8.8.8:53 | zflotqvoa.com | udp |
| US | 8.8.8.8:53 | lrzvfuqenc.info | udp |
| US | 8.8.8.8:53 | yhauzibing.info | udp |
| US | 8.8.8.8:53 | kqyucgkaukie.com | udp |
| US | 8.8.8.8:53 | louydqxghkb.info | udp |
| US | 8.8.8.8:53 | nysriymvg.net | udp |
| US | 8.8.8.8:53 | pmfoloiyw.info | udp |
| US | 8.8.8.8:53 | vghtpdbdzwzy.net | udp |
| US | 8.8.8.8:53 | rsihjdhhlc.net | udp |
| US | 8.8.8.8:53 | tzgkjwj.net | udp |
| US | 8.8.8.8:53 | twrxhwl.com | udp |
| US | 8.8.8.8:53 | wshuyyz.info | udp |
| US | 8.8.8.8:53 | fiiivwzuxoz.net | udp |
| US | 8.8.8.8:53 | eojyrsr.info | udp |
| US | 8.8.8.8:53 | ykxcuvriw.net | udp |
| US | 8.8.8.8:53 | jtturk.net | udp |
| US | 8.8.8.8:53 | dzlndsjynadz.net | udp |
| US | 8.8.8.8:53 | ymjzvdl.net | udp |
| US | 8.8.8.8:53 | jaxixctobw.info | udp |
| US | 8.8.8.8:53 | potmhghdfyyy.net | udp |
| US | 8.8.8.8:53 | nblyev.info | udp |
| US | 8.8.8.8:53 | aetqlldkruk.net | udp |
| US | 8.8.8.8:53 | tanifybor.info | udp |
| US | 8.8.8.8:53 | huvusrl.net | udp |
| US | 8.8.8.8:53 | xnvzxciv.info | udp |
| US | 8.8.8.8:53 | hkbodh.info | udp |
| US | 8.8.8.8:53 | yurkrbtp.net | udp |
| US | 8.8.8.8:53 | qnvnjopvonhc.net | udp |
| US | 8.8.8.8:53 | wejcfaten.info | udp |
| US | 8.8.8.8:53 | crofytieqcyl.net | udp |
| US | 8.8.8.8:53 | twsrgi.info | udp |
| US | 8.8.8.8:53 | gsoswi.org | udp |
| US | 8.8.8.8:53 | kfcyvkqzskfw.info | udp |
| US | 8.8.8.8:53 | voijuuhsleg.org | udp |
| US | 8.8.8.8:53 | fwhohgjcx.info | udp |
| US | 8.8.8.8:53 | tsxsbvfgikg.org | udp |
| US | 8.8.8.8:53 | ycguqwqemu.org | udp |
| US | 8.8.8.8:53 | yqeaes.com | udp |
| US | 8.8.8.8:53 | aqcbfxvjw.net | udp |
| US | 8.8.8.8:53 | jnrkdybowyj.info | udp |
| US | 8.8.8.8:53 | bkewpipqh.org | udp |
| US | 8.8.8.8:53 | hmickfd.net | udp |
| US | 8.8.8.8:53 | feridzfdvgf.info | udp |
| US | 8.8.8.8:53 | hiuwaynmn.org | udp |
| US | 8.8.8.8:53 | jddctcdsf.net | udp |
| US | 8.8.8.8:53 | bybsubyhzqy.net | udp |
| US | 8.8.8.8:53 | lmxgbgdmh.net | udp |
| US | 8.8.8.8:53 | pwetdm.info | udp |
| US | 8.8.8.8:53 | deabru.info | udp |
| US | 8.8.8.8:53 | wyyaaskw.com | udp |
| US | 8.8.8.8:53 | icogsz.info | udp |
| US | 8.8.8.8:53 | nkrwclb.net | udp |
| US | 8.8.8.8:53 | sgemmzd.net | udp |
| US | 8.8.8.8:53 | xphkvoxyhzcm.net | udp |
| US | 8.8.8.8:53 | ycyeqw.com | udp |
| US | 8.8.8.8:53 | kcyvkwehlktd.info | udp |
| US | 8.8.8.8:53 | rjxljplooa.info | udp |
| US | 8.8.8.8:53 | yqtihqtfy.info | udp |
| US | 8.8.8.8:53 | uhzerkvsz.net | udp |
| US | 8.8.8.8:53 | casynozwl.net | udp |
| US | 8.8.8.8:53 | hevclubqcmc.com | udp |
| US | 8.8.8.8:53 | vfelmatb.net | udp |
| US | 8.8.8.8:53 | dotslsvpp.com | udp |
| US | 8.8.8.8:53 | aawycgkcwm.com | udp |
| US | 8.8.8.8:53 | tqhchbsarin.org | udp |
| US | 8.8.8.8:53 | ikysmgcqmqgu.org | udp |
| US | 8.8.8.8:53 | gakbtko.net | udp |
| US | 8.8.8.8:53 | earmnwvis.info | udp |
| US | 8.8.8.8:53 | kxjokmho.net | udp |
| US | 8.8.8.8:53 | hihmpbrvblay.info | udp |
| US | 8.8.8.8:53 | pildcv.info | udp |
| US | 8.8.8.8:53 | oqikyg.org | udp |
| US | 8.8.8.8:53 | wmycui.org | udp |
| US | 8.8.8.8:53 | omsctadfvkl.net | udp |
| US | 8.8.8.8:53 | zslprn.net | udp |
| US | 8.8.8.8:53 | oiawfcr.info | udp |
| US | 8.8.8.8:53 | cumkjslye.info | udp |
| US | 8.8.8.8:53 | zvglrkse.net | udp |
| US | 8.8.8.8:53 | zkraclmnemme.info | udp |
| US | 8.8.8.8:53 | eolkzqp.net | udp |
| US | 8.8.8.8:53 | vtriyb.info | udp |
| US | 8.8.8.8:53 | wogkyeqeke.org | udp |
| US | 8.8.8.8:53 | dgpwvwz.net | udp |
| US | 8.8.8.8:53 | tcpkgejobkh.net | udp |
| US | 8.8.8.8:53 | gwnkxq.net | udp |
| US | 8.8.8.8:53 | bibrbktnnyx.net | udp |
| US | 8.8.8.8:53 | zofzuotujgu.info | udp |
| US | 8.8.8.8:53 | suqldwpylage.net | udp |
| US | 8.8.8.8:53 | hyahdazux.info | udp |
| US | 8.8.8.8:53 | lqtlhptiaif.info | udp |
| US | 8.8.8.8:53 | ugauxxfnob.info | udp |
| US | 8.8.8.8:53 | qsqkwc.org | udp |
| US | 8.8.8.8:53 | azdjdzqjqtui.net | udp |
| US | 8.8.8.8:53 | vynwnoisdfj.info | udp |
| US | 8.8.8.8:53 | lrpglzlr.net | udp |
| US | 8.8.8.8:53 | stuyiskoftqb.info | udp |
| US | 8.8.8.8:53 | odauoqd.info | udp |
| US | 8.8.8.8:53 | qhlwbioieav.net | udp |
| US | 8.8.8.8:53 | jhxiqz.info | udp |
| US | 8.8.8.8:53 | rkqbmq.info | udp |
| US | 8.8.8.8:53 | uicssgckkm.com | udp |
| US | 8.8.8.8:53 | izhukfmyyyz.net | udp |
| US | 8.8.8.8:53 | mmhfpd.net | udp |
| US | 8.8.8.8:53 | bboyljrs.net | udp |
| US | 8.8.8.8:53 | qedielgi.net | udp |
| US | 8.8.8.8:53 | rxynkaaokphz.net | udp |
| US | 8.8.8.8:53 | pfmgqefuf.info | udp |
| US | 8.8.8.8:53 | hqhmzknpu.com | udp |
| US | 8.8.8.8:53 | oageqc.com | udp |
| US | 8.8.8.8:53 | zsrnhalwarn.net | udp |
| US | 8.8.8.8:53 | yiioeuiywqws.com | udp |
| US | 8.8.8.8:53 | tzrqvqhhveb.net | udp |
| US | 8.8.8.8:53 | jbdkryrmz.info | udp |
| US | 8.8.8.8:53 | gixxkky.net | udp |
| US | 8.8.8.8:53 | itsjjmhudvm.net | udp |
| US | 8.8.8.8:53 | uskmuqqoekqc.org | udp |
| US | 8.8.8.8:53 | vhngmzee.info | udp |
| US | 8.8.8.8:53 | lpkztmhavwo.net | udp |
| US | 8.8.8.8:53 | uqvoniv.info | udp |
| US | 8.8.8.8:53 | oohcfcw.info | udp |
| US | 8.8.8.8:53 | iygsie.org | udp |
| US | 8.8.8.8:53 | vsthpi.info | udp |
| US | 8.8.8.8:53 | njtdpksqnhbo.info | udp |
| US | 8.8.8.8:53 | jxzoxjeyi.net | udp |
| US | 8.8.8.8:53 | ythjpklysc.net | udp |
| US | 8.8.8.8:53 | asomuw.com | udp |
| US | 8.8.8.8:53 | cbfgvvjw.net | udp |
| US | 8.8.8.8:53 | pjqalclh.net | udp |
| US | 8.8.8.8:53 | fguatetv.net | udp |
| US | 8.8.8.8:53 | ueqiogioyg.com | udp |
| US | 8.8.8.8:53 | cgfjbao.info | udp |
| US | 8.8.8.8:53 | oajgbc.net | udp |
| US | 8.8.8.8:53 | zijwfifij.com | udp |
| US | 8.8.8.8:53 | ppxasj.net | udp |
| US | 8.8.8.8:53 | iseiiz.net | udp |
| US | 8.8.8.8:53 | rfegrwpsrpb.org | udp |
| US | 8.8.8.8:53 | bcdzosrknuw.net | udp |
| US | 8.8.8.8:53 | okemhgrj.info | udp |
| US | 8.8.8.8:53 | iehhjbhzj.net | udp |
| US | 8.8.8.8:53 | byorzmbnx.net | udp |
| US | 8.8.8.8:53 | orkhgepxdfsx.info | udp |
| US | 8.8.8.8:53 | krvbeiprbkg.net | udp |
| US | 8.8.8.8:53 | tgrcrujgn.net | udp |
| US | 8.8.8.8:53 | bktjdpl.com | udp |
| US | 8.8.8.8:53 | hwjgveksfit.org | udp |
| US | 8.8.8.8:53 | vopeczwcsst.info | udp |
| US | 8.8.8.8:53 | zagpqjqags.info | udp |
| US | 8.8.8.8:53 | iofmbqm.info | udp |
| US | 8.8.8.8:53 | xvotaqhjhsqc.net | udp |
| US | 8.8.8.8:53 | ygjofonnmij.info | udp |
| US | 8.8.8.8:53 | qkyaoykequ.com | udp |
| US | 8.8.8.8:53 | qybgvczfj.net | udp |
| US | 8.8.8.8:53 | uckcswsayy.com | udp |
| US | 8.8.8.8:53 | iifywsqcb.info | udp |
| US | 8.8.8.8:53 | oytblya.info | udp |
| US | 8.8.8.8:53 | hsswgqno.info | udp |
| US | 8.8.8.8:53 | zqhaunsuqmy.info | udp |
| US | 8.8.8.8:53 | flqvobysxucq.net | udp |
| US | 8.8.8.8:53 | jmjrhupcq.net | udp |
| US | 8.8.8.8:53 | xleqksl.com | udp |
| US | 8.8.8.8:53 | igulgixnh.net | udp |
| US | 8.8.8.8:53 | nlhlzihxv.net | udp |
| US | 8.8.8.8:53 | ncvmbqxaqun.net | udp |
| US | 8.8.8.8:53 | bxnzeh.net | udp |
| US | 8.8.8.8:53 | vyjuleroeiv.net | udp |
| US | 8.8.8.8:53 | fzrcbilll.org | udp |
| US | 8.8.8.8:53 | gmhqtqqqxhe.info | udp |
| US | 8.8.8.8:53 | vdfgrwbu.info | udp |
| US | 8.8.8.8:53 | qukbfhv.info | udp |
| US | 8.8.8.8:53 | wzngdnueebgn.net | udp |
| US | 8.8.8.8:53 | tqxiwjs.com | udp |
| US | 8.8.8.8:53 | okcvydkmleo.info | udp |
| US | 8.8.8.8:53 | qmxilwcozeo.info | udp |
| US | 8.8.8.8:53 | hsvfegxnfxhp.net | udp |
| US | 8.8.8.8:53 | rytonhw.info | udp |
| US | 8.8.8.8:53 | awxfarhavegg.info | udp |
| US | 8.8.8.8:53 | xajqbmyxptg.net | udp |
| US | 8.8.8.8:53 | msdwpikctjfm.net | udp |
| US | 8.8.8.8:53 | mwurqbxq.info | udp |
| US | 8.8.8.8:53 | ykhusrgw.info | udp |
| US | 8.8.8.8:53 | wfscpqvq.info | udp |
| US | 8.8.8.8:53 | poumlpfec.net | udp |
| US | 8.8.8.8:53 | gktsoyvct.info | udp |
| US | 8.8.8.8:53 | wowcgmlsc.net | udp |
| US | 8.8.8.8:53 | yqnwfjtuzbme.net | udp |
| US | 8.8.8.8:53 | srtask.info | udp |
| US | 8.8.8.8:53 | mgheha.net | udp |
| US | 8.8.8.8:53 | odpvzfteatse.net | udp |
| US | 8.8.8.8:53 | ssiijnlj.info | udp |
| US | 8.8.8.8:53 | torebox.org | udp |
| US | 8.8.8.8:53 | ptfyyjctprrn.net | udp |
| US | 8.8.8.8:53 | kcoyooukiisg.org | udp |
| US | 8.8.8.8:53 | zgnnqizd.net | udp |
| US | 8.8.8.8:53 | ypjmvfl.net | udp |
| US | 8.8.8.8:53 | tkatzaqfeg.net | udp |
| US | 8.8.8.8:53 | uucqsyeiywaw.com | udp |
| US | 8.8.8.8:53 | bzcssrek.info | udp |
| US | 8.8.8.8:53 | xzenfwptnint.info | udp |
Files
C:\Users\Admin\AppData\Local\Temp\hpufno.exe
C:\Users\Admin\AppData\Local\glnvaybgghpnpumnylinpxcad.ijr
C:\Users\Admin\AppData\Local\lbohxgukvhajwmpbxvdtgzpymcnzsboehtpn.lyr
C:\Program Files (x86)\glnvaybgghpnpumnylinpxcad.ijr
Analysis: behavioral2
Detonation Overview
Submitted: 2025-04-22 19:53
Reported: 2025-04-22 19:55
Platform: win11-20250410-en
Max time kernel: 150s
Max time network: 151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
Pykspa
Pykspa family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
Detect Pykspa worm
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "bqnmidxvqdjpabvfzrpeb.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "oauqjbsnfpsvdbszqf.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "fqjewndxoxzbifvbr.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqnmidxvqdjpabvfzrpeb.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmheyrjfyjnrazrzrhd.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yiaulbqjzhijplaf.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "zmheyrjfyjnrazrzrhd.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqjewndxoxzbifvbr.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "mawupjcztfkpzzsbuliw.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oauqjbsnfpsvdbszqf.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqnmidxvqdjpabvfzrpeb.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "yiaulbqjzhijplaf.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "fqjewndxoxzbifvbr.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\tctmcrfxmtttyth = "oauqjbsnfpsvdbszqf.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "fqjewndxoxzbifvbr.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "bqnmidxvqdjpabvfzrpeb.exe ." | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "oauqjbsnfpsvdbszqf.exe ." | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqjewndxoxzbifvbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqjewndxoxzbifvbr.exe ." | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "yiaulbqjzhijplaf.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "fqjewndxoxzbifvbr.exe ." | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqnmidxvqdjpabvfzrpeb.exe ." | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "mawupjcztfkpzzsbuliw.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oauqjbsnfpsvdbszqf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqnmidxvqdjpabvfzrpeb.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "mawupjcztfkpzzsbuliw.exe ." | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yiaulbqjzhijplaf.exe ." | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oauqjbsnfpsvdbszqf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yiaulbqjzhijplaf.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "zmheyrjfyjnrazrzrhd.exe ." | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "yiaulbqjzhijplaf.exe ." | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "fqjewndxoxzbifvbr.exe ." | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oauqjbsnfpsvdbszqf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmheyrjfyjnrazrzrhd.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "mawupjcztfkpzzsbuliw.exe ." | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oauqjbsnfpsvdbszqf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqjewndxoxzbifvbr.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "zmheyrjfyjnrazrzrhd.exe ." | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqjewndxoxzbifvbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe ." | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oauqjbsnfpsvdbszqf.exe ." | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\tctmcrfxmtttyth = "yiaulbqjzhijplaf.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqjewndxoxzbifvbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmheyrjfyjnrazrzrhd.exe ." | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe ." | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqjewndxoxzbifvbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yiaulbqjzhijplaf.exe ." | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oauqjbsnfpsvdbszqf.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oauqjbsnfpsvdbszqf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "yiaulbqjzhijplaf.exe ." | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\tctmcrfxmtttyth = "mawupjcztfkpzzsbuliw.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqjewndxoxzbifvbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oauqjbsnfpsvdbszqf.exe ." | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "zmheyrjfyjnrazrzrhd.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yiaulbqjzhijplaf.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "yiaulbqjzhijplaf.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmheyrjfyjnrazrzrhd.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "bqnmidxvqdjpabvfzrpeb.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oauqjbsnfpsvdbszqf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oauqjbsnfpsvdbszqf.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\tctmcrfxmtttyth = "bqnmidxvqdjpabvfzrpeb.exe" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqnmidxvqdjpabvfzrpeb.exe ." | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "bqnmidxvqdjpabvfzrpeb.exe ." | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqnmidxvqdjpabvfzrpeb.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\tctmcrfxmtttyth = "fqjewndxoxzbifvbr.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "oauqjbsnfpsvdbszqf.exe ." | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqjewndxoxzbifvbr.exe" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqjewndxoxzbifvbr.exe ." | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\gcgmprsxztgtltulmlqmqwzb.hjd | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| File created | C:\Windows\SysWOW64\gcgmprsxztgtltulmlqmqwzb.hjd | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pwlcqdpfsxvtwpbdpzpwlcqdpfsxvtwpbdp.pwl | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| File created | C:\Windows\SysWOW64\pwlcqdpfsxvtwpbdpzpwlcqdpfsxvtwpbdp.pwl | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\pwlcqdpfsxvtwpbdpzpwlcqdpfsxvtwpbdp.pwl | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| File created | C:\Program Files (x86)\pwlcqdpfsxvtwpbdpzpwlcqdpfsxvtwpbdp.pwl | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\gcgmprsxztgtltulmlqmqwzb.hjd | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| File created | C:\Program Files (x86)\gcgmprsxztgtltulmlqmqwzb.hjd | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\gcgmprsxztgtltulmlqmqwzb.hjd | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| File created | C:\Windows\gcgmprsxztgtltulmlqmqwzb.hjd | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| File opened for modification | C:\Windows\pwlcqdpfsxvtwpbdpzpwlcqdpfsxvtwpbdp.pwl | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| File created | C:\Windows\pwlcqdpfsxvtwpbdpzpwlcqdpfsxvtwpbdp.pwl | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\zajucjp.exe | N/A |
Processes
Network
Files
C:\Users\Admin\AppData\Local\Temp\zajucjp.exe
C:\Users\Admin\AppData\Local\gcgmprsxztgtltulmlqmqwzb.hjd
C:\Users\Admin\AppData\Local\pwlcqdpfsxvtwpbdpzpwlcqdpfsxvtwpbdp.pwl
C:\Program Files (x86)\gcgmprsxztgtltulmlqmqwzb.hjd