Malware Analysis Report

2025-08-10 16:34

Sample ID 250422-yl1tdawtdt
Target JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52
SHA256 01de46a840296756d1f790f69c54859ecb26e8fb76b5f5f31436f8df6decb818
Tags
worm pykspa defense_evasion discovery persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

01de46a840296756d1f790f69c54859ecb26e8fb76b5f5f31436f8df6decb818

Threat Level: Known bad

The file JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52 was found to be: Known bad.

Malicious Activity Summary

worm pykspa defense_evasion discovery persistence privilege_escalation trojan

UAC bypass

Pykspa family

Pykspa

Modifies WinLogon for persistence

Detect Pykspa worm

Adds policy Run key to start application

Disables RegEdit via registry modification

Impair Defenses: Safe Mode Boot

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Hijack Execution Flow: Executable Installer File Permissions Weakness

Looks up external IP address via web service

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

System policy modification

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-22 19:53

Signatures

Detect Pykspa worm

worm
Description Indicator Process Target
N/A N/A N/A N/A

Pykspa family

pykspa

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-22 19:53

Reported

2025-04-22 19:55

Platform

win10v2004-20250410-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A

Note: the data written is "Explorer.exe", the Windows default, so the write itself is the indicator here rather than a replaced shell. The write also landed in the WOW6432Node view, the redirected key a 32-bit process sees, not the native Winlogon key; check both views and the live value before treating this as an active shell hijack.

Pykspa

worm pykspa

Pykspa family

pykspa

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A

Note: these writes go to the HKLM policy key and succeed only from a process that is already elevated, so the signature records UAC being switched off for future elevation requests rather than a bypass of a live prompt. EnableLUA = 0 takes effect only after the next reboot; the ConsentPromptBehavior* and PromptOnSecureDesktop values apply to later elevation requests.

Detect Pykspa worm

worm
Description Indicator Process Target
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdurlyqkzpmzqkrhhj.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "jdurlyqkzpmzqkrhhj.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "uphfaohcsjhvniqhily.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "wtnnkavskddtnkunqvkhb.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uphfaohcsjhvniqhily.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "hdwvrgawnfetmirjlpdz.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "atjfykbuixtfvouji.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "tlavnyogthcncuzn.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "uphfaohcsjhvniqhily.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlavnyogthcncuzn.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdwvrgawnfetmirjlpdz.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "tlavnyogthcncuzn.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdwvrgawnfetmirjlpdz.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlavnyogthcncuzn.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\althswfqw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "hdwvrgawnfetmirjlpdz.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "atjfykbuixtfvouji.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "jdurlyqkzpmzqkrhhj.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lzkbpwiwfpgn = "hdwvrgawnfetmirjlpdz.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A

Note: removing entries under SafeBoot\Minimal takes those services and drivers out of the set Windows loads in Safe Mode, which degrades Safe Mode as a cleanup environment; restore the deleted entries before relying on Safe Mode for remediation.

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kzldsancmxpxj = "uphfaohcsjhvniqhily.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "hdwvrgawnfetmirjlpdz.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "tlavnyogthcncuzn.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "atjfykbuixtfvouji.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "atjfykbuixtfvouji.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oftneodugtnxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlavnyogthcncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uphfaohcsjhvniqhily.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "atjfykbuixtfvouji.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uphfaohcsjhvniqhily.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kzldsancmxpxj = "atjfykbuixtfvouji.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oftneodugtnxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kzldsancmxpxj = "atjfykbuixtfvouji.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "uphfaohcsjhvniqhily.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "atjfykbuixtfvouji.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "jdurlyqkzpmzqkrhhj.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "wtnnkavskddtnkunqvkhb.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlavnyogthcncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "uphfaohcsjhvniqhily.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlavnyogthcncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "hdwvrgawnfetmirjlpdz.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdurlyqkzpmzqkrhhj.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "tlavnyogthcncuzn.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "tlavnyogthcncuzn.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "wtnnkavskddtnkunqvkhb.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oftneodugtnxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdurlyqkzpmzqkrhhj.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "wtnnkavskddtnkunqvkhb.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "tlavnyogthcncuzn.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlavnyogthcncuzn.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kzldsancmxpxj = "uphfaohcsjhvniqhily.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "wtnnkavskddtnkunqvkhb.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "wtnnkavskddtnkunqvkhb.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "uphfaohcsjhvniqhily.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kzldsancmxpxj = "hdwvrgawnfetmirjlpdz.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdwvrgawnfetmirjlpdz.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlavnyogthcncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "wtnnkavskddtnkunqvkhb.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlavnyogthcncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdurlyqkzpmzqkrhhj.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "uphfaohcsjhvniqhily.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlavnyogthcncuzn.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlavnyogthcncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlavnyogthcncuzn.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "wtnnkavskddtnkunqvkhb.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "wtnnkavskddtnkunqvkhb.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "jdurlyqkzpmzqkrhhj.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "hdwvrgawnfetmirjlpdz.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kzldsancmxpxj = "jdurlyqkzpmzqkrhhj.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hdwvrgawnfetmirjlpdz.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oftneodugtnxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdurlyqkzpmzqkrhhj.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlavnyogthcncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tlavnyogthcncuzn.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uphfaohcsjhvniqhily.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tlavnyogthcncuzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdurlyqkzpmzqkrhhj.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "jdurlyqkzpmzqkrhhj.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kzldsancmxpxj = "hdwvrgawnfetmirjlpdz.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oftneodugtnxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wtnnkavskddtnkunqvkhb.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tfodpueqxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atjfykbuixtfvouji.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\oblboufsajz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jdurlyqkzpmzqkrhhj.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lbohxgukvhajwm = "jdurlyqkzpmzqkrhhj.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kzldsancmxpxj = "wtnnkavskddtnkunqvkhb.exe" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\oftneodugtnxlcg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\uphfaohcsjhvniqhily.exe ." C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A

Note: EnableInstallerDetection = 0 disables the UAC heuristic that prompts for elevation when a setup-like executable is launched. It weakens UAC in the same way as the policy writes under "UAC bypass" above rather than exploiting installer file permissions, so read the sandbox's technique label for this signature with caution.

Looks up external IP address via web service

Description Indicator Process Target
N/A www.whatismyip.ca N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\glnvaybgghpnpumnylinpxcad.ijr C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
File created C:\Windows\SysWOW64\glnvaybgghpnpumnylinpxcad.ijr C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
File opened for modification C:\Windows\SysWOW64\lbohxgukvhajwmpbxvdtgzpymcnzsboehtpn.lyr C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
File created C:\Windows\SysWOW64\lbohxgukvhajwmpbxvdtgzpymcnzsboehtpn.lyr C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\glnvaybgghpnpumnylinpxcad.ijr C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
File created C:\Program Files (x86)\glnvaybgghpnpumnylinpxcad.ijr C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
File opened for modification C:\Program Files (x86)\lbohxgukvhajwmpbxvdtgzpymcnzsboehtpn.lyr C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
File created C:\Program Files (x86)\lbohxgukvhajwmpbxvdtgzpymcnzsboehtpn.lyr C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\glnvaybgghpnpumnylinpxcad.ijr C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
File created C:\Windows\glnvaybgghpnpumnylinpxcad.ijr C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
File opened for modification C:\Windows\lbohxgukvhajwmpbxvdtgzpymcnzsboehtpn.lyr C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
File created C:\Windows\lbohxgukvhajwmpbxvdtgzpymcnzsboehtpn.lyr C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
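The rows above are the sandbox's flattened registry log, and the same value appears several times because both the original sample and the dropped hpufno.exe write it. What matters for triage is the distinct (value, data) pairs and how each compares with the Windows default: EnableLUA=0 turns UAC off at next logon, ConsentPromptBehaviorAdmin=0 makes elevation silent, PromptOnSecureDesktop=0 takes the prompt off the secure desktop, and NoDriveTypeAutoRun=1 is far weaker than the 0x91 Windows ships with. Two of the writes (FilterAdministratorToken=0, ValidateAdminCodeSignatures=0) equal the default on a stock install and are not deviations on their own. The script below is an added example, not part of the sandbox report or of any tool the report was produced with; it parses a constructed subset of the rows copied from the table, folds duplicates, and tags each pair against a baseline table of documented Windows defaults. The baseline values and the wording of each effect are the example's own.

```python
import re

# Constructed sample: rows copied from the "System policy modification" table above,
# in the sandbox's own flattened row layout (action, key = "data", process, target).
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\hpufno.exe N/A
"""

# Baseline: the documented Windows default for each value when the policy is untouched
# (a missing value behaves like the default listed), plus what the observed data buys
# the attacker. This table is the example's own, not part of the sandbox output.
POLICY = {
    "EnableLUA":                   (1,    "UAC disabled entirely (effective at next logon)"),
    "ConsentPromptBehaviorAdmin":  (5,    "administrators elevate silently, no consent prompt"),
    "ConsentPromptBehaviorUser":   (3,    "standard-user elevation requests denied without a prompt"),
    "PromptOnSecureDesktop":       (1,    "UAC prompt shown on the normal desktop, where it can be spoofed or clicked by code"),
    "EnableVirtualization":        (1,    "UAC file and registry virtualization off"),
    "EnableSecureUIAPaths":        (1,    "UIAccess applications allowed from non-secure locations"),
    "FilterAdministratorToken":    (0,    "Admin Approval Mode for the built-in Administrator account"),
    "ValidateAdminCodeSignatures": (0,    "PKI signature check on elevated executables"),
    "DisableRegistryTools":        (0,    "regedit blocked, hampering manual cleanup"),
    "NoDriveTypeAutoRun":          (0x91, "AutoRun re-enabled for drive types the 0x91 default excludes"),
}

ROW_RE = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<key>\\REGISTRY\\\S+) = "(?P<data>[^"]*)" (?P<proc>\S+) N/A$')


def assess(text):
    """Fold the sandbox rows into distinct (value name, data) pairs judged against POLICY."""
    findings = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # "Key created" rows and non-matching lines carry no data to judge
        path, _, name = m.group("key").rpartition("\\")
        data = int(m.group("data"))
        default, effect = POLICY.get(name, (None, "not in the baseline table"))
        entry = findings.setdefault((name, data), {
            "path": path, "default": default, "effect": effect,
            "deviates": default is not None and data != default, "procs": set()})
        entry["procs"].add(m.group("proc").rsplit("\\", 1)[-1])
    return findings


def report(findings):
    """One line per distinct pair, deviations from the default first."""
    lines = []
    ordered = sorted(findings.items(), key=lambda kv: (not kv[1]["deviates"], kv[0]))
    for (name, data), f in ordered:
        tag = "TAMPERED" if f["deviates"] else ("DEFAULT" if f["default"] is not None else "UNKNOWN")
        procs = ", ".join(sorted(f["procs"]))
        lines.append(f"{tag:8} {name}={data} (default {f['default']}) by {procs}: {f['effect']}")
    return lines


if __name__ == "__main__":
    for line in report(assess(SAMPLE_ROWS)):
        print(line)
```

Running it against the full table instead of the subset gives the same ten distinct pairs; the repetition in the sandbox output is entirely from the two processes writing the same values. Values tagged DEFAULT still tell you the malware enumerates the UAC policy set wholesale, but they are not something a host-based check can use as an indicator of compromise on their own.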

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe .

C:\Users\Admin\AppData\Local\Temp\hpufno.exe

"C:\Users\Admin\AppData\Local\Temp\hpufno.exe" "-"

C:\Users\Admin\AppData\Local\Temp\hpufno.exe

"C:\Users\Admin\AppData\Local\Temp\hpufno.exe" "-"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tlavnyogthcncuzn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tlavnyogthcncuzn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tlavnyogthcncuzn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tlavnyogthcncuzn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tlavnyogthcncuzn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tlavnyogthcncuzn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tlavnyogthcncuzn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tlavnyogthcncuzn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tlavnyogthcncuzn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tlavnyogthcncuzn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tlavnyogthcncuzn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c uphfaohcsjhvniqhily.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atjfykbuixtfvouji.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c jdurlyqkzpmzqkrhhj.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\hdwvrgawnfetmirjlpdz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\jdurlyqkzpmzqkrhhj.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atjfykbuixtfvouji.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\uphfaohcsjhvniqhily.exe .
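The process list above is long because the sample re-launches a handful of dropped executables over and over through cmd.exe /c, sometimes by bare name, sometimes by full path, with or without a trailing ".". Collapsing it to the set of distinct targets is the first thing to do before reading it. The script below is an added example, not the sandbox's own tooling; it reads a constructed slice of the list in the sandbox's layout (image path line, blank, command line, blank), normalises every cmd.exe /c target to its bare file name, and keeps everything that is not a cmd.exe launch (the original sample, hpufno.exe and the rundll32 COM server) in a separate list. It makes no claim about what the CLSID passed to rundll32 is.

```python
import re
from collections import Counter

# Constructed sample: a slice of the Processes list above, in the sandbox's own
# layout (image path line, blank line, command line, blank line).
SAMPLE_PROCESSES = r"""
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wtnnkavskddtnkunqvkhb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\wtnnkavskddtnkunqvkhb.exe

C:\Users\Admin\AppData\Local\Temp\hpufno.exe

"C:\Users\Admin\AppData\Local\Temp\hpufno.exe" "-"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c hdwvrgawnfetmirjlpdz.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tlavnyogthcncuzn.exe .
"""

# The cmd.exe path in this report never contains spaces, so \S* is enough to reach it.
CMD_C_RE = re.compile(r"^\S*cmd\.exe /c (?P<target>\S+)", re.IGNORECASE)


def parse_processes(text):
    """Pair every non-empty line with the next one: (image path, command line)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) % 2:
        raise ValueError("expected image/command-line pairs")
    return list(zip(lines[0::2], lines[1::2]))


def cmd_target(cmdline):
    """Bare, lower-cased file name cmd.exe was asked to run, or None if not a /c launch."""
    m = CMD_C_RE.match(cmdline)
    if not m:
        return None
    return m.group("target").rsplit("\\", 1)[-1].lower()


def summarize(text):
    """Return (launch counts per dropped executable, list of non-cmd processes)."""
    counts = Counter()
    others = []
    for image, cmdline in parse_processes(text):
        target = cmd_target(cmdline) if image.lower().endswith("\\cmd.exe") else None
        if target:
            counts[target] += 1
        else:
            others.append((image.rsplit("\\", 1)[-1], cmdline))
    return counts, others


if __name__ == "__main__":
    counts, others = summarize(SAMPLE_PROCESSES)
    for name, n in counts.most_common():
        print(f"{n:4}  {name}")
    for image, cmdline in others:
        print(f"      {image}: {cmdline}")
```

On the full list the counts collapse a few hundred cmd.exe entries to six dropped file names plus hpufno.exe, which is the set worth carrying into the "Files" section and into hunting queries; the relative-name launches also tell you the working directory of the parent is the Temp folder the files were dropped in.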

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.whatismyip.com udp
US 172.66.40.87:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 172.66.40.87:80 www.whatismyip.com tcp
US 172.66.40.87:80 www.whatismyip.com tcp
US 172.66.40.87:80 www.whatismyip.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.66.40.87:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.blogger.com udp
DE 142.251.209.137:80 www.blogger.com tcp
US 8.8.8.8:53 kgielb.info udp
DE 85.214.228.140:80 kgielb.info tcp
US 8.8.8.8:53 wkfitr.net udp
US 8.8.8.8:53 ukcwiagk.com udp
US 8.8.8.8:53 ejzmnye.info udp
US 8.8.8.8:53 qrjcyen.info udp
US 8.8.8.8:53 jsnjimf.com udp
US 8.8.8.8:53 qirwrkgoo.net udp
US 8.8.8.8:53 nozrzfph.net udp
US 8.8.8.8:53 walpnmyrw.net udp
SG 13.214.182.154:80 walpnmyrw.net tcp
US 8.8.8.8:53 vtkcieexmy.info udp
US 8.8.8.8:53 jknonyl.info udp
US 8.8.8.8:53 uoqgkqlb.net udp
US 8.8.8.8:53 knpogwrnfh.net udp
US 8.8.8.8:53 gyyowqqo.org udp
US 8.8.8.8:53 jexkhytfwddl.info udp
US 104.156.155.94:80 jexkhytfwddl.info tcp
US 8.8.8.8:53 kogmsguy.net udp
US 8.8.8.8:53 xzbajrqctvx.net udp
US 8.8.8.8:53 iijunloxzib.info udp
US 8.8.8.8:53 tjhkun.net udp
US 8.8.8.8:53 kshpvhxatz.info udp
US 8.8.8.8:53 eutwhgkantr.info udp
US 8.8.8.8:53 lzxijcnbax.net udp
US 8.8.8.8:53 grntlkhumpll.info udp
US 8.8.8.8:53 mnszge.net udp
US 8.8.8.8:53 mfiuvxoeyuls.info udp
US 8.8.8.8:53 isxknh.net udp
US 8.8.8.8:53 gqrorkjtfuo.net udp
US 8.8.8.8:53 djnlfkmx.info udp
US 8.8.8.8:53 qmzkmsbif.info udp
US 8.8.8.8:53 ieykyo.org udp
US 8.8.8.8:53 omjgaks.net udp
US 8.8.8.8:53 agdefyghx.net udp
US 8.8.8.8:53 aafmfeo.net udp
US 8.8.8.8:53 mqwogq.com udp
US 8.8.8.8:53 stpkhwhinol.info udp
US 8.8.8.8:53 sjprybamvq.net udp
US 8.8.8.8:53 twdwxepgn.info udp
US 8.8.8.8:53 imieeq.com udp
US 8.8.8.8:53 belahxzwz.org udp
US 8.8.8.8:53 gcaurjfroiq.net udp
US 8.8.8.8:53 yjgotmho.info udp
US 8.8.8.8:53 zlzkdgrna.net udp
US 8.8.8.8:53 sueama.com udp
US 8.8.8.8:53 dllvibvzyund.info udp
US 8.8.8.8:53 vgfsrnh.com udp
US 8.8.8.8:53 zbiperfllc.net udp
US 8.8.8.8:53 jodubsv.net udp
US 8.8.8.8:53 ouvyzhsr.info udp
US 8.8.8.8:53 lnwwnwusjfz.net udp
US 8.8.8.8:53 pnhnky.net udp
US 8.8.8.8:53 hipojjd.com udp
US 8.8.8.8:53 ftjafod.org udp
US 8.8.8.8:53 hfbawr.net udp
US 8.8.8.8:53 ailoffkw.net udp
US 8.8.8.8:53 zgpythnr.info udp
US 8.8.8.8:53 hchijtl.com udp
US 8.8.8.8:53 rahkbenilka.com udp
US 8.8.8.8:53 xpjxzyxntubm.net udp
US 8.8.8.8:53 vmbkkqxkz.com udp
US 8.8.8.8:53 chfoeuhqzmw.net udp
US 8.8.8.8:53 wygimoyakcuy.org udp
US 8.8.8.8:53 lfhzznvfnw.net udp
US 8.8.8.8:53 gglydgy.net udp
US 8.8.8.8:53 jnjjvgjmflfx.info udp
US 8.8.8.8:53 oplrterb.info udp
US 8.8.8.8:53 pwpidqfftma.net udp
US 8.8.8.8:53 hrieydzqbyx.com udp
US 8.8.8.8:53 fijjpuiixyn.net udp
US 8.8.8.8:53 wgftrz.info udp
US 8.8.8.8:53 bulcgs.net udp
US 8.8.8.8:53 kmmigl.net udp
US 8.8.8.8:53 pfzodsxt.info udp
US 8.8.8.8:53 jkkmhyk.info udp
US 8.8.8.8:53 liewnflqwe.info udp
US 8.8.8.8:53 uokdbewsv.info udp
US 8.8.8.8:53 ximidkr.info udp
US 8.8.8.8:53 kdnqpoh.info udp
US 8.8.8.8:53 mptahukwo.net udp
US 8.8.8.8:53 hcreoxwhxlzw.net udp
US 8.8.8.8:53 rupkvo.info udp
US 8.8.8.8:53 juosszwy.net udp
US 8.8.8.8:53 uixqyodhpkpn.net udp
US 8.8.8.8:53 mcogmo.org udp
US 8.8.8.8:53 zcwuiahdrgp.org udp
US 8.8.8.8:53 rwnlzy.net udp
US 8.8.8.8:53 uvndqsxhg.info udp
US 8.8.8.8:53 oowqfaa.info udp
US 8.8.8.8:53 iqnqftqedzs.info udp
US 8.8.8.8:53 okqnikgjoes.net udp
US 8.8.8.8:53 ouvcugpqe.net udp
US 8.8.8.8:53 kdfepafor.info udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 orpvpcxwu.info udp
US 8.8.8.8:53 xgsefzm.com udp
US 8.8.8.8:53 nwveeq.net udp
US 8.8.8.8:53 pvbieb.info udp
US 8.8.8.8:53 pojbbwswpfi.info udp
US 8.8.8.8:53 gzdolwx.net udp
US 8.8.8.8:53 ttgvztbl.net udp
US 8.8.8.8:53 thjufswg.net udp
US 8.8.8.8:53 onthrksn.net udp
US 8.8.8.8:53 cfvyfkaxh.net udp
US 8.8.8.8:53 vwtoxuzax.net udp
US 8.8.8.8:53 omeygqcqyucy.com udp
US 8.8.8.8:53 eddaveal.info udp
US 8.8.8.8:53 ttctlocxzt.info udp
US 8.8.8.8:53 dgrydww.info udp
US 8.8.8.8:53 jgjjpw.info udp
US 8.8.8.8:53 juxnnalwxerh.info udp
US 8.8.8.8:53 tupuxkqajod.com udp
US 8.8.8.8:53 azcgbhxyac.info udp
US 8.8.8.8:53 xavkbkfpa.net udp
US 8.8.8.8:53 miuqdbpy.info udp
US 8.8.8.8:53 wdzwvsy.net udp
US 8.8.8.8:53 cvbkdybqt.net udp
US 8.8.8.8:53 aeabsix.net udp
US 8.8.8.8:53 mozzbzwerk.info udp
US 8.8.8.8:53 omicum.com udp
US 8.8.8.8:53 wwmesiywyc.com udp
US 8.8.8.8:53 jrhutut.org udp
US 8.8.8.8:53 wlrplzl.info udp
US 8.8.8.8:53 uagasoao.com udp
US 8.8.8.8:53 bshkqyu.org udp
US 8.8.8.8:53 dxrlktsaxc.info udp
US 8.8.8.8:53 cqbzxmjkb.info udp
US 8.8.8.8:53 ucwmoumwymuc.com udp
US 8.8.8.8:53 dikgefvb.info udp
US 8.8.8.8:53 ajvukkfjbvt.info udp
US 8.8.8.8:53 bwpkdfd.com udp
US 8.8.8.8:53 wqeiccqamkec.org udp
US 8.8.8.8:53 ciwacksw.com udp
US 8.8.8.8:53 hgrchtg.net udp
US 8.8.8.8:53 nvhslkd.net udp
US 8.8.8.8:53 zakfvnuu.net udp
US 8.8.8.8:53 oqcelnv.info udp
US 8.8.8.8:53 kfkckz.net udp
US 8.8.8.8:53 hvorxknhyigo.info udp
US 8.8.8.8:53 nygqhmzun.info udp
US 8.8.8.8:53 kfacjnifpnyh.info udp
US 8.8.8.8:53 qcrgay.info udp
US 8.8.8.8:53 iuhmtjt.info udp
US 8.8.8.8:53 cumwjslkixl.net udp
US 8.8.8.8:53 tyoerep.com udp
US 8.8.8.8:53 okgccrvs.net udp
US 8.8.8.8:53 ystebiqsuj.info udp
US 8.8.8.8:53 jqbcyolmf.info udp
US 8.8.8.8:53 conuxqfqvuh.net udp
US 8.8.8.8:53 aqaocm.com udp
US 8.8.8.8:53 nyryptt.info udp
US 8.8.8.8:53 vtzmrqzbp.info udp
US 8.8.8.8:53 iupgmiw.info udp
US 8.8.8.8:53 gycilijbpof.info udp
US 8.8.8.8:53 fikabkhybxw.org udp
US 8.8.8.8:53 zycbehjggwke.info udp
US 8.8.8.8:53 sdgypj.info udp
US 8.8.8.8:53 ekvnznlov.info udp
US 8.8.8.8:53 tdembpduv.net udp
US 8.8.8.8:53 fhjevs.net udp
US 8.8.8.8:53 uawohwbfojd.info udp
US 8.8.8.8:53 uwqivof.net udp
US 8.8.8.8:53 bbxwjdlyb.net udp
US 8.8.8.8:53 ctilcy.net udp
US 8.8.8.8:53 uhjwry.info udp
US 8.8.8.8:53 vqlqxsnes.info udp
US 8.8.8.8:53 lvtyhqheccxw.net udp
US 8.8.8.8:53 kqrqvqw.info udp
US 8.8.8.8:53 fykwmkoxniwf.net udp
US 8.8.8.8:53 pyvpwmlefkv.org udp
US 8.8.8.8:53 dhsvcdhz.net udp
US 8.8.8.8:53 iimwksecasqg.com udp
US 8.8.8.8:53 jmrnfvo.org udp
US 8.8.8.8:53 utgydvjh.info udp
US 8.8.8.8:53 mcygkwqm.org udp
US 8.8.8.8:53 akiuiyqc.org udp
US 8.8.8.8:53 qaflrckpjwn.net udp
US 8.8.8.8:53 ciewkmugca.org udp
US 8.8.8.8:53 jxcsgestbkig.net udp
US 8.8.8.8:53 kcyowkao.com udp
US 8.8.8.8:53 mywkquqkuu.com udp
US 8.8.8.8:53 uvxwgvakbp.net udp
US 8.8.8.8:53 kwfddazlfbr.net udp
US 8.8.8.8:53 zmnprckzdsq.org udp
US 8.8.8.8:53 nqzcjqvyb.com udp
US 8.8.8.8:53 fgugue.net udp
US 8.8.8.8:53 dkhpinkmdflo.info udp
US 8.8.8.8:53 gykyuugqwwqm.org udp
US 8.8.8.8:53 ijevrjmd.net udp
US 8.8.8.8:53 zmhxpf.info udp
US 8.8.8.8:53 ssusyksw.org udp
US 8.8.8.8:53 uyzsxkbu.net udp
US 8.8.8.8:53 suaawe.org udp
US 8.8.8.8:53 iimuewua.com udp
US 8.8.8.8:53 cfybcawuwkbv.net udp
US 8.8.8.8:53 amwlzwksdlu.net udp
US 8.8.8.8:53 evleyaxongn.info udp
US 8.8.8.8:53 mhnnqyayup.info udp
US 8.8.8.8:53 nkvwdongy.net udp
US 8.8.8.8:53 aqiwmyai.org udp
US 8.8.8.8:53 oazqfkr.info udp
US 8.8.8.8:53 ghmggr.info udp
US 8.8.8.8:53 zlcppxwb.info udp
US 8.8.8.8:53 swlmkovddcp.net udp
US 8.8.8.8:53 qekawcukeuie.com udp
US 8.8.8.8:53 xqdersbedxp.net udp
US 8.8.8.8:53 viceyfxhdthe.net udp
US 8.8.8.8:53 sdbann.net udp
US 8.8.8.8:53 hzpybx.info udp
US 8.8.8.8:53 ookgcvfk.info udp
US 8.8.8.8:53 tcpbcllr.info udp
US 8.8.8.8:53 jakfpc.net udp
US 8.8.8.8:53 zutagbtdnoxk.net udp
US 8.8.8.8:53 gfxdruagt.net udp
US 8.8.8.8:53 innygp.net udp
US 8.8.8.8:53 dirqzbv.info udp
US 8.8.8.8:53 hfnqnekjrda.org udp
US 8.8.8.8:53 thvuqfop.net udp
US 8.8.8.8:53 euxmzvrkp.info udp
US 8.8.8.8:53 sagsmu.com udp
US 8.8.8.8:53 aftcbwl.net udp
US 8.8.8.8:53 zborti.info udp
US 8.8.8.8:53 tpaxrd.info udp
US 8.8.8.8:53 jinxlfpdld.net udp
US 8.8.8.8:53 fguceef.info udp
US 8.8.8.8:53 gunhuyefeoae.info udp
US 8.8.8.8:53 gnzpxs.net udp
US 8.8.8.8:53 mctvvewyfmm.net udp
US 8.8.8.8:53 pqfvrhmuydzw.net udp
US 8.8.8.8:53 ilopksbnsz.net udp
US 8.8.8.8:53 aiesasyk.org udp
US 8.8.8.8:53 mgkuekgq.com udp
US 8.8.8.8:53 ddalrgnchr.net udp
US 8.8.8.8:53 wmcauomiay.com udp
US 8.8.8.8:53 nczfdcdsxw.info udp
US 8.8.8.8:53 wktodg.info udp
US 8.8.8.8:53 hkhmgrdmb.net udp
US 8.8.8.8:53 njlmeodybmz.org udp
US 8.8.8.8:53 vosuvijyr.net udp
US 8.8.8.8:53 qurgxjvi.net udp
US 8.8.8.8:53 cqycylhynrd.net udp
US 8.8.8.8:53 dkgflxoe.net udp
US 8.8.8.8:53 wuxmmldt.net udp
US 8.8.8.8:53 qerofmbgxsy.info udp
US 8.8.8.8:53 myuqmckieq.org udp
US 8.8.8.8:53 susjohwila.info udp
US 8.8.8.8:53 uogicigmue.org udp
US 8.8.8.8:53 uvozgz.info udp
US 8.8.8.8:53 qhmxhx.net udp
US 8.8.8.8:53 gwfcwdn.net udp
US 8.8.8.8:53 mpwmvekw.info udp
US 8.8.8.8:53 ecaxpk.info udp
US 8.8.8.8:53 bmoyhg.net udp
US 8.8.8.8:53 eeowas.info udp
US 8.8.8.8:53 fodvrrfqtwy.net udp
US 8.8.8.8:53 pmkjtfqint.info udp
US 8.8.8.8:53 hoesempmfqz.com udp
US 8.8.8.8:53 pyvfdu.net udp
US 8.8.8.8:53 pfdhignj.net udp
US 8.8.8.8:53 hvoimzxepmnn.net udp
US 8.8.8.8:53 usgggwykyque.com udp
US 8.8.8.8:53 ckymoasocooo.org udp
US 8.8.8.8:53 gygetwtaf.info udp
US 8.8.8.8:53 bvbtig.info udp
US 8.8.8.8:53 tkvltrgf.net udp
US 8.8.8.8:53 waosmsuoqmiq.com udp
US 8.8.8.8:53 kbwibedgi.info udp
US 8.8.8.8:53 iaphnsbat.info udp
US 8.8.8.8:53 olijdrlmzb.net udp
US 8.8.8.8:53 hwnqtfpeheaz.net udp
US 8.8.8.8:53 cirsxyyaxqf.net udp
US 8.8.8.8:53 igokmsymkm.org udp
US 8.8.8.8:53 ljwhxvh.net udp
US 8.8.8.8:53 iudaiyiutga.net udp
US 8.8.8.8:53 qmmasgeisyga.org udp
US 8.8.8.8:53 vrzjngidhobq.net udp
US 8.8.8.8:53 xrdqzb.info udp
US 8.8.8.8:53 jcrelthtaat.net udp
US 8.8.8.8:53 qmgnqyayup.net udp
US 8.8.8.8:53 lpladpczah.net udp
US 8.8.8.8:53 gykmgwqc.org udp
US 8.8.8.8:53 olwwzvbjuvtp.info udp
US 8.8.8.8:53 ugiswgsiwy.com udp
US 8.8.8.8:53 ndhfgrucbg.net udp
US 8.8.8.8:53 yffbsbvpxj.net udp
US 8.8.8.8:53 jkdlubfs.info udp
US 8.8.8.8:53 csqfrkrpp.info udp
US 8.8.8.8:53 vghrznsx.info udp
US 8.8.8.8:53 cwialenrx.info udp
US 8.8.8.8:53 ysakmkee.com udp
US 8.8.8.8:53 pegsloz.info udp
US 8.8.8.8:53 ggnpzwloh.net udp
US 8.8.8.8:53 ojbwcofwhor.info udp
US 8.8.8.8:53 fkmohh.info udp
US 8.8.8.8:53 ndzupwa.com udp
US 8.8.8.8:53 jlzidx.info udp
US 8.8.8.8:53 uirtyiiehncz.info udp
US 8.8.8.8:53 zklqfdwcb.org udp
US 8.8.8.8:53 tpsiuh.net udp
US 8.8.8.8:53 fohdyo.info udp
US 8.8.8.8:53 uifyhmw.net udp
US 8.8.8.8:53 gzoyhi.net udp
US 8.8.8.8:53 tyboiku.net udp
US 8.8.8.8:53 vpshbvrar.com udp
US 8.8.8.8:53 wyrgmd.net udp
US 8.8.8.8:53 aooyesuikq.com udp
US 8.8.8.8:53 xefyzgvv.info udp
US 8.8.8.8:53 twpesi.info udp
US 8.8.8.8:53 ladhtrpbmvhl.net udp
US 8.8.8.8:53 zbehxkyftm.info udp
US 8.8.8.8:53 gajgdrt.net udp
US 8.8.8.8:53 unaycqj.info udp
US 8.8.8.8:53 vtefccu.org udp
US 8.8.8.8:53 bpzstgba.net udp
US 8.8.8.8:53 jqoatxo.com udp
US 8.8.8.8:53 mavqfznz.info udp
US 8.8.8.8:53 oalqtqzxdcr.info udp
US 8.8.8.8:53 gacabqjmesw.info udp
US 8.8.8.8:53 fccldj.info udp
US 8.8.8.8:53 cofxnvderwvc.info udp
US 8.8.8.8:53 gwgiim.org udp
US 8.8.8.8:53 fchghszex.net udp
US 8.8.8.8:53 nwrgrfdozs.info udp
US 8.8.8.8:53 pslddgzjsf.net udp
US 8.8.8.8:53 ukssiiycgi.com udp
US 8.8.8.8:53 gtkceyn.net udp
US 8.8.8.8:53 seiotsoe.info udp
US 8.8.8.8:53 epnerpt.info udp
US 8.8.8.8:53 znlfenovmt.info udp
US 8.8.8.8:53 azziayuho.info udp
US 8.8.8.8:53 bkcdpdaizcwx.info udp
US 8.8.8.8:53 vuacertp.net udp
US 8.8.8.8:53 mgfidekol.info udp
US 8.8.8.8:53 oiejxldbtkb.net udp
US 8.8.8.8:53 ahsanuzvower.net udp
US 8.8.8.8:53 fllhzyzvbsxw.net udp
US 8.8.8.8:53 swicacukmsao.org udp
US 8.8.8.8:53 nffqsfqtd.com udp
US 8.8.8.8:53 ccqoiciq.com udp
US 8.8.8.8:53 bzfuqzxsfz.net udp
US 8.8.8.8:53 hprerydzd.com udp
US 8.8.8.8:53 fssqtwxyefz.net udp
US 8.8.8.8:53 shpyfavaeyh.net udp
US 8.8.8.8:53 ltiljcqa.net udp
US 8.8.8.8:53 ohpsnmt.info udp
US 8.8.8.8:53 lckyvcpn.info udp
US 8.8.8.8:53 gehsuywdq.net udp
US 8.8.8.8:53 ztffudgwzlvu.info udp
US 8.8.8.8:53 jzrwjdlcaa.info udp
US 8.8.8.8:53 tkbemewmlcbv.info udp
US 8.8.8.8:53 tbqhixnsgl.info udp
US 8.8.8.8:53 puwioyvwh.com udp
US 8.8.8.8:53 ketrqfdreh.net udp
US 8.8.8.8:53 jpiauqrujtxf.net udp
US 8.8.8.8:53 nddagzwguh.net udp
US 8.8.8.8:53 ksaauwyksqoa.com udp
US 8.8.8.8:53 quoeii.info udp
US 8.8.8.8:53 xpnzneri.net udp
US 8.8.8.8:53 izdsxkwfw.info udp
US 8.8.8.8:53 nsvsiurumoi.org udp
US 8.8.8.8:53 dppayanib.info udp
US 8.8.8.8:53 esshflvxdp.info udp
US 8.8.8.8:53 avztdo.info udp
US 8.8.8.8:53 zoosdjduv.net udp
US 8.8.8.8:53 elsudrbfjxgx.net udp
US 8.8.8.8:53 ebzgbwb.net udp
US 8.8.8.8:53 tpdiradj.net udp
US 8.8.8.8:53 znnuiijx.info udp
US 8.8.8.8:53 iomatkiym.info udp
US 8.8.8.8:53 xiaaqgyv.net udp
US 8.8.8.8:53 tscidmuecrzw.net udp
US 8.8.8.8:53 dfwpwztisj.info udp
US 8.8.8.8:53 zrtypthhdj.net udp
US 8.8.8.8:53 fsqwpxtpx.com udp
US 8.8.8.8:53 cabcpoo.net udp
US 8.8.8.8:53 xsdwxmohbao.info udp
US 8.8.8.8:53 cysyyqwq.org udp
US 8.8.8.8:53 didolaqvxuh.net udp
US 8.8.8.8:53 ioaogmxcsld.net udp
US 8.8.8.8:53 qkiqmyiw.com udp
US 8.8.8.8:53 vspypxn.com udp
US 8.8.8.8:53 lwubnxnsrqa.org udp
US 8.8.8.8:53 kdhzwczvplfc.net udp
US 8.8.8.8:53 dgmrjhtt.net udp
US 8.8.8.8:53 tzlerpprd.info udp
US 8.8.8.8:53 jmmwaqznh.org udp
US 8.8.8.8:53 jkygffjpe.org udp
US 8.8.8.8:53 ewiycc.com udp
US 8.8.8.8:53 fllmbhbat.info udp
US 8.8.8.8:53 qgdodchepsj.info udp
US 8.8.8.8:53 dfsrtsqn.net udp
US 8.8.8.8:53 dzbabtpndtk.net udp
US 8.8.8.8:53 aqzuehezrodu.net udp
US 8.8.8.8:53 ggrireq.info udp
US 8.8.8.8:53 tjthlmxwycov.info udp
US 8.8.8.8:53 zgxgisd.info udp
US 8.8.8.8:53 iqhwnmqydmb.info udp
US 8.8.8.8:53 kiccmsgssi.org udp
US 8.8.8.8:53 budyocq.org udp
US 8.8.8.8:53 ggvlvnu.info udp
US 8.8.8.8:53 lbhmlmbgrtpy.net udp
US 8.8.8.8:53 vsxgrjr.info udp
US 8.8.8.8:53 ymmeaawq.org udp
US 8.8.8.8:53 ywysfqdnxwj.info udp
US 8.8.8.8:53 rsbkroygp.org udp
US 8.8.8.8:53 yhruxwwcog.info udp
US 8.8.8.8:53 uhnqpit.info udp
US 8.8.8.8:53 sazgfiaujqe.net udp
US 8.8.8.8:53 niegtihm.info udp
US 8.8.8.8:53 xqlgdhd.net udp
US 8.8.8.8:53 cuuhycziuspj.info udp
US 8.8.8.8:53 kggeaemy.com udp
US 8.8.8.8:53 npjeoantjqe.info udp
US 8.8.8.8:53 auykucggmgac.com udp
US 8.8.8.8:53 emzgrjh.net udp
US 8.8.8.8:53 zyrgndssnv.info udp
US 8.8.8.8:53 fgbgqvhlulxx.info udp
US 8.8.8.8:53 mswscyww.com udp
US 8.8.8.8:53 ouuumqhyv.info udp
US 8.8.8.8:53 vmzqeqdilzjm.info udp
US 8.8.8.8:53 omqgukoeyo.org udp
US 8.8.8.8:53 brlknql.org udp
US 8.8.8.8:53 kkeucuki.com udp
US 8.8.8.8:53 ocvtnvur.info udp
US 8.8.8.8:53 jswuncvvu.net udp
US 8.8.8.8:53 bndenikl.info udp
US 8.8.8.8:53 hfdsfjhkp.com udp
US 8.8.8.8:53 aoqehamscev.net udp
US 8.8.8.8:53 ygseegui.com udp
US 8.8.8.8:53 kxtrqr.info udp
US 8.8.8.8:53 zchvdwljyy.net udp
US 8.8.8.8:53 yiweciqeoe.org udp
US 8.8.8.8:53 oinkrjdalcu.net udp
US 8.8.8.8:53 wezwkfy.net udp
US 8.8.8.8:53 acyiyawiusoe.org udp
US 8.8.8.8:53 jwbddahptk.info udp
US 8.8.8.8:53 hoyoifgozk.info udp
US 8.8.8.8:53 zbbnrqcwxbxd.net udp
US 8.8.8.8:53 chnrelp.info udp
US 8.8.8.8:53 noqtfsdrvob.info udp
US 8.8.8.8:53 kdbetjmzql.net udp
US 8.8.8.8:53 zfrwxqr.info udp
US 8.8.8.8:53 nypdxxpyv.info udp
US 8.8.8.8:53 dxhkvden.info udp
US 8.8.8.8:53 uegelmp.net udp
US 8.8.8.8:53 eyinbpdyc.info udp
US 8.8.8.8:53 zcshdpigza.net udp
US 8.8.8.8:53 tbhyxkjfzfjc.net udp
US 8.8.8.8:53 birexkvuo.com udp
US 8.8.8.8:53 lgbjzutrf.com udp
US 8.8.8.8:53 golqfxdvybrw.info udp
US 8.8.8.8:53 umbengluyqt.info udp
US 8.8.8.8:53 vgbyxmbsg.net udp
US 8.8.8.8:53 huhomajfvcf.org udp
US 8.8.8.8:53 dhpdbozv.info udp
US 8.8.8.8:53 flzgajd.info udp
US 8.8.8.8:53 usymgcik.com udp
US 8.8.8.8:53 ramwjzzgl.net udp
US 8.8.8.8:53 aupdbyxv.net udp
US 8.8.8.8:53 jzuztayf.net udp
US 8.8.8.8:53 gwofrznaqlkb.info udp
US 8.8.8.8:53 nihjtmfpp.info udp
US 8.8.8.8:53 wbsunmlquwn.net udp
US 8.8.8.8:53 dgxmcj.info udp
US 8.8.8.8:53 kycswy.com udp
US 8.8.8.8:53 zsbcepztj.net udp
US 8.8.8.8:53 sxoelqf.info udp
US 8.8.8.8:53 ysfgysg.net udp
US 8.8.8.8:53 ajksoccldcly.info udp
US 8.8.8.8:53 munfhwxqbwc.net udp
US 8.8.8.8:53 aahazih.info udp
US 8.8.8.8:53 mwhfiijxus.net udp
US 8.8.8.8:53 qykwckce.org udp
US 8.8.8.8:53 kcpwgsa.net udp
US 8.8.8.8:53 hqxxoaxp.info udp
US 8.8.8.8:53 pulkkajehkk.info udp
US 8.8.8.8:53 skbkcd.info udp
US 8.8.8.8:53 ycflemdoxeuj.net udp
US 8.8.8.8:53 biponaky.info udp
US 8.8.8.8:53 nqnzpuwqgip.net udp
US 8.8.8.8:53 bedavojujqc.org udp
US 8.8.8.8:53 tqzqeunk.net udp
US 8.8.8.8:53 dxvzwxqute.net udp
US 8.8.8.8:53 lnxbduz.info udp
US 8.8.8.8:53 pjjchmjje.info udp
US 8.8.8.8:53 giadfmyz.info udp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 qhkcfwttae.net udp
DE 142.250.181.195:80 c.pki.goog tcp
US 8.8.8.8:53 qlrjpd.info udp
US 8.8.8.8:53 tvxzbdflnp.net udp
US 8.8.8.8:53 vtgoquketuvm.info udp
US 8.8.8.8:53 bmacdaecl.org udp
US 8.8.8.8:53 xbdlvovopr.net udp
US 8.8.8.8:53 rrjfcqjxvsif.info udp
US 8.8.8.8:53 fohtnzomm.org udp
US 8.8.8.8:53 aganokn.net udp
US 8.8.8.8:53 vibtlp.info udp
US 8.8.8.8:53 xarqaybbvd.info udp
US 8.8.8.8:53 xwhmlab.net udp
US 8.8.8.8:53 borkjfgcivdi.info udp
US 8.8.8.8:53 lufmxmv.com udp
US 8.8.8.8:53 acvenev.info udp
US 8.8.8.8:53 trtenmbzfqb.com udp
US 8.8.8.8:53 auravkshl.info udp
US 8.8.8.8:53 rsktgqwp.info udp
US 8.8.8.8:53 sacyyemmmags.org udp
US 8.8.8.8:53 asilux.net udp
US 8.8.8.8:53 jxgjaulkxush.net udp
US 8.8.8.8:53 rcpsjsxwvoy.org udp
US 8.8.8.8:53 conadth.net udp
US 8.8.8.8:53 eywojjgnvmgx.info udp
US 8.8.8.8:53 ykemsgmyaymq.com udp
US 8.8.8.8:53 qnueqalae.net udp
US 8.8.8.8:53 tkzwwug.info udp
US 8.8.8.8:53 hixxfpbnrgzb.net udp
US 8.8.8.8:53 tautjujp.info udp
US 8.8.8.8:53 vmxuvcr.net udp
US 8.8.8.8:53 hxiirlcmnyd.org udp
US 8.8.8.8:53 aykysuce.org udp
US 8.8.8.8:53 kckikwcckk.com udp
US 8.8.8.8:53 kgyico.org udp
US 8.8.8.8:53 jjrjwtlrtv.info udp
US 8.8.8.8:53 wguioi.com udp
US 8.8.8.8:53 dwhusqrct.org udp
US 8.8.8.8:53 naereuvif.net udp
US 8.8.8.8:53 xfdioxjmdcn.org udp
US 8.8.8.8:53 hvdzuout.net udp
US 8.8.8.8:53 wwzsxwnqi.net udp
US 8.8.8.8:53 wqqcax.info udp
US 8.8.8.8:53 pxxaritsyifh.info udp
US 8.8.8.8:53 qkbidtazk.net udp
US 8.8.8.8:53 balyhmxcj.com udp
US 8.8.8.8:53 cznazzhul.info udp
US 8.8.8.8:53 ytpwlqvysof.net udp
US 8.8.8.8:53 zjgaqeiklplz.info udp
US 8.8.8.8:53 bucurizr.info udp
US 8.8.8.8:53 kdbirsncstof.net udp
US 8.8.8.8:53 wnrfdjxuv.net udp
US 8.8.8.8:53 rapcmavkxzz.net udp
US 8.8.8.8:53 fqilcp.info udp
US 8.8.8.8:53 ikokeoscqake.com udp
US 8.8.8.8:53 rxtqnt.net udp
US 8.8.8.8:53 gwtsdjvuqkv.net udp
US 8.8.8.8:53 kcsqymusqkko.org udp
US 8.8.8.8:53 fimmpk.info udp
US 8.8.8.8:53 dlvwlhxclem.org udp
US 8.8.8.8:53 yxhmfckxss.net udp
US 8.8.8.8:53 ukdmhhnybwt.info udp
US 8.8.8.8:53 pvzgxpbk.net udp
US 8.8.8.8:53 yawirqhuqtk.info udp
US 8.8.8.8:53 tgrxpghlkwb.com udp
US 8.8.8.8:53 rbhfhb.net udp
US 8.8.8.8:53 baoulox.com udp
US 8.8.8.8:53 imthnyvtsr.net udp
US 8.8.8.8:53 bfsortthjj.net udp
US 8.8.8.8:53 njxzkqdfwkat.net udp
US 8.8.8.8:53 psrgfpfxb.info udp
US 8.8.8.8:53 glukbvaoce.info udp
US 8.8.8.8:53 yelgxiiwm.info udp
US 8.8.8.8:53 wzvyvb.net udp
US 8.8.8.8:53 irzsud.net udp
US 8.8.8.8:53 uwkuouye.org udp
US 8.8.8.8:53 ocpebyvauif.net udp
US 8.8.8.8:53 rmavzxlefl.info udp
US 8.8.8.8:53 dftzojyyr.org udp
US 8.8.8.8:53 qsekog.com udp
US 8.8.8.8:53 slxcpozwv.info udp
US 8.8.8.8:53 uopubvyiebrz.info udp
US 8.8.8.8:53 debungdctiq.org udp
US 8.8.8.8:53 shjqjdj.net udp
US 8.8.8.8:53 oajyysyrvlp.net udp
US 8.8.8.8:53 wimicuoq.org udp
US 8.8.8.8:53 wmsecg.com udp
US 8.8.8.8:53 zflotqvoa.com udp
US 8.8.8.8:53 lrzvfuqenc.info udp
US 8.8.8.8:53 yhauzibing.info udp
US 8.8.8.8:53 kqyucgkaukie.com udp
US 8.8.8.8:53 louydqxghkb.info udp
US 8.8.8.8:53 nysriymvg.net udp
US 8.8.8.8:53 pmfoloiyw.info udp
US 8.8.8.8:53 vghtpdbdzwzy.net udp
US 8.8.8.8:53 rsihjdhhlc.net udp
US 8.8.8.8:53 tzgkjwj.net udp
US 8.8.8.8:53 twrxhwl.com udp
US 8.8.8.8:53 wshuyyz.info udp
US 8.8.8.8:53 fiiivwzuxoz.net udp
US 8.8.8.8:53 eojyrsr.info udp
US 8.8.8.8:53 ykxcuvriw.net udp
US 8.8.8.8:53 jtturk.net udp
US 8.8.8.8:53 dzlndsjynadz.net udp
US 8.8.8.8:53 ymjzvdl.net udp
US 8.8.8.8:53 jaxixctobw.info udp
US 8.8.8.8:53 potmhghdfyyy.net udp
US 8.8.8.8:53 nblyev.info udp
US 8.8.8.8:53 aetqlldkruk.net udp
US 8.8.8.8:53 tanifybor.info udp
US 8.8.8.8:53 huvusrl.net udp
US 8.8.8.8:53 xnvzxciv.info udp
US 8.8.8.8:53 hkbodh.info udp
US 8.8.8.8:53 yurkrbtp.net udp
US 8.8.8.8:53 qnvnjopvonhc.net udp
US 8.8.8.8:53 wejcfaten.info udp
US 8.8.8.8:53 crofytieqcyl.net udp
US 8.8.8.8:53 twsrgi.info udp
US 8.8.8.8:53 gsoswi.org udp
US 8.8.8.8:53 kfcyvkqzskfw.info udp
US 8.8.8.8:53 voijuuhsleg.org udp
US 8.8.8.8:53 fwhohgjcx.info udp
US 8.8.8.8:53 tsxsbvfgikg.org udp
US 8.8.8.8:53 ycguqwqemu.org udp
US 8.8.8.8:53 yqeaes.com udp
US 8.8.8.8:53 aqcbfxvjw.net udp
US 8.8.8.8:53 jnrkdybowyj.info udp
US 8.8.8.8:53 bkewpipqh.org udp
US 8.8.8.8:53 hmickfd.net udp
US 8.8.8.8:53 feridzfdvgf.info udp
US 8.8.8.8:53 hiuwaynmn.org udp
US 8.8.8.8:53 jddctcdsf.net udp
US 8.8.8.8:53 bybsubyhzqy.net udp
US 8.8.8.8:53 lmxgbgdmh.net udp
US 8.8.8.8:53 pwetdm.info udp
US 8.8.8.8:53 deabru.info udp
US 8.8.8.8:53 wyyaaskw.com udp
US 8.8.8.8:53 icogsz.info udp
US 8.8.8.8:53 nkrwclb.net udp
US 8.8.8.8:53 sgemmzd.net udp
US 8.8.8.8:53 xphkvoxyhzcm.net udp
US 8.8.8.8:53 ycyeqw.com udp
US 8.8.8.8:53 kcyvkwehlktd.info udp
US 8.8.8.8:53 rjxljplooa.info udp
US 8.8.8.8:53 yqtihqtfy.info udp
US 8.8.8.8:53 uhzerkvsz.net udp
US 8.8.8.8:53 casynozwl.net udp
US 8.8.8.8:53 hevclubqcmc.com udp
US 8.8.8.8:53 vfelmatb.net udp
US 8.8.8.8:53 dotslsvpp.com udp
US 8.8.8.8:53 aawycgkcwm.com udp
US 8.8.8.8:53 tqhchbsarin.org udp
US 8.8.8.8:53 ikysmgcqmqgu.org udp
US 8.8.8.8:53 gakbtko.net udp
US 8.8.8.8:53 earmnwvis.info udp
US 8.8.8.8:53 kxjokmho.net udp
US 8.8.8.8:53 hihmpbrvblay.info udp
US 8.8.8.8:53 pildcv.info udp
US 8.8.8.8:53 oqikyg.org udp
US 8.8.8.8:53 wmycui.org udp
US 8.8.8.8:53 omsctadfvkl.net udp
US 8.8.8.8:53 zslprn.net udp
US 8.8.8.8:53 oiawfcr.info udp
US 8.8.8.8:53 cumkjslye.info udp
US 8.8.8.8:53 zvglrkse.net udp
US 8.8.8.8:53 zkraclmnemme.info udp
US 8.8.8.8:53 eolkzqp.net udp
US 8.8.8.8:53 vtriyb.info udp
US 8.8.8.8:53 wogkyeqeke.org udp
US 8.8.8.8:53 dgpwvwz.net udp
US 8.8.8.8:53 tcpkgejobkh.net udp
US 8.8.8.8:53 gwnkxq.net udp
US 8.8.8.8:53 bibrbktnnyx.net udp
US 8.8.8.8:53 zofzuotujgu.info udp
US 8.8.8.8:53 suqldwpylage.net udp
US 8.8.8.8:53 hyahdazux.info udp
US 8.8.8.8:53 lqtlhptiaif.info udp
US 8.8.8.8:53 ugauxxfnob.info udp
US 8.8.8.8:53 qsqkwc.org udp
US 8.8.8.8:53 azdjdzqjqtui.net udp
US 8.8.8.8:53 vynwnoisdfj.info udp
US 8.8.8.8:53 lrpglzlr.net udp
US 8.8.8.8:53 stuyiskoftqb.info udp
US 8.8.8.8:53 odauoqd.info udp
US 8.8.8.8:53 qhlwbioieav.net udp
US 8.8.8.8:53 jhxiqz.info udp
US 8.8.8.8:53 rkqbmq.info udp
US 8.8.8.8:53 uicssgckkm.com udp
US 8.8.8.8:53 izhukfmyyyz.net udp
US 8.8.8.8:53 mmhfpd.net udp
US 8.8.8.8:53 bboyljrs.net udp
US 8.8.8.8:53 qedielgi.net udp
US 8.8.8.8:53 rxynkaaokphz.net udp
US 8.8.8.8:53 pfmgqefuf.info udp
US 8.8.8.8:53 hqhmzknpu.com udp
US 8.8.8.8:53 oageqc.com udp
US 8.8.8.8:53 zsrnhalwarn.net udp
US 8.8.8.8:53 yiioeuiywqws.com udp
US 8.8.8.8:53 tzrqvqhhveb.net udp
US 8.8.8.8:53 jbdkryrmz.info udp
US 8.8.8.8:53 gixxkky.net udp
US 8.8.8.8:53 itsjjmhudvm.net udp
US 8.8.8.8:53 uskmuqqoekqc.org udp
US 8.8.8.8:53 vhngmzee.info udp
US 8.8.8.8:53 lpkztmhavwo.net udp
US 8.8.8.8:53 uqvoniv.info udp
US 8.8.8.8:53 oohcfcw.info udp
US 8.8.8.8:53 iygsie.org udp
US 8.8.8.8:53 vsthpi.info udp
US 8.8.8.8:53 njtdpksqnhbo.info udp
US 8.8.8.8:53 jxzoxjeyi.net udp
US 8.8.8.8:53 ythjpklysc.net udp
US 8.8.8.8:53 asomuw.com udp
US 8.8.8.8:53 cbfgvvjw.net udp
US 8.8.8.8:53 pjqalclh.net udp
US 8.8.8.8:53 fguatetv.net udp
US 8.8.8.8:53 ueqiogioyg.com udp
US 8.8.8.8:53 cgfjbao.info udp
US 8.8.8.8:53 oajgbc.net udp
US 8.8.8.8:53 zijwfifij.com udp
US 8.8.8.8:53 ppxasj.net udp
US 8.8.8.8:53 iseiiz.net udp
US 8.8.8.8:53 rfegrwpsrpb.org udp
US 8.8.8.8:53 bcdzosrknuw.net udp
US 8.8.8.8:53 okemhgrj.info udp
US 8.8.8.8:53 iehhjbhzj.net udp
US 8.8.8.8:53 byorzmbnx.net udp
US 8.8.8.8:53 orkhgepxdfsx.info udp
US 8.8.8.8:53 krvbeiprbkg.net udp
US 8.8.8.8:53 tgrcrujgn.net udp
US 8.8.8.8:53 bktjdpl.com udp
US 8.8.8.8:53 hwjgveksfit.org udp
US 8.8.8.8:53 vopeczwcsst.info udp
US 8.8.8.8:53 zagpqjqags.info udp
US 8.8.8.8:53 iofmbqm.info udp
US 8.8.8.8:53 xvotaqhjhsqc.net udp
US 8.8.8.8:53 ygjofonnmij.info udp
US 8.8.8.8:53 qkyaoykequ.com udp
US 8.8.8.8:53 qybgvczfj.net udp
US 8.8.8.8:53 uckcswsayy.com udp
US 8.8.8.8:53 iifywsqcb.info udp
US 8.8.8.8:53 oytblya.info udp
US 8.8.8.8:53 hsswgqno.info udp
US 8.8.8.8:53 zqhaunsuqmy.info udp
US 8.8.8.8:53 flqvobysxucq.net udp
US 8.8.8.8:53 jmjrhupcq.net udp
US 8.8.8.8:53 xleqksl.com udp
US 8.8.8.8:53 igulgixnh.net udp
US 8.8.8.8:53 nlhlzihxv.net udp
US 8.8.8.8:53 ncvmbqxaqun.net udp
US 8.8.8.8:53 bxnzeh.net udp
US 8.8.8.8:53 vyjuleroeiv.net udp
US 8.8.8.8:53 fzrcbilll.org udp
US 8.8.8.8:53 gmhqtqqqxhe.info udp
US 8.8.8.8:53 vdfgrwbu.info udp
US 8.8.8.8:53 qukbfhv.info udp
US 8.8.8.8:53 wzngdnueebgn.net udp
US 8.8.8.8:53 tqxiwjs.com udp
US 8.8.8.8:53 okcvydkmleo.info udp
US 8.8.8.8:53 qmxilwcozeo.info udp
US 8.8.8.8:53 hsvfegxnfxhp.net udp
US 8.8.8.8:53 rytonhw.info udp
US 8.8.8.8:53 awxfarhavegg.info udp
US 8.8.8.8:53 xajqbmyxptg.net udp
US 8.8.8.8:53 msdwpikctjfm.net udp
US 8.8.8.8:53 mwurqbxq.info udp
US 8.8.8.8:53 ykhusrgw.info udp
US 8.8.8.8:53 wfscpqvq.info udp
US 8.8.8.8:53 poumlpfec.net udp
US 8.8.8.8:53 gktsoyvct.info udp
US 8.8.8.8:53 wowcgmlsc.net udp
US 8.8.8.8:53 yqnwfjtuzbme.net udp
US 8.8.8.8:53 srtask.info udp
US 8.8.8.8:53 mgheha.net udp
US 8.8.8.8:53 odpvzfteatse.net udp
US 8.8.8.8:53 ssiijnlj.info udp
US 8.8.8.8:53 torebox.org udp
US 8.8.8.8:53 ptfyyjctprrn.net udp
US 8.8.8.8:53 kcoyooukiisg.org udp
US 8.8.8.8:53 zgnnqizd.net udp
US 8.8.8.8:53 ypjmvfl.net udp
US 8.8.8.8:53 tkatzaqfeg.net udp
US 8.8.8.8:53 uucqsyeiywaw.com udp
US 8.8.8.8:53 bzcssrek.info udp
US 8.8.8.8:53 xzenfwptnint.info udp
US 8.8.8.8:53 qsvbfpxo.net udp
US 8.8.8.8:53 dwvorarulms.info udp
US 8.8.8.8:53 kusqys.com udp
US 8.8.8.8:53 kyalastnpwbd.net udp
US 8.8.8.8:53 fexytwcgh.net udp
US 8.8.8.8:53 oaxwyovofwa.info udp
US 8.8.8.8:53 znxwnatezh.net udp
US 8.8.8.8:53 hzpjccmddc.net udp
US 8.8.8.8:53 gajfphgrxc.net udp
US 8.8.8.8:53 mlqqdujby.net udp
US 8.8.8.8:53 jnimhlgamn.net udp
US 8.8.8.8:53 pkoojggqp.net udp
US 8.8.8.8:53 wcaqnx.info udp
US 8.8.8.8:53 ryzwfb.info udp
US 8.8.8.8:53 ygeuiicascey.org udp
US 8.8.8.8:53 rjdohuzyq.com udp
US 8.8.8.8:53 aqwgsiumioom.org udp
US 8.8.8.8:53 muwvaturqifi.net udp
US 8.8.8.8:53 frfidw.net udp
US 8.8.8.8:53 stzuoorw.info udp
US 8.8.8.8:53 bujoerlezux.com udp
US 8.8.8.8:53 ubkxdikuf.info udp
US 8.8.8.8:53 mgcefcd.net udp
US 8.8.8.8:53 queoysecmsos.org udp
US 8.8.8.8:53 ewiljj.net udp
US 8.8.8.8:53 nptdzdhq.info udp
US 8.8.8.8:53 hcqfqyp.net udp
US 8.8.8.8:53 kkzdzjxk.net udp
US 8.8.8.8:53 xgdcfnssnwl.org udp
US 8.8.8.8:53 czxutqo.info udp
US 8.8.8.8:53 esfjlz.info udp
US 8.8.8.8:53 invopgiohlk.info udp
US 8.8.8.8:53 nmtvou.net udp
US 8.8.8.8:53 ncqnmuxhxx.net udp
US 8.8.8.8:53 sewiuyik.com udp
US 8.8.8.8:53 borovj.net udp
US 8.8.8.8:53 lkfzhxnlaybv.info udp
US 8.8.8.8:53 dsbepwz.org udp
US 8.8.8.8:53 bmhujchsp.net udp
US 8.8.8.8:53 ouuwqmie.org udp
US 8.8.8.8:53 ohlsjgqzcgxs.info udp
US 8.8.8.8:53 xyzmjgmen.com udp
US 8.8.8.8:53 zadvdcbezr.info udp
US 8.8.8.8:53 ugykgokckeqi.com udp
US 8.8.8.8:53 vixhexyw.info udp
US 8.8.8.8:53 ywsuwo.org udp
US 8.8.8.8:53 hunzdmqo.info udp
US 8.8.8.8:53 fgfsoazj.net udp
US 8.8.8.8:53 pxzavoe.info udp
US 8.8.8.8:53 xpxqhspzpjiz.info udp
US 8.8.8.8:53 fwpstktkluq.info udp
US 8.8.8.8:53 ouwxjilqvwrv.info udp
US 8.8.8.8:53 bbfgzpnvwelu.net udp
US 8.8.8.8:53 voramyf.info udp
US 8.8.8.8:53 sqvgrvf.info udp
US 8.8.8.8:53 pfdcduzjx.com udp
US 8.8.8.8:53 wswygigkos.org udp
US 8.8.8.8:53 yieeptcycbx.info udp
US 8.8.8.8:53 sqjueubjb.info udp
US 8.8.8.8:53 kyyoeamm.com udp
US 8.8.8.8:53 wnqybadqzehs.info udp
US 8.8.8.8:53 aeuahyqamqvl.info udp
US 8.8.8.8:53 qhvahmeneh.net udp
US 8.8.8.8:53 yagkmytyhih.net udp
US 8.8.8.8:53 fokorjxn.info udp
US 8.8.8.8:53 sjlsaeb.net udp
US 8.8.8.8:53 iyibfabufql.info udp
US 8.8.8.8:53 rypsnsycsu.info udp
US 8.8.8.8:53 ehraokhcrtj.net udp
US 8.8.8.8:53 hwbehoquhsc.info udp
US 8.8.8.8:53 xpneqfbyroz.org udp
US 8.8.8.8:53 emiwfavycgt.net udp
US 8.8.8.8:53 rmkvpv.info udp
US 8.8.8.8:53 npxtgj.net udp
US 8.8.8.8:53 uhtnms.net udp
US 8.8.8.8:53 dptnfyvhag.net udp
US 8.8.8.8:53 ogwyaaeaea.org udp
US 8.8.8.8:53 wwaicm.com udp
US 8.8.8.8:53 rgptfocyvf.info udp
US 8.8.8.8:53 hrhhqmekwo.info udp
US 8.8.8.8:53 dcozwaknaizv.net udp
US 8.8.8.8:53 tstuugy.org udp
US 8.8.8.8:53 dnxcbyxia.info udp
US 8.8.8.8:53 lvlogvunrk.info udp
US 8.8.8.8:53 dspvjusc.info udp
US 8.8.8.8:53 pefbeyzgq.org udp
US 8.8.8.8:53 tkxuaovegav.net udp
US 8.8.8.8:53 rkycciyqiv.net udp
US 8.8.8.8:53 okhifimsibp.info udp
US 8.8.8.8:53 roazridswuy.info udp
US 8.8.8.8:53 ynxnva.net udp
US 8.8.8.8:53 rztqzdf.net udp
US 8.8.8.8:53 wwdbhmn.info udp
US 8.8.8.8:53 focyrc.net udp
US 8.8.8.8:53 xytwfmrlduw.com udp
US 8.8.8.8:53 ahzmzssgtqh.info udp
US 8.8.8.8:53 vtwdkzoibt.info udp
US 8.8.8.8:53 qtqyjsvdusp.net udp
US 8.8.8.8:53 bamcyave.info udp
US 8.8.8.8:53 vsksbmukvni.org udp
US 8.8.8.8:53 vqxratl.net udp
US 8.8.8.8:53 zsmqdpdequbo.net udp
US 8.8.8.8:53 cngudivka.net udp
US 8.8.8.8:53 gcxybrnmzkny.net udp
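
Two things a responder wants from a network table like the one above are a quick DGA verdict and a way to separate the sample's lookups from the analysis VM's own background traffic. The script below is an added example, not code from the report or from the sandbox vendor: it parses rows in the table's own layout (country, resolver:port, name, transport), scores the registrable domain of each lookup with hand-tuned lexical heuristics (label length, vowel ratio, consonant runs, character entropy) and counts distinct domains per minute of the 151 s run. The sample rows are constructed from a few of the names above. Treating tse1.mm.bing.net and c.pki.goog as benign VM noise (Bing thumbnail fetches and Google PKI), the short two-label suffix list standing in for the Public Suffix List, and the score threshold of 3 are all assumptions.

```python
"""Triage a flattened sandbox network table for DGA behaviour.

Added example, not part of the sandbox report. Scores each queried name
with lexical DGA heuristics and counts distinct registrable domains,
which is the stronger signal here: hundreds of never-seen
.com/.net/.org/.info names resolved in roughly 150 seconds.
"""
import math
import re
from collections import Counter

# Constructed sample in the shape of the report's table: six of the DGA
# names it lists plus the two benign names that are (assumption) the
# analysis VM's own background traffic.
SAMPLE_ROWS = """\
US 8.8.8.8:53 vmbkkqxkz.com udp
US 8.8.8.8:53 chfoeuhqzmw.net udp
US 8.8.8.8:53 wygimoyakcuy.org udp
US 8.8.8.8:53 lfhzznvfnw.net udp
US 8.8.8.8:53 gglydgy.net udp
US 8.8.8.8:53 jnjjvgjmflfx.info udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.181.195:80 c.pki.goog tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<name>[\w.-]+)\s+(?P<proto>tcp|udp)$"
)
# Assumption: a handful of two-label public suffixes is enough for this
# table; a real deployment would consult the Public Suffix List.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}
VOWELS = set("aeiou")


def parse_rows(text):
    """Turn the flattened table into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def registrable_domain(name):
    """tse1.mm.bing.net -> bing.net, c.pki.goog -> pki.goog."""
    labels = name.lower().rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def entropy(s):
    """Shannon entropy of the characters of s, in bits."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def dga_score(domain):
    """0-4 lexical hints that the registrable label was machine-generated.

    Thresholds are hand-tuned on this report's names (assumption); labels
    with digits or hyphens are not scored.
    """
    label = domain.split(".")[0]
    if not label.isalpha():
        return 0
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    runs = [len(r) for r in re.findall(r"[^aeiou]+", label)]
    return sum([
        len(label) >= 7,
        vowel_ratio <= 0.3,
        max(runs, default=0) >= 4,
        entropy(label) >= 3.0,
    ])


def summarize(rows, window_seconds, allowlist=frozenset(), min_score=3, burst_rate=20.0):
    """Aggregate the UDP/53 lookups of one detonation into a verdict.

    burst_rate is distinct non-allowlisted domains per minute; either a
    burst or three or more DGA-looking names yields a "dga" verdict.
    """
    lookups = [r["name"] for r in rows if r["port"] == 53 and r["proto"] == "udp"]
    domains = Counter(registrable_domain(n) for n in lookups)
    suspect = sorted(d for d in domains if d not in allowlist and dga_score(d) >= min_score)
    tld_mix = Counter(d.rsplit(".", 1)[-1] for d in domains if d not in allowlist)
    unique_per_min = 60.0 * (len(domains) - len(allowlist & set(domains))) / window_seconds
    return {
        "lookups": len(lookups),
        "unique_domains": len(domains),
        "unique_per_minute": round(unique_per_min, 1),
        "dga_like": suspect,
        "tld_mix": dict(tld_mix),
        "verdict": "dga" if len(suspect) >= 3 or unique_per_min >= burst_rate else "undetermined",
    }


if __name__ == "__main__":
    result = summarize(parse_rows(SAMPLE_ROWS), window_seconds=151,
                       allowlist=frozenset({"bing.net", "pki.goog"}))
    for key, value in result.items():
        print(f"{key}: {value}")
```

The per-name heuristic is deliberately strict (wygimoyakcuy.org scores only 2 and is missed), which is why the count of distinct never-seen .com/.net/.org/.info domains in a short window is the thing to alert on: the report lists several hundred such names in a 151 s run, and in the rows shown only the two benign names receive a follow-up TCP connection.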

Files

C:\Users\Admin\AppData\Local\Temp\hpufno.exe

MD5 d1ca361a3095142de460726b262fbf7b
SHA1 f0f3f7ca1dba79755ba6869667160ebb51de99cd
SHA256 fae4fad367b4cdb332c50fa5fb8b3a4c0a7f756653469920a80280996245c3ef
SHA512 16c8bd013364e6ff83aae04e01fc505e73d3a8d744afd778c00c7ccdc15c1e3dc23b48b3b694486d91afc79f7b7a8b4d5f101fe8760b8c47fe6f03f23224738f

C:\Users\Admin\AppData\Local\glnvaybgghpnpumnylinpxcad.ijr

MD5 c5ba0f58943338a2260f59bc9979dc64
SHA1 ed189c36e762615fab7f848997abab9bf4a6c505
SHA256 58b5d25951df8aa767bf5b69af7054785e423f078aa0475f907b6f81848b0073
SHA512 176697ccdfaae5d3dd30237f91e32cff1e4be26ed6b3b2a0fcc47b04b1cc4a1d8d749a2a1d22eae9b62862218af8e2d6876ceddc3bf2d62b79e90a923126b75c

C:\Users\Admin\AppData\Local\lbohxgukvhajwmpbxvdtgzpymcnzsboehtpn.lyr

MD5 c761e7d3ec65e0915155396cf967c2ed
SHA1 d1c2620d7846feb67fc62fbdb6f5800929d7a7ee
SHA256 3d21de5b20677e59770a73fe68161d4940b4d8f69ceda46309413e257ecd642b
SHA512 1342a941571f7c569cf842c12f3990f0491d1ffc3c892b9020daa8ad57e41b3e04ef554a44cc359741eac95f423a0d7f069988c1299545a3ad26ce4587d433f1

C:\Program Files (x86)\glnvaybgghpnpumnylinpxcad.ijr

MD5 d459ff9e5a47f0496c604d1012731e2c
SHA1 7b3a84cc6ba5ecf72b040d3cfc12f6d09cb57fb3
SHA256 6221a88039f51dbbdbe9274b0ce525521869367be2444f3d871d29ebc132f8bb
SHA512 3fc6606fba91c5cf0ae34bd4a57ab0927777d11213b5ea823e1fb20fa055dbea652f8c9a175a31ac2ff810165ed6890c476a577fd5095a547fa1b2de1cbc19cc

C:\Program Files (x86)\glnvaybgghpnpumnylinpxcad.ijr

MD5 ca86d1ad17faf524899121a2742b3bad
SHA1 ad7d3493428c2bb8056a595b9169ddb0f1e4e91b
SHA256 55338ba5aaef0254786a94d03c5c31a58289f1740adbec7e540c9ae5be5d1e3e
SHA512 5c1a6ed008a859bbfea7c1ea0f924f30abc019001331538a87807c4632c088ca8bb37baa5754c27954e77f8b6a435e39e509cf9ce9945956a810024ff0c60555

C:\Program Files (x86)\glnvaybgghpnpumnylinpxcad.ijr

MD5 24bc4b10dee749ffa4f9c3b767a613c0
SHA1 04a3d0143d7a07902eda92ee393c2625f0cb32b0
SHA256 41bb936a4837bafafbc707d5bd0060f80ae5844c42c915f39c4b04e6229a99f0
SHA512 074579645ec78eec067ee6ba9b1d01547126085e0a9cafa3ee7ae6be2e0e2bbd5de02e0b162a676bcfcb886aa66c7957d6fa13319fa92fe31477bff9e9e29597

C:\Program Files (x86)\glnvaybgghpnpumnylinpxcad.ijr

MD5 979fee17b9f7215b9d5b6e9afc93d64a
SHA1 fc5864bfdd0816edf3999b6284cac7b0d6d57ea9
SHA256 f83c605083fe60625018f1369a89df8c4d6646f3f02074dfffe932ff6547c001
SHA512 9939be7347ff182b861d43ebe1f72becaef3c3c9fcacf3c1ba9cc163abb45e704302b104e206ebabc0ca5b0baca7d3716d9d720818687aa30b3c190ac0471da5

C:\Users\Admin\AppData\Local\glnvaybgghpnpumnylinpxcad.ijr

MD5 41ed5b57317aea5a47eeb45744fe32e6
SHA1 1a6024df272b023358c0821d4eab7ea115b282d2
SHA256 76c69905ebf3e8876b4776b5bd464e8c10c7699cc08b108b7320131cf16bc4d2
SHA512 eb52bfd6082ab3259013fd510074b4b3270cb165c6d73931c30832669892fd2ba2c876d04ab124dd6c06ea1606cc09c76c755926be4317446611cd45df3789be

C:\Users\Admin\AppData\Local\glnvaybgghpnpumnylinpxcad.ijr

MD5 d93b1f34af6fd395b5a9e750a43feccd
SHA1 99dafb8a429fef4c0ae7cc724727cf641975c025
SHA256 3f6f17f769829f55dd4525a1c99f6798df57bd090bb509526bed26419a824046
SHA512 3164fe177a0928b93360f57d02bcf0772bffcb36a217f08ad895aa29c621ae275b549367703f433bd6bde97334d1fc866321b6301f713f26b9fbdfc58bae4f96

C:\Users\Admin\AppData\Local\glnvaybgghpnpumnylinpxcad.ijr

MD5 ef60008bc71d4c21d7d3a386e0d159a2
SHA1 62571b4a570b711ce52d03342eda0000cdd29b5b
SHA256 e2b23ccfa82bbc527109d16abb72cd7b4e3efbe68188d7c2e9a6e34c118344f9
SHA512 d78f0c1b87ce0e84c24c247a18a5a19b3fcc24463aefbf9168ddf27d0990a9d4069dfe792fdafe00d9b8117159c4ecc2505b97ebd2987e4cdaf9616b2ecee991

Analysis: behavioral2

Detonation Overview

Submitted 2025-04-22 19:53
Reported 2025-04-22 19:55
Platform win11-20250410-en
Max time kernel 150s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A

Pykspa

worm pykspa

Pykspa family

pykspa

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
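
Zeroing EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser and PromptOnSecureDesktop, touching Winlogon\Shell, and adding values under Policies\Explorer\Run are all things a responder can verify on a suspect host. The audit below is an added example, not code from the report or the sandbox: it compares those values against stock Windows 10/11 defaults, accepts only explorer.exe in the Winlogon Shell program list (native and WOW6432Node views), and reports every entry under the policy Run key that the "Adds policy Run key to start application" signature lists. On Windows it reads the live registry with the standard-library winreg module (run it from 64-bit Python so the native view is not redirected); elsewhere it audits a snapshot dict. The two snapshots are constructed to mirror this report's values and a clean host.

```python
"""Audit the HKLM values this report shows the sample rewriting.

Added example, not code from the report or the sandbox. The snapshot
format is {key path under HKLM: {value name: data}}; read_hklm() builds
one from the live registry on Windows, and the constructed snapshots
below stand in for it elsewhere.
"""
import sys

POLICIES_SYSTEM = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON_NATIVE = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINLOGON_WOW64 = r"SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLICY_RUN = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run"
AUDITED_KEYS = (POLICIES_SYSTEM, WINLOGON_NATIVE, WINLOGON_WOW64, POLICY_RUN)

# Windows 10/11 defaults for the four values the sample sets to 0.
UAC_DEFAULTS = {
    "EnableLUA": 1,                   # 0 turns UAC off (takes effect at next reboot)
    "ConsentPromptBehaviorAdmin": 5,  # 0 lets admins elevate with no prompt
    "ConsentPromptBehaviorUser": 3,   # 0 auto-denies standard-user elevation
    "PromptOnSecureDesktop": 1,       # 0 shows prompts where other apps can reach them
}

# Constructed snapshots: INFECTED mirrors the behavioral2 signatures in
# this report, CLEAN is a default Windows 11 host.
INFECTED_SNAPSHOT = {
    POLICIES_SYSTEM: {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0,
                      "ConsentPromptBehaviorUser": 0, "PromptOnSecureDesktop": 0},
    WINLOGON_WOW64: {"Shell": "Explorer.exe"},
    POLICY_RUN: {"qyogvjwnbhgfjd": "fqjewndxoxzbifvbr.exe",
                 "tylamxhvgjf": r"C:\Users\Admin\AppData\Local\Temp\bqnmidxvqdjpabvfzrpeb.exe"},
}
CLEAN_SNAPSHOT = {
    POLICIES_SYSTEM: dict(UAC_DEFAULTS),
    WINLOGON_NATIVE: {"Shell": "explorer.exe"},
}


def _lookup(values, name):
    """Case-insensitive value lookup, as the registry itself is."""
    for n, data in values.items():
        if n.lower() == name.lower():
            return data
    return None


def shell_is_clean(data):
    """Winlogon Shell is a comma-separated program list; only explorer.exe belongs there."""
    programs = [p.strip().strip('"').lower() for p in str(data).split(",") if p.strip()]
    return programs == ["explorer.exe"]


def audit(snapshot):
    """Return (key, value name, data, reason) findings for a snapshot."""
    snap = {k.lower(): v for k, v in snapshot.items()}
    findings = []
    system = snap.get(POLICIES_SYSTEM.lower(), {})
    for name, expected in UAC_DEFAULTS.items():
        data = _lookup(system, name)
        if data is not None and data != expected:
            findings.append((POLICIES_SYSTEM, name, data, f"UAC policy changed (default {expected})"))
    for key in (WINLOGON_NATIVE, WINLOGON_WOW64):
        shell = _lookup(snap.get(key.lower(), {}), "Shell")
        if shell is not None and not shell_is_clean(shell):
            findings.append((key, "Shell", shell, "program chained into the Winlogon shell"))
    for name, data in snap.get(POLICY_RUN.lower(), {}).items():
        findings.append((POLICY_RUN, name, data, "policy Run entry (normally absent outside Group Policy)"))
    return findings


def read_hklm(keys=AUDITED_KEYS):
    """Snapshot the audited keys from the live registry (Windows only)."""
    import winreg  # standard library, only importable on Windows
    snapshot = {}
    for key in keys:
        try:
            handle = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key)
        except OSError:
            continue  # key absent, e.g. Policies\Explorer\Run on a clean host
        values, index = {}, 0
        with handle:
            while True:
                try:
                    name, data, _ = winreg.EnumValue(handle, index)
                except OSError:
                    break  # no more values
                values[name] = data
                index += 1
        snapshot[key] = values
    return snapshot


if __name__ == "__main__":
    snap = read_hklm() if sys.platform == "win32" else INFECTED_SNAPSHOT
    for key, name, data, why in audit(snap):
        print(f"{why}: HKLM\\{key}\\{name} = {data!r}")
```

One caveat the report makes visible: the Winlogon rows write "Explorer.exe", the stock value, into the WOW6432Node view, so a content audit like this one finds nothing there; the signature fired on the write itself. That write is caught by registry write telemetry (Sysmon Event ID 13 on the Winlogon\Shell value), not by polling content. EnableLUA=0 likewise only takes effect at the next reboot, so a host can show that finding while elevation prompts still appear to work.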

Detect Pykspa worm

worm
Description Indicator Process Target
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "bqnmidxvqdjpabvfzrpeb.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "oauqjbsnfpsvdbszqf.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "fqjewndxoxzbifvbr.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqnmidxvqdjpabvfzrpeb.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmheyrjfyjnrazrzrhd.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yiaulbqjzhijplaf.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "zmheyrjfyjnrazrzrhd.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqjewndxoxzbifvbr.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "mawupjcztfkpzzsbuliw.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oauqjbsnfpsvdbszqf.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "mawupjcztfkpzzsbuliw.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqnmidxvqdjpabvfzrpeb.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oauqjbsnfpsvdbszqf.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqjewndxoxzbifvbr.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "yiaulbqjzhijplaf.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "oauqjbsnfpsvdbszqf.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmheyrjfyjnrazrzrhd.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqnmidxvqdjpabvfzrpeb.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "fqjewndxoxzbifvbr.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tylamxhvgjf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yiaulbqjzhijplaf.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyogvjwnbhgfjd = "bqnmidxvqdjpabvfzrpeb.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\tctmcrfxmtttyth = "oauqjbsnfpsvdbszqf.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "fqjewndxoxzbifvbr.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "bqnmidxvqdjpabvfzrpeb.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "oauqjbsnfpsvdbszqf.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqjewndxoxzbifvbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqjewndxoxzbifvbr.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "yiaulbqjzhijplaf.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "fqjewndxoxzbifvbr.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqnmidxvqdjpabvfzrpeb.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "mawupjcztfkpzzsbuliw.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oauqjbsnfpsvdbszqf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqnmidxvqdjpabvfzrpeb.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "mawupjcztfkpzzsbuliw.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oauqjbsnfpsvdbszqf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqnmidxvqdjpabvfzrpeb.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yiaulbqjzhijplaf.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oauqjbsnfpsvdbszqf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yiaulbqjzhijplaf.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "fqjewndxoxzbifvbr.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "zmheyrjfyjnrazrzrhd.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "yiaulbqjzhijplaf.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "fqjewndxoxzbifvbr.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oauqjbsnfpsvdbszqf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmheyrjfyjnrazrzrhd.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "mawupjcztfkpzzsbuliw.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oauqjbsnfpsvdbszqf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqjewndxoxzbifvbr.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "zmheyrjfyjnrazrzrhd.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqjewndxoxzbifvbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oauqjbsnfpsvdbszqf.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\tctmcrfxmtttyth = "yiaulbqjzhijplaf.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqjewndxoxzbifvbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmheyrjfyjnrazrzrhd.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqjewndxoxzbifvbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yiaulbqjzhijplaf.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oauqjbsnfpsvdbszqf.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oauqjbsnfpsvdbszqf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqjewndxoxzbifvbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yiaulbqjzhijplaf.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqjewndxoxzbifvbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqjewndxoxzbifvbr.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "mawupjcztfkpzzsbuliw.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "zmheyrjfyjnrazrzrhd.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "yiaulbqjzhijplaf.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\tctmcrfxmtttyth = "mawupjcztfkpzzsbuliw.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oauqjbsnfpsvdbszqf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmheyrjfyjnrazrzrhd.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqjewndxoxzbifvbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oauqjbsnfpsvdbszqf.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "zmheyrjfyjnrazrzrhd.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "zmheyrjfyjnrazrzrhd.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "fqjewndxoxzbifvbr.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yiaulbqjzhijplaf.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "yiaulbqjzhijplaf.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmheyrjfyjnrazrzrhd.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "yiaulbqjzhijplaf.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "bqnmidxvqdjpabvfzrpeb.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\oauqjbsnfpsvdbszqf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oauqjbsnfpsvdbszqf.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "fqjewndxoxzbifvbr.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\tctmcrfxmtttyth = "bqnmidxvqdjpabvfzrpeb.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqnmidxvqdjpabvfzrpeb.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "bqnmidxvqdjpabvfzrpeb.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqjewndxoxzbifvbr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqnmidxvqdjpabvfzrpeb.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\tctmcrfxmtttyth = "fqjewndxoxzbifvbr.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "bqnmidxvqdjpabvfzrpeb.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oauqjbsnfpsvdbszqf.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yiaulbqjzhijplaf = "oauqjbsnfpsvdbszqf.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\tctmcrfxmtttyth = "yiaulbqjzhijplaf.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mawupjcztfkpzzsbuliw.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yiaulbqjzhijplaf.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwkanzkzlpmj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqjewndxoxzbifvbr.exe" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwlcqdpfsxvtw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqjewndxoxzbifvbr.exe ." C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyipaddress.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\gcgmprsxztgtltulmlqmqwzb.hjd C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
File created C:\Windows\SysWOW64\gcgmprsxztgtltulmlqmqwzb.hjd C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
File opened for modification C:\Windows\SysWOW64\pwlcqdpfsxvtwpbdpzpwlcqdpfsxvtwpbdp.pwl C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
File created C:\Windows\SysWOW64\pwlcqdpfsxvtwpbdpzpwlcqdpfsxvtwpbdp.pwl C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\pwlcqdpfsxvtwpbdpzpwlcqdpfsxvtwpbdp.pwl C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
File created C:\Program Files (x86)\pwlcqdpfsxvtwpbdpzpwlcqdpfsxvtwpbdp.pwl C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
File opened for modification C:\Program Files (x86)\gcgmprsxztgtltulmlqmqwzb.hjd C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
File created C:\Program Files (x86)\gcgmprsxztgtltulmlqmqwzb.hjd C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\gcgmprsxztgtltulmlqmqwzb.hjd C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
File created C:\Windows\gcgmprsxztgtltulmlqmqwzb.hjd C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
File opened for modification C:\Windows\pwlcqdpfsxvtwpbdpzpwlcqdpfsxvtwpbdp.pwl C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
File created C:\Windows\pwlcqdpfsxvtwpbdpzpwlcqdpfsxvtwpbdp.pwl C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2627618461-2240074273-3604016983-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\zajucjp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cf6315a04080fc61fa1bcc006d0dbb52.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mawupjcztfkpzzsbuliw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqnmidxvqdjpabvfzrpeb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c bqnmidxvqdjpabvfzrpeb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oauqjbsnfpsvdbszqf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yiaulbqjzhijplaf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqnmidxvqdjpabvfzrpeb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmheyrjfyjnrazrzrhd.exe

C:\Users\Admin\AppData\Local\Temp\zajucjp.exe

"C:\Users\Admin\AppData\Local\Temp\zajucjp.exe" "-"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yiaulbqjzhijplaf.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqjewndxoxzbifvbr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c fqjewndxoxzbifvbr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqjewndxoxzbifvbr.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bqnmidxvqdjpabvfzrpeb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zmheyrjfyjnrazrzrhd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mawupjcztfkpzzsbuliw.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\mawupjcztfkpzzsbuliw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c mawupjcztfkpzzsbuliw.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\yiaulbqjzhijplaf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c oauqjbsnfpsvdbszqf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmheyrjfyjnrazrzrhd.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oauqjbsnfpsvdbszqf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zmheyrjfyjnrazrzrhd.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\fqjewndxoxzbifvbr.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\oauqjbsnfpsvdbszqf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c yiaulbqjzhijplaf.exe .

Network


Files
