Analysis Overview
SHA256
c64c2956f4ba62f3cce3478294c318a019be07cedab3c0c5a0ce363ea9ad5bb4
Threat Level: Known bad
The file 10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UAC bypass
Disables RegEdit via registry modification
Adds policy Run key to start application
Executes dropped EXE
Checks computer location settings
Impair Defenses: Safe Mode Boot
Loads dropped DLL
Looks up external IP address via web service
Checks whether UAC is enabled
Adds Run key to start application
Drops autorun.inf file
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
System policy modification
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 05:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 05:32
Reported
2024-06-26 05:34
Platform
win7-20240220-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "hxjcpgyrmzbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "qhuocunhdruwghdbju.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxnkbwspoflqdhghsgrlb.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxjcpgyrmzbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "apaseuldxjkksrlh.exe" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "bthcrkezwlpsdfcbkwf.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwsicxtrhmqcfddnakd.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "hxjcpgyrmzbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "apaseuldxjkksrlh.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apaseuldxjkksrlh.exe" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxjcpgyrmzbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxnkbwspoflqdhghsgrlb.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthcrkezwlpsdfcbkwf.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apaseuldxjkksrlh.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "hxjcpgyrmzbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "qhuocunhdruwghdbju.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthcrkezwlpsdfcbkwf.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "dxnkbwspoflqdhghsgrlb.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apaseuldxjkksrlh.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "apaseuldxjkksrlh.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "ohwsicxtrhmqcfddnakd.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwsicxtrhmqcfddnakd.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxjcpgyrmzbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "dxnkbwspoflqdhghsgrlb.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhuocunhdruwghdbju.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "bthcrkezwlpsdfcbkwf.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "ohwsicxtrhmqcfddnakd.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajoagqbnbh = "dxnkbwspoflqdhghsgrlb.exe ." | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hptejscna = "hxjcpgyrmzbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdkygsftjrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxnkbwspoflqdhghsgrlb.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hptejscna = "apaseuldxjkksrlh.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdkygsftjrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxjcpgyrmzbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "hxjcpgyrmzbcllgdk.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hptejscna = "ohwsicxtrhmqcfddnakd.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajoagqbnbh = "dxnkbwspoflqdhghsgrlb.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "apaseuldxjkksrlh.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vflyfqcpelh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwsicxtrhmqcfddnakd.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "ohwsicxtrhmqcfddnakd.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "apaseuldxjkksrlh.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hptejscna = "hxjcpgyrmzbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdkygsftjrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxnkbwspoflqdhghsgrlb.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vflyfqcpelh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthcrkezwlpsdfcbkwf.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdkygsftjrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxjcpgyrmzbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdkygsftjrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxnkbwspoflqdhghsgrlb.exe" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdkygsftjrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhuocunhdruwghdbju.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hptejscna = "apaseuldxjkksrlh.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdkygsftjrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhuocunhdruwghdbju.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apaseuldxjkksrlh.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\otucek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwsicxtrhmqcfddnakd.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdkygsftjrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthcrkezwlpsdfcbkwf.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vflyfqcpelh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apaseuldxjkksrlh.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hptejscna = "dxnkbwspoflqdhghsgrlb.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "bthcrkezwlpsdfcbkwf.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hptejscna = "bthcrkezwlpsdfcbkwf.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "apaseuldxjkksrlh.exe ." | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "hxjcpgyrmzbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\otucek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthcrkezwlpsdfcbkwf.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vflyfqcpelh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhuocunhdruwghdbju.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajoagqbnbh = "hxjcpgyrmzbcllgdk.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\otucek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apaseuldxjkksrlh.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hptejscna = "qhuocunhdruwghdbju.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "hxjcpgyrmzbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "qhuocunhdruwghdbju.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\otucek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxjcpgyrmzbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwsicxtrhmqcfddnakd.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdkygsftjrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apaseuldxjkksrlh.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdkygsftjrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthcrkezwlpsdfcbkwf.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "dxnkbwspoflqdhghsgrlb.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "dxnkbwspoflqdhghsgrlb.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthcrkezwlpsdfcbkwf.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "qhuocunhdruwghdbju.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdkygsftjrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwsicxtrhmqcfddnakd.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hptejscna = "qhuocunhdruwghdbju.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "qhuocunhdruwghdbju.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hptejscna = "dxnkbwspoflqdhghsgrlb.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajoagqbnbh = "dxnkbwspoflqdhghsgrlb.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajoagqbnbh = "apaseuldxjkksrlh.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\otucek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxjcpgyrmzbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "bthcrkezwlpsdfcbkwf.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhuocunhdruwghdbju.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "ohwsicxtrhmqcfddnakd.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\otucek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhuocunhdruwghdbju.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "dxnkbwspoflqdhghsgrlb.exe" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwsicxtrhmqcfddnakd.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vflyfqcpelh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apaseuldxjkksrlh.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthcrkezwlpsdfcbkwf.exe ." | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajoagqbnbh = "bthcrkezwlpsdfcbkwf.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "bthcrkezwlpsdfcbkwf.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajoagqbnbh = "ohwsicxtrhmqcfddnakd.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "apaseuldxjkksrlh.exe ." | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
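The registry signatures above (Winlogon Shell, UAC policy values, the Policies\Explorer\Run key, DisableRegistryTools, the SafeBoot\Minimal\WinDefend deletion, and the Run/RunOnce entries) describe an end state a responder can look for on other hosts. Three details in the rows matter for that: the Winlogon writes land under Wow6432Node (the 32-bit redirected view, since the dropped executables are 32-bit) and set "Explorer.exe", which is the default shell, so the signature fires on the write itself rather than on a changed shell; the HKLM policy writes need administrative rights, which the sandbox's Admin user already had, so "UAC bypass" here means UAC being switched off from an elevated context rather than circumvented; and Run values such as "ohwsicxtrhmqcfddnakd.exe" carry no directory, so they resolve through the path search, and the SysWOW64 table below shows same-named files dropped there. The following is an added example, not part of the report or of the sandbox vendor's code: it encodes those checks as rules over a registry snapshot held as a dict, with a constructed infected and clean snapshot, plus a winreg loader for a live Windows host. The SID is the one in the report and the "VendorTray" entry is an invented benign Run value; a real run should use the logged-on user's SID.

```python
"""Host-side checks for the registry changes listed in the behavioral1 signatures.

Added example; not part of the sandbox report. INFECTED and CLEAN are
constructed registry excerpts (dict form). On a Windows host, live_snapshot()
fills the same structure from winreg so evaluate() can run against real state.
"""
from __future__ import annotations

import re
import sys
from collections import Counter
from typing import NamedTuple

USER_SID = "S-1-5-21-2721934792-624042501-2768869379-1000"  # SID from the report (assumption: reuse as-is)
HKLM, HKU = "HKLM", f"HKU\\{USER_SID}"

WINLOGON = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
POLICY_SYSTEM = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System"
POLICY_RUN = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run"
RUN_KEYS = ("SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run",
            "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnce")
SAFEBOOT_WINDEFEND = "SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\Minimal\\WinDefend"

# Policy values whose listed data turns UAC off or silences its prompts.
# ConsentPromptBehaviorUser=0 (also written by the sample) means "auto-deny"
# for standard users and is not a weakening by itself, so it is not listed.
UAC_WEAK = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0, "PromptOnSecureDesktop": 0}

Snapshot = dict[str, dict[str, object]]  # "HIVE\\key path" -> {value name: data}


class Finding(NamedTuple):
    rule: str
    key: str
    name: str
    data: object


def evaluate(snap: Snapshot) -> list[Finding]:
    """Apply the six checks and return every hit, in rule order."""
    out: list[Finding] = []
    # 1. Winlogon Shell replaced. The sample writes "Explorer.exe", the default,
    #    so this check stays silent on the state the report describes.
    wl = f"{HKLM}\\{WINLOGON}"
    shell = snap.get(wl, {}).get("Shell")
    if shell is not None and str(shell).strip().lower() != "explorer.exe":
        out.append(Finding("winlogon_shell", wl, "Shell", shell))
    # 2. UAC weakened (machine policy only)
    ps = f"{HKLM}\\{POLICY_SYSTEM}"
    for name, bad in UAC_WEAK.items():
        if snap.get(ps, {}).get(name) == bad:
            out.append(Finding("uac_disabled", ps, name, bad))
    # 3. Registry editor disabled by machine or user policy
    for hive in (HKLM, HKU):
        key = f"{hive}\\{POLICY_SYSTEM}"
        if snap.get(key, {}).get("DisableRegistryTools") == 1:
            out.append(Finding("regedit_disabled", key, "DisableRegistryTools", 1))
    # 4. Policies\Explorer\Run is empty unless Group Policy fills it; any entry is a hit
    for hive in (HKLM, HKU):
        key = f"{hive}\\{POLICY_RUN}"
        for name, data in snap.get(key, {}).items():
            out.append(Finding("policy_run", key, name, data))
    # 5. Run/RunOnce entries in %TEMP%, or bare file names resolved via the PATH
    #    search (the report shows same-named copies dropped into SysWOW64)
    for hive in (HKLM, HKU):
        for rk in RUN_KEYS:
            key = f"{hive}\\{rk}"
            for name, data in snap.get(key, {}).items():
                cmd = str(data).strip().rstrip(" .").strip('"')  # report shows "name.exe ." forms
                if re.search(r"\\AppData\\Local\\Temp\\", cmd, re.I) or "\\" not in cmd:
                    out.append(Finding("run_suspicious", key, name, data))
    # 6. Safe-mode service entry for Defender removed (report: key deleted)
    sb = f"{HKLM}\\{SAFEBOOT_WINDEFEND}"
    if sb not in snap:
        out.append(Finding("safeboot_windefend_missing", sb, "", None))
    return out


def rule_counts(snap: Snapshot) -> dict[str, int]:
    return dict(Counter(f.rule for f in evaluate(snap)))


def live_snapshot() -> Snapshot:
    """Windows only. Reads the keys evaluate() inspects from both the native and
    the WOW64 (Wow6432Node) view, because the 32-bit sample wrote to the
    redirected view; both views are folded into one logical key."""
    import winreg
    roots = {HKLM: (winreg.HKEY_LOCAL_MACHINE, ""), HKU: (winreg.HKEY_USERS, USER_SID + "\\")}
    snap: Snapshot = {}
    for hive, (root, prefix) in roots.items():
        for path in (WINLOGON, POLICY_SYSTEM, POLICY_RUN, *RUN_KEYS, SAFEBOOT_WINDEFEND):
            for view in (winreg.KEY_WOW64_64KEY, winreg.KEY_WOW64_32KEY):
                try:
                    k = winreg.OpenKey(root, prefix + path, 0, winreg.KEY_READ | view)
                except OSError:
                    continue
                with k:
                    vals = snap.setdefault(f"{hive}\\{path}", {})
                    for i in range(winreg.QueryInfoKey(k)[1]):
                        name, data, _ = winreg.EnumValue(k, i)
                        vals[name] = data
    return snap


# Constructed snapshots. INFECTED mirrors the end state implied by the rows above;
# CLEAN is a baseline. "VendorTray" is an invented benign autorun entry.
INFECTED: Snapshot = {
    f"{HKLM}\\{WINLOGON}": {"Shell": "Explorer.exe"},
    f"{HKLM}\\{POLICY_SYSTEM}": {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0,
                                 "ConsentPromptBehaviorUser": 0, "PromptOnSecureDesktop": 0,
                                 "DisableRegistryTools": 1},
    f"{HKU}\\{POLICY_SYSTEM}": {"DisableRegistryTools": 1},
    f"{HKLM}\\{POLICY_RUN}": {"qxakowfp": "hxjcpgyrmzbcllgdk.exe",
                              "dhhop": "C:\\Users\\Admin\\AppData\\Local\\Temp\\apaseuldxjkksrlh.exe"},
    f"{HKLM}\\{RUN_KEYS[0]}": {"otucek": "ohwsicxtrhmqcfddnakd.exe",
                               "sdkygsftjrok": "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxnkbwspoflqdhghsgrlb.exe",
                               "VendorTray": "\"C:\\Program Files\\Vendor\\tray.exe\" /min"},
    f"{HKU}\\{RUN_KEYS[1]}": {"ajoagqbnbh": "dxnkbwspoflqdhghsgrlb.exe ."},
    # SafeBoot\Minimal\WinDefend deliberately absent: the report shows the key deleted
}
CLEAN: Snapshot = {
    f"{HKLM}\\{WINLOGON}": {"Shell": "explorer.exe"},
    f"{HKLM}\\{POLICY_SYSTEM}": {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "PromptOnSecureDesktop": 1},
    f"{HKLM}\\{RUN_KEYS[0]}": {"VendorTray": "\"C:\\Program Files\\Vendor\\tray.exe\" /min"},
    f"{HKLM}\\{SAFEBOOT_WINDEFEND}": {"": "Service"},
}

if __name__ == "__main__":
    for f in evaluate(live_snapshot() if sys.platform == "win32" else INFECTED):
        print(f"{f.rule:28} {f.key}\\{f.name} = {f.data!r}")
```

Run as-is on a non-Windows box it evaluates the constructed INFECTED snapshot and reports eleven findings (three UAC values, two DisableRegistryTools policies, two policy Run entries, three suspicious Run/RunOnce entries and the missing WinDefend safe-boot key) and nothing for the Shell value; on Windows it reads the live registry. Rule 6 uses CurrentControlSet rather than the ControlSet001 path the sandbox logged, since that is the control set the running system actually boots from.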
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
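The signature tables on this page repeat the same indicators many times (one row per write, per process), so turning them into a hunt list means parsing the pipe-table layout, mapping the kernel object paths (\REGISTRY\MACHINE, \REGISTRY\USER\SID) onto hive names, splitting "key = data" rows, and de-duplicating across signatures. The following is an added example, not the sandbox vendor's export code: REPORT_EXCERPT is a constructed subset of the rows above, kept verbatim in the page's layout, and extract_iocs() can be fed the full report text the same way.

```python
"""Extract a de-duplicated IOC list from the signature tables on this page.

Added example, not part of the sandbox report. REPORT_EXCERPT is a constructed
subset of the rows above, kept in the page's own pipe-table layout.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field

REPORT_EXCERPT = r"""
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apaseuldxjkksrlh.exe" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\vflyfqcpelhcfzofgklvbovgsfubxsvpe.wab | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
"""

HIVES = (("\\REGISTRY\\MACHINE\\", "HKLM\\"), ("\\REGISTRY\\USER\\", "HKU\\"))


@dataclass
class Ioc:
    kind: str                 # registry | file | domain | process
    value: str                # hive\key\value, file path, domain, or process path
    data: str = ""            # registry data for "Set value" rows
    actions: set[str] = field(default_factory=set)     # Description column
    signatures: set[str] = field(default_factory=set)  # headings the row appeared under


def normalize_reg(path: str) -> str:
    """Map the kernel object path the sandbox logs onto the familiar hive names."""
    for prefix, hive in HIVES:
        if path.upper().startswith(prefix):
            return hive + path[len(prefix):]
    return path


def parse_rows(text: str):
    """Yield (signature heading, [4 cells]) for every data row of every table."""
    sig = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not line.startswith("|"):
            sig = line          # a non-table line is the signature heading
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) == 4 and cells[0] != "Description":
            yield sig, cells


def extract_iocs(text: str) -> list[Ioc]:
    iocs: dict[tuple[str, str, str], Ioc] = {}

    def add(kind: str, value: str, data: str, action: str, sig: str) -> None:
        ioc = iocs.setdefault((kind, value, data), Ioc(kind, value, data))
        if action != "N/A":
            ioc.actions.add(action)
        ioc.signatures.add(sig)

    for sig, (desc, indicator, process, _target) in parse_rows(text):
        if process != "N/A":
            add("process", process, "", "N/A", sig)
        if indicator == "N/A":
            continue
        if indicator.upper().startswith("\\REGISTRY\\"):
            key, _, data = indicator.partition(" = ")
            # the report renders backslashes inside quoted data doubled
            add("registry", normalize_reg(key), data.strip('"').replace("\\\\", "\\"), desc, sig)
        elif re.match(r"^[A-Za-z]:\\", indicator):
            add("file", indicator, "", desc, sig)
        elif re.fullmatch(r"[A-Za-z0-9.-]+\.[A-Za-z]{2,}", indicator):
            add("domain", indicator, "", desc, sig)
    return sorted(iocs.values(), key=lambda i: (i.kind, i.value, i.data))


def kind_counts(iocs: list[Ioc]) -> dict[str, int]:
    return dict(Counter(i.kind for i in iocs))


if __name__ == "__main__":
    for ioc in extract_iocs(REPORT_EXCERPT):
        tail = f" = {ioc.data}" if ioc.data else ""
        print(f"{ioc.kind:8} {ioc.value}{tail}  <- {sorted(ioc.signatures)}")
```

On the excerpt this collapses 17 rows into 15 indicators: six registry entries (the duplicate EnableLUA rows merge), four IP-lookup domains, three dropped files and the two dropped executables that did the writing. The Wow6432Node segment is kept in the normalized key on purpose, since it records which registry view the 32-bit sample actually wrote to; strip it only if the consumer hunts in the 64-bit view as well.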
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\apaseuldxjkksrlh.exe | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bthcrkezwlpsdfcbkwf.exe | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hxjcpgyrmzbcllgdk.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dxnkbwspoflqdhghsgrlb.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\apaseuldxjkksrlh.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dxnkbwspoflqdhghsgrlb.exe | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\upgewspnnfmsgllnzoavmk.exe | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File created | C:\Windows\SysWOW64\vflyfqcpelhcfzofgklvbovgsfubxsvpe.wab | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dxnkbwspoflqdhghsgrlb.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\qhuocunhdruwghdbju.exe | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\edyawwxzdzkumvzfvoedya.wxz | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vflyfqcpelhcfzofgklvbovgsfubxsvpe.wab | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ohwsicxtrhmqcfddnakd.exe | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ohwsicxtrhmqcfddnakd.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hxjcpgyrmzbcllgdk.exe | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bthcrkezwlpsdfcbkwf.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\qhuocunhdruwghdbju.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\upgewspnnfmsgllnzoavmk.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File created | C:\Windows\SysWOW64\edyawwxzdzkumvzfvoedya.wxz | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\edyawwxzdzkumvzfvoedya.wxz | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File created | C:\Program Files (x86)\edyawwxzdzkumvzfvoedya.wxz | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File opened for modification | C:\Program Files (x86)\vflyfqcpelhcfzofgklvbovgsfubxsvpe.wab | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File created | C:\Program Files (x86)\vflyfqcpelhcfzofgklvbovgsfubxsvpe.wab | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ohwsicxtrhmqcfddnakd.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\hxjcpgyrmzbcllgdk.exe | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File opened for modification | C:\Windows\hxjcpgyrmzbcllgdk.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\apaseuldxjkksrlh.exe | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File opened for modification | C:\Windows\dxnkbwspoflqdhghsgrlb.exe | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File created | C:\Windows\edyawwxzdzkumvzfvoedya.wxz | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File opened for modification | C:\Windows\qhuocunhdruwghdbju.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\upgewspnnfmsgllnzoavmk.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\dxnkbwspoflqdhghsgrlb.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\bthcrkezwlpsdfcbkwf.exe | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File opened for modification | C:\Windows\upgewspnnfmsgllnzoavmk.exe | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File opened for modification | C:\Windows\bthcrkezwlpsdfcbkwf.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\ohwsicxtrhmqcfddnakd.exe | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File opened for modification | C:\Windows\edyawwxzdzkumvzfvoedya.wxz | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File opened for modification | C:\Windows\apaseuldxjkksrlh.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\vflyfqcpelhcfzofgklvbovgsfubxsvpe.wab | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File created | C:\Windows\vflyfqcpelhcfzofgklvbovgsfubxsvpe.wab | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| File opened for modification | C:\Windows\qhuocunhdruwghdbju.exe | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\otucek.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe
"C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe" "c:\users\admin\appdata\local\temp\10e2e4a7f16b729bfaa9630c1146569f_jaffacakes118.exe*"
C:\Users\Admin\AppData\Local\Temp\otucek.exe
"C:\Users\Admin\AppData\Local\Temp\otucek.exe" "-c:\users\admin\appdata\local\temp\10e2e4a7f16b729bfaa9630c1146569f_jaffacakes118.exe"
C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe
"C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe" "c:\users\admin\appdata\local\temp\10e2e4a7f16b729bfaa9630c1146569f_jaffacakes118.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 05:32
Reported
2024-06-26 05:34
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdubtisfwjfocu = "gfcpniyrohjysqjscocb.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndrvkwdnble = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfcpniyrohjysqjscocb.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdubtisfwjfocu = "vvthgctnlfiytsmwhujjh.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdubtisfwjfocu = "ifalhaofarrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdubtisfwjfocu = "trnzwqfxtlmatqiqzkx.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndrvkwdnble = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sngpjambujhsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndrvkwdnble = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvthgctnlfiytsmwhujjh.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdubtisfwjfocu = "zvpzumzpjzykbwmsz.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdubtisfwjfocu = "sngpjambujhsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdubtisfwjfocu = "sngpjambujhsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndrvkwdnble = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvpzumzpjzykbwmsz.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndrvkwdnble = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trnzwqfxtlmatqiqzkx.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndrvkwdnble = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifalhaofarrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndrvkwdnble = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfcpniyrohjysqjscocb.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdubtisfwjfocu = "ifalhaofarrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndrvkwdnble = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvthgctnlfiytsmwhujjh.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "gfcpniyrohjysqjscocb.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sngpjambujhsicrw = "zvpzumzpjzykbwmsz.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sngpjambujhsicrw = "zvpzumzpjzykbwmsz.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "vvthgctnlfiytsmwhujjh.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvthgctnlfiytsmwhujjh.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvpzumzpjzykbwmsz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvpzumzpjzykbwmsz.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhzhaqbphvscrky = "gfcpniyrohjysqjscocb.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "sngpjambujhsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "gfcpniyrohjysqjscocb.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvpzumzpjzykbwmsz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifalhaofarrewsjqyi.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sngpjambujhsicrw = "ifalhaofarrewsjqyi.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sngpjambujhsicrw = "gfcpniyrohjysqjscocb.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvthgctnlfiytsmwhujjh.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifalhaofarrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifalhaofarrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "sngpjambujhsicrw.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "ifalhaofarrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifalhaofarrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfcpniyrohjysqjscocb.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "ifalhaofarrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "trnzwqfxtlmatqiqzkx.exe ." | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sngpjambujhsicrw = "trnzwqfxtlmatqiqzkx.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifalhaofarrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvpzumzpjzykbwmsz.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifalhaofarrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvthgctnlfiytsmwhujjh.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sngpjambujhsicrw = "vvthgctnlfiytsmwhujjh.exe ." | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvpzumzpjzykbwmsz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvthgctnlfiytsmwhujjh.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhzhaqbphvscrky = "sngpjambujhsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifalhaofarrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifalhaofarrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sngpjambujhsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvpzumzpjzykbwmsz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trnzwqfxtlmatqiqzkx.exe ." | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "trnzwqfxtlmatqiqzkx.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifalhaofarrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trnzwqfxtlmatqiqzkx.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhzhaqbphvscrky = "ifalhaofarrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfcpniyrohjysqjscocb.exe ." | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "ifalhaofarrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifalhaofarrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfcpniyrohjysqjscocb.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sngpjambujhsicrw.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvthgctnlfiytsmwhujjh.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvpzumzpjzykbwmsz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trnzwqfxtlmatqiqzkx.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvpzumzpjzykbwmsz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sngpjambujhsicrw.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfcpniyrohjysqjscocb.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifalhaofarrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sngpjambujhsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhzhaqbphvscrky = "sngpjambujhsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "trnzwqfxtlmatqiqzkx.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvthgctnlfiytsmwhujjh.exe ." | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "trnzwqfxtlmatqiqzkx.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "gfcpniyrohjysqjscocb.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhzhaqbphvscrky = "vvthgctnlfiytsmwhujjh.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifalhaofarrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvthgctnlfiytsmwhujjh.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhzhaqbphvscrky = "gfcpniyrohjysqjscocb.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifalhaofarrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvthgctnlfiytsmwhujjh.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvpzumzpjzykbwmsz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifalhaofarrewsjqyi.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "trnzwqfxtlmatqiqzkx.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "zvpzumzpjzykbwmsz.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhzhaqbphvscrky = "zvpzumzpjzykbwmsz.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhzhaqbphvscrky = "trnzwqfxtlmatqiqzkx.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "zvpzumzpjzykbwmsz.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sngpjambujhsicrw = "sngpjambujhsicrw.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifalhaofarrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sngpjambujhsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trnzwqfxtlmatqiqzkx.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhzhaqbphvscrky = "vvthgctnlfiytsmwhujjh.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvpzumzpjzykbwmsz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvthgctnlfiytsmwhujjh.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfcpniyrohjysqjscocb.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifalhaofarrewsjqyi.exe ." | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sngpjambujhsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\trnzwqfxtlmatqiqzkx.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zvpzumzpjzykbwmsz.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gfcpniyrohjysqjscocb.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zvpzumzpjzykbwmsz.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vvthgctnlfiytsmwhujjh.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mnmbbyqlkfjawwrcocstsh.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File created | C:\Windows\SysWOW64\ahmhnqopuvfceklcuokrwrxa.zef | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mnmbbyqlkfjawwrcocstsh.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gfcpniyrohjysqjscocb.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vvthgctnlfiytsmwhujjh.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jbrxoclxnzucpgsuxcjbrxoclxnzucpgsux.jbr | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vvthgctnlfiytsmwhujjh.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ifalhaofarrewsjqyi.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File created | C:\Windows\SysWOW64\jbrxoclxnzucpgsuxcjbrxoclxnzucpgsux.jbr | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\trnzwqfxtlmatqiqzkx.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gfcpniyrohjysqjscocb.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zvpzumzpjzykbwmsz.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ifalhaofarrewsjqyi.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mnmbbyqlkfjawwrcocstsh.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gfcpniyrohjysqjscocb.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ifalhaofarrewsjqyi.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vvthgctnlfiytsmwhujjh.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sngpjambujhsicrw.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ifalhaofarrewsjqyi.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\trnzwqfxtlmatqiqzkx.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ahmhnqopuvfceklcuokrwrxa.zef | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sngpjambujhsicrw.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sngpjambujhsicrw.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zvpzumzpjzykbwmsz.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\trnzwqfxtlmatqiqzkx.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mnmbbyqlkfjawwrcocstsh.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sngpjambujhsicrw.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\ahmhnqopuvfceklcuokrwrxa.zef | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File created | C:\Program Files (x86)\ahmhnqopuvfceklcuokrwrxa.zef | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Program Files (x86)\jbrxoclxnzucpgsuxcjbrxoclxnzucpgsux.jbr | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File created | C:\Program Files (x86)\jbrxoclxnzucpgsuxcjbrxoclxnzucpgsux.jbr | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\mnmbbyqlkfjawwrcocstsh.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\jbrxoclxnzucpgsuxcjbrxoclxnzucpgsux.jbr | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\gfcpniyrohjysqjscocb.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\mnmbbyqlkfjawwrcocstsh.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\ifalhaofarrewsjqyi.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\zvpzumzpjzykbwmsz.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\zvpzumzpjzykbwmsz.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\vvthgctnlfiytsmwhujjh.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\gfcpniyrohjysqjscocb.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\sngpjambujhsicrw.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\sngpjambujhsicrw.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\mnmbbyqlkfjawwrcocstsh.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\zvpzumzpjzykbwmsz.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\ahmhnqopuvfceklcuokrwrxa.zef | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\ifalhaofarrewsjqyi.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\gfcpniyrohjysqjscocb.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\mnmbbyqlkfjawwrcocstsh.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\trnzwqfxtlmatqiqzkx.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\gfcpniyrohjysqjscocb.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\ifalhaofarrewsjqyi.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\vvthgctnlfiytsmwhujjh.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File created | C:\Windows\jbrxoclxnzucpgsuxcjbrxoclxnzucpgsux.jbr | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\ifalhaofarrewsjqyi.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\vvthgctnlfiytsmwhujjh.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\trnzwqfxtlmatqiqzkx.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File created | C:\Windows\ahmhnqopuvfceklcuokrwrxa.zef | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\vvthgctnlfiytsmwhujjh.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\trnzwqfxtlmatqiqzkx.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\sngpjambujhsicrw.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\trnzwqfxtlmatqiqzkx.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\zvpzumzpjzykbwmsz.exe | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| File opened for modification | C:\Windows\sngpjambujhsicrw.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\tfppail.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
Processes
| Path | Command Line |
| C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | "C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe" "c:\users\admin\appdata\local\temp\10e2e4a7f16b729bfaa9630c1146569f_jaffacakes118.exe*" |
| C:\Users\Admin\AppData\Local\Temp\tfppail.exe | "C:\Users\Admin\AppData\Local\Temp\tfppail.exe" "-c:\users\admin\appdata\local\temp\10e2e4a7f16b729bfaa9630c1146569f_jaffacakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\tfppail.exe | "C:\Users\Admin\AppData\Local\Temp\tfppail.exe" "-c:\users\admin\appdata\local\temp\10e2e4a7f16b729bfaa9630c1146569f_jaffacakes118.exe" |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2904,i,17325488789339133686,9539570259395798500,262144 --variations-seed-version --mojo-platform-channel-handle=1296 /prefetch:8 |
| C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | "C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe" "c:\users\admin\appdata\local\temp\10e2e4a7f16b729bfaa9630c1146569f_jaffacakes118.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | 79.223.19.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | 92.207.27.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | 56.74.21.104.in-addr.arpa | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| HK | 103.235.47.188:80 | www.baidu.com | tcp |
| BG | 77.77.47.140:37401 | | tcp |
| US | 8.8.8.8:53 | vsdgddzap.org | udp |
| US | 162.249.65.164:80 | vsdgddzap.org | tcp |
| US | 8.8.8.8:53 | 188.47.235.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | czuaxrjwz.info | udp |
| US | 8.8.8.8:53 | jpohvi.info | udp |
| US | 8.8.8.8:53 | ykqitdlzoafl.info | udp |
| US | 8.8.8.8:53 | kwhfqnnejec.info | udp |
| US | 34.211.97.45:80 | kwhfqnnejec.info | tcp |
| US | 8.8.8.8:53 | wciccoaqgywi.org | udp |
| US | 8.8.8.8:53 | nechuv.net | udp |
| US | 8.8.8.8:53 | nohmaysdqlnm.info | udp |
| US | 8.8.8.8:53 | aoieqa.org | udp |
| US | 8.8.8.8:53 | 45.97.211.34.in-addr.arpa | udp |
| IE | 92.251.196.67:17384 | | tcp |
| US | 8.8.8.8:53 | tumezwbjaz.net | udp |
| US | 8.8.8.8:53 | zkmgpbhgj.com | udp |
| US | 8.8.8.8:53 | uipqwsmpjgh.net | udp |
| US | 8.8.8.8:53 | eomqiyui.org | udp |
| US | 162.249.65.164:80 | eomqiyui.org | tcp |
| US | 8.8.8.8:53 | mkbwfgfja.info | udp |
| US | 8.8.8.8:53 | prdtgxaz.info | udp |
| US | 8.8.8.8:53 | retvxe.net | udp |
| US | 8.8.8.8:53 | fcterrg.net | udp |
| US | 8.8.8.8:53 | jkvaba.net | udp |
| US | 8.8.8.8:53 | uimescouwmsm.com | udp |
| US | 8.8.8.8:53 | hazzthxrziyh.net | udp |
| US | 8.8.8.8:53 | lebcyqd.com | udp |
| US | 8.8.8.8:53 | wckioakwsu.org | udp |
| US | 8.8.8.8:53 | mowyegya.org | udp |
| US | 8.8.8.8:53 | tknysgkzt.net | udp |
| US | 8.8.8.8:53 | gfpinqbmbmx.info | udp |
| US | 8.8.8.8:53 | hbywrbnrjgrc.net | udp |
| US | 8.8.8.8:53 | wdqzak.info | udp |
| US | 8.8.8.8:53 | jawzfnq.org | udp |
| US | 162.249.65.164:80 | jawzfnq.org | tcp |
| BG | 95.87.198.136:27153 | | tcp |
| US | 8.8.8.8:53 | mahkshj.info | udp |
| US | 8.8.8.8:53 | ceoawsgi.org | udp |
| US | 8.8.8.8:53 | ngodfstltvni.net | udp |
| US | 8.8.8.8:53 | wiqoaqmaayqs.org | udp |
| US | 8.8.8.8:53 | guxujsy.info | udp |
| US | 8.8.8.8:53 | ikzszjxmq.info | udp |
| US | 208.100.26.245:80 | ikzszjxmq.info | tcp |
| US | 8.8.8.8:53 | mgdozpxkn.net | udp |
| US | 8.8.8.8:53 | cmdifezujkr.info | udp |
| US | 8.8.8.8:53 | qkbonwbfvup.net | udp |
| US | 8.8.8.8:53 | wywvyk.info | udp |
| US | 8.8.8.8:53 | hkzpou.net | udp |
| US | 8.8.8.8:53 | zxnatqlcynt.net | udp |
| US | 8.8.8.8:53 | nibgvqqbg.net | udp |
| US | 8.8.8.8:53 | fehhbmeyim.net | udp |
| US | 8.8.8.8:53 | dcsepizll.info | udp |
| US | 8.8.8.8:53 | ykkmmsoi.org | udp |
| US | 8.8.8.8:53 | mskiumkecmce.org | udp |
| US | 8.8.8.8:53 | bfnkdfbtnuch.info | udp |
| US | 8.8.8.8:53 | kgwfhsfg.net | udp |
| US | 8.8.8.8:53 | bynkxn.net | udp |
| US | 8.8.8.8:53 | bsqotgivphh.org | udp |
| US | 8.8.8.8:53 | hswepwt.com | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | psgcvgr.net | udp |
| US | 8.8.8.8:53 | bktmnxjujuh.info | udp |
| US | 8.8.8.8:53 | fphezgrudwy.com | udp |
| US | 8.8.8.8:53 | yvrnagjc.info | udp |
| US | 8.8.8.8:53 | atierp.info | udp |
| US | 8.8.8.8:53 | rktqewv.com | udp |
| US | 8.8.8.8:53 | cktstug.net | udp |
| US | 8.8.8.8:53 | fmllrsnh.info | udp |
| US | 8.8.8.8:53 | gcjcpcv.net | udp |
| US | 8.8.8.8:53 | cgioigqcyk.com | udp |
| US | 8.8.8.8:53 | fcbghgzuhfd.net | udp |
| US | 8.8.8.8:53 | jydnupwk.net | udp |
| US | 8.8.8.8:53 | bkbqosd.org | udp |
| US | 8.8.8.8:53 | bnvmvujbf.com | udp |
| US | 8.8.8.8:53 | hmjyzgfadan.net | udp |
| US | 8.8.8.8:53 | yenhhbn.info | udp |
| US | 8.8.8.8:53 | elnwxj.info | udp |
| US | 8.8.8.8:53 | lzzqgigv.info | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qkvarwtkpmi.info | udp |
| US | 8.8.8.8:53 | lriyqqd.com | udp |
| US | 8.8.8.8:53 | yuemqo.org | udp |
| US | 8.8.8.8:53 | fmjldgh.info | udp |
| US | 8.8.8.8:53 | wqnwbmrdh.info | udp |
| US | 8.8.8.8:53 | ostdxxh.info | udp |
| US | 8.8.8.8:53 | aakpyygkspxf.info | udp |
| US | 8.8.8.8:53 | misasuzsp.net | udp |
| US | 8.8.8.8:53 | qeatvxdoucf.info | udp |
| US | 8.8.8.8:53 | nbsqtv.info | udp |
| US | 8.8.8.8:53 | ashmtyrlb.info | udp |
| US | 8.8.8.8:53 | cgeqrpjejzug.info | udp |
| US | 8.8.8.8:53 | kexabpklup.net | udp |
| US | 8.8.8.8:53 | ruympenybac.info | udp |
| US | 8.8.8.8:53 | oocgwu.org | udp |
| US | 162.249.65.164:80 | oocgwu.org | tcp |
| LT | 78.62.180.134:28865 | | tcp |
| US | 8.8.8.8:53 | ywjgnaz.net | udp |
| US | 8.8.8.8:53 | xsqsbw.info | udp |
| US | 8.8.8.8:53 | dyhqdnradr.info | udp |
| US | 8.8.8.8:53 | pzeibgmqtiy.com | udp |
| US | 8.8.8.8:53 | ppfspir.net | udp |
| US | 8.8.8.8:53 | rmbzvoskrbt.org | udp |
| US | 8.8.8.8:53 | mebzfgl.net | udp |
| US | 8.8.8.8:53 | zoiktio.net | udp |
| US | 8.8.8.8:53 | qeykgznjofov.net | udp |
| US | 8.8.8.8:53 | xkcepmhcc.org | udp |
| US | 8.8.8.8:53 | ztuuvewk.info | udp |
| US | 8.8.8.8:53 | gqhggzzsso.net | udp |
| US | 8.8.8.8:53 | tanuxkhcugs.net | udp |
| US | 8.8.8.8:53 | mmaygygsiiwo.org | udp |
| US | 8.8.8.8:53 | maihbinhfbnf.info | udp |
| US | 8.8.8.8:53 | wrurbikhe.net | udp |
| US | 8.8.8.8:53 | xoygdbaqf.net | udp |
| US | 8.8.8.8:53 | ifbuuucojssb.info | udp |
| US | 8.8.8.8:53 | vetbckh.net | udp |
| US | 8.8.8.8:53 | narmbyptrnb.info | udp |
| US | 8.8.8.8:53 | twvyrobjhur.org | udp |
| US | 162.249.65.164:80 | twvyrobjhur.org | tcp |
| LT | 78.62.234.73:14384 | | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | smccjmjcfki.net | udp |
| US | 8.8.8.8:53 | wfkoosj.info | udp |
| US | 8.8.8.8:53 | bswzaji.info | udp |
| US | 8.8.8.8:53 | nomvmt.net | udp |
| US | 8.8.8.8:53 | tpxkao.net | udp |
| US | 8.8.8.8:53 | uggascemos.org | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 162.249.65.164:80 | uggascemos.org | tcp |
| US | 8.8.8.8:53 | ghzsfps.net | udp |
| US | 8.8.8.8:53 | rvkudwamt.info | udp |
| US | 8.8.8.8:53 | qahdxtmcddb.info | udp |
| US | 8.8.8.8:53 | azwzvzkuvl.net | udp |
| US | 8.8.8.8:53 | ssumtm.info | udp |
| US | 8.8.8.8:53 | bilscbgutyf.com | udp |
| US | 8.8.8.8:53 | qszmjmvrkmd.net | udp |
| US | 8.8.8.8:53 | haimrtkp.info | udp |
| US | 8.8.8.8:53 | hyottqfwzub.info | udp |
| US | 89.117.21.117:45245 | | tcp |
| US | 8.8.8.8:53 | qzwehqy.info | udp |
| US | 8.8.8.8:53 | eppizju.info | udp |
| US | 8.8.8.8:53 | giioceskecgw.com | udp |
| US | 8.8.8.8:53 | xpustd.info | udp |
| US | 8.8.8.8:53 | bgbtfyrujy.net | udp |
| US | 8.8.8.8:53 | dbvyftictgas.net | udp |
| US | 8.8.8.8:53 | cxvpmijmjz.info | udp |
| US | 8.8.8.8:53 | niytwdcltppi.net | udp |
| US | 8.8.8.8:53 | zjswuwos.info | udp |
| US | 8.8.8.8:53 | nqfozsnnji.info | udp |
| US | 8.8.8.8:53 | kojxtgf.net | udp |
| US | 8.8.8.8:53 | cqerrsddcncp.net | udp |
| US | 8.8.8.8:53 | wkhsvnlbjmb.info | udp |
| US | 8.8.8.8:53 | jmzchqpks.info | udp |
| US | 8.8.8.8:53 | oxcwiskrzisj.info | udp |
| US | 8.8.8.8:53 | xuvsjinhp.com | udp |
| US | 8.8.8.8:53 | xyveoyl.org | udp |
| US | 8.8.8.8:53 | dlqzwhks.net | udp |
| US | 8.8.8.8:53 | twronanbl.org | udp |
| US | 8.8.8.8:53 | hsolelxe.net | udp |
| US | 8.8.8.8:53 | linyrahgjztb.net | udp |
| US | 8.8.8.8:53 | exlbpob.info | udp |
| US | 8.8.8.8:53 | pstaspkmecrv.info | udp |
| US | 8.8.8.8:53 | oqkemiiy.org | udp |
| US | 8.8.8.8:53 | scyssywk.org | udp |
| MD | 89.28.90.76:13273 | | tcp |
| US | 162.249.65.164:80 | scyssywk.org | tcp |
| US | 8.8.8.8:53 | dchkravomgvz.net | udp |
| US | 8.8.8.8:53 | yjlohkjvbef.net | udp |
| US | 8.8.8.8:53 | hupytxy.net | udp |
| US | 8.8.8.8:53 | nmjgoicyy.org | udp |
| US | 8.8.8.8:53 | ywqggoak.org | udp |
| US | 8.8.8.8:53 | tjlalwx.com | udp |
| US | 8.8.8.8:53 | bqpxmumwcea.net | udp |
| US | 8.8.8.8:53 | lvpicxnk.info | udp |
| US | 8.8.8.8:53 | tvfsnu.net | udp |
| US | 8.8.8.8:53 | hnatzywd.info | udp |
| US | 8.8.8.8:53 | sgcqqwasosqi.com | udp |
| US | 8.8.8.8:53 | nyexzeu.net | udp |
| US | 8.8.8.8:53 | sawioiusmyeo.com | udp |
| US | 8.8.8.8:53 | ksjojeycamv.net | udp |
| US | 8.8.8.8:53 | xfbckregdhtv.info | udp |
| US | 8.8.8.8:53 | kwgcyk.com | udp |
| US | 8.8.8.8:53 | vwfutlg.info | udp |
| US | 8.8.8.8:53 | yglihwjhorm.info | udp |
| US | 8.8.8.8:53 | vydmzunvhhnw.info | udp |
| US | 8.8.8.8:53 | vhlaeegl.info | udp |
| US | 8.8.8.8:53 | msusugqq.com | udp |
| US | 8.8.8.8:53 | tayddxqraiej.net | udp |
| US | 8.8.8.8:53 | uyuwgmyo.com | udp |
| US | 8.8.8.8:53 | vzuads.info | udp |
| US | 8.8.8.8:53 | vovshqno.net | udp |
| US | 8.8.8.8:53 | iaqccq.com | udp |
| US | 8.8.8.8:53 | ewzuphyig.net | udp |
| US | 8.8.8.8:53 | fgzenab.info | udp |
| US | 8.8.8.8:53 | zswpbpbmna.net | udp |
| US | 8.8.8.8:53 | ucrszfzf.info | udp |
| US | 8.8.8.8:53 | xapkxlxc.info | udp |
| US | 8.8.8.8:53 | qadfsqv.net | udp |
| US | 8.8.8.8:53 | xotuoivmx.com | udp |
| US | 8.8.8.8:53 | egroraxatel.net | udp |
| US | 8.8.8.8:53 | kmqwcsao.org | udp |
| US | 8.8.8.8:53 | udhmlbuqpa.info | udp |
| US | 8.8.8.8:53 | pftymldotwz.org | udp |
| US | 8.8.8.8:53 | jzidjlva.net | udp |
| US | 8.8.8.8:53 | efochgzyukl.net | udp |
| US | 8.8.8.8:53 | dnvzbf.info | udp |
| US | 8.8.8.8:53 | ikgsoe.com | udp |
| US | 8.8.8.8:53 | qqqazklgr.net | udp |
| RU | 178.66.148.50:44613 | | tcp |
| US | 8.8.8.8:53 | ypyuoitqoa.info | udp |
| US | 8.8.8.8:53 | fenwpqgfagp.info | udp |
| US | 8.8.8.8:53 | saojqqztqqev.info | udp |
| US | 8.8.8.8:53 | ljjbekvgppwh.info | udp |
| US | 8.8.8.8:53 | wcwjlkd.info | udp |
| US | 8.8.8.8:53 | ttqdczzgdjoa.info | udp |
| US | 8.8.8.8:53 | wiumcssoiawa.com | udp |
| US | 8.8.8.8:53 | nbdyxnobgc.info | udp |
| US | 8.8.8.8:53 | jkudqejzfc.net | udp |
| US | 8.8.8.8:53 | jikibrqb.info | udp |
| US | 8.8.8.8:53 | cknojmbsf.info | udp |
| US | 8.8.8.8:53 | kcporryn.net | udp |
| US | 8.8.8.8:53 | hehhrajvzzty.net | udp |
| US | 8.8.8.8:53 | gsmysyusyu.com | udp |
| US | 8.8.8.8:53 | zxdcpam.info | udp |
| US | 8.8.8.8:53 | nkedlfdqzu.net | udp |
| US | 8.8.8.8:53 | yguegaeseige.com | udp |
| US | 8.8.8.8:53 | nurtzuf.com | udp |
| US | 8.8.8.8:53 | hcpexgl.net | udp |
| US | 8.8.8.8:53 | bqnqljllbyn.com | udp |
| US | 8.8.8.8:53 | vzrawxycib.info | udp |
| US | 8.8.8.8:53 | pxiyqljef.org | udp |
| US | 8.8.8.8:53 | kaqawaueascs.com | udp |
| US | 8.8.8.8:53 | jojcpqbg.net | udp |
| US | 8.8.8.8:53 | rkhunwg.com | udp |
| US | 8.8.8.8:53 | qldnfd.net | udp |
| US | 8.8.8.8:53 | wuihibpv.net | udp |
| US | 8.8.8.8:53 | hlvfmaepom.net | udp |
| US | 8.8.8.8:53 | kiacqceaaaky.com | udp |
| US | 8.8.8.8:53 | rgmumlutry.net | udp |
| US | 8.8.8.8:53 | exfrbbbwjctj.net | udp |
| US | 8.8.8.8:53 | ffujrsnlpioe.info | udp |
| US | 8.8.8.8:53 | akridp.info | udp |
| US | 8.8.8.8:53 | cyzafyx.net | udp |
| US | 8.8.8.8:53 | kgwkzwnuv.info | udp |
| US | 8.8.8.8:53 | hmskewbfw.net | udp |
| US | 8.8.8.8:53 | jcfavurdlf.info | udp |
| US | 8.8.8.8:53 | amwnskjef.info | udp |
| US | 8.8.8.8:53 | uebrlepe.info | udp |
| US | 8.8.8.8:53 | uizdqbrrdiso.info | udp |
| US | 8.8.8.8:53 | zrkholzwximd.net | udp |
| US | 8.8.8.8:53 | gmseoaao.com | udp |
| US | 8.8.8.8:53 | fojjzxdwvqg.net | udp |
| US | 8.8.8.8:53 | lqzsttjmupr.org | udp |
| US | 8.8.8.8:53 | wnzshgnguffc.net | udp |
| US | 8.8.8.8:53 | nnkapwjgdgw.com | udp |
| US | 8.8.8.8:53 | rgukqurny.org | udp |
| US | 8.8.8.8:53 | ipiytt.info | udp |
| US | 8.8.8.8:53 | pxjfrwzcyvx.org | udp |
| US | 8.8.8.8:53 | rudfxcjvcd.net | udp |
| US | 8.8.8.8:53 | pojwyl.info | udp |
| US | 8.8.8.8:53 | qbocfslapf.info | udp |
| US | 8.8.8.8:53 | cjrsdgmijgn.net | udp |
| US | 8.8.8.8:53 | ulbdikbwhf.info | udp |
| US | 8.8.8.8:53 | bqhynkf.net | udp |
| US | 8.8.8.8:53 | egtyronwtqd.info | udp |
| US | 8.8.8.8:53 | tglikq.net | udp |
| US | 8.8.8.8:53 | ekeuosqigoeq.com | udp |
| US | 8.8.8.8:53 | gnsufj.info | udp |
| US | 8.8.8.8:53 | vivqnsmxqgp.net | udp |
| US | 8.8.8.8:53 | wbudud.info | udp |
| US | 8.8.8.8:53 | xcaxujvtnm.net | udp |
| US | 8.8.8.8:53 | tsjlatxlzhn.info | udp |
| US | 8.8.8.8:53 | ywyksm.com | udp |
| US | 8.8.8.8:53 | cuocaaeiog.com | udp |
| US | 8.8.8.8:53 | qsbltorcthr.net | udp |
| US | 8.8.8.8:53 | dlwuxyqohgd.org | udp |
| US | 8.8.8.8:53 | mwawsoweaa.org | udp |
| US | 8.8.8.8:53 | xizgvuz.com | udp |
| US | 8.8.8.8:53 | shvehdrsc.net | udp |
| US | 8.8.8.8:53 | fuwzhttfql.info | udp |
| US | 8.8.8.8:53 | phnudeukzyu.com | udp |
| US | 8.8.8.8:53 | jcxcwolq.info | udp |
| US | 8.8.8.8:53 | bybkbpjlnf.net | udp |
| US | 8.8.8.8:53 | bshorya.net | udp |
| US | 8.8.8.8:53 | efnwzram.info | udp |
| US | 8.8.8.8:53 | keztjb.info | udp |
| US | 8.8.8.8:53 | pmkdbuhgsup.com | udp |
| US | 8.8.8.8:53 | cgpetec.net | udp |
| US | 8.8.8.8:53 | voakfar.com | udp |
| US | 8.8.8.8:53 | wobxezdp.info | udp |
| US | 8.8.8.8:53 | kwqyjpzqpqp.info | udp |
| US | 8.8.8.8:53 | kxqftntrfv.info | udp |
| US | 8.8.8.8:53 | vzzivev.org | udp |
| BG | 212.233.247.52:39538 | | tcp |
| US | 8.8.8.8:53 | pmwuhnhkb.com | udp |
| US | 8.8.8.8:53 | auowmaggsumq.org | udp |
| US | 162.249.65.164:80 | auowmaggsumq.org | tcp |
| US | 8.8.8.8:53 | gqmegmwimiyk.com | udp |
| US | 8.8.8.8:53 | nqjfwuadxx.net | udp |
| US | 8.8.8.8:53 | kpvnkzumlf.net | udp |
| US | 8.8.8.8:53 | erqhyxcf.net | udp |
| US | 8.8.8.8:53 | yoeuoiak.org | udp |
| US | 8.8.8.8:53 | jraaeq.net | udp |
| US | 8.8.8.8:53 | btxwcpkrxkte.net | udp |
| US | 8.8.8.8:53 | rxnsvfyoss.net | udp |
| US | 8.8.8.8:53 | vchkrzdyzum.org | udp |
| BG | 85.196.180.26:32446 | | tcp |
| US | 8.8.8.8:53 | bnuczivueor.net | udp |
| US | 8.8.8.8:53 | hvszyg.info | udp |
| US | 8.8.8.8:53 | wtkucqxo.net | udp |
| US | 8.8.8.8:53 | swvytsb.net | udp |
| US | 8.8.8.8:53 | npupnd.info | udp |
| US | 8.8.8.8:53 | kquagkym.com | udp |
| US | 8.8.8.8:53 | igjcav.info | udp |
| US | 8.8.8.8:53 | mwbhbki.info | udp |
| US | 8.8.8.8:53 | lkzkmkv.net | udp |
| US | 8.8.8.8:53 | fogvtnlnwy.net | udp |
| US | 8.8.8.8:53 | vwwmxlvmw.com | udp |
| US | 8.8.8.8:53 | oyiasswi.org | udp |
| US | 8.8.8.8:53 | kiixvivcp.net | udp |
| US | 8.8.8.8:53 | kfekbulrl.info | udp |
| US | 8.8.8.8:53 | swkynladvvv.net | udp |
| US | 8.8.8.8:53 | hhlorggcrlgx.net | udp |
| US | 8.8.8.8:53 | xiindgbplq.net | udp |
| US | 8.8.8.8:53 | qtgswqugxbj.info | udp |
| US | 8.8.8.8:53 | oqyegm.org | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 162.249.65.164:80 | oqyegm.org | tcp |
| US | 8.8.8.8:53 | pwzhlngxfevm.net | udp |
| US | 8.8.8.8:53 | fgnmhy.net | udp |
| US | 8.8.8.8:53 | kttutm.net | udp |
| US | 8.8.8.8:53 | noxgpzp.com | udp |
| US | 8.8.8.8:53 | hdnzfdixwlms.info | udp |
| US | 8.8.8.8:53 | wmpbaorgoct.net | udp |
| US | 8.8.8.8:53 | bxdmnmkvhnx.org | udp |
| US | 8.8.8.8:53 | ccumqokuuy.org | udp |
| US | 8.8.8.8:53 | osuqasmwkega.com | udp |
| US | 8.8.8.8:53 | hiewuplllxj.info | udp |
| US | 8.8.8.8:53 | oknmhblefkl.net | udp |
| US | 8.8.8.8:53 | nmokuqame.com | udp |
| US | 8.8.8.8:53 | hdvhofid.net | udp |
| US | 8.8.8.8:53 | fbngnogngcuy.info | udp |
| US | 8.8.8.8:53 | bgnmbpnkxfco.info | udp |
| US | 8.8.8.8:53 | dyrrlkpgb.net | udp |
| US | 8.8.8.8:53 | zanatel.org | udp |
| US | 8.8.8.8:53 | dggcvax.net | udp |
| US | 8.8.8.8:53 | lhlnamefxcr.com | udp |
| US | 8.8.8.8:53 | iajnsm.net | udp |
| US | 8.8.8.8:53 | wwyquaqkmmms.com | udp |
| US | 8.8.8.8:53 | jjxkovro.info | udp |
| US | 8.8.8.8:53 | qausokkaik.org | udp |
| US | 8.8.8.8:53 | hqumvpfmmyn.net | udp |
| US | 8.8.8.8:53 | pwygpj.net | udp |
| US | 8.8.8.8:53 | mwkyisww.com | udp |
| US | 8.8.8.8:53 | cmaqegqw.com | udp |
| US | 8.8.8.8:53 | hkzfbe.net | udp |
| US | 8.8.8.8:53 | idvimxz.net | udp |
| US | 8.8.8.8:53 | xmxlrx.info | udp |
| US | 8.8.8.8:53 | ucouuikk.com | udp |
| US | 8.8.8.8:53 | fjrdep.net | udp |
| US | 8.8.8.8:53 | tchximlbdye.info | udp |
| US | 8.8.8.8:53 | dqjfyu.info | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | ukuyuq.com | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cmtojk.net | udp |
| US | 8.8.8.8:53 | euqxydatxn.net | udp |
| US | 8.8.8.8:53 | rihfigppyj.info | udp |
| US | 8.8.8.8:53 | vabhhpvsz.net | udp |
| US | 8.8.8.8:53 | cjkrba.net | udp |
| US | 8.8.8.8:53 | arjzgfodkifw.net | udp |
| US | 8.8.8.8:53 | xxprnu.net | udp |
| US | 8.8.8.8:53 | fwlkoinehjn.net | udp |
| US | 8.8.8.8:53 | rghovmigp.info | udp |
| US | 8.8.8.8:53 | drhdjqvr.info | udp |
| US | 8.8.8.8:53 | ebfnuehzhb.info | udp |
| US | 8.8.8.8:53 | dmiiag.info | udp |
| US | 8.8.8.8:53 | ibxkaftwjf.info | udp |
| US | 8.8.8.8:53 | skbatzjqbafv.net | udp |
| US | 8.8.8.8:53 | uoaowymwmu.com | udp |
| US | 8.8.8.8:53 | iwiysnzonxp.info | udp |
| US | 8.8.8.8:53 | lwldae.net | udp |
| US | 8.8.8.8:53 | fmvoxjg.net | udp |
| US | 8.8.8.8:53 | samcmuoimuwc.com | udp |
| US | 8.8.8.8:53 | fapmez.net | udp |
| US | 8.8.8.8:53 | fmpgtlnr.net | udp |
| US | 8.8.8.8:53 | thtfdihgtya.com | udp |
| US | 8.8.8.8:53 | hubwfjfszn.net | udp |
| US | 8.8.8.8:53 | wugugsqoiekw.org | udp |
| US | 8.8.8.8:53 | aeiyhuj.info | udp |
| US | 8.8.8.8:53 | dwvohi.info | udp |
| US | 8.8.8.8:53 | hgxgrek.info | udp |
| US | 8.8.8.8:53 | zixwrjjcr.org | udp |
| US | 8.8.8.8:53 | jzpstujndqzn.net | udp |
| US | 8.8.8.8:53 | sumgemgwem.com | udp |
| US | 8.8.8.8:53 | gkwuccsw.com | udp |
| US | 8.8.8.8:53 | cfbgfclmu.info | udp |
| US | 8.8.8.8:53 | jfiroxpq.net | udp |
| US | 8.8.8.8:53 | xwgzfhwt.info | udp |
| US | 8.8.8.8:53 | kqcouayqqo.org | udp |
| US | 8.8.8.8:53 | tjhabtt.info | udp |
| US | 8.8.8.8:53 | ycqkmsl.info | udp |
| US | 8.8.8.8:53 | qjuogr.info | udp |
| US | 8.8.8.8:53 | jaktktbzcd.info | udp |
| US | 8.8.8.8:53 | yigttjzexac.info | udp |
| US | 8.8.8.8:53 | ydrbnsdovub.info | udp |
| US | 8.8.8.8:53 | pfveuyfezshg.info | udp |
| US | 8.8.8.8:53 | moukjezcbfq.info | udp |
| US | 8.8.8.8:53 | mpzepeeifsj.net | udp |
| US | 8.8.8.8:53 | fyprxtisjsf.net | udp |
| US | 8.8.8.8:53 | matcxqpsx.net | udp |
| US | 8.8.8.8:53 | valkehh.info | udp |
| US | 8.8.8.8:53 | miiaoqckyk.com | udp |
| US | 8.8.8.8:53 | txsatkxkh.net | udp |
| US | 8.8.8.8:53 | xsfvby.net | udp |
| US | 8.8.8.8:53 | gymosoeuse.com | udp |
| US | 8.8.8.8:53 | eelbdcuyxer.net | udp |
| US | 8.8.8.8:53 | igcuequq.com | udp |
| US | 8.8.8.8:53 | jdccsrfyfqo.net | udp |
| US | 8.8.8.8:53 | ulcxrl.info | udp |
| US | 8.8.8.8:53 | qqqcoscyie.com | udp |
| US | 8.8.8.8:53 | hipcvavdnnj.org | udp |
| US | 8.8.8.8:53 | mkysowqc.com | udp |
| US | 8.8.8.8:53 | uzeisptacdzd.info | udp |
| US | 8.8.8.8:53 | vkruxzcgeor.net | udp |
| US | 8.8.8.8:53 | dabsfkf.org | udp |
| US | 8.8.8.8:53 | yuzulkteh.net | udp |
| US | 8.8.8.8:53 | dpzepnwnudlt.net | udp |
| US | 8.8.8.8:53 | lmiixwl.info | udp |
| US | 8.8.8.8:53 | ckfmxrngl.net | udp |
| US | 8.8.8.8:53 | fgjgzxa.com | udp |
| US | 8.8.8.8:53 | usqayacwag.com | udp |
| US | 8.8.8.8:53 | loftqx.info | udp |
| US | 8.8.8.8:53 | dudplt.net | udp |
| US | 8.8.8.8:53 | ouyijet.net | udp |
| US | 8.8.8.8:53 | inagoxllds.net | udp |
| US | 8.8.8.8:53 | suisoowrjvra.info | udp |
| US | 8.8.8.8:53 | gczvcwbiq.net | udp |
| US | 8.8.8.8:53 | cjleudnxfzvs.info | udp |
| US | 8.8.8.8:53 | lllgdvqupifn.net | udp |
| US | 8.8.8.8:53 | sbnwmhdd.info | udp |
| US | 8.8.8.8:53 | jrhydkecl.net | udp |
| US | 8.8.8.8:53 | etvmxvwnwph.info | udp |
| US | 8.8.8.8:53 | oscisooagmou.com | udp |
| US | 8.8.8.8:53 | icyiyaiu.com | udp |
| US | 8.8.8.8:53 | zqgctaon.info | udp |
| US | 8.8.8.8:53 | lezwtrnowjl.info | udp |
| US | 8.8.8.8:53 | wtcpgp.net | udp |
| US | 8.8.8.8:53 | qkiiaiaayeae.com | udp |
| US | 8.8.8.8:53 | vesyuca.net | udp |
| US | 8.8.8.8:53 | kmhgnyzat.net | udp |
| US | 8.8.8.8:53 | yfjevzzf.net | udp |
| US | 8.8.8.8:53 | jgzeqrhze.info | udp |
| US | 8.8.8.8:53 | nibrxmb.com | udp |
| US | 8.8.8.8:53 | jaysblh.net | udp |
| US | 8.8.8.8:53 | jlkxbpfz.info | udp |
| US | 8.8.8.8:53 | zzfdhwyk.net | udp |
| US | 8.8.8.8:53 | riqtkb.info | udp |
| US | 8.8.8.8:53 | yurcavko.info | udp |
| US | 8.8.8.8:53 | akellwrbyf.info | udp |
| US | 8.8.8.8:53 | ihwgbnn.net | udp |
| US | 8.8.8.8:53 | skfkrrjzgrrb.info | udp |
| US | 8.8.8.8:53 | afcdrlusoqxp.info | udp |
| US | 8.8.8.8:53 | kzucrldmwhip.info | udp |
| US | 8.8.8.8:53 | kyfvuuhqsk.net | udp |
| US | 8.8.8.8:53 | qilibwzch.net | udp |
| US | 8.8.8.8:53 | reievzj.org | udp |
| US | 8.8.8.8:53 | kefujkm.net | udp |
| US | 8.8.8.8:53 | ramdcrnrfeef.info | udp |
| US | 8.8.8.8:53 | vrbryihz.info | udp |
| US | 8.8.8.8:53 | uwqhdkp.info | udp |
| US | 8.8.8.8:53 | xusuahgmdjxv.net | udp |
| US | 8.8.8.8:53 | yckellczvq.net | udp |
| US | 8.8.8.8:53 | yxlcbuil.net | udp |
| US | 8.8.8.8:53 | otoyfsmfdbb.net | udp |
| US | 8.8.8.8:53 | wvnxwtgs.info | udp |
| US | 8.8.8.8:53 | rvhelwy.net | udp |
| US | 8.8.8.8:53 | godojuv.net | udp |
| US | 8.8.8.8:53 | eyceeqeo.org | udp |
| US | 8.8.8.8:53 | gqqeamwkgm.com | udp |
| US | 8.8.8.8:53 | csfprf.net | udp |
| US | 8.8.8.8:53 | hujnckw.info | udp |
| US | 8.8.8.8:53 | pwwleb.info | udp |
| LT | 88.222.178.132:29284 | | tcp |
| US | 8.8.8.8:53 | ryoytgjii.com | udp |
| US | 8.8.8.8:53 | vxyettrklkij.info | udp |
| US | 8.8.8.8:53 | yvcbvi.info | udp |
| US | 8.8.8.8:53 | ngjbbcwxd.net | udp |
| US | 8.8.8.8:53 | tswlzdfbjjgt.info | udp |
| US | 8.8.8.8:53 | ziiwdb.info | udp |
| US | 8.8.8.8:53 | wmskoyiwckcc.com | udp |
| US | 8.8.8.8:53 | qbkmkfhqr.net | udp |
| US | 8.8.8.8:53 | vjlkfav.info | udp |
| US | 8.8.8.8:53 | uybfjppqbwi.net | udp |
| US | 8.8.8.8:53 | qkyeky.com | udp |
| US | 8.8.8.8:53 | csyckcwigawi.org | udp |
| US | 8.8.8.8:53 | ugftcdjn.net | udp |
| US | 8.8.8.8:53 | yqsulei.info | udp |
| US | 8.8.8.8:53 | psiivqnwwln.com | udp |
| US | 8.8.8.8:53 | vwvztrxonx.info | udp |
| US | 8.8.8.8:53 | pspyymcuzx.net | udp |
| US | 8.8.8.8:53 | vqetvpzbzkav.info | udp |
| US | 8.8.8.8:53 | gwumgkswsk.com | udp |
| US | 8.8.8.8:53 | tnxarya.net | udp |
| US | 8.8.8.8:53 | uiicsqiumksq.org | udp |
| US | 8.8.8.8:53 | tfevbshoab.net | udp |
| US | 8.8.8.8:53 | gynchtukx.info | udp |
| US | 8.8.8.8:53 | ukygcoimyk.org | udp |
| US | 8.8.8.8:53 | hbalfcbztj.info | udp |
| US | 8.8.8.8:53 | iygasxojrc.net | udp |
| US | 8.8.8.8:53 | ampqjul.info | udp |
| US | 8.8.8.8:53 | vdudzap.info | udp |
| US | 8.8.8.8:53 | adxshibufkdc.info | udp |
| US | 8.8.8.8:53 | zwxewzlyrqh.com | udp |
| US | 8.8.8.8:53 | egvmdtnyr.info | udp |
| US | 8.8.8.8:53 | yjpnygixyx.net | udp |
| US | 8.8.8.8:53 | wrrpqs.net | udp |
| US | 8.8.8.8:53 | zqcaqqttiikm.info | udp |
| US | 8.8.8.8:53 | bttqrqrpxsjv.info | udp |
| US | 8.8.8.8:53 | uwqrbwysgcqs.info | udp |
| US | 8.8.8.8:53 | zylyqstmdoh.org | udp |
| US | 8.8.8.8:53 | daxunil.org | udp |
| US | 8.8.8.8:53 | tfldcopk.net | udp |
| US | 8.8.8.8:53 | omqxhbhj.net | udp |
| US | 8.8.8.8:53 | euqtjghuym.info | udp |
| US | 8.8.8.8:53 | cgoorgsra.net | udp |
| US | 8.8.8.8:53 | xbqsfj.net | udp |
| US | 8.8.8.8:53 | qwoomgeakcqc.com | udp |
| US | 8.8.8.8:53 | syqcoscyie.com | udp |
| US | 8.8.8.8:53 | thfcjvbjjgyn.net | udp |
| US | 8.8.8.8:53 | ehzkcnld.net | udp |
| US | 8.8.8.8:53 | kdfezybzo.info | udp |
| US | 8.8.8.8:53 | mkfjzhfsclp.info | udp |
| US | 8.8.8.8:53 | uvlvqxyijddu.net | udp |
| US | 8.8.8.8:53 | jrzlnuk.info | udp |
| US | 8.8.8.8:53 | wccouamkso.com | udp |
| US | 8.8.8.8:53 | wdxhaicsckn.info | udp |
| US | 8.8.8.8:53 | xhxgbijljl.info | udp |
| US | 8.8.8.8:53 | wuyiuywggc.com | udp |
| US | 8.8.8.8:53 | hkugnwbst.info | udp |
| LT | 88.216.150.200:23469 | | tcp |
| US | 8.8.8.8:53 | xrbklm.info | udp |
| US | 8.8.8.8:53 | gghgwif.net | udp |
| US | 8.8.8.8:53 | rrplkiaxf.org | udp |
| US | 8.8.8.8:53 | bglmvzxcpb.net | udp |
| US | 8.8.8.8:53 | jvunsxaneq.info | udp |
| US | 8.8.8.8:53 | suicwlhzdsrh.net | udp |
| US | 8.8.8.8:53 | gqsqgqkiqw.com | udp |
| US | 8.8.8.8:53 | gitopjdgb.info | udp |
| US | 8.8.8.8:53 | nujjjhwmtcyu.info | udp |
| US | 8.8.8.8:53 | osfwhjbd.net | udp |
| US | 8.8.8.8:53 | gxufcxlayzbp.net | udp |
| US | 8.8.8.8:53 | xozujmxuonk.net | udp |
| US | 8.8.8.8:53 | icgaagecgk.org | udp |
| US | 8.8.8.8:53 | osfirsowmqo.info | udp |
| US | 8.8.8.8:53 | gdeqnmhralw.info | udp |
| US | 8.8.8.8:53 | bsxttmwrf.info | udp |
| US | 8.8.8.8:53 | catabgehb.info | udp |
| US | 8.8.8.8:53 | jrmkjlciocn.net | udp |
| US | 8.8.8.8:53 | pvqlykfq.net | udp |
| US | 8.8.8.8:53 | hnnsxqjoymc.org | udp |
| US | 8.8.8.8:53 | metztfp.info | udp |
| US | 8.8.8.8:53 | dtdkfhyx.net | udp |
| US | 8.8.8.8:53 | jvcuyszjq.com | udp |
| US | 8.8.8.8:53 | kpybelzvkdkt.net | udp |
| US | 8.8.8.8:53 | wyrqpbqgz.info | udp |
| US | 8.8.8.8:53 | vmihlahazqo.net | udp |
| US | 8.8.8.8:53 | rehaqwq.com | udp |
| US | 8.8.8.8:53 | cwxoncxmla.info | udp |
| US | 8.8.8.8:53 | cofqgl.info | udp |
| US | 8.8.8.8:53 | vqoonhwhl.org | udp |
| US | 8.8.8.8:53 | nsfkeafrtjn.info | udp |
| US | 8.8.8.8:53 | tjpahurkauv.com | udp |
| US | 8.8.8.8:53 | uygwqg.org | udp |
| US | 8.8.8.8:53 | jtpdhst.org | udp |
| US | 162.249.65.164:80 | jtpdhst.org | tcp |
| US | 8.8.8.8:53 | bofdnfzzfmnq.net | udp |
| US | 8.8.8.8:53 | dalfiqdl.net | udp |
| US | 8.8.8.8:53 | bevrzka.net | udp |
| US | 8.8.8.8:53 | bfvbpfllrewl.net | udp |
| US | 8.8.8.8:53 | ebxxxyqzoo.net | udp |
| US | 8.8.8.8:53 | fjxmrh.info | udp |
| LT | 78.62.118.30:24281 | tcp | |
| US | 8.8.8.8:53 | dnjcljakvt.info | udp |
| US | 8.8.8.8:53 | mgeoau.org | udp |
| US | 8.8.8.8:53 | tbrpvoic.net | udp |
| US | 8.8.8.8:53 | zxklkmv.net | udp |
| US | 8.8.8.8:53 | ajvuhnsn.info | udp |
| US | 8.8.8.8:53 | vjlikcg.org | udp |
| US | 8.8.8.8:53 | yvvwtcdubbd.net | udp |
| US | 8.8.8.8:53 | iwjaigphvmz.info | udp |
| US | 8.8.8.8:53 | kasuiyek.com | udp |
| US | 8.8.8.8:53 | uiymqyos.org | udp |
| US | 8.8.8.8:53 | rkwthclcupth.info | udp |
| US | 8.8.8.8:53 | dijuhiharm.info | udp |
| US | 8.8.8.8:53 | rqsmlao.net | udp |
| US | 8.8.8.8:53 | rojwsqumfvt.com | udp |
| US | 8.8.8.8:53 | gcaqcqkkqy.org | udp |
| US | 8.8.8.8:53 | cwxjzsnq.info | udp |
| US | 8.8.8.8:53 | arvpycxyk.info | udp |
| US | 8.8.8.8:53 | yaiwwqauqmom.com | udp |
| US | 8.8.8.8:53 | wkgimklh.info | udp |
| US | 8.8.8.8:53 | kwurft.net | udp |
| US | 8.8.8.8:53 | srclaozvnv.info | udp |
| US | 8.8.8.8:53 | gvdihxf.info | udp |
| US | 8.8.8.8:53 | ilotakteky.net | udp |
| US | 8.8.8.8:53 | razbluvsqqa.net | udp |
| US | 8.8.8.8:53 | nbrdxq.net | udp |
| US | 8.8.8.8:53 | dkcctkyf.info | udp |
| US | 8.8.8.8:53 | mbpwcqlboe.info | udp |
| US | 8.8.8.8:53 | giqssk.org | udp |
| US | 8.8.8.8:53 | lipsxon.net | udp |
| US | 8.8.8.8:53 | jqucrgbpvzl.info | udp |
| US | 8.8.8.8:53 | xutbnuhwx.info | udp |
| US | 8.8.8.8:53 | zjtwdetin.org | udp |
| US | 8.8.8.8:53 | gpzvvimg.net | udp |
| US | 8.8.8.8:53 | nvkegmombev.info | udp |
| US | 8.8.8.8:53 | vwzlbkneb.info | udp |
| US | 8.8.8.8:53 | kyezhtzwcx.info | udp |
| US | 8.8.8.8:53 | zrzbimdx.info | udp |
| US | 8.8.8.8:53 | zdfqxmraf.org | udp |
| US | 162.249.65.164:80 | zdfqxmraf.org | tcp |
| MD | 109.185.174.48:35667 | tcp | |
| US | 8.8.8.8:53 | eawmuqmi.org | udp |
| US | 8.8.8.8:53 | ldbujuuvlfm.org | udp |
| US | 8.8.8.8:53 | njnczdhoj.org | udp |
| US | 8.8.8.8:53 | pmcgqvkadmxu.net | udp |
| US | 8.8.8.8:53 | qmgurgzlqdl.info | udp |
| US | 8.8.8.8:53 | bixsou.info | udp |
| US | 8.8.8.8:53 | bjtysensn.info | udp |
| US | 8.8.8.8:53 | lmngvuryb.org | udp |
| US | 8.8.8.8:53 | skbqiabuo.info | udp |
| US | 8.8.8.8:53 | sgfojomzlgm.info | udp |
| US | 8.8.8.8:53 | omuejyvdsq.info | udp |
| US | 8.8.8.8:53 | ocnxbvt.info | udp |
| US | 8.8.8.8:53 | ofqdimldvyj.net | udp |
| US | 8.8.8.8:53 | qmmaisguis.org | udp |
| US | 8.8.8.8:53 | cieomg.org | udp |
| US | 8.8.8.8:53 | jvmkdb.info | udp |
| US | 8.8.8.8:53 | syimccagmy.org | udp |
| US | 8.8.8.8:53 | faxojokn.info | udp |
| US | 8.8.8.8:53 | jkpjkbvbhx.net | udp |
| US | 8.8.8.8:53 | mynslwkzqam.info | udp |
| US | 8.8.8.8:53 | jllsugp.info | udp |
| US | 8.8.8.8:53 | kyqugqywge.com | udp |
| US | 8.8.8.8:53 | gwzphyn.info | udp |
| US | 8.8.8.8:53 | rghseqv.net | udp |
| US | 8.8.8.8:53 | qoaqeiwcwc.com | udp |
| US | 8.8.8.8:53 | nvedat.info | udp |
| US | 8.8.8.8:53 | jxxmjjlfvykt.info | udp |
| US | 8.8.8.8:53 | gounbviz.info | udp |
| US | 8.8.8.8:53 | sksukyca.com | udp |
| US | 8.8.8.8:53 | yjvcoer.net | udp |
| US | 8.8.8.8:53 | iciaiuykiqcq.com | udp |
| US | 8.8.8.8:53 | gouuqhjjfohz.info | udp |
| US | 8.8.8.8:53 | rgdizgs.com | udp |
| US | 8.8.8.8:53 | caaaigqkmiae.org | udp |
| US | 162.249.65.164:80 | caaaigqkmiae.org | tcp |
| US | 8.8.8.8:53 | fgtoboxmvnx.org | udp |
| US | 8.8.8.8:53 | jwlzfdz.net | udp |
| US | 8.8.8.8:53 | ygtsmap.net | udp |
| US | 8.8.8.8:53 | azzllizgjr.info | udp |
| US | 8.8.8.8:53 | ogbsdypjuwj.net | udp |
| LT | 88.222.196.34:37018 | tcp | |
| US | 8.8.8.8:53 | jhtoyqf.net | udp |
| US | 8.8.8.8:53 | vykifcl.info | udp |
| US | 8.8.8.8:53 | cqqyggkiuick.org | udp |
| US | 8.8.8.8:53 | pdmmllhpgq.info | udp |
| US | 8.8.8.8:53 | mwqskc.com | udp |
| US | 8.8.8.8:53 | weyrtj.net | udp |
| US | 8.8.8.8:53 | bckgrclol.net | udp |
| US | 8.8.8.8:53 | yzfkrwh.net | udp |
| US | 8.8.8.8:53 | lxbeqsvovif.com | udp |
| US | 8.8.8.8:53 | ecmywcyo.org | udp |
| US | 8.8.8.8:53 | ugwkurscxkzq.net | udp |
| US | 8.8.8.8:53 | kzxjhgaeni.net | udp |
| US | 8.8.8.8:53 | prkvgdckok.net | udp |
| US | 8.8.8.8:53 | xklnky.net | udp |
| US | 8.8.8.8:53 | ayiswccwzs.info | udp |
| US | 8.8.8.8:53 | avvhxybqoya.info | udp |
| US | 8.8.8.8:53 | pjsdxmvplgi.info | udp |
| US | 8.8.8.8:53 | geagaiyw.com | udp |
| US | 8.8.8.8:53 | jfzciyx.org | udp |
| US | 162.249.65.164:80 | jfzciyx.org | tcp |
| US | 8.8.8.8:53 | ewgqwo.com | udp |
| US | 8.8.8.8:53 | nmnkazttyj.net | udp |
| US | 8.8.8.8:53 | betbrvvezej.net | udp |
| US | 8.8.8.8:53 | uhglqt.net | udp |
| US | 8.8.8.8:53 | kuljrix.net | udp |
| US | 8.8.8.8:53 | zudmvnd.com | udp |
| US | 8.8.8.8:53 | uokeql.info | udp |
| US | 8.8.8.8:53 | yjdqsuayvwu.net | udp |
| US | 8.8.8.8:53 | sidlvctfcd.net | udp |
| US | 8.8.8.8:53 | gexxlkmcxyz.net | udp |
| US | 8.8.8.8:53 | kvxtfdvofl.info | udp |
| US | 8.8.8.8:53 | gtoyfuhhbye.net | udp |
| US | 8.8.8.8:53 | pcrqltw.info | udp |
| US | 8.8.8.8:53 | htrqxi.net | udp |
| US | 8.8.8.8:53 | cxhpao.info | udp |
| US | 8.8.8.8:53 | mqalxvdnwf.info | udp |
| US | 8.8.8.8:53 | ptwgfwjn.info | udp |
| US | 8.8.8.8:53 | fgeqdapcypf.net | udp |
| US | 8.8.8.8:53 | uexgbhpcvjw.net | udp |
| US | 8.8.8.8:53 | ehwoqrboiogy.net | udp |
| US | 8.8.8.8:53 | ktfokezzjjxo.net | udp |
| US | 8.8.8.8:53 | kvvwrzdyfip.info | udp |
| US | 8.8.8.8:53 | iyogkwiquaqs.org | udp |
| US | 8.8.8.8:53 | bmzdfoks.info | udp |
| US | 8.8.8.8:53 | lpyaid.info | udp |
| US | 8.8.8.8:53 | cebmaioozax.net | udp |
| US | 8.8.8.8:53 | yiicek.com | udp |
| US | 8.8.8.8:53 | usmecwqwes.com | udp |
| US | 8.8.8.8:53 | epviawh.net | udp |
| US | 8.8.8.8:53 | fszbvdzg.net | udp |
| US | 8.8.8.8:53 | tirnpwmcwmd.org | udp |
| US | 8.8.8.8:53 | dildtyhof.info | udp |
| US | 8.8.8.8:53 | vabibbc.info | udp |
| US | 8.8.8.8:53 | asnapiuotwf.net | udp |
| US | 8.8.8.8:53 | bkpkvekvzgd.net | udp |
| US | 8.8.8.8:53 | hwkplz.net | udp |
| US | 8.8.8.8:53 | mesiwmoqwgao.com | udp |
| US | 8.8.8.8:53 | iozedkjmhpz.net | udp |
| US | 8.8.8.8:53 | xfvqmg.info | udp |
| US | 8.8.8.8:53 | kgpmewlau.info | udp |
| US | 8.8.8.8:53 | zusbpnvlif.info | udp |
| US | 8.8.8.8:53 | lcdtoj.info | udp |
| US | 8.8.8.8:53 | bdjouyjaeeb.net | udp |
| US | 8.8.8.8:53 | pldhbwqapxfa.net | udp |
| US | 8.8.8.8:53 | qinzzyctzscv.info | udp |
| MD | 95.65.81.102:36208 | tcp | |
| US | 8.8.8.8:53 | egyjkw.net | udp |
| US | 8.8.8.8:53 | rgdtzur.com | udp |
| US | 8.8.8.8:53 | zmtkywp.org | udp |
| US | 162.249.65.164:80 | zmtkywp.org | tcp |
| US | 8.8.8.8:53 | oxanlcfkvp.info | udp |
| US | 8.8.8.8:53 | zdsfyjey.net | udp |
| US | 8.8.8.8:53 | gxemjsfnq.info | udp |
| US | 8.8.8.8:53 | yycmkq.org | udp |
| US | 8.8.8.8:53 | hozqvimincu.net | udp |
| US | 8.8.8.8:53 | keyaztzoeqx.info | udp |
| US | 8.8.8.8:53 | ubdvzyaw.net | udp |
| US | 8.8.8.8:53 | kghvtk.net | udp |
| US | 8.8.8.8:53 | rrkmwnrm.net | udp |
| US | 8.8.8.8:53 | aweknajbm.net | udp |
| US | 8.8.8.8:53 | nukkjobqd.info | udp |
| US | 8.8.8.8:53 | txfdlgkoejiw.net | udp |
| US | 8.8.8.8:53 | klmljthik.info | udp |
| US | 8.8.8.8:53 | skyuyuyeyk.org | udp |
| US | 8.8.8.8:53 | lxnvcuqjheaw.info | udp |
| US | 8.8.8.8:53 | dzpmjawy.net | udp |
| US | 8.8.8.8:53 | fatiyppe.info | udp |
| US | 8.8.8.8:53 | lerobrcyat.net | udp |
| US | 8.8.8.8:53 | wswmkykgcsok.com | udp |
| US | 8.8.8.8:53 | yceqcskoeg.org | udp |
| US | 162.249.65.164:80 | yceqcskoeg.org | tcp |
| N/A | 94.156.173.174:15087 | tcp |
Files