Malware Analysis Report

2025-03-15 00:57

Sample ID 240626-f8dm9azhqk
Target 10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118
SHA256 c64c2956f4ba62f3cce3478294c318a019be07cedab3c0c5a0ce363ea9ad5bb4
Tags
defense_evasion evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c64c2956f4ba62f3cce3478294c318a019be07cedab3c0c5a0ce363ea9ad5bb4

Threat Level: Known bad

The file 10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion evasion persistence trojan

Modifies WinLogon for persistence

UAC bypass

Disables RegEdit via registry modification

Adds policy Run key to start application

Executes dropped EXE

Checks computer location settings

Impair Defenses: Safe Mode Boot

Loads dropped DLL

Looks up external IP address via web service

Checks whether UAC is enabled

Adds Run key to start application

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

System policy modification

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 05:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 05:32

Reported

2024-06-26 05:34

Platform

win7-20240220-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence

The data written is the stock shell name, and the writer is a 32-bit process whose write landed in the Wow6432Node view of the Winlogon key, which is not the view the 64-bit Winlogon on this x64 guest consults. On its own this write does not change the logon shell; treat it as a tamper indicator and compare Winlogon\Shell and Winlogon\Userinit in both views against their defaults during remediation.

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A

UAC bypass

evasion trojan

Despite the signature name, what is recorded is UAC being switched off through policy, not an elevation bypass: EnableLUA=0 disables UAC (effective after the next reboot), ConsentPromptBehaviorAdmin=0 elevates administrators without any prompt, ConsentPromptBehaviorUser=0 makes elevation requests from standard users fail silently, and PromptOnSecureDesktop=0 takes any remaining prompt off the secure desktop. Writing these HKLM policy values already requires an elevated process, so the dropper was running elevated (the sandbox runs the sample as Admin). Cleanup means restoring the defaults (EnableLUA=1, ConsentPromptBehaviorAdmin=5, ConsentPromptBehaviorUser=3, PromptOnSecureDesktop=1) and rebooting.

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A

Adds policy Run key to start application

persistence

Values under Policies\Explorer\Run are started at logon just like the standard Run key. Two value names, qxakowfp and dhhop, are rewritten again and again with the names of different dropped copies, so only the last write survives on the guest, but a cleanup has to cover every file name listed. Bare names such as "hxjcpgyrmzbcllgdk.exe" carry no path and are located through the executable search path, which is why the same names are also dropped into C:\Windows and C:\Windows\SysWOW64.

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "hxjcpgyrmzbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "qhuocunhdruwghdbju.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxnkbwspoflqdhghsgrlb.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxjcpgyrmzbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "apaseuldxjkksrlh.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "bthcrkezwlpsdfcbkwf.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwsicxtrhmqcfddnakd.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "hxjcpgyrmzbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "apaseuldxjkksrlh.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apaseuldxjkksrlh.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxjcpgyrmzbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxnkbwspoflqdhghsgrlb.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthcrkezwlpsdfcbkwf.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apaseuldxjkksrlh.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "hxjcpgyrmzbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "qhuocunhdruwghdbju.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthcrkezwlpsdfcbkwf.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "dxnkbwspoflqdhghsgrlb.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apaseuldxjkksrlh.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "apaseuldxjkksrlh.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "ohwsicxtrhmqcfddnakd.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwsicxtrhmqcfddnakd.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxjcpgyrmzbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "dxnkbwspoflqdhghsgrlb.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhuocunhdruwghdbju.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "bthcrkezwlpsdfcbkwf.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A

Disables RegEdit via registry modification

evasion

DisableRegistryTools=1 is set in both the user (HKU) and machine (HKLM) policy keys. It only stops regedit.exe from opening; reg.exe, PowerShell and the registry API are unaffected, so the values can still be inspected and reverted from a command prompt. Clear it from both hives.

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion

Removing a service's subkey from SafeBoot\Minimal stops that service from loading when Windows is booted into Safe Mode. Deleting WinDefend keeps Windows Defender out of Safe Mode, and deleting ProfSvc (User Profile Service) and Power can stop a Safe Mode logon from completing, which denies the usual offline cleanup route. Only ControlSet001 is shown; check CurrentControlSet and any other control sets as well.

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A

Adds Run key to start application

persistence

Run (HKLM Wow6432Node view and HKU) and RunOnce are both used. The RunOnce data carries a trailing " ." argument, and RunOnce values are removed by Windows once they have executed, so a live host may show fewer entries than this table. As with the policy Run key, the value names stay fixed (otucek, sdkygsftjrok, hptejscna, bhjsvck, ajoagqbnbh, vflyfqcpelh) while the data rotates through the dropped file names, some as bare names and some as full Temp paths.

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "ohwsicxtrhmqcfddnakd.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajoagqbnbh = "dxnkbwspoflqdhghsgrlb.exe ." C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hptejscna = "hxjcpgyrmzbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdkygsftjrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxnkbwspoflqdhghsgrlb.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hptejscna = "apaseuldxjkksrlh.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdkygsftjrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxjcpgyrmzbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "hxjcpgyrmzbcllgdk.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hptejscna = "ohwsicxtrhmqcfddnakd.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajoagqbnbh = "dxnkbwspoflqdhghsgrlb.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "apaseuldxjkksrlh.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vflyfqcpelh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwsicxtrhmqcfddnakd.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "ohwsicxtrhmqcfddnakd.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "apaseuldxjkksrlh.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hptejscna = "hxjcpgyrmzbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdkygsftjrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxnkbwspoflqdhghsgrlb.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vflyfqcpelh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthcrkezwlpsdfcbkwf.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdkygsftjrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxjcpgyrmzbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdkygsftjrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxnkbwspoflqdhghsgrlb.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdkygsftjrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhuocunhdruwghdbju.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hptejscna = "apaseuldxjkksrlh.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdkygsftjrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhuocunhdruwghdbju.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apaseuldxjkksrlh.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\otucek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwsicxtrhmqcfddnakd.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdkygsftjrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthcrkezwlpsdfcbkwf.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vflyfqcpelh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apaseuldxjkksrlh.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hptejscna = "dxnkbwspoflqdhghsgrlb.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "bthcrkezwlpsdfcbkwf.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hptejscna = "bthcrkezwlpsdfcbkwf.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "apaseuldxjkksrlh.exe ." C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "hxjcpgyrmzbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\otucek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthcrkezwlpsdfcbkwf.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vflyfqcpelh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhuocunhdruwghdbju.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajoagqbnbh = "hxjcpgyrmzbcllgdk.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\otucek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apaseuldxjkksrlh.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hptejscna = "qhuocunhdruwghdbju.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "hxjcpgyrmzbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "qhuocunhdruwghdbju.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\otucek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxjcpgyrmzbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwsicxtrhmqcfddnakd.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdkygsftjrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apaseuldxjkksrlh.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdkygsftjrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthcrkezwlpsdfcbkwf.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "dxnkbwspoflqdhghsgrlb.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "dxnkbwspoflqdhghsgrlb.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthcrkezwlpsdfcbkwf.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "qhuocunhdruwghdbju.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sdkygsftjrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwsicxtrhmqcfddnakd.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hptejscna = "qhuocunhdruwghdbju.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "qhuocunhdruwghdbju.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\hptejscna = "dxnkbwspoflqdhghsgrlb.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajoagqbnbh = "dxnkbwspoflqdhghsgrlb.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajoagqbnbh = "apaseuldxjkksrlh.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\otucek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxjcpgyrmzbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "bthcrkezwlpsdfcbkwf.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhuocunhdruwghdbju.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "ohwsicxtrhmqcfddnakd.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\otucek = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhuocunhdruwghdbju.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "dxnkbwspoflqdhghsgrlb.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohwsicxtrhmqcfddnakd.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vflyfqcpelh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apaseuldxjkksrlh.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bthcrkezwlpsdfcbkwf.exe ." C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajoagqbnbh = "bthcrkezwlpsdfcbkwf.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "bthcrkezwlpsdfcbkwf.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajoagqbnbh = "ohwsicxtrhmqcfddnakd.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bhjsvck = "apaseuldxjkksrlh.exe ." C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A

Checks whether UAC is enabled

evasion trojan

Each query of EnableLUA is followed by a write of 0, so the read is the sample deciding whether UAC still needs to be switched off rather than a standalone check.

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
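The registry tables above (Winlogon, UAC policy, policy Run, DisableRegistryTools, Safe Mode, Run/RunOnce and the EnableLUA check) share one row layout, which makes them easy to script against. The Python below is an added example and is not part of the report or of any sandbox tooling: it parses rows in that "Description Indicator Process Target" layout, a dozen of which are copied from the tables above as sample input, and maps each row to a finding and an ATT&CK technique ID, grouped by the process that produced it. The technique mapping, the choice of which Policies\System values count as weakening UAC, and the T1012 label for the EnableLUA query are this example's own assumptions, not the sandbox's.

```python
import re
from collections import defaultdict

# Sample input: rows copied verbatim from the registry tables of this report.
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A',
    r'Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qxakowfp = "hxjcpgyrmzbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dhhop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apaseuldxjkksrlh.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\otucek = "ohwsicxtrhmqcfddnakd.exe" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ajoagqbnbh = "dxnkbwspoflqdhghsgrlb.exe ." C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A',
]

# One row: '<op> <registry path>[ = "<data>"] <process> N/A'. The path may
# contain spaces ("Windows NT"), so it is matched lazily up to the process.
ROW_RE = re.compile(
    r"^(?P<op>Set value \((?:str|int)\)|Key created|Key deleted|Key value queried) "
    r"(?P<path>\\REGISTRY\\.+?)"
    r'(?: = "(?P<data>[^"]*)")?'
    r" (?P<process>[A-Za-z]:\\\S+) N/A$"
)

# Policies\System values that weaken UAC when set to 0 (this example's list).
UAC_WEAKENING = {"enablelua", "consentpromptbehavioradmin",
                 "consentpromptbehavioruser", "promptonsecuredesktop"}

# Key fragments whose values are executed at logon.
AUTOSTART_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\",
                  "\\policies\\explorer\\run\\")


def parse_row(line):
    """Return a dict for one registry row, or None if the line is not one."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["hive"] = "HKLM" if ev["path"].upper().startswith("\\REGISTRY\\MACHINE") else "HKU"
    ev["name"] = ev["path"].rsplit("\\", 1)[-1]      # value name or last key component
    return ev


def classify(ev):
    """Map one parsed event to (finding, technique) pairs. The technique IDs are
    this example's own ATT&CK mapping, not the sandbox's."""
    p = ev["path"].lower()
    name = ev["name"].lower()
    op, data, hive = ev["op"], ev["data"] or "", ev["hive"]
    out = []
    if op.startswith("Set value"):
        if p.endswith("\\winlogon\\shell"):
            note = " (default shell name: tamper indicator only)" if data.lower() == "explorer.exe" else ""
            out.append((f"Winlogon Shell set to {data!r}{note}", "T1547.004"))
        if "\\policies\\system\\" in p:
            if name in UAC_WEAKENING and data == "0":
                out.append((f"UAC weakened: {ev['name']}=0", "T1548.002"))
            elif name == "disableregistrytools" and data != "0":
                out.append((f"Registry editor disabled by {hive} policy", "T1112"))
        if any(k in p for k in AUTOSTART_KEYS):
            out.append((f"Autostart {hive} {ev['name']} -> {data}", "T1547.001"))
    elif op == "Key deleted" and "\\control\\safeboot\\" in p:
        out.append((f"Safe Mode service entry removed: {ev['name']}", "T1562.009"))
    elif op == "Key value queried" and name == "enablelua":
        out.append(("UAC state queried before tampering", "T1012"))
    return out


def triage(rows):
    """Findings grouped by the process that produced them; non-registry rows are skipped."""
    by_process = defaultdict(list)
    for row in rows:
        ev = parse_row(row)
        if ev is not None:
            by_process[ev["process"]].extend(classify(ev))
    return dict(by_process)


def techniques(rows):
    """Set of technique IDs observed across all rows."""
    return {tech for findings in triage(rows).values() for _, tech in findings}


if __name__ == "__main__":
    for proc, findings in triage(REPORT_ROWS).items():
        print(proc)
        for text, tech in findings:
            print(f"  [{tech}] {text}")
```

A "Key created" row produces no finding on its own: creating Policies\Explorer\Run is only the precondition for the value writes that follow it. Rows the regex does not recognise (for example the file rows later in the report) are skipped rather than misclassified.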

Looks up external IP address via web service

Only the DNS names are recorded here; the sandbox attributes them to no process and shows no responses. Public IP-echo services are also contacted by legitimate software, so these names corroborate the other indicators rather than detect the sample on their own.

Description Indicator Process Target
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A

Drops autorun.inf file

autorun.inf is written to the root of the system drive and of F:, presumably a removable drive attached to the sandbox, the classic removable-media spreading technique. Windows no longer runs autorun.inf from USB drives automatically, so on a patched system the file depends on the user opening what it points at; it remains a clear sign of spreading intent and a useful artifact to collect.

Description Indicator Process Target
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A

Drops file in System32 directory

The paths are shown under SysWOW64 because the 32-bit dropper's writes to C:\Windows\System32 are redirected there by WOW64 file system redirection. The executable names match the data of the Run-key values above; the .wab and .wxz files are sample artifacts whose contents the report does not establish.

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\apaseuldxjkksrlh.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\SysWOW64\bthcrkezwlpsdfcbkwf.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\SysWOW64\hxjcpgyrmzbcllgdk.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\dxnkbwspoflqdhghsgrlb.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\apaseuldxjkksrlh.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\dxnkbwspoflqdhghsgrlb.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\SysWOW64\upgewspnnfmsgllnzoavmk.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File created C:\Windows\SysWOW64\vflyfqcpelhcfzofgklvbovgsfubxsvpe.wab C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\SysWOW64\dxnkbwspoflqdhghsgrlb.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\qhuocunhdruwghdbju.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\SysWOW64\edyawwxzdzkumvzfvoedya.wxz C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\SysWOW64\vflyfqcpelhcfzofgklvbovgsfubxsvpe.wab C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\SysWOW64\ohwsicxtrhmqcfddnakd.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\SysWOW64\ohwsicxtrhmqcfddnakd.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\qhuocunhdruwghdbju.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\SysWOW64\hxjcpgyrmzbcllgdk.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\SysWOW64\hxjcpgyrmzbcllgdk.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\SysWOW64\bthcrkezwlpsdfcbkwf.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\bthcrkezwlpsdfcbkwf.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\SysWOW64\ohwsicxtrhmqcfddnakd.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\SysWOW64\dxnkbwspoflqdhghsgrlb.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\SysWOW64\apaseuldxjkksrlh.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\qhuocunhdruwghdbju.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\ohwsicxtrhmqcfddnakd.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\upgewspnnfmsgllnzoavmk.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\qhuocunhdruwghdbju.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\bthcrkezwlpsdfcbkwf.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\hxjcpgyrmzbcllgdk.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\apaseuldxjkksrlh.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File created C:\Windows\SysWOW64\edyawwxzdzkumvzfvoedya.wxz C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\SysWOW64\upgewspnnfmsgllnzoavmk.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\upgewspnnfmsgllnzoavmk.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\edyawwxzdzkumvzfvoedya.wxz C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File created C:\Program Files (x86)\edyawwxzdzkumvzfvoedya.wxz C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Program Files (x86)\vflyfqcpelhcfzofgklvbovgsfubxsvpe.wab C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File created C:\Program Files (x86)\vflyfqcpelhcfzofgklvbovgsfubxsvpe.wab C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ohwsicxtrhmqcfddnakd.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\hxjcpgyrmzbcllgdk.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\ohwsicxtrhmqcfddnakd.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\hxjcpgyrmzbcllgdk.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\apaseuldxjkksrlh.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\dxnkbwspoflqdhghsgrlb.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File created C:\Windows\edyawwxzdzkumvzfvoedya.wxz C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\qhuocunhdruwghdbju.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\upgewspnnfmsgllnzoavmk.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\dxnkbwspoflqdhghsgrlb.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\dxnkbwspoflqdhghsgrlb.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\bthcrkezwlpsdfcbkwf.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\upgewspnnfmsgllnzoavmk.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\bthcrkezwlpsdfcbkwf.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\bthcrkezwlpsdfcbkwf.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\ohwsicxtrhmqcfddnakd.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\edyawwxzdzkumvzfvoedya.wxz C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\apaseuldxjkksrlh.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\apaseuldxjkksrlh.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\hxjcpgyrmzbcllgdk.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\vflyfqcpelhcfzofgklvbovgsfubxsvpe.wab C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File created C:\Windows\vflyfqcpelhcfzofgklvbovgsfubxsvpe.wab C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\hxjcpgyrmzbcllgdk.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\qhuocunhdruwghdbju.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\upgewspnnfmsgllnzoavmk.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\upgewspnnfmsgllnzoavmk.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\qhuocunhdruwghdbju.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\ohwsicxtrhmqcfddnakd.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\bthcrkezwlpsdfcbkwf.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\dxnkbwspoflqdhghsgrlb.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\qhuocunhdruwghdbju.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
File opened for modification C:\Windows\apaseuldxjkksrlh.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A

Events: 42 from 10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe, 22 from otucek.exe (64 in total, interleaved).

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2908 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe
PID 2908 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe
PID 2908 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe
PID 2908 wrote to memory of 2904 N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe
PID 2904 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe
PID 2904 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe
PID 2904 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe
PID 2904 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe
PID 2904 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe
PID 2904 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe
PID 2904 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe
PID 2904 wrote to memory of 1612 N/A C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe C:\Users\Admin\AppData\Local\Temp\otucek.exe
PID 2908 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe
PID 2908 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe
PID 2908 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe
PID 2908 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe

"C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe" "c:\users\admin\appdata\local\temp\10e2e4a7f16b729bfaa9630c1146569f_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\otucek.exe

"C:\Users\Admin\AppData\Local\Temp\otucek.exe" "-c:\users\admin\appdata\local\temp\10e2e4a7f16b729bfaa9630c1146569f_jaffacakes118.exe"

C:\Users\Admin\AppData\Local\Temp\otucek.exe

"C:\Users\Admin\AppData\Local\Temp\otucek.exe" "-c:\users\admin\appdata\local\temp\10e2e4a7f16b729bfaa9630c1146569f_jaffacakes118.exe"

C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe

"C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe" "c:\users\admin\appdata\local\temp\10e2e4a7f16b729bfaa9630c1146569f_jaffacakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.whatismyip.com udp
US 104.27.206.92:80 www.whatismyip.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.adobe.com udp
BE 23.14.90.107:80 www.adobe.com tcp
US 8.8.8.8:53 www.myspace.com udp
US 34.111.176.156:80 www.myspace.com tcp
BG 94.236.143.231:36236 tcp
US 8.8.8.8:53 vsdgddzap.org udp
US 162.249.65.164:80 vsdgddzap.org tcp
US 8.8.8.8:53 raxidorxnox.org udp
US 8.8.8.8:53 kwhfqnnejec.info udp
US 34.211.97.45:80 kwhfqnnejec.info tcp
US 8.8.8.8:53 cmgsihuolav.net udp
LT 78.57.175.59:16129 tcp
US 8.8.8.8:53 uuzqrv.net udp
US 8.8.8.8:53 upmclqneoy.net udp
US 8.8.8.8:53 zkmgpbhgj.com udp
PL 93.181.153.49:40155 tcp
US 8.8.8.8:53 eomqiyui.org udp
US 162.249.65.164:80 eomqiyui.org tcp
US 8.8.8.8:53 hsjifjv.org udp
BG 89.215.244.86:24620 tcp
US 8.8.8.8:53 xjldbuxospwl.info udp
US 8.8.8.8:53 prdtgxaz.info udp
US 8.8.8.8:53 uepeffnqt.info udp
US 8.8.8.8:53 umckwaoo.com udp
BG 84.252.53.197:15885 tcp
US 8.8.8.8:53 texrnn.info udp
US 8.8.8.8:53 hazzthxrziyh.net udp
US 8.8.8.8:53 hodrooyim.org udp
BG 94.101.198.196:32651 tcp
US 8.8.8.8:53 ixtltfwj.info udp
US 8.8.8.8:53 jawzfnq.org udp
US 162.249.65.164:80 jawzfnq.org tcp
DE 87.121.29.254:26345 tcp
US 8.8.8.8:53 ikzszjxmq.info udp
US 208.100.26.245:80 ikzszjxmq.info tcp
US 8.8.8.8:53 yyvdirmqjhbg.net udp
US 8.8.8.8:53 wdnjotcjyy.net udp
US 8.8.8.8:53 nibgvqqbg.net udp
US 8.8.8.8:53 tgdtwkjaafc.com udp
BG 213.214.69.53:14181 tcp
US 8.8.8.8:53 ouumqemi.com udp
US 8.8.8.8:53 rhnjtqtf.info udp
BG 88.87.9.36:21855 tcp
US 8.8.8.8:53 vhmdjypgv.net udp
US 8.8.8.8:53 hcjdhnebfc.net udp
US 8.8.8.8:53 bfnkdfbtnuch.info udp
US 8.8.8.8:53 rfdrzkhqh.com udp
US 8.8.8.8:53 hswepwt.com udp
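
Added example, not from the sandbox report: a Python pass over the Network table above that separates what the traffic shows. The sample first queries several public-IP lookup services (learning its external address), then resolves a run of random-looking names. Most of those are queried once and never connected to, the pattern of a domain-generation algorithm where only some names are registered, and three that did resolve (vsdgddzap.org, eomqiyui.org, jawzfnq.org) share 162.249.65.164, a useful pivot. Separately there are TCP connections to high, non-standard ports on hosts in BG, LT, PL and DE with no preceding DNS lookup. The consonant-run DGA heuristic, its threshold, and the reading of "query-only" as "unregistered" are assumptions; the rows are a subset copied from the table.

```python
from collections import defaultdict

VOWELS = set("aeiouy")

# A representative subset of rows from the Network table above, in its own
# column order: country, destination ip:port, domain, protocol. Bare TCP peers
# carry no domain column.
SAMPLE_ROWS = """\
US 8.8.8.8:53 www.whatismyip.com udp
US 104.27.206.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.adobe.com udp
BE 23.14.90.107:80 www.adobe.com tcp
BG 94.236.143.231:36236 tcp
US 8.8.8.8:53 vsdgddzap.org udp
US 162.249.65.164:80 vsdgddzap.org tcp
US 8.8.8.8:53 raxidorxnox.org udp
US 8.8.8.8:53 eomqiyui.org udp
US 162.249.65.164:80 eomqiyui.org tcp
US 8.8.8.8:53 jawzfnq.org udp
US 162.249.65.164:80 jawzfnq.org tcp
LT 78.57.175.59:16129 tcp
US 8.8.8.8:53 zkmgpbhgj.com udp
""".strip().splitlines()

# Public-IP lookup services the sample contacts (names taken from the table).
IP_LOOKUP_SERVICES = ("whatismyip", "showmyipaddress")


def parse_network_rows(lines):
    """Split report rows into dicts; rows with three fields have no domain."""
    rows = []
    for line in lines:
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue  # header or blank line, not a data row
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def longest_consonant_run(label):
    run = best = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def looks_generated(domain):
    """Crude DGA heuristic (assumption): 4+ consonants in a row in the second-level label."""
    labels = domain.lower().split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return longest_consonant_run(sld) >= 4


def is_ip_lookup(domain):
    return any(s in domain for s in IP_LOOKUP_SERVICES)


def classify(rows):
    """Group DNS queries, TCP follow-ups, shared resolutions and bare peers."""
    queried, connected, peers = set(), defaultdict(set), []
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            queried.add(r["domain"])
        elif r["proto"] == "tcp" and r["domain"]:
            connected[r["domain"]].add(r["ip"])
        elif r["proto"] == "tcp":
            peers.append((r["country"], r["ip"], r["port"]))  # no DNS, no domain
    by_ip = defaultdict(set)
    for domain, ips in connected.items():
        for ip in ips:
            by_ip[ip].add(domain)
    return {
        "ip_lookup": sorted(d for d in queried if is_ip_lookup(d)),
        "generated": sorted(d for d in queried if looks_generated(d)),
        "query_only": sorted(d for d in queried
                             if d not in connected and not is_ip_lookup(d)),
        "shared_ip": {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1},
        "direct_peers": peers,
    }


if __name__ == "__main__":
    for key, value in classify(parse_network_rows(SAMPLE_ROWS)).items():
        print(key, value)
```

The lexical heuristic is deliberately simple and misses names such as raxidorxnox.org and eomqiyui.org; the behavioural split (queried but never connected, several names on one IP, bare peers on random ports) is the stronger signal and is what to carry into detection content.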

Files

memory/2908-0-0x0000000000400000-0x0000000000489000-memory.dmp

\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe

MD5 365fb539069341a0f697861998460dc1
SHA1 33fc5eebf788a3319a5c355ec8414c380105fc24
SHA256 b5643a7d0fe6085506e23f0f7a8ffdd41f0cb91aef9c4348dd724a5f743be5b9
SHA512 74250cd72b8cef32b7e75f75ff36a63f4482268e103ea4038b56b10aeae0b91b3b4418c7a1d8771702ec377e8266150d9074f9d81687e74cb2d4cf23f9074a02

C:\Windows\SysWOW64\qhuocunhdruwghdbju.exe

MD5 10e2e4a7f16b729bfaa9630c1146569f
SHA1 2d2781b1290c8c50a98abed0c57033f0339d69bf
SHA256 c64c2956f4ba62f3cce3478294c318a019be07cedab3c0c5a0ce363ea9ad5bb4
SHA512 d0cc92bbb54e1f9e969998c99385f37a5d0fd37af006117b914f038cc9a809058a997ffe039f601325efc7f933a23aed750b3d287333cf9d168955451b99fef0

\Users\Admin\AppData\Local\Temp\otucek.exe

MD5 9af079c5e2aae2ec3e47b74b4eff7fbc
SHA1 08f707e82b31e925c3cf7451fed6a0554a47bfad
SHA256 22739d9ec4b69c262b7a441a292232fca52b2740d77dc17c5c299f26f8807ce4
SHA512 36ff8dd79ba95364d3d6615ef77fef497db91214e434a271c745204a4516cf62d2c5db4a5991551566ddaa5076f7ebcf0c2ee5ab1c85991af4feb3904e576227

C:\Users\Admin\AppData\Local\edyawwxzdzkumvzfvoedya.wxz

MD5 397272189dc22035a4368934ffe2aca5
SHA1 d5f6d44d7031ae516bafc661a34f3c416b97f0e7
SHA256 51c4d985366e2febd2723ae46a2f98538ec43b6eb71daa6d911108ab0ae92af8
SHA512 8e43809ccbc9e66933b29ea6efe2fff79dbde2e86760a91b96abbd0b115d88cba543f5b2285d895bff792ea12a43ea6780c6bb14ef9f59b2a899ba49b348bf6e

C:\Users\Admin\AppData\Local\vflyfqcpelhcfzofgklvbovgsfubxsvpe.wab

MD5 a1caed5be299d32899002087559db5ed
SHA1 615b886c7d6113a0a37e288c984c6f9a4a2a091f
SHA256 42b51b186037388dd72cef3cfa72cccccc5d170af1926ab2e2669f66be73e7e4
SHA512 8f752c3649de0d4c7ed15f7d6e5ab9f23ed886fe2c7e79fbbbd922b7ce2a7439f9f0adc32a4ca246fa74c4615554e0883c57d8a925d427788b1317cd11ba9caa

C:\Program Files (x86)\edyawwxzdzkumvzfvoedya.wxz

MD5 004fa85752df32656f6bf0d82161fea4
SHA1 17468cb5f046c1d6318d7127fe1d925208618f08
SHA256 ba7529a3a870a3db77eae89ee046cccc67ba78692d5a3826dd41525887e581d3
SHA512 55d2ac19361e6d812966d45eddffbb1f08c22661b10d33db3861626af57808d8964047822c2b40b43406579cc379687d4089c0257d9f22c322769f92fe9a0c60

C:\Program Files (x86)\edyawwxzdzkumvzfvoedya.wxz

MD5 07197db388558d0c2eabfff13d841e3e
SHA1 0c062c9075e59790609824197b5eb3150d8ab0a3
SHA256 70a227d930f702300949bfa6a95f092107f181a1c9e2c31b62407c0f311b59ed
SHA512 94e887d8bce5971907501b31f61bbced35ddee206cf71e568ca87e3763b73b0161b04d29676c72f07bc94b799671a39bb5ca63de39caaf8a9653e052b7dbcb4b

C:\Program Files (x86)\edyawwxzdzkumvzfvoedya.wxz

MD5 86851bf27f61853e8a3b5268c672a312
SHA1 7981362ac1f4e25cabf993811a4096143989298b
SHA256 dfa3e7c578a1314e384606aa9a7a0641a60c9648f441695e399e257d8dae89a3
SHA512 911291d97f99a9cc8e4bd182f51b11d6b8527e96e974450db1a2d8d1c32f448e696adae6bace265fe53d83dcb5617e4ada9eeb08059f795062d71ef17974c264
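
Added example, not from the report: a cross-check of the Files section above. The parser reads the report's flattened path/hash layout and surfaces two things a hash-only IOC list would miss: C:\Windows\SysWOW64\qhuocunhdruwghdbju.exe carries the sample's own SHA256 (a self-copy, already covered by the sample hash), and C:\Program Files (x86)\edyawwxzdzkumvzfvoedya.wxz is listed three times with three different hashes (rewritten during the run, so it should be matched by path, not by hash). The entries are copied from the section above with the SHA512 lines omitted.

```python
import re

# Sample hash from the Analysis Overview; entries below are copied from the
# Files section above (SHA512 lines left out for brevity).
SAMPLE_SHA256 = "c64c2956f4ba62f3cce3478294c318a019be07cedab3c0c5a0ce363ea9ad5bb4"

SAMPLE_FILES = r"""
memory/2908-0-0x0000000000400000-0x0000000000489000-memory.dmp

\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe

MD5 365fb539069341a0f697861998460dc1
SHA1 33fc5eebf788a3319a5c355ec8414c380105fc24
SHA256 b5643a7d0fe6085506e23f0f7a8ffdd41f0cb91aef9c4348dd724a5f743be5b9

C:\Windows\SysWOW64\qhuocunhdruwghdbju.exe

MD5 10e2e4a7f16b729bfaa9630c1146569f
SHA1 2d2781b1290c8c50a98abed0c57033f0339d69bf
SHA256 c64c2956f4ba62f3cce3478294c318a019be07cedab3c0c5a0ce363ea9ad5bb4

\Users\Admin\AppData\Local\Temp\otucek.exe

MD5 9af079c5e2aae2ec3e47b74b4eff7fbc
SHA1 08f707e82b31e925c3cf7451fed6a0554a47bfad
SHA256 22739d9ec4b69c262b7a441a292232fca52b2740d77dc17c5c299f26f8807ce4

C:\Program Files (x86)\edyawwxzdzkumvzfvoedya.wxz

MD5 004fa85752df32656f6bf0d82161fea4
SHA1 17468cb5f046c1d6318d7127fe1d925208618f08
SHA256 ba7529a3a870a3db77eae89ee046cccc67ba78692d5a3826dd41525887e581d3

C:\Program Files (x86)\edyawwxzdzkumvzfvoedya.wxz

MD5 07197db388558d0c2eabfff13d841e3e
SHA1 0c062c9075e59790609824197b5eb3150d8ab0a3
SHA256 70a227d930f702300949bfa6a95f092107f181a1c9e2c31b62407c0f311b59ed
"""

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")


def parse_file_entries(text):
    """Read the report layout: a path line, then zero or more hash lines."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and entries:
            entries[-1][m.group(1).lower()] = m.group(2)
        else:
            entries.append({"path": line, "md5": None, "sha1": None,
                            "sha256": None, "sha512": None})
    return entries


def triage_files(entries, sample_sha256):
    """Separate self-copies, paths rewritten with changing content, and stable hashes."""
    hashes_per_path = {}
    for e in entries:
        if e["sha256"]:
            hashes_per_path.setdefault(e["path"], set()).add(e["sha256"])
    volatile = {p: len(h) for p, h in hashes_per_path.items() if len(h) > 1}
    self_copies = sorted(e["path"] for e in entries if e["sha256"] == sample_sha256)
    stable = sorted({e["sha256"] for e in entries
                     if e["sha256"] and e["sha256"] != sample_sha256
                     and e["path"] not in volatile})
    return {"self_copies": self_copies,
            "volatile_paths": volatile,      # match these by path, not hash
            "stable_hashes": stable,         # hash IOCs worth keeping
            "unhashed": [e["path"] for e in entries if not e["sha256"]]}


if __name__ == "__main__":
    for key, value in triage_files(parse_file_entries(SAMPLE_FILES), SAMPLE_SHA256).items():
        print(key, value)
```

Run against the full section, the same logic also pairs the .wxz and .wab drops under C:\Users\Admin\AppData\Local with their copies under C:\Windows and C:\Program Files (x86), which is how the dropper's replication set can be enumerated by path.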

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 05:32

Reported

2024-06-26 05:34

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
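
Added example, not part of the sandbox report: a Python triage of the registry writes listed in the System policy modification table of behavioral1 and in the Modifies WinLogon for persistence and UAC bypass tables just above. Two points the signature names blur: the writes under Policies\System do not bypass a UAC prompt, they switch UAC off (EnableLUA = 0) and silence the remaining prompts, which already requires write access to HKLM, so this is post-elevation defense impairment; and NoDriveTypeAutoRun = 1 leaves AutoRun enabled for every drive type except unknown, which is what the autorun.inf dropped by this sample relies on. The Winlogon Shell write sets the default value (Explorer.exe) and lands in the WOW6432Node view, so it should be confirmed in the native key before it is treated as working persistence. The baseline values and the 0x91 AutoRun default are assumptions about a stock install; the sample rows are copied from the tables.

```python
import re

# Rows copied from the System policy modification, Modifies WinLogon and UAC
# bypass tables. The trailing "N/A" is the report's Target column.
SAMPLE_EVENTS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\otucek.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A',
]

SET_VALUE = re.compile(r'^Set value \((int|str)\) (.+?) = "([^"]*)" (\S+) N/A$')

# Assumed baseline: stock Windows with UAC on. Adjust to your own GPO.
UAC_BASELINE = {
    "EnableLUA": ("1", "UAC switched off entirely"),
    "ConsentPromptBehaviorAdmin": ("5", "administrators elevate without any prompt"),
    "ConsentPromptBehaviorUser": ("3", "standard-user elevation auto-denied instead of prompted"),
    "PromptOnSecureDesktop": ("1", "prompts no longer isolated on the secure desktop"),
    "EnableSecureUIAPaths": ("1", "UIAccess applications allowed from any path"),
    "EnableInstallerDetection": ("1", "installers no longer trigger elevation"),
    "EnableVirtualization": ("1", "file/registry virtualization for legacy apps off"),
    "ValidateAdminCodeSignatures": ("0", "(default)"),
    "FilterAdministratorToken": ("0", "(default)"),
    "DisableRegistryTools": ("0", "regedit blocked by policy"),
}

# NoDriveTypeAutoRun bitmask: a set bit disables AutoRun for that drive type.
AUTORUN_BITS = {0x01: "DRIVE_UNKNOWN", 0x04: "DRIVE_REMOVABLE", 0x08: "DRIVE_FIXED",
                0x10: "DRIVE_REMOTE", 0x20: "DRIVE_CDROM", 0x40: "DRIVE_RAMDISK",
                0x80: "reserved"}
AUTORUN_DEFAULT = 0x91  # assumed stock default (unknown, remote, reserved disabled)


def parse_set_value_rows(lines):
    """Yield (value_name, key_path, value, process) for every 'Set value' row."""
    out = []
    for line in lines:
        m = SET_VALUE.match(line)
        if not m:
            continue  # 'Key created' and other row types carry no value
        _kind, full_path, value, process = m.groups()
        key_path, _, name = full_path.rpartition("\\")
        out.append((name, key_path, value, process))
    return out


def autorun_allowed_types(mask):
    """Drive types on which AutoRun stays enabled for a given bitmask."""
    return [label for bit, label in sorted(AUTORUN_BITS.items()) if not mask & bit]


def triage_policy_writes(lines):
    findings = {"weakened": [], "restated_default": [], "autorun": None, "winlogon": []}
    for name, key_path, value, process in parse_set_value_rows(lines):
        if name == "NoDriveTypeAutoRun":
            mask = int(value)
            allowed = autorun_allowed_types(mask)
            newly = sorted(set(allowed) - set(autorun_allowed_types(AUTORUN_DEFAULT)))
            findings["autorun"] = {"mask": mask, "allowed": allowed,
                                   "newly_allowed": newly, "process": process}
        elif key_path.endswith("\\Winlogon") and name in ("Shell", "Userinit"):
            findings["winlogon"].append({
                "value": name, "data": value, "process": process,
                "wow64_view": "WOW6432Node" in key_path,  # 32-bit view, confirm native key
                "is_default": name == "Shell" and value.lower() == "explorer.exe"})
        elif name in UAC_BASELINE:
            expected, effect = UAC_BASELINE[name]
            bucket = "restated_default" if value == expected else "weakened"
            findings[bucket].append({"name": name, "observed": value,
                                     "expected": expected, "effect": effect,
                                     "process": process})
    return findings


if __name__ == "__main__":
    for key, value in triage_policy_writes(SAMPLE_EVENTS).items():
        print(key, value)
```

The "restated_default" bucket matters for detection: writes such as FilterAdministratorToken = 0 change nothing on a stock host, but a user-mode process rewriting Policies\System at all is the event to alert on, regardless of the value.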

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdubtisfwjfocu = "gfcpniyrohjysqjscocb.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndrvkwdnble = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfcpniyrohjysqjscocb.exe" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdubtisfwjfocu = "vvthgctnlfiytsmwhujjh.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdubtisfwjfocu = "ifalhaofarrewsjqyi.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdubtisfwjfocu = "trnzwqfxtlmatqiqzkx.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndrvkwdnble = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sngpjambujhsicrw.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndrvkwdnble = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvthgctnlfiytsmwhujjh.exe" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdubtisfwjfocu = "zvpzumzpjzykbwmsz.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdubtisfwjfocu = "ifalhaofarrewsjqyi.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdubtisfwjfocu = "sngpjambujhsicrw.exe" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndrvkwdnble = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sngpjambujhsicrw.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdubtisfwjfocu = "sngpjambujhsicrw.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndrvkwdnble = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvpzumzpjzykbwmsz.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndrvkwdnble = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trnzwqfxtlmatqiqzkx.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdubtisfwjfocu = "vvthgctnlfiytsmwhujjh.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndrvkwdnble = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifalhaofarrewsjqyi.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdubtisfwjfocu = "zvpzumzpjzykbwmsz.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndrvkwdnble = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfcpniyrohjysqjscocb.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdubtisfwjfocu = "ifalhaofarrewsjqyi.exe" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndrvkwdnble = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifalhaofarrewsjqyi.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndrvkwdnble = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvthgctnlfiytsmwhujjh.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndrvkwdnble = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfcpniyrohjysqjscocb.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdubtisfwjfocu = "gfcpniyrohjysqjscocb.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndrvkwdnble = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trnzwqfxtlmatqiqzkx.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A

Disables RegEdit via registry modification

evasion

Both droppers set DisableRegistryTools in the user hive and in HKLM, so regedit.exe refuses to start for the logged-on user and machine-wide. The policy only affects regedit.exe; reg.exe and the registry API still work, which is how a responder resets this value and EnableLUA before cleaning the Run keys.

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion

The entries under SafeBoot\Minimal are the services and drivers Windows is allowed to start in Safe Mode; tfppail.exe deletes several of them (ProfSvc is the User Profile Service, Power the Power service), which degrades or breaks Safe Mode boot and removes the usual fallback for removing this infection by hand.

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "gfcpniyrohjysqjscocb.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sngpjambujhsicrw = "zvpzumzpjzykbwmsz.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sngpjambujhsicrw = "zvpzumzpjzykbwmsz.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "vvthgctnlfiytsmwhujjh.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvthgctnlfiytsmwhujjh.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvpzumzpjzykbwmsz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvpzumzpjzykbwmsz.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhzhaqbphvscrky = "gfcpniyrohjysqjscocb.exe" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "sngpjambujhsicrw.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "gfcpniyrohjysqjscocb.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvpzumzpjzykbwmsz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifalhaofarrewsjqyi.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sngpjambujhsicrw = "ifalhaofarrewsjqyi.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sngpjambujhsicrw = "gfcpniyrohjysqjscocb.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvthgctnlfiytsmwhujjh.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifalhaofarrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifalhaofarrewsjqyi.exe" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "sngpjambujhsicrw.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "ifalhaofarrewsjqyi.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifalhaofarrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfcpniyrohjysqjscocb.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "ifalhaofarrewsjqyi.exe" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "trnzwqfxtlmatqiqzkx.exe ." C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sngpjambujhsicrw = "trnzwqfxtlmatqiqzkx.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifalhaofarrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zvpzumzpjzykbwmsz.exe" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifalhaofarrewsjqyi.exe" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvthgctnlfiytsmwhujjh.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sngpjambujhsicrw = "vvthgctnlfiytsmwhujjh.exe ." C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvpzumzpjzykbwmsz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvthgctnlfiytsmwhujjh.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhzhaqbphvscrky = "sngpjambujhsicrw.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifalhaofarrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifalhaofarrewsjqyi.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sngpjambujhsicrw.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvpzumzpjzykbwmsz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trnzwqfxtlmatqiqzkx.exe ." C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "trnzwqfxtlmatqiqzkx.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifalhaofarrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trnzwqfxtlmatqiqzkx.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhzhaqbphvscrky = "ifalhaofarrewsjqyi.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfcpniyrohjysqjscocb.exe ." C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "ifalhaofarrewsjqyi.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifalhaofarrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfcpniyrohjysqjscocb.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sngpjambujhsicrw.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvthgctnlfiytsmwhujjh.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvpzumzpjzykbwmsz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trnzwqfxtlmatqiqzkx.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvpzumzpjzykbwmsz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sngpjambujhsicrw.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfcpniyrohjysqjscocb.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifalhaofarrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sngpjambujhsicrw.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhzhaqbphvscrky = "sngpjambujhsicrw.exe" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "trnzwqfxtlmatqiqzkx.exe" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvthgctnlfiytsmwhujjh.exe ." C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "trnzwqfxtlmatqiqzkx.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "gfcpniyrohjysqjscocb.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhzhaqbphvscrky = "vvthgctnlfiytsmwhujjh.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifalhaofarrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvthgctnlfiytsmwhujjh.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhzhaqbphvscrky = "gfcpniyrohjysqjscocb.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifalhaofarrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvthgctnlfiytsmwhujjh.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvpzumzpjzykbwmsz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifalhaofarrewsjqyi.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "trnzwqfxtlmatqiqzkx.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "zvpzumzpjzykbwmsz.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhzhaqbphvscrky = "zvpzumzpjzykbwmsz.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhzhaqbphvscrky = "trnzwqfxtlmatqiqzkx.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "zvpzumzpjzykbwmsz.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sngpjambujhsicrw = "sngpjambujhsicrw.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ifalhaofarrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sngpjambujhsicrw.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\trnzwqfxtlmatqiqzkx.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\nhzhaqbphvscrky = "vvthgctnlfiytsmwhujjh.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zvpzumzpjzykbwmsz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvthgctnlfiytsmwhujjh.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfcpniyrohjysqjscocb.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\jbrxoclxnzucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ifalhaofarrewsjqyi.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sngpjambujhsicrw.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A

Checks whether UAC is enabled

evasion trojan

The entries below show more than a check: both droppers write EnableLUA = 0, which switches UAC off for every account once the machine reboots, so administrator accounts run with a full token and no consent prompt. Reverting it (EnableLUA = 1) also needs a reboot to take effect.

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A www.whatismyip.ca N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\trnzwqfxtlmatqiqzkx.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\zvpzumzpjzykbwmsz.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\SysWOW64\gfcpniyrohjysqjscocb.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\zvpzumzpjzykbwmsz.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\vvthgctnlfiytsmwhujjh.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\mnmbbyqlkfjawwrcocstsh.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File created C:\Windows\SysWOW64\ahmhnqopuvfceklcuokrwrxa.zef C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\SysWOW64\mnmbbyqlkfjawwrcocstsh.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\gfcpniyrohjysqjscocb.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\SysWOW64\vvthgctnlfiytsmwhujjh.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\SysWOW64\jbrxoclxnzucpgsuxcjbrxoclxnzucpgsux.jbr C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\SysWOW64\vvthgctnlfiytsmwhujjh.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\ifalhaofarrewsjqyi.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File created C:\Windows\SysWOW64\jbrxoclxnzucpgsuxcjbrxoclxnzucpgsux.jbr C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\SysWOW64\trnzwqfxtlmatqiqzkx.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\gfcpniyrohjysqjscocb.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\SysWOW64\zvpzumzpjzykbwmsz.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\ifalhaofarrewsjqyi.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\mnmbbyqlkfjawwrcocstsh.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\gfcpniyrohjysqjscocb.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\ifalhaofarrewsjqyi.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\SysWOW64\vvthgctnlfiytsmwhujjh.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\SysWOW64\sngpjambujhsicrw.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\ifalhaofarrewsjqyi.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\SysWOW64\trnzwqfxtlmatqiqzkx.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\SysWOW64\ahmhnqopuvfceklcuokrwrxa.zef C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\SysWOW64\sngpjambujhsicrw.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\SysWOW64\sngpjambujhsicrw.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\SysWOW64\zvpzumzpjzykbwmsz.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\SysWOW64\trnzwqfxtlmatqiqzkx.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\SysWOW64\mnmbbyqlkfjawwrcocstsh.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\SysWOW64\sngpjambujhsicrw.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\ahmhnqopuvfceklcuokrwrxa.zef C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File created C:\Program Files (x86)\ahmhnqopuvfceklcuokrwrxa.zef C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Program Files (x86)\jbrxoclxnzucpgsuxcjbrxoclxnzucpgsux.jbr C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File created C:\Program Files (x86)\jbrxoclxnzucpgsuxcjbrxoclxnzucpgsux.jbr C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mnmbbyqlkfjawwrcocstsh.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\jbrxoclxnzucpgsuxcjbrxoclxnzucpgsux.jbr C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\gfcpniyrohjysqjscocb.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\mnmbbyqlkfjawwrcocstsh.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\ifalhaofarrewsjqyi.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\zvpzumzpjzykbwmsz.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\zvpzumzpjzykbwmsz.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\vvthgctnlfiytsmwhujjh.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\gfcpniyrohjysqjscocb.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\sngpjambujhsicrw.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\sngpjambujhsicrw.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\mnmbbyqlkfjawwrcocstsh.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\zvpzumzpjzykbwmsz.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\ahmhnqopuvfceklcuokrwrxa.zef C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\ifalhaofarrewsjqyi.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\gfcpniyrohjysqjscocb.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\mnmbbyqlkfjawwrcocstsh.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\trnzwqfxtlmatqiqzkx.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\gfcpniyrohjysqjscocb.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\ifalhaofarrewsjqyi.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\vvthgctnlfiytsmwhujjh.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File created C:\Windows\jbrxoclxnzucpgsuxcjbrxoclxnzucpgsux.jbr C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\ifalhaofarrewsjqyi.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\vvthgctnlfiytsmwhujjh.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\trnzwqfxtlmatqiqzkx.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File created C:\Windows\ahmhnqopuvfceklcuokrwrxa.zef C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\vvthgctnlfiytsmwhujjh.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\trnzwqfxtlmatqiqzkx.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\sngpjambujhsicrw.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\trnzwqfxtlmatqiqzkx.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\zvpzumzpjzykbwmsz.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\sngpjambujhsicrw.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
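The registry tables and the file-drop tables above are easier to read together than apart. Most of the Run, RunOnce and Policies\Explorer\Run values are bare file names such as gfcpniyrohjysqjscocb.exe, and the same names are written into C:\Windows (which is on the default search path) and C:\Windows\SysWOW64 (what a 32-bit process sees as System32), so the entry resolves at logon without ever naming the Temp directory. The Run keys under HKLM\SOFTWARE\WOW6432Node are the 32-bit view of HKLM\SOFTWARE, which 64-bit Windows still processes at logon; Policies is a shared key, which is why those writes appear without the WOW6432Node prefix. The Python script below is an added example written for this report, not part of the sandbox's output or tooling: it assumes the event-line format as rendered on this page, maps \REGISTRY\MACHINE and \REGISTRY\USER\<SID> onto HKLM and HKU, tags each event with the behaviour it implements (the tag names are the example's own), and links every Run-type value to the dropped files that share its image name. The embedded sample lines are copied from the tables above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed sample: one line per event pattern, copied verbatim from the tables in this report.
REPORT_LINES = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kdubtisfwjfocu = "gfcpniyrohjysqjscocb.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ndrvkwdnble = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gfcpniyrohjysqjscocb.exe" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kbqvlygrgrls = "gfcpniyrohjysqjscocb.exe" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sngpjambujhsicrw = "zvpzumzpjzykbwmsz.exe ." C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\SysWOW64\gfcpniyrohjysqjscocb.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\gfcpniyrohjysqjscocb.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File opened for modification C:\Windows\zvpzumzpjzykbwmsz.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
File created C:\Program Files (x86)\ahmhnqopuvfceklcuokrwrxa.zef C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
"""

# Event shapes as rendered on this page (format assumption): "<action> <key or path> [= "<data>"] <process> N/A".
PATTERNS = {
    "set": re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+) N/A$'),
    "key_deleted": re.compile(r"^Key deleted (.+?) (\S+) N/A$"),
    "file": re.compile(r"^File (?:opened for modification|created) (.+?) (\S+) N/A$"),
}
MACHINE_PREFIX = "\\REGISTRY\\MACHINE\\"
USER_RE = re.compile(r"^\\REGISTRY\\USER\\(S-[0-9-]+)\\(.*)$")

@dataclass
class Event:
    kind: str              # set | key_deleted | file
    key: Optional[str]     # registry key in HKLM/HKU form (None for file events)
    value: Optional[str]   # value data with the sandbox's doubled backslashes undone
    path: Optional[str]    # dropped or modified file (file events only)
    process: str           # image that performed the action

def normalize_key(raw: str) -> str:
    """Map the kernel object path the sandbox logs onto the hive names reg.exe and Autoruns use."""
    if raw.startswith(MACHINE_PREFIX):
        return "HKLM\\" + raw[len(MACHINE_PREFIX):]
    m = USER_RE.match(raw)
    return f"HKU\\{m.group(1)}\\{m.group(2)}" if m else raw

def parse_report(text: str) -> list:
    events = []
    for line in text.strip().splitlines():
        for kind, pat in PATTERNS.items():
            m = pat.match(line.strip())
            if m:
                g = m.groups()
                if kind == "set":
                    events.append(Event(kind, normalize_key(g[1]), g[2].replace("\\\\", "\\"), None, g[3]))
                elif kind == "file":
                    events.append(Event(kind, None, None, g[0], g[1]))
                else:
                    events.append(Event(kind, normalize_key(g[0]), None, None, g[1]))
                break
    return events

def classify(ev: Event) -> str:
    """Tag an event with the behaviour it implements; tag names are this example's own, not the sandbox's."""
    k = (ev.key or "").lower()
    if ev.kind == "set":
        for needle, tag in (("\\policies\\explorer\\run\\", "persistence:policy_run"),
                            ("\\currentversion\\runonce\\", "persistence:runonce"),
                            ("\\currentversion\\run\\", "persistence:run")):
            if needle in k:
                return tag
        if k.endswith("\\disableregistrytools") and ev.value == "1":
            return "evasion:disable_regedit"
        if k.endswith("\\enablelua") and ev.value == "0":
            return "evasion:disable_uac"      # UAC is off for every account after the next reboot
    if ev.kind == "key_deleted" and "\\safeboot\\" in k:
        return "evasion:safeboot"
    return "drop" if ev.kind == "file" else "other"

def correlate_persistence(events: list) -> dict:
    """Run-type values keyed by registry path, each linked to dropped files that share its image name."""
    dropped = defaultdict(set)
    for ev in events:
        if ev.kind == "file":
            dropped[ev.path.rsplit("\\", 1)[-1].lower()].add(ev.path)
    out = defaultdict(list)
    for ev in events:
        if classify(ev).startswith("persistence:"):
            exe = ev.value.split()[0]                                # first token; the sample appends " ." as an argument
            out[ev.key].append({
                "command": ev.value,
                "bare_name": "\\" not in exe,                        # no directory: resolved via the search path at logon
                "wow64_view": "\\wow6432node\\" in ev.key.lower(),   # 32-bit view of the Run key; x64 still processes it
                "same_name_dropped_at": sorted(dropped[exe.rsplit("\\", 1)[-1].lower()]),
            })
    return dict(out)

def summarize(events: list) -> dict:  # behaviour tag -> set of process image names that exhibited it
    tags = defaultdict(set)
    for ev in events:
        tags[classify(ev)].add(ev.process.rsplit("\\", 1)[-1])
    return dict(tags)
```

Run it over the full report text rather than the sample to see every name the droppers rotate through a given value (kdubtisfwjfocu alone receives six different executables during the run). On the sample, the HKLM policy Run value resolves to the copies in both C:\Windows and C:\Windows\SysWOW64, and the HKU RunOnce value shows the bare image name followed by the "." argument the sample passes.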

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3564 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe
PID 3564 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe
PID 3564 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe
PID 4620 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe
PID 4620 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe
PID 4620 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe
PID 4620 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe
PID 4620 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe
PID 4620 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe C:\Users\Admin\AppData\Local\Temp\tfppail.exe
PID 3564 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe
PID 3564 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe
PID 3564 wrote to memory of 524 N/A C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\tfppail.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\10e2e4a7f16b729bfaa9630c1146569f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe

"C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe" "c:\users\admin\appdata\local\temp\10e2e4a7f16b729bfaa9630c1146569f_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\tfppail.exe

"C:\Users\Admin\AppData\Local\Temp\tfppail.exe" "-c:\users\admin\appdata\local\temp\10e2e4a7f16b729bfaa9630c1146569f_jaffacakes118.exe"

C:\Users\Admin\AppData\Local\Temp\tfppail.exe

"C:\Users\Admin\AppData\Local\Temp\tfppail.exe" "-c:\users\admin\appdata\local\temp\10e2e4a7f16b729bfaa9630c1146569f_jaffacakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2904,i,17325488789339133686,9539570259395798500,262144 --variations-seed-version --mojo-platform-channel-handle=1296 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe

"C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe" "c:\users\admin\appdata\local\temp\10e2e4a7f16b729bfaa9630c1146569f_jaffacakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 79.223.19.104.in-addr.arpa udp
US 8.8.8.8:53 www.whatismyip.com udp
US 104.27.207.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 92.207.27.104.in-addr.arpa udp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 56.74.21.104.in-addr.arpa udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.27.207.92:80 www.whatismyip.com tcp
US 104.27.207.92:80 www.whatismyip.com tcp
US 104.27.207.92:80 www.whatismyip.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.27.207.92:80 www.whatismyip.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.baidu.com udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
HK 103.235.47.188:80 www.baidu.com tcp
BG 77.77.47.140:37401 tcp
US 8.8.8.8:53 vsdgddzap.org udp
US 162.249.65.164:80 vsdgddzap.org tcp
US 8.8.8.8:53 188.47.235.103.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 czuaxrjwz.info udp
US 8.8.8.8:53 jpohvi.info udp
US 8.8.8.8:53 ykqitdlzoafl.info udp
US 8.8.8.8:53 kwhfqnnejec.info udp
US 34.211.97.45:80 kwhfqnnejec.info tcp
US 8.8.8.8:53 wciccoaqgywi.org udp
US 8.8.8.8:53 nechuv.net udp
US 8.8.8.8:53 nohmaysdqlnm.info udp
US 8.8.8.8:53 aoieqa.org udp
US 8.8.8.8:53 45.97.211.34.in-addr.arpa udp
IE 92.251.196.67:17384 tcp
US 8.8.8.8:53 tumezwbjaz.net udp
US 8.8.8.8:53 zkmgpbhgj.com udp
US 8.8.8.8:53 uipqwsmpjgh.net udp
US 8.8.8.8:53 eomqiyui.org udp
US 162.249.65.164:80 eomqiyui.org tcp
US 8.8.8.8:53 mkbwfgfja.info udp
US 8.8.8.8:53 prdtgxaz.info udp
US 8.8.8.8:53 retvxe.net udp
US 8.8.8.8:53 fcterrg.net udp
US 8.8.8.8:53 jkvaba.net udp
US 8.8.8.8:53 uimescouwmsm.com udp
US 8.8.8.8:53 hazzthxrziyh.net udp
US 8.8.8.8:53 lebcyqd.com udp
US 8.8.8.8:53 wckioakwsu.org udp
US 8.8.8.8:53 mowyegya.org udp
US 8.8.8.8:53 tknysgkzt.net udp
US 8.8.8.8:53 gfpinqbmbmx.info udp
US 8.8.8.8:53 hbywrbnrjgrc.net udp
US 8.8.8.8:53 wdqzak.info udp
US 8.8.8.8:53 jawzfnq.org udp
US 162.249.65.164:80 jawzfnq.org tcp
BG 95.87.198.136:27153 tcp
US 8.8.8.8:53 mahkshj.info udp
US 8.8.8.8:53 ceoawsgi.org udp
US 8.8.8.8:53 ngodfstltvni.net udp
US 8.8.8.8:53 wiqoaqmaayqs.org udp
US 8.8.8.8:53 guxujsy.info udp
US 8.8.8.8:53 ikzszjxmq.info udp
US 208.100.26.245:80 ikzszjxmq.info tcp
US 8.8.8.8:53 mgdozpxkn.net udp
US 8.8.8.8:53 cmdifezujkr.info udp
US 8.8.8.8:53 qkbonwbfvup.net udp
US 8.8.8.8:53 wywvyk.info udp
US 8.8.8.8:53 hkzpou.net udp
US 8.8.8.8:53 zxnatqlcynt.net udp
US 8.8.8.8:53 nibgvqqbg.net udp
US 8.8.8.8:53 fehhbmeyim.net udp
US 8.8.8.8:53 dcsepizll.info udp
US 8.8.8.8:53 ykkmmsoi.org udp
US 8.8.8.8:53 mskiumkecmce.org udp
US 8.8.8.8:53 bfnkdfbtnuch.info udp
US 8.8.8.8:53 kgwfhsfg.net udp
US 8.8.8.8:53 bynkxn.net udp
US 8.8.8.8:53 bsqotgivphh.org udp
US 8.8.8.8:53 hswepwt.com udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 psgcvgr.net udp
US 8.8.8.8:53 bktmnxjujuh.info udp
US 8.8.8.8:53 fphezgrudwy.com udp
US 8.8.8.8:53 yvrnagjc.info udp
US 8.8.8.8:53 atierp.info udp
US 8.8.8.8:53 rktqewv.com udp
US 8.8.8.8:53 cktstug.net udp
US 8.8.8.8:53 fmllrsnh.info udp
US 8.8.8.8:53 gcjcpcv.net udp
US 8.8.8.8:53 cgioigqcyk.com udp
US 8.8.8.8:53 fcbghgzuhfd.net udp
US 8.8.8.8:53 jydnupwk.net udp
US 8.8.8.8:53 bkbqosd.org udp
US 8.8.8.8:53 bnvmvujbf.com udp
US 8.8.8.8:53 hmjyzgfadan.net udp
US 8.8.8.8:53 yenhhbn.info udp
US 8.8.8.8:53 elnwxj.info udp
US 8.8.8.8:53 lzzqgigv.info udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 qkvarwtkpmi.info udp
US 8.8.8.8:53 lriyqqd.com udp
US 8.8.8.8:53 yuemqo.org udp
US 8.8.8.8:53 fmjldgh.info udp
US 8.8.8.8:53 wqnwbmrdh.info udp
US 8.8.8.8:53 ostdxxh.info udp
US 8.8.8.8:53 aakpyygkspxf.info udp
US 8.8.8.8:53 misasuzsp.net udp
US 8.8.8.8:53 qeatvxdoucf.info udp
US 8.8.8.8:53 nbsqtv.info udp
US 8.8.8.8:53 ashmtyrlb.info udp
US 8.8.8.8:53 cgeqrpjejzug.info udp
US 8.8.8.8:53 kexabpklup.net udp
US 8.8.8.8:53 ruympenybac.info udp
US 8.8.8.8:53 oocgwu.org udp
US 162.249.65.164:80 oocgwu.org tcp
LT 78.62.180.134:28865 tcp
US 8.8.8.8:53 ywjgnaz.net udp
US 8.8.8.8:53 xsqsbw.info udp
US 8.8.8.8:53 dyhqdnradr.info udp
US 8.8.8.8:53 pzeibgmqtiy.com udp
US 8.8.8.8:53 ppfspir.net udp
US 8.8.8.8:53 rmbzvoskrbt.org udp
US 8.8.8.8:53 mebzfgl.net udp
US 8.8.8.8:53 zoiktio.net udp
US 8.8.8.8:53 qeykgznjofov.net udp
US 8.8.8.8:53 xkcepmhcc.org udp
US 8.8.8.8:53 ztuuvewk.info udp
US 8.8.8.8:53 gqhggzzsso.net udp
US 8.8.8.8:53 tanuxkhcugs.net udp
US 8.8.8.8:53 mmaygygsiiwo.org udp
US 8.8.8.8:53 maihbinhfbnf.info udp
US 8.8.8.8:53 wrurbikhe.net udp
US 8.8.8.8:53 xoygdbaqf.net udp
US 8.8.8.8:53 ifbuuucojssb.info udp
US 8.8.8.8:53 vetbckh.net udp
US 8.8.8.8:53 narmbyptrnb.info udp
US 8.8.8.8:53 twvyrobjhur.org udp
US 162.249.65.164:80 twvyrobjhur.org tcp
LT 78.62.234.73:14384 tcp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 smccjmjcfki.net udp
US 8.8.8.8:53 wfkoosj.info udp
US 8.8.8.8:53 bswzaji.info udp
US 8.8.8.8:53 nomvmt.net udp
US 8.8.8.8:53 tpxkao.net udp
US 8.8.8.8:53 uggascemos.org udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 162.249.65.164:80 uggascemos.org tcp
US 8.8.8.8:53 ghzsfps.net udp
US 8.8.8.8:53 rvkudwamt.info udp
US 8.8.8.8:53 qahdxtmcddb.info udp
US 8.8.8.8:53 azwzvzkuvl.net udp
US 8.8.8.8:53 ssumtm.info udp
US 8.8.8.8:53 bilscbgutyf.com udp
US 8.8.8.8:53 qszmjmvrkmd.net udp
US 8.8.8.8:53 haimrtkp.info udp
US 8.8.8.8:53 hyottqfwzub.info udp
US 89.117.21.117:45245 tcp
US 8.8.8.8:53 qzwehqy.info udp
US 8.8.8.8:53 eppizju.info udp
US 8.8.8.8:53 giioceskecgw.com udp
US 8.8.8.8:53 xpustd.info udp
US 8.8.8.8:53 bgbtfyrujy.net udp
US 8.8.8.8:53 dbvyftictgas.net udp
US 8.8.8.8:53 cxvpmijmjz.info udp
US 8.8.8.8:53 niytwdcltppi.net udp
US 8.8.8.8:53 zjswuwos.info udp
US 8.8.8.8:53 nqfozsnnji.info udp
US 8.8.8.8:53 kojxtgf.net udp
US 8.8.8.8:53 cqerrsddcncp.net udp
US 8.8.8.8:53 wkhsvnlbjmb.info udp
US 8.8.8.8:53 jmzchqpks.info udp
US 8.8.8.8:53 oxcwiskrzisj.info udp
US 8.8.8.8:53 xuvsjinhp.com udp
US 8.8.8.8:53 xyveoyl.org udp
US 8.8.8.8:53 dlqzwhks.net udp
US 8.8.8.8:53 twronanbl.org udp
US 8.8.8.8:53 hsolelxe.net udp
US 8.8.8.8:53 linyrahgjztb.net udp
US 8.8.8.8:53 exlbpob.info udp
US 8.8.8.8:53 pstaspkmecrv.info udp
US 8.8.8.8:53 oqkemiiy.org udp
US 8.8.8.8:53 scyssywk.org udp
MD 89.28.90.76:13273 tcp
US 162.249.65.164:80 scyssywk.org tcp
US 8.8.8.8:53 dchkravomgvz.net udp
US 8.8.8.8:53 yjlohkjvbef.net udp
US 8.8.8.8:53 hupytxy.net udp
US 8.8.8.8:53 nmjgoicyy.org udp
US 8.8.8.8:53 ywqggoak.org udp
US 8.8.8.8:53 tjlalwx.com udp
US 8.8.8.8:53 bqpxmumwcea.net udp
US 8.8.8.8:53 lvpicxnk.info udp
US 8.8.8.8:53 tvfsnu.net udp
US 8.8.8.8:53 hnatzywd.info udp
US 8.8.8.8:53 sgcqqwasosqi.com udp
US 8.8.8.8:53 nyexzeu.net udp
US 8.8.8.8:53 sawioiusmyeo.com udp
US 8.8.8.8:53 ksjojeycamv.net udp
US 8.8.8.8:53 xfbckregdhtv.info udp
US 8.8.8.8:53 kwgcyk.com udp
US 8.8.8.8:53 vwfutlg.info udp
US 8.8.8.8:53 yglihwjhorm.info udp
US 8.8.8.8:53 vydmzunvhhnw.info udp
US 8.8.8.8:53 vhlaeegl.info udp
US 8.8.8.8:53 msusugqq.com udp
US 8.8.8.8:53 tayddxqraiej.net udp
US 8.8.8.8:53 uyuwgmyo.com udp
US 8.8.8.8:53 vzuads.info udp
US 8.8.8.8:53 vovshqno.net udp
US 8.8.8.8:53 iaqccq.com udp
US 8.8.8.8:53 ewzuphyig.net udp
US 8.8.8.8:53 fgzenab.info udp
US 8.8.8.8:53 zswpbpbmna.net udp
US 8.8.8.8:53 ucrszfzf.info udp
US 8.8.8.8:53 xapkxlxc.info udp
US 8.8.8.8:53 qadfsqv.net udp
US 8.8.8.8:53 xotuoivmx.com udp
US 8.8.8.8:53 egroraxatel.net udp
US 8.8.8.8:53 kmqwcsao.org udp
US 8.8.8.8:53 udhmlbuqpa.info udp
US 8.8.8.8:53 pftymldotwz.org udp
US 8.8.8.8:53 jzidjlva.net udp
US 8.8.8.8:53 efochgzyukl.net udp
US 8.8.8.8:53 dnvzbf.info udp
US 8.8.8.8:53 ikgsoe.com udp
US 8.8.8.8:53 qqqazklgr.net udp
RU 178.66.148.50:44613 tcp
US 8.8.8.8:53 ypyuoitqoa.info udp
US 8.8.8.8:53 fenwpqgfagp.info udp
US 8.8.8.8:53 saojqqztqqev.info udp
US 8.8.8.8:53 ljjbekvgppwh.info udp
US 8.8.8.8:53 wcwjlkd.info udp
US 8.8.8.8:53 ttqdczzgdjoa.info udp
US 8.8.8.8:53 wiumcssoiawa.com udp
US 8.8.8.8:53 nbdyxnobgc.info udp
US 8.8.8.8:53 jkudqejzfc.net udp
US 8.8.8.8:53 jikibrqb.info udp
US 8.8.8.8:53 cknojmbsf.info udp
US 8.8.8.8:53 kcporryn.net udp
US 8.8.8.8:53 hehhrajvzzty.net udp
US 8.8.8.8:53 gsmysyusyu.com udp
US 8.8.8.8:53 zxdcpam.info udp
US 8.8.8.8:53 nkedlfdqzu.net udp
US 8.8.8.8:53 yguegaeseige.com udp
US 8.8.8.8:53 nurtzuf.com udp
US 8.8.8.8:53 hcpexgl.net udp
US 8.8.8.8:53 bqnqljllbyn.com udp
US 8.8.8.8:53 vzrawxycib.info udp
US 8.8.8.8:53 pxiyqljef.org udp
US 8.8.8.8:53 kaqawaueascs.com udp
US 8.8.8.8:53 jojcpqbg.net udp
US 8.8.8.8:53 rkhunwg.com udp
US 8.8.8.8:53 qldnfd.net udp
US 8.8.8.8:53 wuihibpv.net udp
US 8.8.8.8:53 hlvfmaepom.net udp
US 8.8.8.8:53 kiacqceaaaky.com udp
US 8.8.8.8:53 rgmumlutry.net udp
US 8.8.8.8:53 exfrbbbwjctj.net udp
US 8.8.8.8:53 ffujrsnlpioe.info udp
US 8.8.8.8:53 akridp.info udp
US 8.8.8.8:53 cyzafyx.net udp
US 8.8.8.8:53 kgwkzwnuv.info udp
US 8.8.8.8:53 hmskewbfw.net udp
US 8.8.8.8:53 jcfavurdlf.info udp
US 8.8.8.8:53 amwnskjef.info udp
US 8.8.8.8:53 uebrlepe.info udp
US 8.8.8.8:53 uizdqbrrdiso.info udp
US 8.8.8.8:53 zrkholzwximd.net udp
US 8.8.8.8:53 gmseoaao.com udp
US 8.8.8.8:53 fojjzxdwvqg.net udp
US 8.8.8.8:53 lqzsttjmupr.org udp
US 8.8.8.8:53 wnzshgnguffc.net udp
US 8.8.8.8:53 nnkapwjgdgw.com udp
US 8.8.8.8:53 rgukqurny.org udp
US 8.8.8.8:53 ipiytt.info udp
US 8.8.8.8:53 pxjfrwzcyvx.org udp
US 8.8.8.8:53 rudfxcjvcd.net udp
US 8.8.8.8:53 pojwyl.info udp
US 8.8.8.8:53 qbocfslapf.info udp
US 8.8.8.8:53 cjrsdgmijgn.net udp
US 8.8.8.8:53 ulbdikbwhf.info udp
US 8.8.8.8:53 bqhynkf.net udp
US 8.8.8.8:53 egtyronwtqd.info udp
US 8.8.8.8:53 tglikq.net udp
US 8.8.8.8:53 ekeuosqigoeq.com udp
US 8.8.8.8:53 gnsufj.info udp
US 8.8.8.8:53 vivqnsmxqgp.net udp
US 8.8.8.8:53 wbudud.info udp
US 8.8.8.8:53 xcaxujvtnm.net udp
US 8.8.8.8:53 tsjlatxlzhn.info udp
US 8.8.8.8:53 ywyksm.com udp
US 8.8.8.8:53 cuocaaeiog.com udp
US 8.8.8.8:53 qsbltorcthr.net udp
US 8.8.8.8:53 dlwuxyqohgd.org udp
US 8.8.8.8:53 mwawsoweaa.org udp
US 8.8.8.8:53 xizgvuz.com udp
US 8.8.8.8:53 shvehdrsc.net udp
US 8.8.8.8:53 fuwzhttfql.info udp
US 8.8.8.8:53 phnudeukzyu.com udp
US 8.8.8.8:53 jcxcwolq.info udp
US 8.8.8.8:53 bybkbpjlnf.net udp
US 8.8.8.8:53 bshorya.net udp
US 8.8.8.8:53 efnwzram.info udp
US 8.8.8.8:53 keztjb.info udp
US 8.8.8.8:53 pmkdbuhgsup.com udp
US 8.8.8.8:53 cgpetec.net udp
US 8.8.8.8:53 voakfar.com udp
US 8.8.8.8:53 wobxezdp.info udp
US 8.8.8.8:53 kwqyjpzqpqp.info udp
US 8.8.8.8:53 kxqftntrfv.info udp
US 8.8.8.8:53 vzzivev.org udp
BG 212.233.247.52:39538 tcp
US 8.8.8.8:53 pmwuhnhkb.com udp
US 8.8.8.8:53 auowmaggsumq.org udp
US 162.249.65.164:80 auowmaggsumq.org tcp
US 8.8.8.8:53 gqmegmwimiyk.com udp
US 8.8.8.8:53 nqjfwuadxx.net udp
US 8.8.8.8:53 kpvnkzumlf.net udp
US 8.8.8.8:53 erqhyxcf.net udp
US 8.8.8.8:53 yoeuoiak.org udp
US 8.8.8.8:53 jraaeq.net udp
US 8.8.8.8:53 btxwcpkrxkte.net udp
US 8.8.8.8:53 rxnsvfyoss.net udp
US 8.8.8.8:53 vchkrzdyzum.org udp
BG 85.196.180.26:32446 tcp
US 8.8.8.8:53 bnuczivueor.net udp
US 8.8.8.8:53 hvszyg.info udp
US 8.8.8.8:53 wtkucqxo.net udp
US 8.8.8.8:53 swvytsb.net udp
US 8.8.8.8:53 npupnd.info udp
US 8.8.8.8:53 kquagkym.com udp
US 8.8.8.8:53 igjcav.info udp
US 8.8.8.8:53 mwbhbki.info udp
US 8.8.8.8:53 lkzkmkv.net udp
US 8.8.8.8:53 fogvtnlnwy.net udp
US 8.8.8.8:53 vwwmxlvmw.com udp
US 8.8.8.8:53 oyiasswi.org udp
US 8.8.8.8:53 kiixvivcp.net udp
US 8.8.8.8:53 kfekbulrl.info udp
US 8.8.8.8:53 swkynladvvv.net udp
US 8.8.8.8:53 hhlorggcrlgx.net udp
US 8.8.8.8:53 xiindgbplq.net udp
US 8.8.8.8:53 qtgswqugxbj.info udp
US 8.8.8.8:53 oqyegm.org udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 162.249.65.164:80 oqyegm.org tcp
US 8.8.8.8:53 pwzhlngxfevm.net udp
US 8.8.8.8:53 fgnmhy.net udp
US 8.8.8.8:53 kttutm.net udp
US 8.8.8.8:53 noxgpzp.com udp
US 8.8.8.8:53 hdnzfdixwlms.info udp
US 8.8.8.8:53 wmpbaorgoct.net udp
US 8.8.8.8:53 bxdmnmkvhnx.org udp
US 8.8.8.8:53 ccumqokuuy.org udp
US 8.8.8.8:53 osuqasmwkega.com udp
US 8.8.8.8:53 hiewuplllxj.info udp
US 8.8.8.8:53 oknmhblefkl.net udp
US 8.8.8.8:53 nmokuqame.com udp
US 8.8.8.8:53 hdvhofid.net udp
US 8.8.8.8:53 fbngnogngcuy.info udp
US 8.8.8.8:53 bgnmbpnkxfco.info udp
US 8.8.8.8:53 dyrrlkpgb.net udp
US 8.8.8.8:53 zanatel.org udp
US 8.8.8.8:53 dggcvax.net udp
US 8.8.8.8:53 lhlnamefxcr.com udp
US 8.8.8.8:53 iajnsm.net udp
US 8.8.8.8:53 wwyquaqkmmms.com udp
US 8.8.8.8:53 jjxkovro.info udp
US 8.8.8.8:53 qausokkaik.org udp
US 8.8.8.8:53 hqumvpfmmyn.net udp
US 8.8.8.8:53 pwygpj.net udp
US 8.8.8.8:53 mwkyisww.com udp
US 8.8.8.8:53 cmaqegqw.com udp
US 8.8.8.8:53 hkzfbe.net udp
US 8.8.8.8:53 idvimxz.net udp
US 8.8.8.8:53 xmxlrx.info udp
US 8.8.8.8:53 ucouuikk.com udp
US 8.8.8.8:53 fjrdep.net udp
US 8.8.8.8:53 tchximlbdye.info udp
US 8.8.8.8:53 dqjfyu.info udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 ukuyuq.com udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 cmtojk.net udp
US 8.8.8.8:53 euqxydatxn.net udp
US 8.8.8.8:53 rihfigppyj.info udp
US 8.8.8.8:53 vabhhpvsz.net udp
US 8.8.8.8:53 cjkrba.net udp
US 8.8.8.8:53 arjzgfodkifw.net udp
US 8.8.8.8:53 xxprnu.net udp
US 8.8.8.8:53 fwlkoinehjn.net udp
US 8.8.8.8:53 rghovmigp.info udp
US 8.8.8.8:53 drhdjqvr.info udp
US 8.8.8.8:53 ebfnuehzhb.info udp
US 8.8.8.8:53 dmiiag.info udp
US 8.8.8.8:53 ibxkaftwjf.info udp
US 8.8.8.8:53 skbatzjqbafv.net udp
US 8.8.8.8:53 uoaowymwmu.com udp
US 8.8.8.8:53 iwiysnzonxp.info udp
US 8.8.8.8:53 lwldae.net udp
US 8.8.8.8:53 fmvoxjg.net udp
US 8.8.8.8:53 samcmuoimuwc.com udp
US 8.8.8.8:53 fapmez.net udp

Files

memory/3564-0-0x0000000000400000-0x0000000000489000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe

C:\Windows\SysWOW64\ifalhaofarrewsjqyi.exe

C:\Users\Admin\AppData\Local\Temp\tfppail.exe

C:\Users\Admin\AppData\Local\ahmhnqopuvfceklcuokrwrxa.zef

C:\Users\Admin\AppData\Local\jbrxoclxnzucpgsuxcjbrxoclxnzucpgsux.jbr

C:\Program Files (x86)\ahmhnqopuvfceklcuokrwrxa.zef
