Malware Analysis Report

2025-03-15 00:56

Sample ID 240626-hrfsdstgnl
Target 111a63135090da974e45df036b3a9918_JaffaCakes118
SHA256 35b68d273d5c97c052bfb5ca776dd64da12ab455430922b6e108c97a2b5a3951
Tags
defense_evasion evasion persistence trojan
score
10/10


Analysis Overview

score
10/10

SHA256

35b68d273d5c97c052bfb5ca776dd64da12ab455430922b6e108c97a2b5a3951

Threat Level: Known bad

The file 111a63135090da974e45df036b3a9918_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion evasion persistence trojan

UAC bypass

Modifies WinLogon for persistence

Disables RegEdit via registry modification

Adds policy Run key to start application

Executes dropped EXE

Impair Defenses: Safe Mode Boot

Loads dropped DLL

Checks computer location settings

Checks whether UAC is enabled

Adds Run key to start application

Looks up external IP address via web service

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-06-26 06:58

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 06:57

Reported

2024-06-26 07:00

Platform

win7-20240419-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |

UAC bypass

evasion trojan
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |

Adds policy Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aekswgs = "cuokcaaqkdovrphqszqic.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tuxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuokcaaqkdovrphqszqic.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tuxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tuxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmbsfytethnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aekswgs = "aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aekswgs = "gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tuxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aekswgs = "zmbsfytethnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tuxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tuxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aekswgs = "gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tuxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aekswgs = "nexsjgfunfpvqnemntja.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aekswgs = "pevodyvizpxbupekjn.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aekswgs = "gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tuxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aekswgs = "aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tuxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmbsfytethnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aekswgs = "gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tuxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nexsjgfunfpvqnemntja.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |

Disables RegEdit via registry modification

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |

Impair Defenses: Safe Mode Boot

defense_evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\pubkpanq = "aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgpahujoxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuokcaaqkdovrphqszqic.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ceioq = "cuokcaaqkdovrphqszqic.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceioq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuokcaaqkdovrphqszqic.exe ." | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "gukcqkgsixehzthmk.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgpahujoxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqicsomasjsxrndkkpe.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "pevodyvizpxbupekjn.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmbsfytethnpgzmq.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ceioq = "nexsjgfunfpvqnemntja.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqicsomasjsxrndkkpe.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgpahujoxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmbsfytethnpgzmq.exe ." | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\pubkpanq = "zmbsfytethnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\pubkpanq = "pevodyvizpxbupekjn.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gmuekwkow = "aqicsomasjsxrndkkpe.exe ." | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gmuekwkow = "aqicsomasjsxrndkkpe.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "pevodyvizpxbupekjn.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\pubkpanq = "gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "cuokcaaqkdovrphqszqic.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ceioq = "aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\pubkpanq = "gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ceioq = "aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gmuekwkow = "gukcqkgsixehzthmk.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucmygukqajk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nexsjgfunfpvqnemntja.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuokcaaqkdovrphqszqic.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gukcqkgsixehzthmk.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqicsomasjsxrndkkpe.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuokcaaqkdovrphqszqic.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgpahujoxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuokcaaqkdovrphqszqic.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ceioq = "cuokcaaqkdovrphqszqic.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucmygukqajk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceioq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmbsfytethnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucmygukqajk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\pubkpanq = "cuokcaaqkdovrphqszqic.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gmuekwkow = "pevodyvizpxbupekjn.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gmuekwkow = "gukcqkgsixehzthmk.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucmygukqajk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmbsfytethnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmbsfytethnpgzmq.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucmygukqajk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucmygukqajk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuokcaaqkdovrphqszqic.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nexsjgfunfpvqnemntja.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gmuekwkow = "zmbsfytethnpgzmq.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "gukcqkgsixehzthmk.exe ." | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceioq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmbsfytethnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gmuekwkow = "zmbsfytethnpgzmq.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceioq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "aqicsomasjsxrndkkpe.exe ." | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\pubkpanq = "cuokcaaqkdovrphqszqic.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pevodyvizpxbupekjn.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgpahujoxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gukcqkgsixehzthmk.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gmuekwkow = "cuokcaaqkdovrphqszqic.exe ." | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceioq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pevodyvizpxbupekjn.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucmygukqajk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucmygukqajk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmbsfytethnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gmuekwkow = "pevodyvizpxbupekjn.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pevodyvizpxbupekjn.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucmygukqajk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceioq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nexsjgfunfpvqnemntja.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceioq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\pubkpanq = "aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ceioq = "pevodyvizpxbupekjn.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucmygukqajk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pevodyvizpxbupekjn.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\pubkpanq = "gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceioq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmbsfytethnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |

Checks whether UAC is enabled

evasion trojan
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |

Looks up external IP address via web service

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |

Drops autorun.inf file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\pevodyvizpxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\cuokcaaqkdovrphqszqic.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\pevodyvizpxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\tmhexwxojdpxutmwzhzsnk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\zmbsfytethnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmhexwxojdpxutmwzhzsnk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\nexsjgfunfpvqnemntja.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gukcqkgsixehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\nexsjgfunfpvqnemntja.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmhexwxojdpxutmwzhzsnk.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\zmbsfytethnpgzmqnpboduhavgvjpribosprdq.wjc | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pevodyvizpxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\pevodyvizpxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nexsjgfunfpvqnemntja.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmhexwxojdpxutmwzhzsnk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\tmhexwxojdpxutmwzhzsnk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\aqicsomasjsxrndkkpe.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\tmhexwxojdpxutmwzhzsnk.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmbsfytethnpgzmqnpboduhavgvjpribosprdq.wjc | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmbsfytethnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cuokcaaqkdovrphqszqic.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pevodyvizpxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cuokcaaqkdovrphqszqic.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\ceioqyiimpkbhprkwnoquackuuy.wnt | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gukcqkgsixehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\gukcqkgsixehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\nexsjgfunfpvqnemntja.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aqicsomasjsxrndkkpe.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aqicsomasjsxrndkkpe.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmhexwxojdpxutmwzhzsnk.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cuokcaaqkdovrphqszqic.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\cuokcaaqkdovrphqszqic.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmbsfytethnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nexsjgfunfpvqnemntja.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\zmbsfytethnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\pevodyvizpxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\aqicsomasjsxrndkkpe.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cuokcaaqkdovrphqszqic.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aqicsomasjsxrndkkpe.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\aqicsomasjsxrndkkpe.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nexsjgfunfpvqnemntja.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmbsfytethnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\cuokcaaqkdovrphqszqic.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\zmbsfytethnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\zmbsfytethnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\gukcqkgsixehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\gukcqkgsixehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\cuokcaaqkdovrphqszqic.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\gukcqkgsixehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gukcqkgsixehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nexsjgfunfpvqnemntja.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmbsfytethnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\aqicsomasjsxrndkkpe.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\nexsjgfunfpvqnemntja.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aqicsomasjsxrndkkpe.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pevodyvizpxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
File opened for modification C:\Windows\SysWOW64\gukcqkgsixehzthmk.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File created C:\Windows\SysWOW64\pevodyvizpxbupekjn.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
File created C:\Windows\SysWOW64\tmhexwxojdpxutmwzhzsnk.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
File opened for modification C:\Windows\SysWOW64\ceioqyiimpkbhprkwnoquackuuy.wnt C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\zmbsfytethnpgzmqnpboduhavgvjpribosprdq.wjc C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
File opened for modification C:\Program Files (x86)\ceioqyiimpkbhprkwnoquackuuy.wnt C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
File created C:\Program Files (x86)\ceioqyiimpkbhprkwnoquackuuy.wnt C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
File opened for modification C:\Program Files (x86)\zmbsfytethnpgzmqnpboduhavgvjpribosprdq.wjc C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\gukcqkgsixehzthmk.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\zmbsfytethnpgzmqnpboduhavgvjpribosprdq.wjc C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
File created C:\Windows\zmbsfytethnpgzmqnpboduhavgvjpribosprdq.wjc C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
File opened for modification C:\Windows\zmbsfytethnpgzmq.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File created C:\Windows\zmbsfytethnpgzmq.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File created C:\Windows\pevodyvizpxbupekjn.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\aqicsomasjsxrndkkpe.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\nexsjgfunfpvqnemntja.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\zmbsfytethnpgzmq.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
File created C:\Windows\aqicsomasjsxrndkkpe.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\cuokcaaqkdovrphqszqic.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File created C:\Windows\tmhexwxojdpxutmwzhzsnk.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\tmhexwxojdpxutmwzhzsnk.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
File opened for modification C:\Windows\nexsjgfunfpvqnemntja.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\pevodyvizpxbupekjn.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\gukcqkgsixehzthmk.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
File opened for modification C:\Windows\nexsjgfunfpvqnemntja.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
File opened for modification C:\Windows\cuokcaaqkdovrphqszqic.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
File opened for modification C:\Windows\tmhexwxojdpxutmwzhzsnk.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\aqicsomasjsxrndkkpe.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\gukcqkgsixehzthmk.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\pevodyvizpxbupekjn.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
File opened for modification C:\Windows\pevodyvizpxbupekjn.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
File opened for modification C:\Windows\nexsjgfunfpvqnemntja.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
File created C:\Windows\ceioqyiimpkbhprkwnoquackuuy.wnt C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
File opened for modification C:\Windows\pevodyvizpxbupekjn.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\tmhexwxojdpxutmwzhzsnk.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\cuokcaaqkdovrphqszqic.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File created C:\Windows\cuokcaaqkdovrphqszqic.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\tmhexwxojdpxutmwzhzsnk.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
File opened for modification C:\Windows\ceioqyiimpkbhprkwnoquackuuy.wnt C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
File opened for modification C:\Windows\aqicsomasjsxrndkkpe.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
File opened for modification C:\Windows\gukcqkgsixehzthmk.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\zmbsfytethnpgzmq.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File created C:\Windows\nexsjgfunfpvqnemntja.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\zmbsfytethnpgzmq.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
File opened for modification C:\Windows\aqicsomasjsxrndkkpe.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
File opened for modification C:\Windows\cuokcaaqkdovrphqszqic.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
File opened for modification C:\Windows\gukcqkgsixehzthmk.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2752 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe
PID 2752 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe
PID 2752 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe
PID 2752 wrote to memory of 3044 N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe
PID 3044 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe
PID 3044 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe
PID 3044 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe
PID 3044 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe
PID 3044 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe
PID 3044 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe
PID 3044 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe
PID 3044 wrote to memory of 292 N/A C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe C:\Users\Admin\AppData\Local\Temp\ceioq.exe
PID 2752 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe
PID 2752 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe
PID 2752 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe
PID 2752 wrote to memory of 2776 N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ceioq.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe

"C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe" "c:\users\admin\appdata\local\temp\111a63135090da974e45df036b3a9918_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\ceioq.exe

"C:\Users\Admin\AppData\Local\Temp\ceioq.exe" "-c:\users\admin\appdata\local\temp\111a63135090da974e45df036b3a9918_jaffacakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ceioq.exe

"C:\Users\Admin\AppData\Local\Temp\ceioq.exe" "-c:\users\admin\appdata\local\temp\111a63135090da974e45df036b3a9918_jaffacakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe

"C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe" "c:\users\admin\appdata\local\temp\111a63135090da974e45df036b3a9918_jaffacakes118.exe"

Network

Country Destination Domain Proto

Files


Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-26 06:57

Reported: 2024-06-26 07:00

Platform: win10v2004-20240611-en

Max time kernel: 150s

Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |

UAC bypass

evasion trojan
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |

Adds policy Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkaqjbpixihsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aohawriewkmatqiqzke.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uetiarewkuscrky = "ncwqnjbyrgjysqjscojy.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pcumhbrmdqrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gsjauncwmyykbwmsz.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uetiarewkuscrky = "aohawriewkmatqiqzke.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uetiarewkuscrky = "gsjauncwmyykbwmsz.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uetiarewkuscrky = "pcumhbrmdqrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csnigdwuoeiytsmwhuqgb.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uetiarewkuscrky = "zkaqjbpixihsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uetiarewkuscrky = "zkaqjbpixihsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uetiarewkuscrky = "aohawriewkmatqiqzke.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uetiarewkuscrky = "csnigdwuoeiytsmwhuqgb.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncwqnjbyrgjysqjscojy.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csnigdwuoeiytsmwhuqgb.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aohawriewkmatqiqzke.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |

Disables RegEdit via registry modification

evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |

Impair Defenses: Safe Mode Boot

defense_evasion
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aohawriewkmatqiqzke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aohawriewkmatqiqzke.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zkaqjbpixihsicrw = "gsjauncwmyykbwmsz.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zkaqjbpixihsicrw = "aohawriewkmatqiqzke.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncwqnjbyrgjysqjscojy.exe ." | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aohawriewkmatqiqzke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkaqjbpixihsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncwqnjbyrgjysqjscojy.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gsjauncwmyykbwmsz = "zkaqjbpixihsicrw.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gsjauncwmyykbwmsz = "csnigdwuoeiytsmwhuqgb.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aohawriewkmatqiqzke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gsjauncwmyykbwmsz.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcumhbrmdqrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncwqnjbyrgjysqjscojy.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "zkaqjbpixihsicrw.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aohawriewkmatqiqzke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csnigdwuoeiytsmwhuqgb.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pcumhbrmdqrewsjqyi.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "csnigdwuoeiytsmwhuqgb.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncwqnjbyrgjysqjscojy.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aohawriewkmatqiqzke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pcumhbrmdqrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "pcumhbrmdqrewsjqyi.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "zkaqjbpixihsicrw.exe ." | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gsjauncwmyykbwmsz.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zkaqjbpixihsicrw = "pcumhbrmdqrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zkaqjbpixihsicrw = "zkaqjbpixihsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "gsjauncwmyykbwmsz.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aohawriewkmatqiqzke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkaqjbpixihsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcumhbrmdqrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csnigdwuoeiytsmwhuqgb.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "ncwqnjbyrgjysqjscojy.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "ncwqnjbyrgjysqjscojy.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkaqjbpixihsicrw.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "gsjauncwmyykbwmsz.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "csnigdwuoeiytsmwhuqgb.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcumhbrmdqrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pcumhbrmdqrewsjqyi.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zkaqjbpixihsicrw = "csnigdwuoeiytsmwhuqgb.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "gsjauncwmyykbwmsz.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcumhbrmdqrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gsjauncwmyykbwmsz.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkaqjbpixihsicrw.exe ." | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aohawriewkmatqiqzke.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aohawriewkmatqiqzke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncwqnjbyrgjysqjscojy.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "ncwqnjbyrgjysqjscojy.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "pcumhbrmdqrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkaqjbpixihsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "aohawriewkmatqiqzke.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gsjauncwmyykbwmsz = "ncwqnjbyrgjysqjscojy.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aohawriewkmatqiqzke.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "zkaqjbpixihsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gsjauncwmyykbwmsz = "aohawriewkmatqiqzke.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csnigdwuoeiytsmwhuqgb.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "aohawriewkmatqiqzke.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gsjauncwmyykbwmsz = "gsjauncwmyykbwmsz.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pcumhbrmdqrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcumhbrmdqrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncwqnjbyrgjysqjscojy.exe ." | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |

Checks whether UAC is enabled

evasion trojan
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |

Looks up external IP address via web service

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |

Drops autorun.inf file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\zkaqjbpixihsicrw.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File created C:\Windows\SysWOW64\aohawriewkmatqiqzke.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File created C:\Windows\SysWOW64\tkgcbztsnejawwrcoczqmi.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File created C:\Windows\SysWOW64\ncwqnjbyrgjysqjscojy.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File created C:\Windows\SysWOW64\tkgcbztsnejawwrcoczqmi.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\aohawriewkmatqiqzke.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File created C:\Windows\SysWOW64\pcumhbrmdqrewsjqyi.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\tkgcbztsnejawwrcoczqmi.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\SysWOW64\pcumhbrmdqrewsjqyi.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\ncwqnjbyrgjysqjscojy.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File created C:\Windows\SysWOW64\ncwqnjbyrgjysqjscojy.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\ncwqnjbyrgjysqjscojy.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\ncwqnjbyrgjysqjscojy.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\SysWOW64\csnigdwuoeiytsmwhuqgb.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File created C:\Windows\SysWOW64\csnigdwuoeiytsmwhuqgb.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File created C:\Windows\SysWOW64\tkgcbztsnejawwrcoczqmi.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File created C:\Windows\SysWOW64\pcumhbrmdqrewsjqyi.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\csnigdwuoeiytsmwhuqgb.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File created C:\Windows\SysWOW64\csnigdwuoeiytsmwhuqgb.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File created C:\Windows\SysWOW64\tkgcbztsnejawwrcoczqmi.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File created C:\Windows\SysWOW64\aohawriewkmatqiqzke.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File created C:\Windows\SysWOW64\csnigdwuoeiytsmwhuqgb.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File created C:\Windows\SysWOW64\aohawriewkmatqiqzke.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File created C:\Windows\SysWOW64\pcumhbrmdqrewsjqyi.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\SysWOW64\aohawriewkmatqiqzke.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\SysWOW64\gsjauncwmyykbwmsz.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\SysWOW64\pcumhbrmdqrewsjqyi.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\SysWOW64\dyyybdbedyhccgfukcdyyy.dbe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\SysWOW64\gsjauncwmyykbwmsz.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File created C:\Windows\SysWOW64\aohawriewkmatqiqzke.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\gsjauncwmyykbwmsz.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File created C:\Windows\SysWOW64\ncwqnjbyrgjysqjscojy.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File created C:\Windows\SysWOW64\dyyybdbedyhccgfukcdyyy.dbe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File created C:\Windows\SysWOW64\gsjauncwmyykbwmsz.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File created C:\Windows\SysWOW64\csnigdwuoeiytsmwhuqgb.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File created C:\Windows\SysWOW64\pcumhbrmdqrewsjqyi.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\SysWOW64\zkaqjbpixihsicrw.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\zkaqjbpixihsicrw.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File created C:\Windows\SysWOW64\zkaqjbpixihsicrw.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File created C:\Windows\SysWOW64\gsjauncwmyykbwmsz.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\SysWOW64\zkaqjbpixihsicrw.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File created C:\Windows\SysWOW64\zkaqjbpixihsicrw.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\aohawriewkmatqiqzke.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\gsjauncwmyykbwmsz.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\pcumhbrmdqrewsjqyi.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\SysWOW64\tkgcbztsnejawwrcoczqmi.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File created C:\Windows\SysWOW64\ncwqnjbyrgjysqjscojy.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\SysWOW64\zkaqjbpixihsicrw.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\SysWOW64\csnigdwuoeiytsmwhuqgb.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File created C:\Windows\SysWOW64\ualwkxguekekvkuuvykqbmanwkuaualak.loa C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\SysWOW64\tkgcbztsnejawwrcoczqmi.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File created C:\Windows\SysWOW64\gsjauncwmyykbwmsz.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\pcumhbrmdqrewsjqyi.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\aohawriewkmatqiqzke.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File created C:\Windows\SysWOW64\gsjauncwmyykbwmsz.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\SysWOW64\tkgcbztsnejawwrcoczqmi.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File created C:\Windows\SysWOW64\zkaqjbpixihsicrw.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\SysWOW64\ncwqnjbyrgjysqjscojy.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\SysWOW64\csnigdwuoeiytsmwhuqgb.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\SysWOW64\ualwkxguekekvkuuvykqbmanwkuaualak.loa C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\dyyybdbedyhccgfukcdyyy.dbe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File created C:\Program Files (x86)\dyyybdbedyhccgfukcdyyy.dbe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Program Files (x86)\ualwkxguekekvkuuvykqbmanwkuaualak.loa C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File created C:\Program Files (x86)\ualwkxguekekvkuuvykqbmanwkuaualak.loa C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\zkaqjbpixihsicrw.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\gsjauncwmyykbwmsz.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\tkgcbztsnejawwrcoczqmi.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\gsjauncwmyykbwmsz.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\ualwkxguekekvkuuvykqbmanwkuaualak.loa C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File created C:\Windows\ualwkxguekekvkuuvykqbmanwkuaualak.loa C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File created C:\Windows\tkgcbztsnejawwrcoczqmi.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\pcumhbrmdqrewsjqyi.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\aohawriewkmatqiqzke.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\aohawriewkmatqiqzke.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\csnigdwuoeiytsmwhuqgb.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File created C:\Windows\gsjauncwmyykbwmsz.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File created C:\Windows\pcumhbrmdqrewsjqyi.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\aohawriewkmatqiqzke.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File created C:\Windows\csnigdwuoeiytsmwhuqgb.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\zkaqjbpixihsicrw.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\pcumhbrmdqrewsjqyi.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\ncwqnjbyrgjysqjscojy.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\tkgcbztsnejawwrcoczqmi.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\dyyybdbedyhccgfukcdyyy.dbe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\zkaqjbpixihsicrw.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File created C:\Windows\aohawriewkmatqiqzke.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\tkgcbztsnejawwrcoczqmi.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\zkaqjbpixihsicrw.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File created C:\Windows\dyyybdbedyhccgfukcdyyy.dbe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\gsjauncwmyykbwmsz.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\pcumhbrmdqrewsjqyi.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\ncwqnjbyrgjysqjscojy.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\csnigdwuoeiytsmwhuqgb.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\aohawriewkmatqiqzke.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\gsjauncwmyykbwmsz.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\ncwqnjbyrgjysqjscojy.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\zkaqjbpixihsicrw.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\pcumhbrmdqrewsjqyi.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File created C:\Windows\ncwqnjbyrgjysqjscojy.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\csnigdwuoeiytsmwhuqgb.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\csnigdwuoeiytsmwhuqgb.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
File opened for modification C:\Windows\ncwqnjbyrgjysqjscojy.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
File opened for modification C:\Windows\tkgcbztsnejawwrcoczqmi.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 748 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe
PID 748 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe
PID 748 wrote to memory of 3304 N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe
PID 3304 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe
PID 3304 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe
PID 3304 wrote to memory of 5072 N/A C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe
PID 3304 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe
PID 3304 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe
PID 3304 wrote to memory of 4124 N/A C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe C:\Users\Admin\AppData\Local\Temp\cchmu.exe
PID 748 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe
PID 748 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe
PID 748 wrote to memory of 508 N/A C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\cchmu.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe

"C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe" "c:\users\admin\appdata\local\temp\111a63135090da974e45df036b3a9918_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\cchmu.exe

"C:\Users\Admin\AppData\Local\Temp\cchmu.exe" "-c:\users\admin\appdata\local\temp\111a63135090da974e45df036b3a9918_jaffacakes118.exe"

C:\Users\Admin\AppData\Local\Temp\cchmu.exe

"C:\Users\Admin\AppData\Local\Temp\cchmu.exe" "-c:\users\admin\appdata\local\temp\111a63135090da974e45df036b3a9918_jaffacakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=4472 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe

"C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe" "c:\users\admin\appdata\local\temp\111a63135090da974e45df036b3a9918_jaffacakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
BE 88.221.83.218:443 www.bing.com tcp
US 8.8.8.8:53 218.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 79.223.19.104.in-addr.arpa udp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 www.whatismyip.com udp
US 104.27.207.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 92.207.27.104.in-addr.arpa udp
US 104.27.207.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 56.74.21.104.in-addr.arpa udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 www.yahoo.com udp
GB 87.248.114.11:80 www.yahoo.com tcp
BG 90.154.187.99:32232 tcp
US 8.8.8.8:53 mymqeo.info udp
US 8.8.8.8:53 tfomvifox.cc udp
US 8.8.8.8:53 korzjmnansnan.cc udp
US 8.8.8.8:53 isuslk.biz udp
US 8.8.8.8:53 qakayaiq.biz udp
US 8.8.8.8:53 dlradsn.org udp
US 162.249.65.162:80 dlradsn.org tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 11.114.248.87.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 zipagcn.cc udp
US 8.8.8.8:53 eyusaaiugkeq.biz udp
US 8.8.8.8:53 gcikqkuiwcymao.info udp
US 8.8.8.8:53 mstgnqfqbex.org udp
US 8.8.8.8:53 ggblkkdsholapet.org udp
US 8.8.8.8:53 ckopbcuiwcymao.net udp
US 8.8.8.8:53 ymazfyeoya.info udp

Files

C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe

C:\Windows\SysWOW64\pcumhbrmdqrewsjqyi.exe

C:\Users\Admin\AppData\Local\Temp\cchmu.exe

C:\Users\Admin\AppData\Local\dyyybdbedyhccgfukcdyyy.dbe

C:\Users\Admin\AppData\Local\ualwkxguekekvkuuvykqbmanwkuaualak.loa

C:\Program Files (x86)\dyyybdbedyhccgfukcdyyy.dbe

C:\Program Files (x86)\dyyybdbedyhccgfukcdyyy.dbe

C:\Users\Admin\AppData\Local\dyyybdbedyhccgfukcdyyy.dbe

C:\Program Files (x86)\dyyybdbedyhccgfukcdyyy.dbe

C:\Users\Admin\AppData\Local\dyyybdbedyhccgfukcdyyy.dbe

C:\Windows\pcumhbrmdqrewsjqyi.exe

C:\Program Files (x86)\dyyybdbedyhccgfukcdyyy.dbe
