Analysis Overview
SHA256
35b68d273d5c97c052bfb5ca776dd64da12ab455430922b6e108c97a2b5a3951
Threat Level: Known bad
The file 111a63135090da974e45df036b3a9918_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies WinLogon for persistence
Disables RegEdit via registry modification
Adds policy Run key to start application
Executes dropped EXE
Impair Defenses: Safe Mode Boot
Loads dropped DLL
Checks computer location settings
Checks whether UAC is enabled
Adds Run key to start application
Looks up external IP address via web service
Drops autorun.inf file
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
System policy modification
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 06:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 06:57
Reported
2024-06-26 07:00
Platform
win7-20240419-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aekswgs = "cuokcaaqkdovrphqszqic.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tuxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuokcaaqkdovrphqszqic.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tuxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tuxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmbsfytethnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aekswgs = "aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aekswgs = "gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tuxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aekswgs = "zmbsfytethnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tuxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tuxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aekswgs = "gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tuxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aekswgs = "nexsjgfunfpvqnemntja.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aekswgs = "pevodyvizpxbupekjn.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aekswgs = "gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tuxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aekswgs = "aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tuxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmbsfytethnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aekswgs = "gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tuxc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nexsjgfunfpvqnemntja.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\pubkpanq = "aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgpahujoxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuokcaaqkdovrphqszqic.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ceioq = "cuokcaaqkdovrphqszqic.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceioq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuokcaaqkdovrphqszqic.exe ." | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "gukcqkgsixehzthmk.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgpahujoxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqicsomasjsxrndkkpe.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "pevodyvizpxbupekjn.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmbsfytethnpgzmq.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ceioq = "nexsjgfunfpvqnemntja.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqicsomasjsxrndkkpe.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgpahujoxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmbsfytethnpgzmq.exe ." | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\pubkpanq = "zmbsfytethnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\pubkpanq = "pevodyvizpxbupekjn.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gmuekwkow = "aqicsomasjsxrndkkpe.exe ." | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gmuekwkow = "aqicsomasjsxrndkkpe.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "pevodyvizpxbupekjn.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\pubkpanq = "gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "cuokcaaqkdovrphqszqic.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ceioq = "aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\pubkpanq = "gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ceioq = "aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gmuekwkow = "gukcqkgsixehzthmk.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucmygukqajk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nexsjgfunfpvqnemntja.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuokcaaqkdovrphqszqic.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gukcqkgsixehzthmk.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqicsomasjsxrndkkpe.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuokcaaqkdovrphqszqic.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgpahujoxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuokcaaqkdovrphqszqic.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ceioq = "cuokcaaqkdovrphqszqic.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucmygukqajk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceioq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmbsfytethnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucmygukqajk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\pubkpanq = "cuokcaaqkdovrphqszqic.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gmuekwkow = "pevodyvizpxbupekjn.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gmuekwkow = "gukcqkgsixehzthmk.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucmygukqajk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmbsfytethnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmbsfytethnpgzmq.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucmygukqajk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucmygukqajk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cuokcaaqkdovrphqszqic.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nexsjgfunfpvqnemntja.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gmuekwkow = "zmbsfytethnpgzmq.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "gukcqkgsixehzthmk.exe ." | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceioq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmbsfytethnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gmuekwkow = "zmbsfytethnpgzmq.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceioq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "aqicsomasjsxrndkkpe.exe ." | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\pubkpanq = "cuokcaaqkdovrphqszqic.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pevodyvizpxbupekjn.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zgpahujoxf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gukcqkgsixehzthmk.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gmuekwkow = "cuokcaaqkdovrphqszqic.exe ." | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceioq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pevodyvizpxbupekjn.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucmygukqajk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucmygukqajk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmbsfytethnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\gmuekwkow = "pevodyvizpxbupekjn.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nqvcfo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pevodyvizpxbupekjn.exe ." | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucmygukqajk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceioq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nexsjgfunfpvqnemntja.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceioq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\pubkpanq = "aqicsomasjsxrndkkpe.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ceioq = "pevodyvizpxbupekjn.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ucmygukqajk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pevodyvizpxbupekjn.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\pubkpanq = "gukcqkgsixehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\ceioq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmbsfytethnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\pevodyvizpxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\cuokcaaqkdovrphqszqic.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\pevodyvizpxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\tmhexwxojdpxutmwzhzsnk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\zmbsfytethnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmhexwxojdpxutmwzhzsnk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\nexsjgfunfpvqnemntja.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gukcqkgsixehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\nexsjgfunfpvqnemntja.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmhexwxojdpxutmwzhzsnk.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\zmbsfytethnpgzmqnpboduhavgvjpribosprdq.wjc | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pevodyvizpxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\pevodyvizpxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nexsjgfunfpvqnemntja.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmhexwxojdpxutmwzhzsnk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\tmhexwxojdpxutmwzhzsnk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\aqicsomasjsxrndkkpe.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\tmhexwxojdpxutmwzhzsnk.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmbsfytethnpgzmqnpboduhavgvjpribosprdq.wjc | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmbsfytethnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cuokcaaqkdovrphqszqic.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pevodyvizpxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cuokcaaqkdovrphqszqic.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\ceioqyiimpkbhprkwnoquackuuy.wnt | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gukcqkgsixehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\gukcqkgsixehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\nexsjgfunfpvqnemntja.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aqicsomasjsxrndkkpe.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aqicsomasjsxrndkkpe.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tmhexwxojdpxutmwzhzsnk.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cuokcaaqkdovrphqszqic.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\cuokcaaqkdovrphqszqic.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmbsfytethnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nexsjgfunfpvqnemntja.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\zmbsfytethnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\pevodyvizpxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\aqicsomasjsxrndkkpe.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cuokcaaqkdovrphqszqic.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aqicsomasjsxrndkkpe.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\aqicsomasjsxrndkkpe.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nexsjgfunfpvqnemntja.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmbsfytethnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\cuokcaaqkdovrphqszqic.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\zmbsfytethnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\zmbsfytethnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\gukcqkgsixehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\gukcqkgsixehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\cuokcaaqkdovrphqszqic.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\gukcqkgsixehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gukcqkgsixehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nexsjgfunfpvqnemntja.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmbsfytethnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\aqicsomasjsxrndkkpe.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\nexsjgfunfpvqnemntja.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aqicsomasjsxrndkkpe.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pevodyvizpxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gukcqkgsixehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\SysWOW64\pevodyvizpxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\SysWOW64\tmhexwxojdpxutmwzhzsnk.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ceioqyiimpkbhprkwnoquackuuy.wnt | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\zmbsfytethnpgzmqnpboduhavgvjpribosprdq.wjc | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ceioqyiimpkbhprkwnoquackuuy.wnt | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Program Files (x86)\ceioqyiimpkbhprkwnoquackuuy.wnt | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Program Files (x86)\zmbsfytethnpgzmqnpboduhavgvjpribosprdq.wjc | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\gukcqkgsixehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\zmbsfytethnpgzmqnpboduhavgvjpribosprdq.wjc | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\zmbsfytethnpgzmqnpboduhavgvjpribosprdq.wjc | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\zmbsfytethnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\zmbsfytethnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\pevodyvizpxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\aqicsomasjsxrndkkpe.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\nexsjgfunfpvqnemntja.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\zmbsfytethnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\aqicsomasjsxrndkkpe.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\cuokcaaqkdovrphqszqic.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\tmhexwxojdpxutmwzhzsnk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\tmhexwxojdpxutmwzhzsnk.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\nexsjgfunfpvqnemntja.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\pevodyvizpxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\gukcqkgsixehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\nexsjgfunfpvqnemntja.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\cuokcaaqkdovrphqszqic.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\tmhexwxojdpxutmwzhzsnk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\aqicsomasjsxrndkkpe.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\gukcqkgsixehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\pevodyvizpxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\pevodyvizpxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\nexsjgfunfpvqnemntja.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File created | C:\Windows\ceioqyiimpkbhprkwnoquackuuy.wnt | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\pevodyvizpxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\tmhexwxojdpxutmwzhzsnk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\cuokcaaqkdovrphqszqic.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\cuokcaaqkdovrphqszqic.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\tmhexwxojdpxutmwzhzsnk.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\ceioqyiimpkbhprkwnoquackuuy.wnt | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\aqicsomasjsxrndkkpe.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\gukcqkgsixehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\zmbsfytethnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\nexsjgfunfpvqnemntja.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\zmbsfytethnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\aqicsomasjsxrndkkpe.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\cuokcaaqkdovrphqszqic.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| File opened for modification | C:\Windows\gukcqkgsixehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ceioq.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe
"C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe" "c:\users\admin\appdata\local\temp\111a63135090da974e45df036b3a9918_jaffacakes118.exe*"
C:\Users\Admin\AppData\Local\Temp\ceioq.exe
"C:\Users\Admin\AppData\Local\Temp\ceioq.exe" "-c:\users\admin\appdata\local\temp\111a63135090da974e45df036b3a9918_jaffacakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ceioq.exe
"C:\Users\Admin\AppData\Local\Temp\ceioq.exe" "-c:\users\admin\appdata\local\temp\111a63135090da974e45df036b3a9918_jaffacakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe
"C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe" "c:\users\admin\appdata\local\temp\111a63135090da974e45df036b3a9918_jaffacakes118.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 06:57
Reported
2024-06-26 07:00
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkaqjbpixihsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aohawriewkmatqiqzke.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uetiarewkuscrky = "ncwqnjbyrgjysqjscojy.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pcumhbrmdqrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gsjauncwmyykbwmsz.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uetiarewkuscrky = "aohawriewkmatqiqzke.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uetiarewkuscrky = "gsjauncwmyykbwmsz.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uetiarewkuscrky = "pcumhbrmdqrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkaqjbpixihsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gsjauncwmyykbwmsz.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csnigdwuoeiytsmwhuqgb.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csnigdwuoeiytsmwhuqgb.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uetiarewkuscrky = "zkaqjbpixihsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uetiarewkuscrky = "zkaqjbpixihsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uetiarewkuscrky = "aohawriewkmatqiqzke.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uetiarewkuscrky = "csnigdwuoeiytsmwhuqgb.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uetiarewkuscrky = "ncwqnjbyrgjysqjscojy.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uetiarewkuscrky = "csnigdwuoeiytsmwhuqgb.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aohawriewkmatqiqzke.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uetiarewkuscrky = "aohawriewkmatqiqzke.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pcumhbrmdqrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncwqnjbyrgjysqjscojy.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uetiarewkuscrky = "pcumhbrmdqrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uetiarewkuscrky = "gsjauncwmyykbwmsz.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csnigdwuoeiytsmwhuqgb.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aohawriewkmatqiqzke.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncwqnjbyrgjysqjscojy.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aohawriewkmatqiqzke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aohawriewkmatqiqzke.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zkaqjbpixihsicrw = "gsjauncwmyykbwmsz.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zkaqjbpixihsicrw = "aohawriewkmatqiqzke.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncwqnjbyrgjysqjscojy.exe ." | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aohawriewkmatqiqzke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkaqjbpixihsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncwqnjbyrgjysqjscojy.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gsjauncwmyykbwmsz = "zkaqjbpixihsicrw.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gsjauncwmyykbwmsz = "csnigdwuoeiytsmwhuqgb.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aohawriewkmatqiqzke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gsjauncwmyykbwmsz.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcumhbrmdqrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncwqnjbyrgjysqjscojy.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "zkaqjbpixihsicrw.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aohawriewkmatqiqzke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csnigdwuoeiytsmwhuqgb.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aohawriewkmatqiqzke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkaqjbpixihsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pcumhbrmdqrewsjqyi.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "csnigdwuoeiytsmwhuqgb.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncwqnjbyrgjysqjscojy.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aohawriewkmatqiqzke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pcumhbrmdqrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "pcumhbrmdqrewsjqyi.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "zkaqjbpixihsicrw.exe ." | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aohawriewkmatqiqzke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gsjauncwmyykbwmsz.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gsjauncwmyykbwmsz.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zkaqjbpixihsicrw = "pcumhbrmdqrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zkaqjbpixihsicrw = "zkaqjbpixihsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "gsjauncwmyykbwmsz.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aohawriewkmatqiqzke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkaqjbpixihsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcumhbrmdqrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csnigdwuoeiytsmwhuqgb.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "ncwqnjbyrgjysqjscojy.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "ncwqnjbyrgjysqjscojy.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "ncwqnjbyrgjysqjscojy.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkaqjbpixihsicrw.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "gsjauncwmyykbwmsz.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "gsjauncwmyykbwmsz.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "csnigdwuoeiytsmwhuqgb.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcumhbrmdqrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pcumhbrmdqrewsjqyi.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aohawriewkmatqiqzke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkaqjbpixihsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zkaqjbpixihsicrw = "csnigdwuoeiytsmwhuqgb.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "gsjauncwmyykbwmsz.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcumhbrmdqrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gsjauncwmyykbwmsz.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkaqjbpixihsicrw.exe ." | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aohawriewkmatqiqzke.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aohawriewkmatqiqzke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncwqnjbyrgjysqjscojy.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcumhbrmdqrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncwqnjbyrgjysqjscojy.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkaqjbpixihsicrw.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "ncwqnjbyrgjysqjscojy.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "pcumhbrmdqrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkaqjbpixihsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "aohawriewkmatqiqzke.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gsjauncwmyykbwmsz = "ncwqnjbyrgjysqjscojy.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aohawriewkmatqiqzke.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aohawriewkmatqiqzke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aohawriewkmatqiqzke.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "zkaqjbpixihsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcumhbrmdqrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pcumhbrmdqrewsjqyi.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gsjauncwmyykbwmsz = "aohawriewkmatqiqzke.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gsjauncwmyykbwmsz = "ncwqnjbyrgjysqjscojy.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pcumhbrmdqrewsjqyi.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aohawriewkmatqiqzke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csnigdwuoeiytsmwhuqgb.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\aohawriewkmatqiqzke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pcumhbrmdqrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\csnigdwuoeiytsmwhuqgb.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "aohawriewkmatqiqzke.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gsjauncwmyykbwmsz = "gsjauncwmyykbwmsz.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qylyodoeqyucp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pcumhbrmdqrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "pcumhbrmdqrewsjqyi.exe ." | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pcumhbrmdqrewsjqyi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncwqnjbyrgjysqjscojy.exe ." | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zkaqjbpixihsicrw = "pcumhbrmdqrewsjqyi.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
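The Winlogon Shell, UAC policy, policy Run key, DisableRegistryTools, SafeBoot deletion, Run/RunOnce and EnableLUA-query tables above are all registry events, so a single classifier covers them. The following is an added example written for this page, not code from the report or from the sandbox: it parses rows in the table format used here, names the behaviour, records whether the writing process ran from a user-writable directory (every writer above lives under AppData\Local\Temp), and emits a reg command that undoes the change where that is safe to do mechanically. UAC_BASELINE holds assumed Windows default values, not something the report states; the sample rows are copied from the behavioral2 tables.

```python
r"""Triage registry rows from the sandbox tables above (added example, not the
report's or the sandbox's own code). Rows look like
  | Set value (int) | \REGISTRY\MACHINE\...\EnableLUA = "0" | C:\...\x.exe | N/A |
classify() names the behaviour and, where it can be undone mechanically, emits
a `reg` command. UAC_BASELINE holds assumed Windows defaults: check them against
your own hardening baseline before running anything this prints."""
import re
from typing import List, NamedTuple, Optional

UAC_BASELINE = {"EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5,
                "ConsentPromptBehaviorUser": 3, "PromptOnSecureDesktop": 1}
HIVES = {"\\REGISTRY\\MACHINE": "HKLM", "\\REGISTRY\\USER": "HKU"}
# A process running from a user-writable directory that edits HKLM policy keys
# is itself a strong signal, so the writer's location is recorded per finding.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\", "\\programdata\\")
_INDICATOR = re.compile(r'^(?P<path>.+?)(?: = "(?P<value>.*)")?$')


class Finding(NamedTuple):
    behaviour: str
    key: str                # HKLM\... or HKU\<sid>\... form
    name: str               # value name; "" for key-level events
    value: Optional[str]
    process: str
    writer_suspicious: bool
    fix: str                # reg command, or a note when no mechanical fix exists


def _cells(row: str) -> List[str]:
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) != 4:
        raise ValueError(f"expected 4 cells, got {len(cells)}: {row!r}")
    return cells


def _to_hive(path: str) -> str:
    for prefix, hive in HIVES.items():
        if path.upper().startswith(prefix):
            return hive + path[len(prefix):]
    return path


def classify(row: str) -> Optional[Finding]:
    """Return a Finding for a row rated suspicious, else None."""
    action, indicator, process, _target = _cells(row)
    m = _INDICATOR.match(indicator)
    path, value = m.group("path"), m.group("value")
    if value is not None:
        value = value.replace("\\\\", "\\")    # the report doubles backslashes
    full = _to_hive(path)
    low = full.lower()
    key, _, name = full.rpartition("\\")
    if action in ("Key created", "Key deleted"):  # key-level event, no value name
        key, name = full, ""
    suspicious = any(d in process.lower() for d in USER_WRITABLE)
    setting = action.startswith("Set value")

    def hit(behaviour: str, fix: str) -> Finding:
        return Finding(behaviour, key, name, value, process, suspicious, fix)

    if action == "Key deleted" and "\\control\\safeboot\\" in low:
        return hit("Impair Defenses: Safe Mode Boot",
                   "restore the SafeBoot subkey from a known-good export; no mechanical fix")
    if setting and "\\policies\\system\\" in low and name in UAC_BASELINE:
        want = UAC_BASELINE[name]
        if value.isdigit() and int(value) != want:
            return hit("UAC bypass (policy weakened)",
                       f'reg add "{key}" /v {name} /t REG_DWORD /d {want} /f')
        return None
    if setting and name == "DisableRegistryTools" and value == "1":
        return hit("Disables RegEdit", f'reg delete "{key}" /v {name} /f')
    if setting and low.endswith("\\winlogon\\shell"):
        if value.lower() == "explorer.exe":
            return hit("Modifies WinLogon for persistence",
                       "default value written; confirm no per-user Shell override under HKU")
        return hit("Modifies WinLogon for persistence",
                   f'reg add "{key}" /v Shell /t REG_SZ /d explorer.exe /f')
    if "\\policies\\explorer\\run" in low:
        behaviour = "Adds policy Run key"
    elif "\\currentversion\\run\\" in low or "\\currentversion\\runonce\\" in low:
        behaviour = "Adds Run/RunOnce key"
    elif action == "Key value queried" and name == "EnableLUA":
        return hit("Checks whether UAC is enabled", "read-only probe; nothing to undo")
    else:
        return None
    return hit(behaviour, f'reg delete "{key}" /v {name} /f' if setting else f'reg query "{key}"')


def triage(rows) -> List[Finding]:
    return [f for f in (classify(r) for r in rows) if f is not None]


# Rows copied verbatim from the behavioral2 tables above.
SAMPLE_ROWS = [
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rykwlzjyjqls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zkaqjbpixihsicrw.exe" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |',
    r'| Set value (int) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |',
    r'| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\raoctjvmzifocu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncwqnjbyrgjysqjscojy.exe ." | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |',
    r'| Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe | N/A |',
]
```

Two design points. The SafeBoot deletions get a note rather than a command: the subkeys under SafeBoot\Minimal are the list of services and drivers Windows loads in Safe Mode, and reg cannot recreate them without a known-good copy of the key. The Winlogon rows here write Explorer.exe, which is the default value; that row is flagged on the identity and location of the writer, not on the value, so the fix is to confirm the value and check for a per-user override rather than to overwrite it.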
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
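The rows above record that cchmu.exe wrote an autorun.inf to the root of C: and of F: (a second drive in the sandbox), the classic removable-media propagation step, but not what the file contained. The following is an added example for this page, not code from the report: a tolerant parser for the [autorun] section that pulls out the directives which launch a program (open=, shellexecute=, shell\<verb>\command=) and a scanner that checks a list of drive roots. SAMPLE_AUTORUN is a constructed file and payload.exe is a placeholder name; the roots passed to scan_roots are temporary directories standing in for drive letters.

```python
r"""Find autorun.inf files on drive roots and extract what they would launch.

Added example; it is not part of the report. The report records only that the
sample created C:\autorun.inf and F:\autorun.inf, so SAMPLE_AUTORUN below is a
constructed file whose target name (payload.exe) is a placeholder. Roots are
passed in explicitly; on a live host pass the real drive letters."""
import os
import tempfile
from typing import Dict, List, NamedTuple, Tuple

LAUNCH_KEYS = ("open", "shellexecute")   # directives that run a program directly


class AutorunHit(NamedTuple):
    path: str        # location of the autorun.inf
    directive: str   # e.g. "open" or "shell\open\command"
    target: str      # the command as written in the file


def parse_autorun(text: str) -> Dict[str, str]:
    """Tolerant parse of the [autorun] section.

    Worm-dropped files are often padded with junk lines or repeated keys to
    trip strict INI parsers, so unparsable lines are skipped and the first
    occurrence of a key is kept (a choice made here, not a claim about how
    Windows resolves duplicates).
    """
    directives: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        key = key.strip().lower()
        if key and key not in directives:
            directives[key] = val.strip()
    return directives


def launch_directives(directives: Dict[str, str]) -> List[Tuple[str, str]]:
    r"""Keys that cause execution: open=, shellexecute=, shell\<verb>\command=."""
    return [(k, v) for k, v in directives.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))]


def scan_roots(roots) -> List[AutorunHit]:
    hits: List[AutorunHit] = []
    for root in roots:
        inf = os.path.join(root, "autorun.inf")
        if not os.path.isfile(inf):
            continue
        # latin-1 with replacement so binary padding cannot abort the read
        with open(inf, encoding="latin-1", errors="replace") as fh:
            directives = parse_autorun(fh.read())
        hits += [AutorunHit(inf, k, v) for k, v in launch_directives(directives)]
    return hits


# Constructed sample; the junk line imitates padding seen in worm autorun files.
SAMPLE_AUTORUN = r"""[autorun]
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
open=payload.exe
shell\open\command=payload.exe
shell\explore\command=payload.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
open=another.exe
"""


def make_demo_root(with_autorun: bool = True) -> str:
    """Create a temporary directory standing in for a drive root."""
    root = tempfile.mkdtemp(prefix="fake_drive_")
    if with_autorun:
        with open(os.path.join(root, "autorun.inf"), "w") as fh:
            fh.write(SAMPLE_AUTORUN)
    return root
```

One caveat when reading the hits: Windows 7 and later, and earlier versions with the AutoRun update applied, no longer honour autorun.inf on hard disks or USB media, only on optical discs, so on a current host the file is an indicator of infection and an attempt to spread to older machines rather than something that will execute on the next insert. The launch target it names is still worth collecting, since it points at the copy the sample planted on that drive.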
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\zkaqjbpixihsicrw.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File created | C:\Windows\SysWOW64\aohawriewkmatqiqzke.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\Windows\SysWOW64\tkgcbztsnejawwrcoczqmi.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\Windows\SysWOW64\ncwqnjbyrgjysqjscojy.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File created | C:\Windows\SysWOW64\tkgcbztsnejawwrcoczqmi.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aohawriewkmatqiqzke.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\Windows\SysWOW64\pcumhbrmdqrewsjqyi.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tkgcbztsnejawwrcoczqmi.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pcumhbrmdqrewsjqyi.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ncwqnjbyrgjysqjscojy.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File created | C:\Windows\SysWOW64\ncwqnjbyrgjysqjscojy.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ncwqnjbyrgjysqjscojy.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ncwqnjbyrgjysqjscojy.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\csnigdwuoeiytsmwhuqgb.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\Windows\SysWOW64\csnigdwuoeiytsmwhuqgb.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\Windows\SysWOW64\tkgcbztsnejawwrcoczqmi.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File created | C:\Windows\SysWOW64\pcumhbrmdqrewsjqyi.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\csnigdwuoeiytsmwhuqgb.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File created | C:\Windows\SysWOW64\csnigdwuoeiytsmwhuqgb.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File created | C:\Windows\SysWOW64\tkgcbztsnejawwrcoczqmi.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\Windows\SysWOW64\aohawriewkmatqiqzke.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\Windows\SysWOW64\csnigdwuoeiytsmwhuqgb.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File created | C:\Windows\SysWOW64\aohawriewkmatqiqzke.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File created | C:\Windows\SysWOW64\pcumhbrmdqrewsjqyi.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aohawriewkmatqiqzke.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gsjauncwmyykbwmsz.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pcumhbrmdqrewsjqyi.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dyyybdbedyhccgfukcdyyy.dbe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gsjauncwmyykbwmsz.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File created | C:\Windows\SysWOW64\aohawriewkmatqiqzke.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gsjauncwmyykbwmsz.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\Windows\SysWOW64\ncwqnjbyrgjysqjscojy.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\Windows\SysWOW64\dyyybdbedyhccgfukcdyyy.dbe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\Windows\SysWOW64\gsjauncwmyykbwmsz.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File created | C:\Windows\SysWOW64\csnigdwuoeiytsmwhuqgb.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\Windows\SysWOW64\pcumhbrmdqrewsjqyi.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zkaqjbpixihsicrw.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zkaqjbpixihsicrw.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File created | C:\Windows\SysWOW64\zkaqjbpixihsicrw.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\Windows\SysWOW64\gsjauncwmyykbwmsz.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zkaqjbpixihsicrw.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\Windows\SysWOW64\zkaqjbpixihsicrw.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aohawriewkmatqiqzke.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gsjauncwmyykbwmsz.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pcumhbrmdqrewsjqyi.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tkgcbztsnejawwrcoczqmi.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\Windows\SysWOW64\ncwqnjbyrgjysqjscojy.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zkaqjbpixihsicrw.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\csnigdwuoeiytsmwhuqgb.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\Windows\SysWOW64\ualwkxguekekvkuuvykqbmanwkuaualak.loa | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tkgcbztsnejawwrcoczqmi.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File created | C:\Windows\SysWOW64\gsjauncwmyykbwmsz.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pcumhbrmdqrewsjqyi.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aohawriewkmatqiqzke.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File created | C:\Windows\SysWOW64\gsjauncwmyykbwmsz.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tkgcbztsnejawwrcoczqmi.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File created | C:\Windows\SysWOW64\zkaqjbpixihsicrw.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ncwqnjbyrgjysqjscojy.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\csnigdwuoeiytsmwhuqgb.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ualwkxguekekvkuuvykqbmanwkuaualak.loa | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\dyyybdbedyhccgfukcdyyy.dbe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\Program Files (x86)\dyyybdbedyhccgfukcdyyy.dbe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ualwkxguekekvkuuvykqbmanwkuaualak.loa | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\Program Files (x86)\ualwkxguekekvkuuvykqbmanwkuaualak.loa | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\zkaqjbpixihsicrw.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\gsjauncwmyykbwmsz.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\tkgcbztsnejawwrcoczqmi.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\gsjauncwmyykbwmsz.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\ualwkxguekekvkuuvykqbmanwkuaualak.loa | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\Windows\ualwkxguekekvkuuvykqbmanwkuaualak.loa | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\Windows\tkgcbztsnejawwrcoczqmi.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\pcumhbrmdqrewsjqyi.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\aohawriewkmatqiqzke.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\aohawriewkmatqiqzke.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\csnigdwuoeiytsmwhuqgb.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\Windows\gsjauncwmyykbwmsz.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File created | C:\Windows\pcumhbrmdqrewsjqyi.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\aohawriewkmatqiqzke.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File created | C:\Windows\csnigdwuoeiytsmwhuqgb.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\zkaqjbpixihsicrw.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\pcumhbrmdqrewsjqyi.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\ncwqnjbyrgjysqjscojy.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\tkgcbztsnejawwrcoczqmi.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\dyyybdbedyhccgfukcdyyy.dbe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\zkaqjbpixihsicrw.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File created | C:\Windows\aohawriewkmatqiqzke.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\tkgcbztsnejawwrcoczqmi.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\zkaqjbpixihsicrw.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File created | C:\Windows\dyyybdbedyhccgfukcdyyy.dbe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\gsjauncwmyykbwmsz.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\pcumhbrmdqrewsjqyi.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\ncwqnjbyrgjysqjscojy.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\csnigdwuoeiytsmwhuqgb.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\aohawriewkmatqiqzke.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\gsjauncwmyykbwmsz.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\ncwqnjbyrgjysqjscojy.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\zkaqjbpixihsicrw.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\pcumhbrmdqrewsjqyi.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File created | C:\Windows\ncwqnjbyrgjysqjscojy.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\csnigdwuoeiytsmwhuqgb.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\csnigdwuoeiytsmwhuqgb.exe | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| File opened for modification | C:\Windows\ncwqnjbyrgjysqjscojy.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| File opened for modification | C:\Windows\tkgcbztsnejawwrcoczqmi.exe | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\cchmu.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\111a63135090da974e45df036b3a9918_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe
"C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe" "c:\users\admin\appdata\local\temp\111a63135090da974e45df036b3a9918_jaffacakes118.exe*"
C:\Users\Admin\AppData\Local\Temp\cchmu.exe
"C:\Users\Admin\AppData\Local\Temp\cchmu.exe" "-c:\users\admin\appdata\local\temp\111a63135090da974e45df036b3a9918_jaffacakes118.exe"
C:\Users\Admin\AppData\Local\Temp\cchmu.exe
"C:\Users\Admin\AppData\Local\Temp\cchmu.exe" "-c:\users\admin\appdata\local\temp\111a63135090da974e45df036b3a9918_jaffacakes118.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,7869973516895866428,11647313872437892197,262144 --variations-seed-version --mojo-platform-channel-handle=4472 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe
"C:\Users\Admin\AppData\Local\Temp\yepeoopsioz.exe" "c:\users\admin\appdata\local\temp\111a63135090da974e45df036b3a9918_jaffacakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| BE | 88.221.83.218:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 218.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | 79.223.19.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | 92.207.27.104.in-addr.arpa | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | 56.74.21.104.in-addr.arpa | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.yahoo.com | udp |
| GB | 87.248.114.11:80 | www.yahoo.com | tcp |
| BG | 90.154.187.99:32232 | N/A | tcp |
| US | 8.8.8.8:53 | mymqeo.info | udp |
| US | 8.8.8.8:53 | tfomvifox.cc | udp |
| US | 8.8.8.8:53 | korzjmnansnan.cc | udp |
| US | 8.8.8.8:53 | isuslk.biz | udp |
| US | 8.8.8.8:53 | qakayaiq.biz | udp |
| US | 8.8.8.8:53 | dlradsn.org | udp |
| US | 162.249.65.162:80 | dlradsn.org | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.114.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipagcn.cc | udp |
| US | 8.8.8.8:53 | eyusaaiugkeq.biz | udp |
| US | 8.8.8.8:53 | gcikqkuiwcymao.info | udp |
| US | 8.8.8.8:53 | mstgnqfqbex.org | udp |
| US | 8.8.8.8:53 | ggblkkdsholapet.org | udp |
| US | 8.8.8.8:53 | ckopbcuiwcymao.net | udp |
| US | 8.8.8.8:53 | ymazfyeoya.info | udp |
| US | 8.8.8.8:53 | kckspkdsholapet.com | udp |
| US | 8.8.8.8:53 | fajgnsn.com | udp |
| US | 8.8.8.8:53 | umqrio.biz | udp |
| US | 8.8.8.8:53 | eueymsuiwcymao.info | udp |
| US | 8.8.8.8:53 | deagvafox.org | udp |
| US | 8.8.8.8:53 | vfrvvcn.org | udp |
| US | 8.8.8.8:53 | ygsink.info | udp |
| US | 8.8.8.8:53 | agadss.biz | udp |
| BG | 212.70.138.225:43988 | N/A | tcp |
| US | 8.8.8.8:53 | ivqvrodsholapet.com | udp |
| US | 8.8.8.8:53 | ynrvwgfqbex.org | udp |
| US | 8.8.8.8:53 | ciuzwaiq.net | udp |
| US | 8.8.8.8:53 | uioezo.biz | udp |
| US | 8.8.8.8:53 | ohwiomnansnan.org | udp |
| US | 8.8.8.8:53 | ayhwaufqbex.org | udp |
| US | 8.8.8.8:53 | qgasocuiwcymao.info | udp |
| US | 8.8.8.8:53 | isspqkuiwcymao.biz | udp |
| US | 8.8.8.8:53 | iiuhlwnansnan.cc | udp |
| US | 8.8.8.8:53 | rxfmdwfox.org | udp |
| US | 8.8.8.8:53 | esowayeoya.biz | udp |
| US | 8.8.8.8:53 | swatnk.biz | udp |
| US | 8.8.8.8:53 | czyhvkdsholapet.org | udp |
| US | 8.8.8.8:53 | wofrnanansnan.com | udp |
| US | 8.8.8.8:53 | wwwkqwiugkeq.info | udp |
| US | 8.8.8.8:53 | yokivaiq.info | udp |
| US | 8.8.8.8:53 | lksrusfox.org | udp |
| US | 8.8.8.8:53 | kufamkdsholapet.cc | udp |
| US | 8.8.8.8:53 | wskoageoya.net | udp |
| US | 8.8.8.8:53 | ykkges.info | udp |
| US | 8.8.8.8:53 | ubcmvadsholapet.org | udp |
| US | 8.8.8.8:53 | nbjmgafox.org | udp |
| US | 8.8.8.8:53 | ccquxqeoya.net | udp |
| US | 8.8.8.8:53 | gisahqeoya.info | udp |
| US | 8.8.8.8:53 | xsymfsfox.cc | udp |
| US | 8.8.8.8:53 | synfeanansnan.com | udp |
| LT | 78.61.160.75:23569 | N/A | tcp |
| US | 8.8.8.8:53 | ocusqyeoya.biz | udp |
| US | 8.8.8.8:53 | sguxwcuiwcymao.biz | udp |
| US | 8.8.8.8:53 | dnfjlkn.com | udp |
| US | 8.8.8.8:53 | dthuzifox.cc | udp |
| US | 8.8.8.8:53 | qmgwwmiq.biz | udp |
| US | 8.8.8.8:53 | qikukwiq.net | udp |
| US | 8.8.8.8:53 | joqanifox.cc | udp |
| US | 8.8.8.8:53 | mmxsxqfqbex.cc | udp |
| US | 8.8.8.8:53 | ooqyhwiq.info | udp |
| US | 8.8.8.8:53 | iekazkuiwcymao.info | udp |
| US | 8.8.8.8:53 | bpyxjwfox.org | udp |
| US | 8.8.8.8:53 | umdhukdsholapet.cc | udp |
| US | 8.8.8.8:53 | uqcwwkuiwcymao.net | udp |
| US | 8.8.8.8:53 | zeponcn.com | udp |
| US | 8.8.8.8:53 | iyhyfqfqbex.org | udp |
| US | 8.8.8.8:53 | kmonya.net | udp |
| US | 8.8.8.8:53 | wymwsguiwcymao.net | udp |
| US | 8.8.8.8:53 | oagirkdsholapet.com | udp |
| US | 8.8.8.8:53 | lvlobkn.com | udp |
| US | 8.8.8.8:53 | ugsymeiq.net | udp |
| US | 8.8.8.8:53 | mmmiiueoya.info | udp |
| US | 8.8.8.8:53 | fckafafox.org | udp |
| US | 8.8.8.8:53 | ppdyrwfox.cc | udp |
| US | 8.8.8.8:53 | qcgqsgeoya.biz | udp |
| US | 8.8.8.8:53 | cemisaiugkeq.net | udp |
| US | 8.8.8.8:53 | bncurifox.org | udp |
| US | 8.8.8.8:53 | gcrivwnansnan.com | udp |
| US | 8.8.8.8:53 | oisqasiugkeq.info | udp |
| US | 8.8.8.8:53 | maqjaqeoya.biz | udp |
| US | 8.8.8.8:53 | qkobvsdsholapet.com | udp |
| US | 8.8.8.8:53 | cfjmjadsholapet.com | udp |
| US | 8.8.8.8:53 | cogbysiugkeq.biz | udp |
| US | 8.8.8.8:53 | sucksk.net | udp |
| US | 8.8.8.8:53 | llichwfox.org | udp |
| US | 8.8.8.8:53 | corjkwnansnan.org | udp |
| US | 8.8.8.8:53 | qmqeymiq.info | udp |
| US | 8.8.8.8:53 | wymjkaiugkeq.info | udp |
| US | 8.8.8.8:53 | ynqtvwnansnan.com | udp |
| US | 8.8.8.8:53 | vkjrosfox.com | udp |
| US | 8.8.8.8:53 | mawrpcuiwcymao.net | udp |
| US | 8.8.8.8:53 | aoooma.biz | udp |
| US | 8.8.8.8:53 | brtyzcn.org | udp |
| US | 8.8.8.8:53 | dbnyiafox.com | udp |
| BG | 94.156.20.232:33198 | N/A | tcp |
| US | 8.8.8.8:53 | yyiosk.net | udp |
| US | 8.8.8.8:53 | ciabcgeoya.info | udp |
| US | 8.8.8.8:53 | apmejodsholapet.com | udp |
| US | 8.8.8.8:53 | yxvccgfqbex.org | udp |
| US | 8.8.8.8:53 | qaeqiueoya.biz | udp |
| US | 8.8.8.8:53 | cwgsacuiwcymao.biz | udp |
| US | 8.8.8.8:53 | gxaztwnansnan.org | udp |
| US | 8.8.8.8:53 | qwlghodsholapet.org | udp |
| US | 8.8.8.8:53 | syemxyeoya.net | udp |
| US | 8.8.8.8:53 | aqoxoeiq.net | udp |
| US | 8.8.8.8:53 | ejzyxufqbex.org | udp |
| US | 8.8.8.8:53 | xedzmcn.cc | udp |
| US | 8.8.8.8:53 | ooeufo.net | udp |
| US | 8.8.8.8:53 | suipigeoya.biz | udp |
| US | 8.8.8.8:53 | cxmdqkdsholapet.com | udp |
| US | 8.8.8.8:53 | srpymufqbex.cc | udp |
| US | 8.8.8.8:53 | qsaovsiugkeq.info | udp |
| US | 8.8.8.8:53 | wgaokiiugkeq.info | udp |
| US | 8.8.8.8:53 | owdorufqbex.org | udp |
| US | 8.8.8.8:53 | uvpkrodsholapet.org | udp |
| US | 8.8.8.8:53 | aquaisiugkeq.net | udp |
| US | 8.8.8.8:53 | giqjsguiwcymao.info | udp |
| US | 8.8.8.8:53 | rlhytcn.cc | udp |
| US | 8.8.8.8:53 | zajmwsn.org | udp |
| US | 8.8.8.8:53 | acqghgeoya.biz | udp |
| US | 8.8.8.8:53 | uqwuck.biz | udp |
| US | 8.8.8.8:53 | sqjuvqfqbex.com | udp |
| US | 8.8.8.8:53 | owzezqfqbex.com | udp |
| US | 8.8.8.8:53 | waioxcuiwcymao.net | udp |
| US | 8.8.8.8:53 | meskia.biz | udp |
| US | 8.8.8.8:53 | alwkvwnansnan.com | udp |
| US | 8.8.8.8:53 | ekfqhkdsholapet.com | udp |
| US | 8.8.8.8:53 | gyejqguiwcymao.biz | udp |
| US | 8.8.8.8:53 | wyywyqeoya.net | udp |
| US | 8.8.8.8:53 | rdrwlkn.cc | udp |
| US | 8.8.8.8:53 | vybkxifox.org | udp |
| US | 8.8.8.8:53 | igsvswiugkeq.info | udp |
| US | 8.8.8.8:53 | scssga.info | udp |
| US | 8.8.8.8:53 | qukgqmnansnan.org | udp |
| US | 8.8.8.8:53 | uyieteiq.net | udp |
| US | 8.8.8.8:53 | mseoyk.net | udp |
| US | 8.8.8.8:53 | loiqlafox.org | udp |
| US | 8.8.8.8:53 | ipbgfufqbex.cc | udp |
| LV | 85.15.203.237:43703 | N/A | tcp |
| US | 8.8.8.8:53 | mymqnwiq.net | udp |
| US | 8.8.8.8:53 | iaoano.biz | udp |
| US | 8.8.8.8:53 | xfjijgn.org | udp |
| US | 8.8.8.8:53 | vspfdafox.com | udp |
| US | 8.8.8.8:53 | kwuqhk.info | udp |
| US | 8.8.8.8:53 | wssizueoya.net | udp |
| US | 8.8.8.8:53 | spmjewnansnan.cc | udp |
| US | 8.8.8.8:53 | pulwlifox.com | udp |
| US | 8.8.8.8:53 | emicys.biz | udp |
| US | 8.8.8.8:53 | mmwikwiq.net | udp |
| US | 8.8.8.8:53 | ioqmfsdsholapet.cc | udp |
| US | 8.8.8.8:53 | sbdwpenansnan.com | udp |
| US | 8.8.8.8:53 | yokaos.info | udp |
| US | 8.8.8.8:53 | osobjiiugkeq.info | udp |
| US | 8.8.8.8:53 | chjjgqfqbex.com | udp |
| US | 8.8.8.8:53 | wuhthanansnan.cc | udp |
| US | 8.8.8.8:53 | kckzkueoya.net | udp |
| US | 8.8.8.8:53 | aeeeuaiq.info | udp |
| US | 8.8.8.8:53 | epeeuanansnan.cc | udp |
| US | 8.8.8.8:53 | emdctqfqbex.org | udp |
| US | 8.8.8.8:53 | eywsgo.info | udp |
| US | 8.8.8.8:53 | acwdqkuiwcymao.net | udp |
| US | 8.8.8.8:53 | mhdevufqbex.com | udp |
| US | 8.8.8.8:53 | divsdkn.org | udp |
| US | 8.8.8.8:53 | cmeigsuiwcymao.biz | udp |
| US | 8.8.8.8:53 | yaabuueoya.net | udp |
| US | 8.8.8.8:53 | ldjpbcn.org | udp |
| US | 8.8.8.8:53 | gnnpbqfqbex.cc | udp |
| US | 8.8.8.8:53 | qseecaiugkeq.info | udp |
| US | 8.8.8.8:53 | iuqxtyeoya.info | udp |
| US | 8.8.8.8:53 | fxguasfox.cc | udp |
| US | 8.8.8.8:53 | wkrzlgfqbex.org | udp |
| US | 8.8.8.8:53 | mmqtqwiugkeq.net | udp |
| US | 8.8.8.8:53 | wmkdhs.net | udp |
| US | 8.8.8.8:53 | vahpqcn.com | udp |
| US | 8.8.8.8:53 | uurmdyfqbex.org | udp |
| US | 8.8.8.8:53 | kccamwiq.net | udp |
| US | 8.8.8.8:53 | sqigrmiq.net | udp |
| US | 8.8.8.8:53 | ypkibmnansnan.org | udp |
| US | 8.8.8.8:53 | uxbibodsholapet.com | udp |
| US | 8.8.8.8:53 | emgwmsiugkeq.info | udp |
| US | 8.8.8.8:53 | ackbia.biz | udp |
| US | 8.8.8.8:53 | lwohpwfox.cc | udp |
| US | 8.8.8.8:53 | krjgewnansnan.cc | udp |
| US | 8.8.8.8:53 | wsocyguiwcymao.info | udp |
| US | 8.8.8.8:53 | qyesak.net | udp |
| US | 8.8.8.8:53 | qgryvufqbex.org | udp |
| US | 8.8.8.8:53 | krxihodsholapet.org | udp |
| US | 8.8.8.8:53 | coegcguiwcymao.info | udp |
| US | 8.8.8.8:53 | qsoiia.net | udp |
| US | 8.8.8.8:53 | qlnxyqfqbex.org | udp |
| US | 8.8.8.8:53 | mrtmzufqbex.com | udp |
| US | 8.8.8.8:53 | sgiwpk.info | udp |
| LT | 85.206.20.136:21346 | N/A | tcp |
| US | 8.8.8.8:53 | igoebaiq.biz | udp |
| US | 8.8.8.8:53 | bgusvsfox.org | udp |
| US | 8.8.8.8:53 | vvxlzkn.org | udp |
| US | 8.8.8.8:53 | iqcvia.info | udp |
| US | 8.8.8.8:53 | samqsk.net | udp |
| US | 8.8.8.8:53 | gqckhmnansnan.cc | udp |
| US | 8.8.8.8:53 | dwdyrgn.cc | udp |
| US | 8.8.8.8:53 | cioguwiq.net | udp |
| US | 8.8.8.8:53 | iwuoyaiq.net | udp |
| US | 8.8.8.8:53 | oumofadsholapet.org | udp |
| US | 8.8.8.8:53 | xmrutifox.org | udp |
| US | 8.8.8.8:53 | wwiossiugkeq.biz | udp |
| US | 8.8.8.8:53 | auaela.info | udp |
| US | 8.8.8.8:53 | avhixufqbex.cc | udp |
| US | 8.8.8.8:53 | mjdldodsholapet.com | udp |
| US | 8.8.8.8:53 | cuisbueoya.biz | udp |
| US | 8.8.8.8:53 | oemxjs.net | udp |
| US | 8.8.8.8:53 | skanymnansnan.com | udp |
| US | 8.8.8.8:53 | yaruuenansnan.com | udp |
| US | 8.8.8.8:53 | qqgpgwiq.biz | udp |
| US | 8.8.8.8:53 | uyuouaiugkeq.biz | udp |
| US | 8.8.8.8:53 | luzkdsn.com | udp |
| US | 8.8.8.8:53 | srhrjadsholapet.com | udp |
| US | 8.8.8.8:53 | wiacxueoya.net | udp |
| US | 8.8.8.8:53 | immzqmiq.biz | udp |
| US | 8.8.8.8:53 | lnmuhsfox.cc | udp |
| US | 8.8.8.8:53 | gnbbnenansnan.com | udp |
| US | 8.8.8.8:53 | yseaesiugkeq.biz | udp |
| US | 8.8.8.8:53 | ysckmcuiwcymao.info | udp |
| US | 8.8.8.8:53 | lnnepkn.org | udp |
| US | 8.8.8.8:53 | uhfkomnansnan.cc | udp |
| US | 8.8.8.8:53 | wgguvwiq.net | udp |
| US | 8.8.8.8:53 | kigfwaiq.info | udp |
| US | 8.8.8.8:53 | vduuvsfox.com | udp |
| US | 8.8.8.8:53 | zilqmwfox.cc | udp |
| US | 8.8.8.8:53 | qomemmiq.biz | udp |
| US | 8.8.8.8:53 | ywkzieiq.info | udp |
| US | 8.8.8.8:53 | miaxradsholapet.com | udp |
| US | 8.8.8.8:53 | mdxllodsholapet.org | udp |
| US | 8.8.8.8:53 | qauziguiwcymao.biz | udp |
| US | 8.8.8.8:53 | sisnaaiq.info | udp |
| US | 8.8.8.8:53 | owvrlyfqbex.com | udp |
| US | 8.8.8.8:53 | hhfkqafox.com | udp |
| US | 8.8.8.8:53 | ccmddsuiwcymao.info | udp |
| US | 8.8.8.8:53 | eyuhsgeoya.info | udp |
| US | 8.8.8.8:53 | onifrenansnan.com | udp |
| US | 8.8.8.8:53 | ibjszanansnan.cc | udp |
| US | 8.8.8.8:53 | sewwjgeoya.biz | udp |
| US | 8.8.8.8:53 | mkasraiugkeq.info | udp |
| US | 8.8.8.8:53 | qdwyeanansnan.org | udp |
| US | 8.8.8.8:53 | wttlpodsholapet.org | udp |
| US | 8.8.8.8:53 | cmukpueoya.info | udp |
| US | 8.8.8.8:53 | ggcrco.biz | udp |
| US | 8.8.8.8:53 | qbmiukdsholapet.org | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ikzwzadsholapet.org | udp |
| BG | 85.91.145.125:25536 | tcp | |
| US | 8.8.8.8:53 | qsoagsiugkeq.info | udp |
| US | 8.8.8.8:53 | wqwqdmiq.biz | udp |
| US | 8.8.8.8:53 | vrsejafox.org | udp |
| US | 8.8.8.8:53 | rbruuwfox.cc | udp |
| US | 8.8.8.8:53 | uqcgoyeoya.net | udp |
| US | 8.8.8.8:53 | cgzjnqfqbex.com | udp |
| US | 8.8.8.8:53 | wvfsyodsholapet.org | udp |
| US | 8.8.8.8:53 | umcbuueoya.biz | udp |
| US | 8.8.8.8:53 | eeiykwiugkeq.info | udp |
| US | 8.8.8.8:53 | anuujmnansnan.cc | udp |
| US | 8.8.8.8:53 | ustxrsdsholapet.com | udp |
| US | 8.8.8.8:53 | mwamsaiq.biz | udp |
| US | 8.8.8.8:53 | auyqhcuiwcymao.net | udp |
| US | 8.8.8.8:53 | psmcrafox.com | udp |
| US | 8.8.8.8:53 | fuxylcn.org | udp |
| US | 8.8.8.8:53 | ummyyk.biz | udp |
| US | 8.8.8.8:53 | wgiyfguiwcymao.info | udp |
| US | 8.8.8.8:53 | bznopsn.cc | udp |
| US | 8.8.8.8:53 | xyrmtafox.cc | udp |
| US | 8.8.8.8:53 | kwiueeiq.net | udp |
| US | 8.8.8.8:53 | gcmmxk.net | udp |
| US | 8.8.8.8:53 | ituqnmnansnan.com | udp |
| US | 8.8.8.8:53 | mjjdhanansnan.cc | udp |
| US | 8.8.8.8:53 | wcqjasuiwcymao.biz | udp |
| US | 8.8.8.8:53 | iksmjs.biz | udp |
| US | 8.8.8.8:53 | vkqkgifox.com | udp |
| US | 8.8.8.8:53 | xcbifafox.org | udp |
| US | 8.8.8.8:53 | suaeggeoya.info | udp |
| US | 8.8.8.8:53 | ucwshguiwcymao.info | udp |
| US | 8.8.8.8:53 | bzdyzcn.com | udp |
| US | 8.8.8.8:53 | dzlslafox.org | udp |
| US | 8.8.8.8:53 | smsygiiugkeq.biz | udp |
| US | 8.8.8.8:53 | mouuyguiwcymao.info | udp |
| US | 8.8.8.8:53 | xjffbgn.org | udp |
| US | 8.8.8.8:53 | hofmhifox.com | udp |
| US | 8.8.8.8:53 | iqqqkueoya.biz | udp |
| US | 8.8.8.8:53 | qgeoqueoya.biz | udp |
| US | 8.8.8.8:53 | obnstufqbex.cc | udp |
| US | 8.8.8.8:53 | mzbkrgfqbex.cc | udp |
| US | 8.8.8.8:53 | qecqoaiq.info | udp |
| US | 8.8.8.8:53 | qkuwus.net | udp |
| US | 8.8.8.8:53 | gzyqcanansnan.com | udp |
| US | 8.8.8.8:53 | yunmdkdsholapet.cc | udp |
| US | 8.8.8.8:53 | gsueaa.net | udp |
| US | 8.8.8.8:53 | aokysaiq.info | udp |
| US | 8.8.8.8:53 | haddlsn.cc | udp |
| US | 8.8.8.8:53 | ahzykanansnan.com | udp |
| LT | 78.62.68.115:36767 | tcp | |
| US | 8.8.8.8:53 | kgeylk.net | udp |
| US | 8.8.8.8:53 | kyamwiiugkeq.biz | udp |
| US | 8.8.8.8:53 | kdrwtgfqbex.org | udp |
| US | 8.8.8.8:53 | qhzcuodsholapet.cc | udp |
| US | 8.8.8.8:53 | cyqceiiugkeq.biz | udp |
| US | 8.8.8.8:53 | aogxyyeoya.info | udp |
| US | 8.8.8.8:53 | ycespwnansnan.org | udp |
| US | 8.8.8.8:53 | qmdwwwnansnan.com | udp |
| US | 8.8.8.8:53 | wmcocueoya.biz | udp |
| US | 8.8.8.8:53 | sgmswsuiwcymao.info | udp |
| US | 8.8.8.8:53 | buuexifox.org | udp |
| US | 8.8.8.8:53 | xybxdwfox.com | udp |
| US | 8.8.8.8:53 | uoiousuiwcymao.net | udp |
| US | 8.8.8.8:53 | ywazeeiq.net | udp |
| US | 8.8.8.8:53 | pkpcqcn.org | udp |
| US | 8.8.8.8:53 | qinmjgfqbex.com | udp |
| US | 8.8.8.8:53 | gcokls.info | udp |
| US | 8.8.8.8:53 | cusmbeiq.net | udp |
| US | 8.8.8.8:53 | kfeiwodsholapet.com | udp |
| US | 8.8.8.8:53 | lxtezafox.cc | udp |
| US | 8.8.8.8:53 | wqgqmcuiwcymao.info | udp |
| US | 8.8.8.8:53 | yceewcuiwcymao.net | udp |
| US | 8.8.8.8:53 | fhurfifox.org | udp |
| US | 8.8.8.8:53 | ytxnbwnansnan.org | udp |
| US | 8.8.8.8:53 | gyyyyueoya.info | udp |
| US | 8.8.8.8:53 | kygmyo.biz | udp |
| US | 8.8.8.8:53 | bhdyjcn.org | udp |
| US | 8.8.8.8:53 | iftlfwnansnan.org | udp |
| US | 8.8.8.8:53 | omilys.info | udp |
| US | 8.8.8.8:53 | sgaixo.biz | udp |
| US | 8.8.8.8:53 | ilyepodsholapet.cc | udp |
| US | 8.8.8.8:53 | esnsvwnansnan.org | udp |
| US | 8.8.8.8:53 | mikyaa.info | udp |
| US | 8.8.8.8:53 | uusunguiwcymao.net | udp |
| US | 8.8.8.8:53 | kseukadsholapet.org | udp |
| US | 8.8.8.8:53 | smreqgfqbex.cc | udp |
| US | 8.8.8.8:53 | seqyeyeoya.net | udp |
| US | 8.8.8.8:53 | gcgkxwiq.biz | udp |
| US | 8.8.8.8:53 | gxcutenansnan.cc | udp |
| US | 8.8.8.8:53 | bbjfrsfox.org | udp |
| US | 8.8.8.8:53 | qmcnxiiugkeq.biz | udp |
| US | 8.8.8.8:53 | kmkffmiq.biz | udp |
| US | 8.8.8.8:53 | bcjvhcn.com | udp |
| US | 8.8.8.8:53 | hsbmggn.org | udp |
| US | 8.8.8.8:53 | kqwapqeoya.info | udp |
| US | 8.8.8.8:53 | ssugjsuiwcymao.biz | udp |
| US | 8.8.8.8:53 | ieuafodsholapet.org | udp |
| US | 8.8.8.8:53 | othrpsdsholapet.cc | udp |
| US | 8.8.8.8:53 | mqsqvmiq.net | udp |
| US | 8.8.8.8:53 | kwknca.biz | udp |
| US | 8.8.8.8:53 | jbnoxgn.org | udp |
| US | 8.8.8.8:53 | wepmhqfqbex.cc | udp |
| US | 8.8.8.8:53 | oqiyoqeoya.biz | udp |
| BG | 85.130.38.88:31616 | tcp | |
| US | 8.8.8.8:53 | kpfgngfqbex.cc | udp |
| US | 8.8.8.8:53 | zshqrgn.com | udp |
| US | 8.8.8.8:53 | waeqtyeoya.info | udp |
| US | 8.8.8.8:53 | msynqaiq.info | udp |
| US | 8.8.8.8:53 | vxufowfox.cc | udp |
| US | 8.8.8.8:53 | ecbqeqfqbex.org | udp |
| US | 8.8.8.8:53 | ammgoeiq.net | udp |
| US | 8.8.8.8:53 | mgqiqsiugkeq.net | udp |
| US | 8.8.8.8:53 | gnoztsdsholapet.org | udp |
| US | 8.8.8.8:53 | iwdwnmnansnan.org | udp |
| US | 8.8.8.8:53 | qwgmeaiq.info | udp |
| US | 8.8.8.8:53 | yenfbgfqbex.org | udp |
| US | 8.8.8.8:53 | jellksn.cc | udp |
| US | 8.8.8.8:53 | ygeneqeoya.net | udp |
| US | 8.8.8.8:53 | imctpkuiwcymao.biz | udp |
| US | 8.8.8.8:53 | lcikrafox.cc | udp |
| US | 8.8.8.8:53 | qmjsqanansnan.org | udp |
| US | 8.8.8.8:53 | imymucuiwcymao.biz | udp |
| US | 8.8.8.8:53 | jdhywkn.org | udp |
| US | 8.8.8.8:53 | dbxqlwfox.cc | udp |
| US | 8.8.8.8:53 | uowsgaiugkeq.biz | udp |
| US | 8.8.8.8:53 | koecoaiq.net | udp |
| US | 8.8.8.8:53 | wyjthyfqbex.org | udp |
| US | 8.8.8.8:53 | dnxuzkn.com | udp |
| US | 8.8.8.8:53 | gigrasiugkeq.biz | udp |
| US | 8.8.8.8:53 | qqgorsuiwcymao.info | udp |
| US | 8.8.8.8:53 | slfymyfqbex.cc | udp |
| US | 8.8.8.8:53 | aitotmnansnan.cc | udp |
| US | 8.8.8.8:53 | suyuygeoya.net | udp |
| US | 8.8.8.8:53 | eemizgeoya.net | udp |
| US | 8.8.8.8:53 | bjpilcn.org | udp |
| US | 8.8.8.8:53 | nfftmcn.org | udp |
| US | 8.8.8.8:53 | magwuaiq.info | udp |
| US | 8.8.8.8:53 | suemqwiugkeq.biz | udp |
| US | 8.8.8.8:53 | gcjwngfqbex.org | udp |
| US | 8.8.8.8:53 | vojczgn.com | udp |
| US | 8.8.8.8:53 | kisujgeoya.biz | udp |
| US | 8.8.8.8:53 | gkmyryeoya.info | udp |
| US | 8.8.8.8:53 | kthmiqfqbex.org | udp |
| US | 8.8.8.8:53 | mevyxadsholapet.com | udp |
| US | 8.8.8.8:53 | uewaqs.net | udp |
| US | 8.8.8.8:53 | wyionwiq.net | udp |
| US | 8.8.8.8:53 | uokqhodsholapet.cc | udp |
| US | 8.8.8.8:53 | xsxoasn.org | udp |
| BG | 212.70.138.214:30883 | tcp | |
| US | 8.8.8.8:53 | ywgica.net | udp |
| US | 8.8.8.8:53 | umgcpaiq.net | udp |
| US | 8.8.8.8:53 | anbkvyfqbex.com | udp |
| US | 8.8.8.8:53 | jqjluifox.cc | udp |
| US | 8.8.8.8:53 | ooihyaiq.biz | udp |
| US | 8.8.8.8:53 | aosyhaiugkeq.info | udp |
| US | 8.8.8.8:53 | yadnsufqbex.org | udp |
| US | 8.8.8.8:53 | hkveycn.cc | udp |
| US | 8.8.8.8:53 | uecbgs.biz | udp |
| US | 8.8.8.8:53 | iuockyeoya.biz | udp |
| US | 8.8.8.8:53 | xzdiekn.com | udp |
| US | 8.8.8.8:53 | yvnvuwnansnan.cc | udp |
| US | 8.8.8.8:53 | gmigjwiugkeq.biz | udp |
| US | 8.8.8.8:53 | oowwxwiugkeq.net | udp |
| US | 8.8.8.8:53 | sstdtqfqbex.cc | udp |
| US | 8.8.8.8:53 | iwprvodsholapet.com | udp |
| US | 8.8.8.8:53 | icyvcaiugkeq.biz | udp |
| US | 8.8.8.8:53 | aucersdsholapet.org | udp |
| US | 8.8.8.8:53 | axxursdsholapet.com | udp |
| US | 8.8.8.8:53 | swkmqyeoya.biz | udp |
| US | 8.8.8.8:53 | waohaeiq.net | udp |
| US | 8.8.8.8:53 | vukzeifox.org | udp |
| US | 8.8.8.8:53 | rzjifgn.org | udp |
| US | 8.8.8.8:53 | agmqnkuiwcymao.info | udp |
| US | 8.8.8.8:53 | mesfcwiugkeq.biz | udp |
| US | 8.8.8.8:53 | crvchufqbex.org | udp |
| US | 8.8.8.8:53 | wvzckufqbex.cc | udp |
| US | 8.8.8.8:53 | koqjlaiugkeq.net | udp |
| US | 8.8.8.8:53 | ekkddyeoya.info | udp |
| US | 8.8.8.8:53 | bqpqzgn.cc | udp |
| US | 8.8.8.8:53 | skhaxsdsholapet.com | udp |
| US | 8.8.8.8:53 | wwomdgeoya.net | udp |
| US | 8.8.8.8:53 | magfqyeoya.info | udp |
| US | 8.8.8.8:53 | iitwoadsholapet.org | udp |
| US | 98.225.20.72:18833 | tcp | |
| US | 8.8.8.8:53 | ikcokiiugkeq.info | udp |
| US | 8.8.8.8:53 | guuyjs.biz | udp |
| US | 8.8.8.8:53 | zoayaifox.com | udp |
| US | 8.8.8.8:53 | dmbymifox.org | udp |
| US | 8.8.8.8:53 | gwosyaiugkeq.net | udp |
| US | 8.8.8.8:53 | gqaileiq.biz | udp |
| US | 8.8.8.8:53 | zbgmgafox.com | udp |
| US | 8.8.8.8:53 | crdkagfqbex.cc | udp |
| US | 8.8.8.8:53 | ciymwmiq.net | udp |
| US | 8.8.8.8:53 | wieaeo.info | udp |
| US | 8.8.8.8:53 | quiydsdsholapet.cc | udp |
| US | 8.8.8.8:53 | qhtenwnansnan.org | udp |
| US | 8.8.8.8:53 | emigvyeoya.info | udp |
| US | 8.8.8.8:53 | mumvpueoya.biz | udp |
| US | 8.8.8.8:53 | reqjwwfox.com | udp |
| US | 8.8.8.8:53 | ezfnqqfqbex.org | udp |
| US | 8.8.8.8:53 | qakvzaiugkeq.net | udp |
| US | 8.8.8.8:53 | eoggisuiwcymao.net | udp |
| US | 8.8.8.8:53 | ohaqlsdsholapet.com | udp |
| US | 8.8.8.8:53 | idtflenansnan.com | udp |
| US | 8.8.8.8:53 | omykao.info | udp |
| US | 8.8.8.8:53 | umwogaiugkeq.biz | udp |
| US | 8.8.8.8:53 | cekulodsholapet.cc | udp |
| US | 8.8.8.8:53 | vlzkzgn.com | udp |
| US | 8.8.8.8:53 | syasoaiq.net | udp |
| US | 8.8.8.8:53 | askicgeoya.biz | udp |
| US | 8.8.8.8:53 | spognkdsholapet.com | udp |
| US | 8.8.8.8:53 | jvjiugn.com | udp |
| US | 8.8.8.8:53 | ukcqgsiugkeq.net | udp |
| US | 8.8.8.8:53 | hydiosn.org | udp |
| US | 8.8.8.8:53 | jbnccgn.cc | udp |
| US | 8.8.8.8:53 | ayancaiugkeq.net | udp |
| US | 8.8.8.8:53 | kyuoaeiq.info | udp |
| US | 8.8.8.8:53 | qyymjodsholapet.cc | udp |
| US | 8.8.8.8:53 | hlpitcn.cc | udp |
| US | 8.8.8.8:53 | uyynlwiugkeq.info | udp |
| US | 8.8.8.8:53 | keyues.biz | udp |
| US | 8.8.8.8:53 | iplcqufqbex.org | udp |
| US | 8.8.8.8:53 | wpfdnenansnan.com | udp |
| US | 8.8.8.8:53 | umseiaiugkeq.net | udp |
| US | 8.8.8.8:53 | mosogiiugkeq.net | udp |
| US | 8.8.8.8:53 | qkvlhyfqbex.com | udp |
| US | 8.8.8.8:53 | uqhnzkdsholapet.cc | udp |
| US | 8.8.8.8:53 | oyuoraiugkeq.biz | udp |
| US | 8.8.8.8:53 | tmoypifox.org | udp |
| US | 8.8.8.8:53 | kahctenansnan.cc | udp |
| US | 8.8.8.8:53 | yymasgeoya.info | udp |
| US | 8.8.8.8:53 | egieogeoya.biz | udp |
| US | 8.8.8.8:53 | zcostafox.com | udp |
| US | 8.8.8.8:53 | eyksms.info | udp |
| US | 8.8.8.8:53 | iokmds.info | udp |
| US | 8.8.8.8:53 | amyenwnansnan.org | udp |
| BG | 85.239.154.94:37793 | tcp | |
| US | 8.8.8.8:53 | ygbtlwnansnan.org | udp |
| US | 8.8.8.8:53 | maqlksuiwcymao.net | udp |
| US | 8.8.8.8:53 | yqibgwiq.net | udp |
| US | 8.8.8.8:53 | jajixcn.com | udp |
| US | 8.8.8.8:53 | wvzkpanansnan.cc | udp |
| US | 8.8.8.8:53 | okeismiq.biz | udp |
| US | 8.8.8.8:53 | cscsccuiwcymao.info | udp |
| US | 8.8.8.8:53 | yyogtadsholapet.com | udp |
| US | 8.8.8.8:53 | wrdadsdsholapet.org | udp |
| US | 8.8.8.8:53 | qsceeaiugkeq.info | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | kiqsliiugkeq.net | udp |
| US | 8.8.8.8:53 | pkyutwfox.cc | udp |
| US | 8.8.8.8:53 | qrppekdsholapet.org | udp |
| US | 8.8.8.8:53 | kuuoryeoya.net | udp |
| US | 8.8.8.8:53 | exuaqadsholapet.cc | udp |
| US | 8.8.8.8:53 | milybenansnan.cc | udp |
| US | 8.8.8.8:53 | uugnsqeoya.net | udp |
| US | 8.8.8.8:53 | qcwmoaiq.net | udp |
| US | 8.8.8.8:53 | ctheeenansnan.com | udp |
| US | 8.8.8.8:53 | usaqosiugkeq.net | udp |
| US | 8.8.8.8:53 | gcqcceiq.info | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pqvghcn.org | udp |
| US | 8.8.8.8:53 | ezrusadsholapet.org | udp |
| US | 8.8.8.8:53 | oaypfiiugkeq.info | udp |
| US | 8.8.8.8:53 | wugqgeiq.net | udp |
| US | 8.8.8.8:53 | ojgyvadsholapet.org | udp |
| US | 8.8.8.8:53 | rvxxbwfox.org | udp |
| US | 8.8.8.8:53 | yqsifkuiwcymao.biz | udp |
| US | 8.8.8.8:53 | ayechs.net | udp |
| US | 8.8.8.8:53 | ofskdadsholapet.com | udp |
| US | 8.8.8.8:53 | gyeowk.info | udp |
| US | 8.8.8.8:53 | iukowqeoya.net | udp |
| US | 8.8.8.8:53 | aefkxyfqbex.com | udp |
| US | 8.8.8.8:53 | zyzgrcn.org | udp |
| US | 8.8.8.8:53 | yewmqsiugkeq.net | udp |
| US | 8.8.8.8:53 | uogomk.biz | udp |
| US | 8.8.8.8:53 | cebgxgfqbex.com | udp |
| US | 8.8.8.8:53 | gelqzanansnan.org | udp |
| US | 8.8.8.8:53 | kiapso.biz | udp |
| BG | 87.97.144.204:29580 | tcp | |
| US | 8.8.8.8:53 | sgmgsyeoya.info | udp |
| US | 8.8.8.8:53 | qhbxvqfqbex.cc | udp |
| US | 8.8.8.8:53 | kvpcjkdsholapet.com | udp |
| US | 8.8.8.8:53 | kqgjss.info | udp |
| US | 8.8.8.8:53 | eeyeywiugkeq.info | udp |
| US | 8.8.8.8:53 | arogxenansnan.org | udp |
| US | 8.8.8.8:53 | crxkyqfqbex.cc | udp |
| US | 8.8.8.8:53 | isgkbqeoya.biz | udp |
| US | 8.8.8.8:53 | acudmkuiwcymao.net | udp |
| US | 8.8.8.8:53 | wxwffkdsholapet.org | udp |
| US | 8.8.8.8:53 | zwpczcn.com | udp |
| US | 8.8.8.8:53 | wiczfguiwcymao.info | udp |
| US | 8.8.8.8:53 | qmyaekuiwcymao.info | udp |
| US | 8.8.8.8:53 | lhlyfgn.org | udp |
| US | 8.8.8.8:53 | vxbulcn.org | udp |
| US | 8.8.8.8:53 | cgiwxmiq.biz | udp |
| US | 8.8.8.8:53 | djjkpkn.com | udp |
| US | 8.8.8.8:53 | qwhmpodsholapet.cc | udp |
| US | 8.8.8.8:53 | ckqqvsiugkeq.info | udp |
| US | 8.8.8.8:53 | uwmrieiq.net | udp |
| US | 8.8.8.8:53 | bgryrcn.com | udp |
| US | 8.8.8.8:53 | brjrpkn.cc | udp |
| US | 8.8.8.8:53 | aykuueiq.info | udp |
| US | 8.8.8.8:53 | aaswasuiwcymao.net | udp |
| US | 8.8.8.8:53 | iawxrwnansnan.com | udp |
| US | 8.8.8.8:53 | bcnrpafox.com | udp |
| US | 8.8.8.8:53 | ieoqks.info | udp |
| US | 8.8.8.8:53 | wuwmiadsholapet.cc | udp |
| US | 8.8.8.8:53 | tgtilwfox.com | udp |
| US | 8.8.8.8:53 | yeqehs.info | udp |
| US | 8.8.8.8:53 | cayoiwiugkeq.biz | udp |
| US | 8.8.8.8:53 | vlxchgn.org | udp |
| US | 8.8.8.8:53 | iqtwvadsholapet.org | udp |
| US | 8.8.8.8:53 | wmcesiiugkeq.net | udp |
| US | 8.8.8.8:53 | caawamiq.biz | udp |
| US | 8.8.8.8:53 | dqnvskn.cc | udp |
| US | 8.8.8.8:53 | nxtaygn.cc | udp |
| US | 8.8.8.8:53 | maqnjqeoya.net | udp |
| US | 8.8.8.8:53 | sgmiimiq.biz | udp |
| US | 8.8.8.8:53 | yxbudqfqbex.org | udp |
| US | 8.8.8.8:53 | lftmngn.cc | udp |
| US | 8.8.8.8:53 | mmebgiiugkeq.biz | udp |
| US | 8.8.8.8:53 | jfmlbifox.cc | udp |
| US | 8.8.8.8:53 | mwhxdodsholapet.org | udp |
| US | 8.8.8.8:53 | uqeheaiugkeq.biz | udp |
| US | 8.8.8.8:53 | gywsws.net | udp |
| US | 8.8.8.8:53 | wfsqtwnansnan.org | udp |
| LT | 88.223.49.174:35232 | tcp | |
| US | 8.8.8.8:53 | cvxvhufqbex.org | udp |
| US | 8.8.8.8:53 | eugtgaiq.biz | udp |
| US | 8.8.8.8:53 | qossaueoya.biz | udp |
| US | 8.8.8.8:53 | jgkwfifox.com | udp |
| US | 8.8.8.8:53 | cxrejwnansnan.cc | udp |
| US | 8.8.8.8:53 | ciowdiiugkeq.biz | udp |
| US | 8.8.8.8:53 | ekmwwk.biz | udp |
| US | 8.8.8.8:53 | xsvuckn.com | udp |
| US | 8.8.8.8:53 | yrvgjufqbex.org | udp |
| US | 8.8.8.8:53 | caiedgeoya.info | udp |
| US | 8.8.8.8:53 | iooiwa.info | udp |
| US | 8.8.8.8:53 | xiryzkn.cc | udp |
| US | 8.8.8.8:53 | mwtjmenansnan.cc | udp |
| US | 8.8.8.8:53 | mykbms.net | udp |
| US | 8.8.8.8:53 | oeopseiq.net | udp |
| US | 8.8.8.8:53 | jvlzrkn.cc | udp |
| US | 8.8.8.8:53 | kljiaqfqbex.cc | udp |
| US | 8.8.8.8:53 | myukkwiugkeq.info | udp |
| US | 8.8.8.8:53 | wccioa.net | udp |
| US | 8.8.8.8:53 | kdlwdyfqbex.org | udp |
| US | 8.8.8.8:53 | qfpptanansnan.cc | udp |
| US | 8.8.8.8:53 | casyncuiwcymao.info | udp |
| US | 8.8.8.8:53 | qwofqqeoya.biz | udp |
| US | 8.8.8.8:53 | ktienmnansnan.cc | udp |
| US | 8.8.8.8:53 | wgjetanansnan.cc | udp |
| US | 8.8.8.8:53 | wegcsqeoya.info | udp |
| US | 8.8.8.8:53 | ayiggaiq.biz | udp |
| US | 8.8.8.8:53 | wutwxgfqbex.cc | udp |
| US | 8.8.8.8:53 | wgfkjanansnan.cc | udp |
| US | 8.8.8.8:53 | asuwvueoya.info | udp |
| US | 8.8.8.8:53 | mcojfgeoya.biz | udp |
| US | 8.8.8.8:53 | qidsfqfqbex.com | udp |
| US | 8.8.8.8:53 | xopuxafox.org | udp |
| US | 8.8.8.8:53 | emuyko.biz | udp |
| US | 8.8.8.8:53 | pkwjuafox.cc | udp |
| US | 8.8.8.8:53 | elzmkodsholapet.org | udp |
| US | 8.8.8.8:53 | ummchsiugkeq.info | udp |
| US | 8.8.8.8:53 | sskgwyeoya.net | udp |
| US | 8.8.8.8:53 | deknaifox.org | udp |
| US | 8.8.8.8:53 | uidoeyfqbex.cc | udp |
| US | 8.8.8.8:53 | iisbqgeoya.info | udp |
| US | 8.8.8.8:53 | geyymwiugkeq.biz | udp |
| US | 8.8.8.8:53 | spsdcenansnan.cc | udp |
| US | 8.8.8.8:53 | qdzuxanansnan.cc | udp |
| US | 8.8.8.8:53 | goscfqeoya.info | udp |
| US | 8.8.8.8:53 | wookuwiq.info | udp |
| US | 8.8.8.8:53 | hwpufgn.cc | udp |
| US | 8.8.8.8:53 | grhcgqfqbex.cc | udp |
| US | 8.8.8.8:53 | ekycya.net | udp |
| US | 8.8.8.8:53 | qgyioo.biz | udp |
| US | 8.8.8.8:53 | hudkvkn.com | udp |
| US | 8.8.8.8:53 | mwpqjgfqbex.com | udp |
| US | 8.8.8.8:53 | mmesemiq.info | udp |
| US | 8.8.8.8:53 | wyiecwiq.net | udp |
| US | 8.8.8.8:53 | brxcxkn.org | udp |
| US | 8.8.8.8:53 | kmheegfqbex.org | udp |
| US | 89.117.8.117:41337 | tcp | |
| US | 8.8.8.8:53 | kekylmiq.biz | udp |
| US | 8.8.8.8:53 | ouwyzodsholapet.cc | udp |
| US | 8.8.8.8:53 | ltbudafox.com | udp |
| US | 8.8.8.8:53 | ciolusiugkeq.info | udp |
| US | 8.8.8.8:53 | wcieomiq.biz | udp |
| US | 8.8.8.8:53 | hlbcmgn.cc | udp |
| US | 8.8.8.8:53 | denmywfox.cc | udp |
| US | 8.8.8.8:53 | guefgwiugkeq.net | udp |
| US | 8.8.8.8:53 | momwha.info | udp |
| US | 8.8.8.8:53 | qmwmumnansnan.cc | udp |
| US | 8.8.8.8:53 | snxuhgfqbex.cc | udp |
| US | 8.8.8.8:53 | esmmbkuiwcymao.biz | udp |
| US | 8.8.8.8:53 | ywocqa.info | udp |
| US | 8.8.8.8:53 | hinypcn.com | udp |
| US | 8.8.8.8:53 | cuhglyfqbex.cc | udp |
| US | 8.8.8.8:53 | symmbs.info | udp |
| US | 8.8.8.8:53 | wokeqiiugkeq.net | udp |
| US | 8.8.8.8:53 | jchwngn.cc | udp |
| US | 8.8.8.8:53 | rxflwcn.org | udp |
| US | 8.8.8.8:53 | uomjxkuiwcymao.info | udp |
| US | 8.8.8.8:53 | yckzwcuiwcymao.biz | udp |
| US | 8.8.8.8:53 | gyluhufqbex.org | udp |
| US | 8.8.8.8:53 | jndgxcn.com | udp |
| US | 8.8.8.8:53 | wuizjueoya.info | udp |
| BG | 217.75.139.26:21660 | tcp | |
| US | 8.8.8.8:53 | koiczkuiwcymao.info | udp |
| US | 8.8.8.8:53 | tnvszcn.cc | udp |
| US | 8.8.8.8:53 | wovvzkdsholapet.com | udp |
| US | 8.8.8.8:53 | gsuidsiugkeq.biz | udp |
| US | 8.8.8.8:53 | iiafomiq.info | udp |
| US | 8.8.8.8:53 | csuqnodsholapet.cc | udp |
| US | 8.8.8.8:53 | wijrdufqbex.cc | udp |
| US | 8.8.8.8:53 | swemaiiugkeq.biz | udp |
| US | 8.8.8.8:53 | gmqcksuiwcymao.biz | udp |
| US | 8.8.8.8:53 | pkhscsn.com | udp |
| US | 8.8.8.8:53 | oehugkdsholapet.cc | udp |
| US | 8.8.8.8:53 | esosxcuiwcymao.net | udp |
| US | 8.8.8.8:53 | cwqxaeiq.info | udp |
| US | 8.8.8.8:53 | whbfkufqbex.com | udp |
| US | 8.8.8.8:53 | gogmesuiwcymao.info | udp |
| US | 8.8.8.8:53 | mtmkvkdsholapet.com | udp |
| US | 8.8.8.8:53 | gepgxsdsholapet.cc | udp |
| US | 8.8.8.8:53 | iqqhqqeoya.info | udp |
| US | 8.8.8.8:53 | gewufguiwcymao.net | udp |
| US | 8.8.8.8:53 | cgygnadsholapet.com | udp |
| US | 8.8.8.8:53 | zqnbfwfox.org | udp |
| US | 8.8.8.8:53 | wugvekuiwcymao.biz | udp |
| US | 8.8.8.8:53 | eyiewyeoya.info | udp |
| US | 8.8.8.8:53 | 79.242.123.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | untorgfqbex.org | udp |
| US | 8.8.8.8:53 | oapqrqfqbex.cc | udp |
| US | 8.8.8.8:53 | yskuss.biz | udp |
| US | 8.8.8.8:53 | sqyiaaiugkeq.net | udp |
| US | 8.8.8.8:53 | edxmfqfqbex.org | udp |
| US | 8.8.8.8:53 | qvbmxodsholapet.cc | udp |
| US | 8.8.8.8:53 | ywkeoueoya.info | udp |
| US | 8.8.8.8:53 | ucsgamiq.info | udp |
| US | 8.8.8.8:53 | yhcobodsholapet.com | udp |
| US | 8.8.8.8:53 | zgjubsn.com | udp |
| US | 8.8.8.8:53 | ecquoueoya.biz | udp |
| US | 8.8.8.8:53 | qhoeqmnansnan.cc | udp |
| US | 8.8.8.8:53 | aaxefanansnan.cc | udp |
| US | 8.8.8.8:53 | sqcwos.biz | udp |
| US | 8.8.8.8:53 | kymrgwiq.net | udp |
| US | 8.8.8.8:53 | pwestsfox.org | udp |
| US | 8.8.8.8:53 | gajkjwnansnan.com | udp |
| US | 8.8.8.8:53 | mmaxwqeoya.info | udp |
| US | 8.8.8.8:53 | yasupiiugkeq.net | udp |
| US | 8.8.8.8:53 | uqgkoodsholapet.org | udp |
| US | 8.8.8.8:53 | rsxszcn.cc | udp |
| US | 8.8.8.8:53 | asqqlcuiwcymao.net | udp |
| BG | 95.87.63.140:39366 | tcp | |
| US | 8.8.8.8:53 | wnomzadsholapet.cc | udp |
| US | 8.8.8.8:53 | bmhwjafox.com | udp |
| US | 8.8.8.8:53 | eeqivcuiwcymao.info | udp |
| US | 8.8.8.8:53 | iccshaiq.biz | udp |
| US | 8.8.8.8:53 | ljnexkn.com | udp |
| US | 8.8.8.8:53 | gvhwpsdsholapet.com | udp |
| US | 8.8.8.8:53 | qqmsgyeoya.net | udp |
| US | 8.8.8.8:53 | qyguza.net | udp |
| US | 8.8.8.8:53 | wjzuyqfqbex.org | udp |
| US | 8.8.8.8:53 | vwzvvsfox.com | udp |
| US | 8.8.8.8:53 | csydsaiq.info | udp |
| US | 8.8.8.8:53 | kqecimiq.net | udp |
| US | 8.8.8.8:53 | imtrayfqbex.cc | udp |
| US | 8.8.8.8:53 | hwtydgn.cc | udp |
| US | 8.8.8.8:53 | ieednsuiwcymao.net | udp |
| US | 8.8.8.8:53 | qoomewiq.info | udp |
| US | 8.8.8.8:53 | wwgspodsholapet.org | udp |
| US | 8.8.8.8:53 | qptclanansnan.org | udp |
| US | 8.8.8.8:53 | mmskygeoya.info | udp |
| US | 8.8.8.8:53 | prnsvsn.org | udp |
| US | 8.8.8.8:53 | mibjcenansnan.com | udp |
| US | 8.8.8.8:53 | miwdgkuiwcymao.net | udp |
| US | 8.8.8.8:53 | kqkmgsiugkeq.info | udp |
| US | 8.8.8.8:53 | kwrepgfqbex.com | udp |
| US | 8.8.8.8:53 | wvlydodsholapet.org | udp |
| US | 8.8.8.8:53 | wicubqeoya.net | udp |
| US | 8.8.8.8:53 | saifymiq.biz | udp |
| US | 8.8.8.8:53 | rhptqgn.org | udp |
| US | 8.8.8.8:53 | ycmoraiugkeq.biz | udp |
| US | 8.8.8.8:53 | kiatcs.net | udp |
| US | 8.8.8.8:53 | rasanwfox.com | udp |
| US | 8.8.8.8:53 | jdzukwfox.com | udp |
| US | 8.8.8.8:53 | wecsmk.biz | udp |
| US | 8.8.8.8:53 | yxhtzgfqbex.cc | udp |
| US | 8.8.8.8:53 | merknsdsholapet.cc | udp |
| US | 8.8.8.8:53 | sgyxmyeoya.biz | udp |
| US | 8.8.8.8:53 | aksfgiiugkeq.biz | udp |
| US | 8.8.8.8:53 | abiymmnansnan.org | udp |
| US | 8.8.8.8:53 | cupytwnansnan.org | udp |
| US | 8.8.8.8:53 | qiwidkuiwcymao.net | udp |
| US | 8.8.8.8:53 | ieiqosuiwcymao.net | udp |
| US | 8.8.8.8:53 | flyieafox.com | udp |
| US | 8.8.8.8:53 | jrhbnwfox.com | udp |
| US | 8.8.8.8:53 | eoiyzguiwcymao.net | udp |
| US | 8.8.8.8:53 | suwioa.net | udp |
| US | 8.8.8.8:53 | gjphzyfqbex.cc | udp |
| US | 8.8.8.8:53 | ygxommnansnan.cc | udp |
| US | 8.8.8.8:53 | qkmkeo.net | udp |
| US | 8.8.8.8:53 | iuiqaiiugkeq.net | udp |
| US | 8.8.8.8:53 | xtqmvafox.cc | udp |
| US | 8.8.8.8:53 | eozulanansnan.org | udp |
| RU | 94.41.225.2:43070 | tcp | |
| US | 8.8.8.8:53 | oeaejo.net | udp |
| US | 8.8.8.8:53 | ggghksiugkeq.info | udp |
| US | 8.8.8.8:53 | nnmcmafox.com | udp |
| US | 8.8.8.8:53 | ilxnhenansnan.cc | udp |
| US | 8.8.8.8:53 | womcco.info | udp |
| US | 8.8.8.8:53 | kssmvwnansnan.org | udp |
| US | 8.8.8.8:53 | zjdkbifox.cc | udp |
| US | 8.8.8.8:53 | gwyujiiugkeq.info | udp |
| US | 8.8.8.8:53 | ciqeakuiwcymao.info | udp |
| US | 8.8.8.8:53 | iiwobadsholapet.org | udp |
| US | 8.8.8.8:53 | fmzmbsn.org | udp |
| US | 8.8.8.8:53 | kkaqqkuiwcymao.net | udp |
| US | 8.8.8.8:53 | symiageoya.info | udp |
| US | 8.8.8.8:53 | ywxqtgfqbex.org | udp |
| US | 8.8.8.8:53 | evzwfanansnan.com | udp |
| US | 8.8.8.8:53 | omuwcsuiwcymao.info | udp |
| US | 8.8.8.8:53 | kkuwjadsholapet.org | udp |
| US | 8.8.8.8:53 | wldlpenansnan.cc | udp |
| US | 8.8.8.8:53 | ecyrwmiq.biz | udp |
| US | 8.8.8.8:53 | suyuyo.biz | udp |
| US | 8.8.8.8:53 | fdwbrifox.com | udp |
| US | 8.8.8.8:53 | nwryzsfox.com | udp |
| US | 8.8.8.8:53 | mgaxpkuiwcymao.net | udp |
| US | 8.8.8.8:53 | wyoodwiugkeq.net | udp |
| US | 8.8.8.8:53 | ohailenansnan.org | udp |
| US | 8.8.8.8:53 | sptnzyfqbex.org | udp |
| US | 8.8.8.8:53 | acceliiugkeq.net | udp |
| US | 8.8.8.8:53 | muigfaiq.info | udp |
| US | 8.8.8.8:53 | kmaytadsholapet.org | udp |
| US | 8.8.8.8:53 | kakmngeoya.biz | udp |
| US | 8.8.8.8:53 | hgcemafox.org | udp |
| US | 8.8.8.8:53 | nsdilwfox.cc | udp |
| US | 8.8.8.8:53 | suguoyeoya.biz | udp |
| US | 8.8.8.8:53 | mgijcyeoya.biz | udp |
| US | 8.8.8.8:53 | mmjmygfqbex.cc | udp |
| US | 8.8.8.8:53 | grdksanansnan.org | udp |
| US | 8.8.8.8:53 | quyeps.info | udp |
| US | 8.8.8.8:53 | eagjdk.info | udp |
| US | 8.8.8.8:53 | mwqkbmnansnan.com | udp |
| US | 8.8.8.8:53 | qcvwpenansnan.org | udp |
| US | 8.8.8.8:53 | omenowiugkeq.biz | udp |
| US | 8.8.8.8:53 | kqwkkiiugkeq.info | udp |
| US | 8.8.8.8:53 | jpqoqafox.com | udp |
| LT | 78.62.240.10:13594 | tcp | |
| US | 8.8.8.8:53 | ksxutufqbex.cc | udp |
| US | 8.8.8.8:53 | icujxiiugkeq.biz | udp |
| US | 8.8.8.8:53 | komiksiugkeq.biz | udp |
| US | 8.8.8.8:53 | alvljufqbex.com | udp |
| US | 8.8.8.8:53 | rjxwfkn.org | udp |
| US | 8.8.8.8:53 | mqsuxguiwcymao.biz | udp |
| US | 8.8.8.8:53 | rdkkkifox.org | udp |
| US | 8.8.8.8:53 | ejpvuyfqbex.com | udp |
| US | 8.8.8.8:53 | gyskesuiwcymao.net | udp |
| US | 8.8.8.8:53 | qkguoyeoya.biz | udp |
| US | 8.8.8.8:53 | qwmssaiq.net | udp |
| US | 8.8.8.8:53 | meauoguiwcymao.info | udp |
| US | 8.8.8.8:53 | wnqwgenansnan.com | udp |
| US | 8.8.8.8:53 | irbgzodsholapet.com | udp |
| US | 8.8.8.8:53 | ysqcvkuiwcymao.net | udp |
| US | 8.8.8.8:53 | kqweccuiwcymao.net | udp |
| US | 8.8.8.8:53 | pnholkn.org | udp |
| US | 8.8.8.8:53 | kadyianansnan.org | udp |
| US | 8.8.8.8:53 | aygbcaiq.biz | udp |
| US | 8.8.8.8:53 | qucozeiq.biz | udp |
| US | 8.8.8.8:53 | sgekvmnansnan.org | udp |
| US | 8.8.8.8:53 | rqnqnwfox.org | udp |
| US | 8.8.8.8:53 | uquwueiq.biz | udp |
| US | 8.8.8.8:53 | cmwuacuiwcymao.biz | udp |
| US | 8.8.8.8:53 | kiwcdsdsholapet.cc | udp |
| US | 8.8.8.8:53 | zxjaxkn.cc | udp |
| US | 8.8.8.8:53 | mqkkha.net | udp |
| US | 8.8.8.8:53 | woakfeiq.biz | udp |
| US | 8.8.8.8:53 | zexahgn.cc | udp |
| US | 8.8.8.8:53 | axvqxufqbex.cc | udp |
| US | 8.8.8.8:53 | gquuzkuiwcymao.info | udp |
| US | 8.8.8.8:53 | aaiuwqeoya.net | udp |
| US | 8.8.8.8:53 | pghqjkn.cc | udp |
| US | 8.8.8.8:53 | uzvqlwnansnan.cc | udp |
| US | 8.8.8.8:53 | ykucaa.biz | udp |
| US | 8.8.8.8:53 | qcssiiiugkeq.biz | udp |
| US | 8.8.8.8:53 | aqgatkdsholapet.com | udp |
| US | 8.8.8.8:53 | gcbudqfqbex.org | udp |
| US | 8.8.8.8:53 | kyaqjqeoya.info | udp |
| US | 8.8.8.8:53 | ojjadufqbex.com | udp |
| US | 8.8.8.8:53 | lnbalkn.cc | udp |
| US | 8.8.8.8:53 | qamusaiq.net | udp |
| US | 8.8.8.8:53 | iqifpwiq.info | udp |
| US | 8.8.8.8:53 | pnlqxcn.org | udp |
| US | 8.8.8.8:53 | kyxapgfqbex.com | udp |
| US | 8.8.8.8:53 | qwypusiugkeq.net | udp |
| US | 8.8.8.8:53 | umywasiugkeq.net | udp |
| US | 8.8.8.8:53 | ahkucsdsholapet.org | udp |
| US | 8.8.8.8:53 | gaoumyeoya.info | udp |
| US | 8.8.8.8:53 | qgeygo.biz | udp |
| US | 8.8.8.8:53 | unyxzwnansnan.cc | udp |
| US | 8.8.8.8:53 | lzdkmgn.com | udp |
| US | 8.8.8.8:53 | ygeergeoya.info | udp |
| LT | 78.63.29.53:40396 | tcp | |
| US | 8.8.8.8:53 | geisjwiugkeq.net | udp |
| US | 8.8.8.8:53 | rxmprsfox.cc | udp |
| US | 8.8.8.8:53 | emzbngfqbex.com | udp |
| US | 8.8.8.8:53 | sqalbaiq.biz | udp |
| US | 8.8.8.8:53 | amauqaiq.info | udp |
| US | 8.8.8.8:53 | geubesdsholapet.cc | udp |
| US | 8.8.8.8:53 | bspscsfox.org | udp |
| US | 8.8.8.8:53 | keublkuiwcymao.net | udp |
| US | 8.8.8.8:53 | kyoeeguiwcymao.info | udp |
| US | 8.8.8.8:53 | tslyqsn.cc | udp |
| US | 8.8.8.8:53 | qzfunsdsholapet.com | udp |
| US | 8.8.8.8:53 | oeewscuiwcymao.biz | udp |
| US | 8.8.8.8:53 | qqwkxeiq.biz | udp |
| US | 8.8.8.8:53 | xxmaeifox.org | udp |
| US | 8.8.8.8:53 | uzpyfsdsholapet.cc | udp |
| US | 8.8.8.8:53 | ciggia.biz | udp |
| US | 8.8.8.8:53 | mqyxqmiq.biz | udp |
| US | 8.8.8.8:53 | ymrhnqfqbex.cc | udp |
| US | 8.8.8.8:53 | pcxalgn.org | udp |
| US | 8.8.8.8:53 | ukgfpiiugkeq.biz | udp |
| US | 8.8.8.8:53 | icgwrwiq.info | udp |
| US | 8.8.8.8:53 | wjdgayfqbex.com | udp |
| US | 8.8.8.8:53 | utpaimnansnan.com | udp |
| US | 8.8.8.8:53 | msakxcuiwcymao.info | udp |
| US | 8.8.8.8:53 | qbhdgqfqbex.cc | udp |
| US | 8.8.8.8:53 | kargdqfqbex.org | udp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp |
Files