Malware Analysis Report

2025-03-15 00:56

Sample ID 240626-hz21lavcnk
Target 1123f172c57750172e8d6b3f993d9513_JaffaCakes118
SHA256 7c0be0e7c8bb10da6c1dcf2b6e0b56ebc93f18af8a56dc0a479a4d7098d59226
Tags defense_evasion evasion persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 7c0be0e7c8bb10da6c1dcf2b6e0b56ebc93f18af8a56dc0a479a4d7098d59226

Threat Level: Known bad

The file 1123f172c57750172e8d6b3f993d9513_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion evasion persistence trojan

UAC bypass

Modifies WinLogon for persistence

Disables RegEdit via registry modification

Disables Task Manager via registry modification

Adds policy Run key to start application

Executes dropped EXE

Impair Defenses: Safe Mode Boot

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Checks whether UAC is enabled

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-26 07:11

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-26 07:11

Reported 2024-06-26 07:13

Platform win7-20240611-en

Max time kernel 151s

Max time network 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A

Adds policy Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavqogysortfwxctjocx.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatmiyogabblazcrfi.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "yizqkymcutrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "oatmiyogabblazcrfi.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "mavqogysortfwxctjocx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqiavkzqjjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizqkymcutrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "yizqkymcutrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavqogysortfwxctjocx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavqogysortfwxctjocx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatmiyogabblazcrfi.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "bqmihatolpsfxzfxoujfb.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqiavkzqjjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "bqmihatolpsfxzfxoujfb.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "yizqkymcutrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "bqmihatolpsfxzfxoujfb.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "oatmiyogabblazcrfi.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizqkymcutrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "mavqogysortfwxctjocx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmihatolpsfxzfxoujfb.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A

Disables Task Manager via registry modification

evasion

Impair Defenses: Safe Mode Boot

defense_evasion
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "fqiavkzqjjirfdftg.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqiavkzqjjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmihatolpsfxzfxoujfb.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oatmiyogabblazcrfi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmihatolpsfxzfxoujfb.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "oatmiyogabblazcrfi.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqiavkzqjjirfdftg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavqogysortfwxctjocx.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqiavkzqjjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "yizqkymcutrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmihatolpsfxzfxoujfb.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "mavqogysortfwxctjocx.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizqkymcutrzmjkx.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oatmiyogabblazcrfi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmihatolpsfxzfxoujfb.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yizqkymcutrzmjkx = "oatmiyogabblazcrfi.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqiavkzqjjirfdftg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmihatolpsfxzfxoujfb.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oatmiyogabblazcrfi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqiavkzqjjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcsibobqhfcjvrr = "fqiavkzqjjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "oatmiyogabblazcrfi.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yizqkymcutrzmjkx = "mavqogysortfwxctjocx.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqiavkzqjjirfdftg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavqogysortfwxctjocx.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcsibobqhfcjvrr = "yizqkymcutrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcsibobqhfcjvrr = "bqmihatolpsfxzfxoujfb.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqiavkzqjjirfdftg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmihatolpsfxzfxoujfb.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqiavkzqjjirfdftg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizqkymcutrzmjkx.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yizqkymcutrzmjkx = "oatmiyogabblazcrfi.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmgaxofytvwhxxbrgkx.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavqogysortfwxctjocx.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcsibobqhfcjvrr = "mavqogysortfwxctjocx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcsibobqhfcjvrr = "oatmiyogabblazcrfi.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yizqkymcutrzmjkx = "mavqogysortfwxctjocx.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmihatolpsfxzfxoujfb.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmihatolpsfxzfxoujfb.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcsibobqhfcjvrr = "fqiavkzqjjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yizqkymcutrzmjkx = "mavqogysortfwxctjocx.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavqogysortfwxctjocx.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "bqmihatolpsfxzfxoujfb.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "mavqogysortfwxctjocx.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "fqiavkzqjjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yizqkymcutrzmjkx = "bqmihatolpsfxzfxoujfb.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqiavkzqjjirfdftg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqiavkzqjjirfdftg.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "bqmihatolpsfxzfxoujfb.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oatmiyogabblazcrfi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizqkymcutrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oatmiyogabblazcrfi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oatmiyogabblazcrfi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatmiyogabblazcrfi.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "mavqogysortfwxctjocx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcsibobqhfcjvrr = "bqmihatolpsfxzfxoujfb.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oatmiyogabblazcrfi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmihatolpsfxzfxoujfb.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqiavkzqjjirfdftg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatmiyogabblazcrfi.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "fqiavkzqjjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yizqkymcutrzmjkx = "zmgaxofytvwhxxbrgkx.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcsibobqhfcjvrr = "yizqkymcutrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavqogysortfwxctjocx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yizqkymcutrzmjkx = "yizqkymcutrzmjkx.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yizqkymcutrzmjkx = "oatmiyogabblazcrfi.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqiavkzqjjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "fqiavkzqjjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "oatmiyogabblazcrfi.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcsibobqhfcjvrr = "zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "oatmiyogabblazcrfi.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcsibobqhfcjvrr = "yizqkymcutrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatmiyogabblazcrfi.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "bqmihatolpsfxzfxoujfb.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | whatismyip.everdot.org | N/A | N/A
N/A | www.showmyipaddress.com | N/A | N/A
N/A | www.whatismyip.ca | N/A | N/A
N/A | whatismyipaddress.com | N/A | N/A

Drops autorun.inf file

Description | Indicator | Process | Target
File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\zmgaxofytvwhxxbrgkx.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
File created | C:\Windows\SysWOW64\oatmiyogabblazcrfi.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File opened for modification | C:\Windows\SysWOW64\oatmiyogabblazcrfi.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
File created | C:\Windows\SysWOW64\oatmiyogabblazcrfi.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File created | C:\Windows\SysWOW64\mavqogysortfwxctjocx.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File created | C:\Windows\SysWOW64\fqiavkzqjjirfdftg.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
File created | C:\Windows\SysWOW64\zmgaxofytvwhxxbrgkx.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File created | C:\Windows\SysWOW64\fqiavkzqjjirfdftg.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File opened for modification | C:\Windows\SysWOW64\bqmihatolpsfxzfxoujfb.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File created | C:\Windows\SysWOW64\dwwwzwtstbizvblhcmfff.fcb | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File created | C:\Windows\SysWOW64\yizqkymcutrzmjkx.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File opened for modification | C:\Windows\SysWOW64\ycnymucmyrjlsjelrmqbmaiqamfxzgxs.fae | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File opened for modification | C:\Windows\SysWOW64\oatmiyogabblazcrfi.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File created | C:\Windows\SysWOW64\oatmiyogabblazcrfi.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
File opened for modification | C:\Windows\SysWOW64\bqmihatolpsfxzfxoujfb.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
File created | C:\Windows\SysWOW64\bqmihatolpsfxzfxoujfb.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File created | C:\Windows\SysWOW64\fqiavkzqjjirfdftg.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
File opened for modification | C:\Windows\SysWOW64\sifccwqmkpthadkdvcspmm.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
File created | C:\Windows\SysWOW64\sifccwqmkpthadkdvcspmm.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
File opened for modification | C:\Windows\SysWOW64\oatmiyogabblazcrfi.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File opened for modification | C:\Windows\SysWOW64\sifccwqmkpthadkdvcspmm.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File opened for modification | C:\Windows\SysWOW64\dwwwzwtstbizvblhcmfff.fcb | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File opened for modification | C:\Windows\SysWOW64\yizqkymcutrzmjkx.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
File opened for modification | C:\Windows\SysWOW64\yizqkymcutrzmjkx.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
File created | C:\Windows\SysWOW64\oatmiyogabblazcrfi.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
File opened for modification | C:\Windows\SysWOW64\bqmihatolpsfxzfxoujfb.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
File opened for modification | C:\Windows\SysWOW64\sifccwqmkpthadkdvcspmm.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
File opened for modification | C:\Windows\SysWOW64\yizqkymcutrzmjkx.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File created | C:\Windows\SysWOW64\yizqkymcutrzmjkx.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File created | C:\Windows\SysWOW64\sifccwqmkpthadkdvcspmm.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File created | C:\Windows\SysWOW64\ycnymucmyrjlsjelrmqbmaiqamfxzgxs.fae | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File created | C:\Windows\SysWOW64\sifccwqmkpthadkdvcspmm.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
File created | C:\Windows\SysWOW64\bqmihatolpsfxzfxoujfb.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
File created | C:\Windows\SysWOW64\fqiavkzqjjirfdftg.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File opened for modification | C:\Windows\SysWOW64\bqmihatolpsfxzfxoujfb.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File opened for modification | C:\Windows\SysWOW64\sifccwqmkpthadkdvcspmm.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A
File created | C:\Windows\SysWOW64\zmgaxofytvwhxxbrgkx.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
File created | C:\Windows\SysWOW64\yizqkymcutrzmjkx.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
File created | C:\Windows\SysWOW64\mavqogysortfwxctjocx.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A
File opened for modification C:\Windows\SysWOW64\zmgaxofytvwhxxbrgkx.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\SysWOW64\fqiavkzqjjirfdftg.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\SysWOW64\fqiavkzqjjirfdftg.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Windows\SysWOW64\bqmihatolpsfxzfxoujfb.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Windows\SysWOW64\zmgaxofytvwhxxbrgkx.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File opened for modification C:\Windows\SysWOW64\fqiavkzqjjirfdftg.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\SysWOW64\mavqogysortfwxctjocx.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\SysWOW64\mavqogysortfwxctjocx.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File opened for modification C:\Windows\SysWOW64\zmgaxofytvwhxxbrgkx.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File opened for modification C:\Windows\SysWOW64\mavqogysortfwxctjocx.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Windows\SysWOW64\mavqogysortfwxctjocx.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File opened for modification C:\Windows\SysWOW64\oatmiyogabblazcrfi.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\SysWOW64\zmgaxofytvwhxxbrgkx.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Windows\SysWOW64\sifccwqmkpthadkdvcspmm.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File opened for modification C:\Windows\SysWOW64\fqiavkzqjjirfdftg.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Windows\SysWOW64\mavqogysortfwxctjocx.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\SysWOW64\mavqogysortfwxctjocx.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File created C:\Windows\SysWOW64\zmgaxofytvwhxxbrgkx.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\SysWOW64\yizqkymcutrzmjkx.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Windows\SysWOW64\yizqkymcutrzmjkx.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File created C:\Windows\SysWOW64\bqmihatolpsfxzfxoujfb.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\dwwwzwtstbizvblhcmfff.fcb C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Program Files (x86)\ycnymucmyrjlsjelrmqbmaiqamfxzgxs.fae C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File opened for modification C:\Program Files (x86)\ycnymucmyrjlsjelrmqbmaiqamfxzgxs.fae C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Program Files (x86)\dwwwzwtstbizvblhcmfff.fcb C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\sifccwqmkpthadkdvcspmm.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File opened for modification C:\Windows\yizqkymcutrzmjkx.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Windows\yizqkymcutrzmjkx.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\oatmiyogabblazcrfi.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File created C:\Windows\oatmiyogabblazcrfi.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File created C:\Windows\zmgaxofytvwhxxbrgkx.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File opened for modification C:\Windows\mavqogysortfwxctjocx.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File opened for modification C:\Windows\fqiavkzqjjirfdftg.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File opened for modification C:\Windows\yizqkymcutrzmjkx.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File created C:\Windows\sifccwqmkpthadkdvcspmm.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\mavqogysortfwxctjocx.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\bqmihatolpsfxzfxoujfb.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Windows\yizqkymcutrzmjkx.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File created C:\Windows\mavqogysortfwxctjocx.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Windows\mavqogysortfwxctjocx.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File created C:\Windows\zmgaxofytvwhxxbrgkx.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File created C:\Windows\bqmihatolpsfxzfxoujfb.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\zmgaxofytvwhxxbrgkx.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Windows\fqiavkzqjjirfdftg.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Windows\sifccwqmkpthadkdvcspmm.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File opened for modification C:\Windows\ycnymucmyrjlsjelrmqbmaiqamfxzgxs.fae C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Windows\mavqogysortfwxctjocx.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File created C:\Windows\fqiavkzqjjirfdftg.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File opened for modification C:\Windows\sifccwqmkpthadkdvcspmm.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Windows\zmgaxofytvwhxxbrgkx.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File opened for modification C:\Windows\dwwwzwtstbizvblhcmfff.fcb C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Windows\zmgaxofytvwhxxbrgkx.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File created C:\Windows\yizqkymcutrzmjkx.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Windows\mavqogysortfwxctjocx.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File opened for modification C:\Windows\bqmihatolpsfxzfxoujfb.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File opened for modification C:\Windows\oatmiyogabblazcrfi.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File opened for modification C:\Windows\mavqogysortfwxctjocx.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Windows\bqmihatolpsfxzfxoujfb.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\bqmihatolpsfxzfxoujfb.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\yizqkymcutrzmjkx.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\zmgaxofytvwhxxbrgkx.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\zmgaxofytvwhxxbrgkx.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File opened for modification C:\Windows\sifccwqmkpthadkdvcspmm.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File created C:\Windows\oatmiyogabblazcrfi.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\yizqkymcutrzmjkx.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Windows\dwwwzwtstbizvblhcmfff.fcb C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Windows\fqiavkzqjjirfdftg.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\fqiavkzqjjirfdftg.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\bqmihatolpsfxzfxoujfb.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File created C:\Windows\sifccwqmkpthadkdvcspmm.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File created C:\Windows\oatmiyogabblazcrfi.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Windows\bqmihatolpsfxzfxoujfb.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Windows\bqmihatolpsfxzfxoujfb.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Windows\yizqkymcutrzmjkx.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File created C:\Windows\ycnymucmyrjlsjelrmqbmaiqamfxzgxs.fae C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File opened for modification C:\Windows\fqiavkzqjjirfdftg.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File opened for modification C:\Windows\oatmiyogabblazcrfi.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\mavqogysortfwxctjocx.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File created C:\Windows\fqiavkzqjjirfdftg.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\sifccwqmkpthadkdvcspmm.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File created C:\Windows\oatmiyogabblazcrfi.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File opened for modification C:\Windows\zmgaxofytvwhxxbrgkx.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
File opened for modification C:\Windows\oatmiyogabblazcrfi.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File opened for modification C:\Windows\sifccwqmkpthadkdvcspmm.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
File opened for modification C:\Windows\fqiavkzqjjirfdftg.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2200 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe
PID 2808 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe
PID 2808 wrote to memory of 1716 N/A C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe
PID 2200 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe

"C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe" "c:\users\admin\appdata\local\temp\1123f172c57750172e8d6b3f993d9513_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe

"C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe" "-c:\users\admin\appdata\local\temp\1123f172c57750172e8d6b3f993d9513_jaffacakes118.exe"

C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe

"C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe" "-c:\users\admin\appdata\local\temp\1123f172c57750172e8d6b3f993d9513_jaffacakes118.exe"

C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe

"C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe" "c:\users\admin\appdata\local\temp\1123f172c57750172e8d6b3f993d9513_jaffacakes118.exe"

Network

US 8.8.8.8:53 spmjewnansnan.cc udp
US 8.8.8.8:53 pulwlifox.com udp
US 8.8.8.8:53 emicys.biz udp
US 8.8.8.8:53 mmwikwiq.net udp
US 8.8.8.8:53 ioqmfsdsholapet.cc udp
US 8.8.8.8:53 sbdwpenansnan.com udp
US 8.8.8.8:53 yokaos.info udp
US 8.8.8.8:53 osobjiiugkeq.info udp
US 8.8.8.8:53 chjjgqfqbex.com udp
US 8.8.8.8:53 wuhthanansnan.cc udp
US 8.8.8.8:53 kckzkueoya.net udp
US 8.8.8.8:53 aeeeuaiq.info udp
US 8.8.8.8:53 epeeuanansnan.cc udp
US 8.8.8.8:53 emdctqfqbex.org udp
US 8.8.8.8:53 eywsgo.info udp
US 8.8.8.8:53 acwdqkuiwcymao.net udp
US 8.8.8.8:53 mhdevufqbex.com udp
US 8.8.8.8:53 divsdkn.org udp
US 8.8.8.8:53 cmeigsuiwcymao.biz udp
US 8.8.8.8:53 yaabuueoya.net udp
US 8.8.8.8:53 ldjpbcn.org udp
US 8.8.8.8:53 gnnpbqfqbex.cc udp
US 8.8.8.8:53 qseecaiugkeq.info udp
US 8.8.8.8:53 iuqxtyeoya.info udp
US 8.8.8.8:53 fxguasfox.cc udp
US 8.8.8.8:53 wkrzlgfqbex.org udp
US 8.8.8.8:53 mmqtqwiugkeq.net udp
US 8.8.8.8:53 wmkdhs.net udp
US 8.8.8.8:53 vahpqcn.com udp
US 8.8.8.8:53 uurmdyfqbex.org udp
US 8.8.8.8:53 kccamwiq.net udp
US 8.8.8.8:53 sqigrmiq.net udp
US 8.8.8.8:53 ypkibmnansnan.org udp
US 8.8.8.8:53 uxbibodsholapet.com udp
US 8.8.8.8:53 emgwmsiugkeq.info udp
US 8.8.8.8:53 ackbia.biz udp
US 8.8.8.8:53 lwohpwfox.cc udp
US 8.8.8.8:53 krjgewnansnan.cc udp
US 8.8.8.8:53 wsocyguiwcymao.info udp
US 8.8.8.8:53 qyesak.net udp
US 8.8.8.8:53 qgryvufqbex.org udp
US 8.8.8.8:53 krxihodsholapet.org udp
US 8.8.8.8:53 coegcguiwcymao.info udp
US 8.8.8.8:53 qsoiia.net udp
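The lookups above are not a handful of C2 hosts but a stream of algorithmically generated names, and the useful analyst question is what structure the generator has. The following script is an added example written for this page, not code from the sandbox or from the sample; SAMPLE_QUERIES is a constructed subset of the domains listed above, and the clustering heuristic (greedy grouping on the shared suffix with the most support, weighted by its length) and its thresholds are my assumptions rather than anything the report states.

```python
"""Group the DNS lookups in the report's network table into DGA families.

Added example, not part of the sandbox report or of any tooling it used.
SAMPLE_QUERIES is a constructed subset of the domains the report lists;
the grouping heuristic (greedy clustering on a shared proper suffix) and
its thresholds are the author's assumptions, not something the report states.
"""
from collections import Counter

# Constructed sample: a subset of the queried domains from the report above.
SAMPLE_QUERIES = [
    "agadss.biz", "ivqvrodsholapet.com", "czyhvkdsholapet.org",
    "kufamkdsholapet.cc", "ubcmvadsholapet.org", "ynrvwgfqbex.org",
    "ayhwaufqbex.org", "mmxsxqfqbex.cc", "iyhyfqfqbex.org", "ciuzwaiq.net",
    "yokivaiq.info", "qmgwwmiq.biz", "qikukwiq.net", "ohwiomnansnan.org",
    "iiuhlwnansnan.cc", "wofrnanansnan.com", "rxfmdwfox.org", "lksrusfox.org",
    "nbjmgafox.org", "xsymfsfox.cc", "esowayeoya.biz", "wskoageoya.net",
    "ccquxqeoya.net", "qgasocuiwcymao.info", "isspqkuiwcymao.biz",
    "sguxwcuiwcymao.biz", "wwwkqwiugkeq.info", "cemisaiugkeq.net",
    "oisqasiugkeq.info", "uioezo.biz", "dnfjlkn.com", "lvlobkn.com",
]


def second_level(domain):
    """Label directly left of the TLD. Deliberately naive (no public-suffix
    list), which is fine for the single-label TLDs in this report."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def suffix_families(labels, min_len=2, min_members=3):
    """Greedy clustering. Each round scores every proper suffix (>= min_len
    chars) shared by at least min_members unassigned labels as
    count * length, takes the best (longest on ties) and moves its labels
    into that family. Returns (families, singletons)."""
    remaining = set(labels)
    families = {}
    while True:
        support = Counter()
        for label in remaining:
            for n in range(min_len, len(label)):        # proper suffixes only
                support[label[-n:]] += 1
        candidates = [(c * len(s), len(s), s)
                      for s, c in support.items() if c >= min_members]
        if not candidates:
            break
        _, _, best = max(candidates)
        members = sorted(m for m in remaining if m.endswith(best))
        families[best] = members
        remaining.difference_update(members)
    return families, sorted(remaining)


def prefix_lengths(families):
    """Distinct lengths of the part before the shared suffix, per family.
    One value per family means fixed-length random prefix + dictionary token."""
    return {suffix: sorted({len(m) - len(suffix) for m in members})
            for suffix, members in families.items()}


def tld_counts(domains):
    return Counter(d.lower().strip(".").rsplit(".", 1)[-1] for d in domains)


def analyze(domains):
    families, singletons = suffix_families([second_level(d) for d in domains])
    return {
        "families": families,
        "singletons": singletons,
        "prefix_lengths": prefix_lengths(families),
        "tlds": tld_counts(domains),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_QUERIES)
    for suffix, members in result["families"].items():
        print(f"*{suffix:<10} {len(members):>2} hosts, prefix length(s) "
              f"{result['prefix_lengths'][suffix]}")
    print("singletons:", ", ".join(result["singletons"]))
    print("TLDs:", dict(result["tlds"]))
```

On the sample this yields eight token families (dsholapet, uiwcymao, nansnan, fqbex, iugkeq, eoya, fox, iq), each with a prefix of exactly six characters, and a TLD pool of .com/.org/.net/.biz/.info/.cc; that is a better hunting signature than any single domain. The heuristic has a known weak spot: two-letter tails on six-letter names can collide by chance (three of the short names in the full list end in "ia"), so raising min_len to 3 suppresses those at the cost of splitting the two-letter "iq" group.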

Files

\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe

MD5 a3492b467622a421ab2ff18ba2762c53
SHA1 2e6963888847f0e70d9efe6c99b6cfe3d1b0e1e0
SHA256 062efd6997c37d42c5394912d2a59a4105cf789c90824cf56a7dd64569f973fd
SHA512 deb864b71ac1c1b3b65642d5af2f3e82ec3430dedda24a3abe2ec19425c6b1c1aa963d9e8bb60fe9a29228448a50a6392a7899434ba9e500a3ea13f958866a32

C:\Windows\SysWOW64\oatmiyogabblazcrfi.exe

MD5 1123f172c57750172e8d6b3f993d9513
SHA1 7656038336d4e81804790f6d23bd0f72b2bb1542
SHA256 7c0be0e7c8bb10da6c1dcf2b6e0b56ebc93f18af8a56dc0a479a4d7098d59226
SHA512 e865ea1b9294607e8b0bcd3423ab543fe167e96251c1f058ebe524e062fb68dcdcebbee03b6422b5d4e08728d58981d895c9119042a3e08e0595d38d34f86fdc

\Users\Admin\AppData\Local\Temp\zaiqbgl.exe

MD5 67b6de0f59baea1a26ef953a573fa5e0
SHA1 bb0e72eaecbc1459ff4937ff925eabf7dc26c2a3
SHA256 c9d1afafa5823f86a4a1f18eb08ca64be4eb0fe04b5e43900f679e7a384f9dea
SHA512 68ca6f668648da41d0415b46f7c43615ac9e5ef84a41a571f8432de2e25fe41e16dae9e7b6a265340151663d1470c65fb18d8092b2f23d5f1ada5de3cf1fab1d

C:\Users\Admin\AppData\Local\dwwwzwtstbizvblhcmfff.fcb

MD5 f633f0857752ef848cd9786038626a5c
SHA1 9c50914882894e97c1e1047cd9a9120987442680
SHA256 ffb8e8ccfb593fdf88ddcba7192b171103a4111d0f0e4a8056a16ee8e26877da
SHA512 0114ffe48eb0d9f7786921752c3c3564323a5fd4e63ad51305564e99dedfdef19827679a62a804095def86ecbbdfbf8244698630c60de2a2689cec3d46758b2d

C:\Users\Admin\AppData\Local\ycnymucmyrjlsjelrmqbmaiqamfxzgxs.fae

MD5 7205e6a45d06070d5798c451ec5e8876
SHA1 c1362723136fd30372cbd6c4dfa54369c09f7246
SHA256 0c34b4e75249d1b64646c9d8cb4c08408a25dc60c6be103f9fc67aaab6358345
SHA512 6c5da2b3ea5e7f11654fd4a80ea7a3eea749b997e817a40361b1fdf411dc7262d3c30e540d6dae0b711eb8b3409ad3c529ce0929f3f78af4f07554f8b8fe3a0c

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 07:11

Reported

2024-06-26 07:13

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwzpvafn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zozxlylblfhbbsad.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "pgttjynfrnrnpisxri.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwzpvafn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zozxlylblfhbbsad.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwzpvafn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgttjynfrnrnpisxri.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "pgttjynfrnrnpisxri.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwzpvafn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asghyoexkhmjmgrxsky.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "ngvxpgxrfdjhlgszvodf.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "gwihwkypavytumvzs.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "asghyoexkhmjmgrxsky.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "zozxlylblfhbbsad.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwzpvafn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmpiasncbihmivdaukng.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "asghyoexkhmjmgrxsky.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwzpvafn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgttjynfrnrnpisxri.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwzpvafn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zozxlylblfhbbsad.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwzpvafn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gwihwkypavytumvzs.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwzpvafn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asghyoexkhmjmgrxsky.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "cwmpiasncbihmivdaukng.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "zozxlylblfhbbsad.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "gwihwkypavytumvzs.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwzpvafn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngvxpgxrfdjhlgszvodf.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "asghyoexkhmjmgrxsky.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "zozxlylblfhbbsad.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "ngvxpgxrfdjhlgszvodf.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zozxlylblfhbbsad.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uispcoapyrslkah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgttjynfrnrnpisxri.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "pgttjynfrnrnpisxri.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uispcoapyrslkah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngvxpgxrfdjhlgszvodf.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "cwmpiasncbihmivdaukng.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asghyoexkhmjmgrxsky.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "ngvxpgxrfdjhlgszvodf.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmpiasncbihmivdaukng.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "pgttjynfrnrnpisxri.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmpiasncbihmivdaukng.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgttjynfrnrnpisxri.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "zozxlylblfhbbsad.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uispcoapyrslkah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zozxlylblfhbbsad.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcjdnwfrxnlb = "gwihwkypavytumvzs.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qckfqakxevuli = "asghyoexkhmjmgrxsky.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\renjvgrfnffxvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmpiasncbihmivdaukng.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\renjvgrfnffxvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngvxpgxrfdjhlgszvodf.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcjdnwfrxnlb = "cwmpiasncbihmivdaukng.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "zozxlylblfhbbsad.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "cwmpiasncbihmivdaukng.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "pgttjynfrnrnpisxri.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\renjvgrfnffxvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zozxlylblfhbbsad.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "pgttjynfrnrnpisxri.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "gwihwkypavytumvzs.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qckfqakxevuli = "zozxlylblfhbbsad.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgttjynfrnrnpisxri.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcjdnwfrxnlb = "zozxlylblfhbbsad.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qckfqakxevuli = "pgttjynfrnrnpisxri.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\renjvgrfnffxvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmpiasncbihmivdaukng.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcjdnwfrxnlb = "asghyoexkhmjmgrxsky.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\renjvgrfnffxvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgttjynfrnrnpisxri.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcjdnwfrxnlb = "pgttjynfrnrnpisxri.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\renjvgrfnffxvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmpiasncbihmivdaukng.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qckfqakxevuli = "cwmpiasncbihmivdaukng.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmpiasncbihmivdaukng.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngvxpgxrfdjhlgszvodf.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "pgttjynfrnrnpisxri.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uispcoapyrslkah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asghyoexkhmjmgrxsky.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "cwmpiasncbihmivdaukng.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qckfqakxevuli = "zozxlylblfhbbsad.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qckfqakxevuli = "ngvxpgxrfdjhlgszvodf.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uispcoapyrslkah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmpiasncbihmivdaukng.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qckfqakxevuli = "gwihwkypavytumvzs.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gwihwkypavytumvzs.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gwihwkypavytumvzs.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "ngvxpgxrfdjhlgszvodf.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\renjvgrfnffxvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgttjynfrnrnpisxri.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uispcoapyrslkah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zozxlylblfhbbsad.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qckfqakxevuli = "zozxlylblfhbbsad.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uispcoapyrslkah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gwihwkypavytumvzs.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\renjvgrfnffxvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gwihwkypavytumvzs.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qckfqakxevuli = "gwihwkypavytumvzs.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asghyoexkhmjmgrxsky.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgttjynfrnrnpisxri.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcjdnwfrxnlb = "pgttjynfrnrnpisxri.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "asghyoexkhmjmgrxsky.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "gwihwkypavytumvzs.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asghyoexkhmjmgrxsky.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gwihwkypavytumvzs.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uispcoapyrslkah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgttjynfrnrnpisxri.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\renjvgrfnffxvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmpiasncbihmivdaukng.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcjdnwfrxnlb = "zozxlylblfhbbsad.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcjdnwfrxnlb = "cwmpiasncbihmivdaukng.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "asghyoexkhmjmgrxsky.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
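The registry tables above are long because the sandbox records every repeated write; what an analyst wants from them is one line per process and technique. The script below is an added example written for this page, not code from the sandbox. It parses rows in the report's own "Description Indicator Process Target" format, normalises the \REGISTRY\MACHINE and \REGISTRY\USER\<SID> prefixes to HKLM/HKU, and maps each row to an Enterprise ATT&CK technique ID. SAMPLE_ROWS is a constructed subset of the rows above; the rule set and the technique mapping are my reading of those rows, not something the report states.

```python
"""Triage the registry rows in the report's signature tables.

Added example, not part of the sandbox report or of the sandbox's own
tooling. Parses rows in the report's "Description Indicator Process
Target" format and maps each to an ATT&CK technique ID. The rule set and
the technique mapping are the author's, not something the report states.
"""
import re
from collections import defaultdict

# Constructed sample: rows copied from the behavioral2 signature tables above.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwzpvafn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zozxlylblfhbbsad.exe" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A',
    r'Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "pgttjynfrnrnpisxri.exe ." C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A',
    r'Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A',
]

ROW_RE = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created|Key deleted|Key value queried)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'          # lazy: stops before the optional = "value"
    r'(?:\s+=\s+"(?P<value>.*)")?'
    r'\s+(?P<process>\S+)\s+(?P<target>\S+)$'
)
HIVE_RE = re.compile(r'^\\REGISTRY\\(?:MACHINE|USER\\(S-1-5-[\d-]+))\\')

UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin",
              "ConsentPromptBehaviorUser", "PromptOnSecureDesktop"}
LOCKOUT_VALUES = {"DisableRegistryTools", "DisableTaskMgr"}
AUTOSTART_PARENTS = ("\\currentversion\\run", "\\currentversion\\runonce",
                     "\\policies\\explorer\\run")


def normalize_path(path):
    """\\REGISTRY\\MACHINE\\x -> HKLM\\x ; \\REGISTRY\\USER\\<sid>\\x -> HKU\\<sid>\\x"""
    m = HIVE_RE.match(path)
    if not m:
        return path
    rest = path[m.end():]
    return ("HKU\\" + m.group(1) + "\\" + rest) if m.group(1) else ("HKLM\\" + rest)


def classify(ev):
    """Map one parsed row to (finding, technique) or None. Technique IDs are
    the author's mapping to Enterprise ATT&CK."""
    op, path, value = ev["op"], ev["path"], ev["value"]
    low = path.lower()
    parent, _, leaf = path.rpartition("\\")
    sets = op.startswith("Set value")
    if sets and low.endswith("\\winlogon\\shell"):
        return "Winlogon Shell replaced with " + value, "T1547.004"
    if sets and "\\policies\\system" in low and leaf in UAC_VALUES and value == "0":
        return "UAC weakened: " + leaf + "=0", "T1548.002"
    if sets and "\\policies\\system" in low and leaf in LOCKOUT_VALUES and value == "1":
        return "Admin tool disabled: " + leaf + "=1", "T1562.001"
    if op == "Key deleted" and "\\control\\safeboot\\" in low:
        return "Safe Mode boot entry removed: " + leaf, "T1562.009"
    if sets and parent.lower().endswith(AUTOSTART_PARENTS):
        return "Autostart entry " + leaf + " -> " + value, "T1547.001"
    if op == "Key value queried" and low.endswith("\\geo\\nation"):
        return "Machine location queried (Geo\\Nation)", "T1614"
    if op == "Key value queried" and leaf == "EnableLUA":
        return "UAC state queried before tampering", "T1012"
    return None


def triage(rows):
    """Parse, classify, and collapse the report's repeated identical writes.
    Returns (findings, unparsed_rows)."""
    findings, seen, unparsed = [], set(), []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            unparsed.append(row)
            continue
        ev = m.groupdict()
        ev["value"] = ev["value"] or ""
        ev["path"] = normalize_path(ev["path"])
        hit = classify(ev)
        if hit is None:
            continue
        key = (ev["process"], hit[1], ev["path"], ev["value"])
        if key in seen:
            continue
        seen.add(key)
        findings.append({"process": ev["process"], "technique": hit[1],
                         "finding": hit[0], "key": ev["path"]})
    return findings, unparsed


def by_process(findings):
    """Sorted technique IDs per process image name."""
    out = defaultdict(set)
    for f in findings:
        out[f["process"].rsplit("\\", 1)[-1]].add(f["technique"])
    return {proc: sorted(techs) for proc, techs in out.items()}


if __name__ == "__main__":
    found, bad = triage(SAMPLE_ROWS)
    for f in found:
        name = f["process"].rsplit("\\", 1)[-1]
        print(f'{f["technique"]:<10} {name:<18} {f["finding"]}')
    print(by_process(found))
```

Two caveats when reusing this on other reports of the same sample: the dropped-binary names differ between the two detonations on this page (the win7 run dropped atwewsahkdg.exe and zaiqbgl.exe, the win10 run ixujeqtrshe.exe and agixcgk.exe), so match on the registry behaviour rather than the image name; and the Target column is N/A throughout, so it is parsed but carries nothing.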

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
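
Analyst note, added here and not part of the sandbox output: the IP-check domains in this signature show up again in the Network table further down, mixed with reverse lookups (*.in-addr.arpa) for addresses the sample talked to and with dozens of DNS queries for short .cc/.biz/.info/.org names that never turn into a connection. The Python below parses rows in that table's format into the buckets a responder wants: reverse-DNS noise, names only queried, and TCP endpoints actually reached, with the external-IP services separated out. The keyword heuristic for those services is my assumption, not a curated list, and the sample rows are a constructed subset of the table, including the one row that has no domain column at all.

```python
from typing import Dict, List, Optional

# Constructed subset of this analysis's Network table (Country Destination
# Domain Proto), copied as the sandbox prints it; the AU row has no domain.
NETWORK_ROWS = """\
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 www.whatismyip.com udp
US 104.27.206.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 104.27.206.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 216.58.204.78:80 www.youtube.com tcp
AU 218.100.81.0:3432 tcp
US 8.8.8.8:53 mymqeo.info udp
US 8.8.8.8:53 tfomvifox.cc udp
US 8.8.8.8:53 dlradsn.org udp
US 162.249.65.162:80 dlradsn.org tcp
US 8.8.8.8:53 zipagcn.cc udp
"""

# Keyword heuristic for "what is my IP" services. My assumption, not a
# sandbox list: review what it catches before trusting it on other reports.
IP_CHECK_HINTS = ("myip", "ipaddress")


def parse_network(text: str) -> List[Dict[str, Optional[str]]]:
    """One dict per row; a three-column row is a direct-to-IP connection."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, None
        else:
            continue
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def is_ip_check(domain: str) -> bool:
    return any(hint in domain.lower() for hint in IP_CHECK_HINTS)


def triage(rows: List[Dict[str, Optional[str]]]) -> dict:
    ptr_lookups = [r["domain"] for r in rows
                   if r["domain"] and r["domain"].endswith(".in-addr.arpa")]
    queried = {r["domain"] for r in rows
               if r["proto"] == "udp" and r["dest"].endswith(":53")
               and r["domain"] and not r["domain"].endswith(".in-addr.arpa")}
    tcp: Dict[str, Optional[str]] = {}          # destination -> name it was reached under
    for r in rows:
        if r["proto"] == "tcp":
            tcp.setdefault(r["dest"], r["domain"])
    contacted = {d for d in tcp.values() if d}
    ip_check = {d for d in queried | contacted if is_ip_check(d)}
    return {
        "reverse_lookups": len(ptr_lookups),
        "ip_check_services": ip_check,
        # queried by name but never followed by a TCP connection in the table
        "dns_only": queried - contacted - ip_check,
        # endpoints actually reached, minus the IP-check services
        "candidates": [(dest, dom) for dest, dom in tcp.items()
                       if not dom or dom not in ip_check],
    }


if __name__ == "__main__":
    result = triage(parse_network(NETWORK_ROWS))
    print("reverse lookups (noise):", result["reverse_lookups"])
    print("external IP checks:", sorted(result["ip_check_services"]))
    print("queried, never connected:", sorted(result["dns_only"]))
    for dest, dom in result["candidates"]:
        print("follow up:", dest, dom or "(no name)")
```

On this report's rows the follow-up list is www.youtube.com, the unnamed 218.100.81.0:3432 and dlradsn.org at 162.249.65.162:80; the names that were only queried are the ones to check against passive DNS, since the table cannot tell a failed lookup from a resolved name that was simply never contacted.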

Drops autorun.inf file

Description Indicator Process Target
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
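
Analyst note, added here and not part of the sandbox output: dropping autorun.inf at the root of C: and F: only pays off if Explorer is still allowed to act on it, which is why the same process also writes Policies\Explorer\NoDriveTypeAutoRun = 1 in the "System policy modification" table below. That value is a bitmask indexed by the GetDriveType() drive-type numbers in which a set bit disables AutoRun for that type; 1 clears every bit except "unknown", well below the 0x91 Vista/Windows 7 default and the 0x95 XP default. The caveat that matters for this win7 detonation: Windows 7, and XP/Vista with the 2009 AutoPlay update, ignore autorun.inf on anything but optical media regardless of this mask, so the drop is aimed at unpatched older hosts. The Python below decodes the mask and combines it with that platform rule; the drive types assigned to C: and F: are assumptions (the report does not say what F: is).

```python
from typing import Dict, List, Set

# NoDriveTypeAutoRun: bit = 1 << GetDriveType() value; a SET bit disables
# AutoRun for that drive type. 0x80 is the documented catch-all "unknown" bit,
# and 0xFF disables AutoRun everywhere.
DRIVE_TYPE_BITS: Dict[int, str] = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "UNKNOWN_RESERVED",
}
DEFAULT_VISTA_WIN7 = 0x91   # unknown, network and the reserved bit disabled
DEFAULT_XP = 0x95           # as above, plus removable drives disabled
SAMPLE_VALUE = 0x01         # what this sample writes under HKLM\...\Policies\Explorer

# Platform rule on top of the policy: Windows 7 only honours autorun.inf
# AutoRun entries on optical media; XP/Vista without the 2009 AutoPlay update
# honoured it on any drive type the mask left enabled.
AUTORUN_INF_HONOURED: Dict[str, Set[str]] = {
    "windows7": {"DRIVE_CDROM"},
    "xp_unpatched": set(DRIVE_TYPE_BITS.values()),
}


def autorun_enabled_types(mask: int) -> Set[str]:
    """Drive types on which the policy still allows AutoRun."""
    return {name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit}


def effective_autorun(mask: int, platform: str) -> Set[str]:
    """Drive types where autorun.inf would actually be acted on: policy mask
    AND the platform's own AutoPlay rule."""
    return autorun_enabled_types(mask) & AUTORUN_INF_HONOURED[platform]


def assess_autorun(mask: int, dropped_inf_paths: List[str],
                   drive_types: Dict[str, str], platform: str) -> dict:
    """Combine the policy write with the autorun.inf drops seen in the report.
    drive_types maps a root such as 'F:\\' to its (assumed) drive type."""
    roots = sorted({p[:3] for p in dropped_inf_paths})
    effective = effective_autorun(mask, platform)
    return {
        "policy_enables": autorun_enabled_types(mask),
        "widened_vs_xp_default": autorun_enabled_types(mask) - autorun_enabled_types(DEFAULT_XP),
        "effective_on_platform": effective,
        "autorun_inf_roots": roots,
        "roots_that_would_fire": [r for r in roots if drive_types.get(r) in effective],
    }


if __name__ == "__main__":
    # Drive types are assumptions: the report does not identify what F: is.
    drives = {"C:\\": "DRIVE_FIXED", "F:\\": "DRIVE_REMOVABLE"}
    drops = [r"F:\autorun.inf", r"C:\autorun.inf"]
    for platform in ("windows7", "xp_unpatched"):
        result = assess_autorun(SAMPLE_VALUE, drops, drives, platform)
        print(platform, "policy enables:", sorted(result["policy_enables"]))
        print(platform, "effective:", sorted(result["effective_on_platform"]),
              "fires on:", result["roots_that_would_fire"])
```

With value 1 the policy permits AutoRun on removable, fixed, network, CD-ROM and RAM-disk volumes, but on the sandbox's Windows 7 image only a CD-ROM would actually trigger, so neither dropped autorun.inf fires there; on an unpatched XP host both would.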

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\ngvxpgxrfdjhlgszvodf.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\SysWOW64\ngvxpgxrfdjhlgszvodf.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\SysWOW64\cwmpiasncbihmivdaukng.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\SysWOW64\ngvxpgxrfdjhlgszvodf.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\ngvxpgxrfdjhlgszvodf.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\SysWOW64\pgttjynfrnrnpisxri.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\SysWOW64\tofjdwplbbjjpmajhctxrk.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\SysWOW64\gwihwkypavytumvzs.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\SysWOW64\zozxlylblfhbbsad.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\SysWOW64\tofjdwplbbjjpmajhctxrk.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\SysWOW64\pgttjynfrnrnpisxri.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\SysWOW64\cwmpiasncbihmivdaukng.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\SysWOW64\ngvxpgxrfdjhlgszvodf.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\SysWOW64\cwmpiasncbihmivdaukng.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\SysWOW64\cwmpiasncbihmivdaukng.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\gwihwkypavytumvzs.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\asghyoexkhmjmgrxsky.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\SysWOW64\cwmpiasncbihmivdaukng.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\SysWOW64\asghyoexkhmjmgrxsky.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\cwmpiasncbihmivdaukng.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\gwihwkypavytumvzs.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\SysWOW64\zozxlylblfhbbsad.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\pgttjynfrnrnpisxri.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\zozxlylblfhbbsad.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\SysWOW64\gwihwkypavytumvzs.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\SysWOW64\pgttjynfrnrnpisxri.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\gwihwkypavytumvzs.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\SysWOW64\asghyoexkhmjmgrxsky.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\SysWOW64\pgttjynfrnrnpisxri.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\SysWOW64\tofjdwplbbjjpmajhctxrk.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\SysWOW64\ngvxpgxrfdjhlgszvodf.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\SysWOW64\zinfnublpdznhsurdmrjryfpthdrlwyv.qvn C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\SysWOW64\asghyoexkhmjmgrxsky.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\ngvxpgxrfdjhlgszvodf.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\SysWOW64\gwihwkypavytumvzs.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\SysWOW64\zozxlylblfhbbsad.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\SysWOW64\zozxlylblfhbbsad.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\pgttjynfrnrnpisxri.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\SysWOW64\ecwdawsrknybkkbnomgnk.cbu C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\SysWOW64\cwmpiasncbihmivdaukng.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\tofjdwplbbjjpmajhctxrk.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\SysWOW64\asghyoexkhmjmgrxsky.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\SysWOW64\asghyoexkhmjmgrxsky.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\SysWOW64\ecwdawsrknybkkbnomgnk.cbu C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\SysWOW64\zinfnublpdznhsurdmrjryfpthdrlwyv.qvn C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\SysWOW64\zozxlylblfhbbsad.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\pgttjynfrnrnpisxri.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\SysWOW64\tofjdwplbbjjpmajhctxrk.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\SysWOW64\asghyoexkhmjmgrxsky.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\pgttjynfrnrnpisxri.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\SysWOW64\tofjdwplbbjjpmajhctxrk.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\SysWOW64\asghyoexkhmjmgrxsky.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\SysWOW64\ngvxpgxrfdjhlgszvodf.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\SysWOW64\gwihwkypavytumvzs.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\SysWOW64\zozxlylblfhbbsad.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\SysWOW64\tofjdwplbbjjpmajhctxrk.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\SysWOW64\tofjdwplbbjjpmajhctxrk.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\SysWOW64\cwmpiasncbihmivdaukng.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\zozxlylblfhbbsad.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\SysWOW64\gwihwkypavytumvzs.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\ecwdawsrknybkkbnomgnk.cbu C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Program Files (x86)\ecwdawsrknybkkbnomgnk.cbu C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Program Files (x86)\zinfnublpdznhsurdmrjryfpthdrlwyv.qvn C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Program Files (x86)\zinfnublpdznhsurdmrjryfpthdrlwyv.qvn C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\pgttjynfrnrnpisxri.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\asghyoexkhmjmgrxsky.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\pgttjynfrnrnpisxri.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\pgttjynfrnrnpisxri.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\ngvxpgxrfdjhlgszvodf.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\ngvxpgxrfdjhlgszvodf.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\ngvxpgxrfdjhlgszvodf.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\zozxlylblfhbbsad.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\zozxlylblfhbbsad.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\gwihwkypavytumvzs.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\cwmpiasncbihmivdaukng.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\cwmpiasncbihmivdaukng.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\gwihwkypavytumvzs.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\asghyoexkhmjmgrxsky.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\ngvxpgxrfdjhlgszvodf.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\cwmpiasncbihmivdaukng.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\pgttjynfrnrnpisxri.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\asghyoexkhmjmgrxsky.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\cwmpiasncbihmivdaukng.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\cwmpiasncbihmivdaukng.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\pgttjynfrnrnpisxri.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\gwihwkypavytumvzs.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\asghyoexkhmjmgrxsky.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\ngvxpgxrfdjhlgszvodf.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\ecwdawsrknybkkbnomgnk.cbu C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\zozxlylblfhbbsad.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\ngvxpgxrfdjhlgszvodf.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\pgttjynfrnrnpisxri.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\asghyoexkhmjmgrxsky.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\gwihwkypavytumvzs.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\cwmpiasncbihmivdaukng.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\ngvxpgxrfdjhlgszvodf.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\tofjdwplbbjjpmajhctxrk.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\tofjdwplbbjjpmajhctxrk.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\tofjdwplbbjjpmajhctxrk.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\zozxlylblfhbbsad.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\ngvxpgxrfdjhlgszvodf.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\ecwdawsrknybkkbnomgnk.cbu C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\tofjdwplbbjjpmajhctxrk.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\zozxlylblfhbbsad.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\cwmpiasncbihmivdaukng.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\tofjdwplbbjjpmajhctxrk.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\gwihwkypavytumvzs.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\cwmpiasncbihmivdaukng.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\zinfnublpdznhsurdmrjryfpthdrlwyv.qvn C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\tofjdwplbbjjpmajhctxrk.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\tofjdwplbbjjpmajhctxrk.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\asghyoexkhmjmgrxsky.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\asghyoexkhmjmgrxsky.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\tofjdwplbbjjpmajhctxrk.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\pgttjynfrnrnpisxri.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\zozxlylblfhbbsad.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\asghyoexkhmjmgrxsky.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\pgttjynfrnrnpisxri.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\gwihwkypavytumvzs.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\zozxlylblfhbbsad.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File created C:\Windows\zinfnublpdznhsurdmrjryfpthdrlwyv.qvn C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
File opened for modification C:\Windows\zozxlylblfhbbsad.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\gwihwkypavytumvzs.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\gwihwkypavytumvzs.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1988 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 1988 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 1988 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 5092 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe
PID 5092 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe
PID 5092 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe
PID 5092 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe
PID 5092 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe
PID 5092 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe
PID 1988 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 1988 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 1988 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
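
Analyst note, added here and not part of the sandbox output: read together with the "Checks whether UAC is enabled" rows earlier in this analysis, this table is a UAC and local-policy teardown. EnableLUA=0 switches UAC off at the next reboot; ConsentPromptBehaviorAdmin=0 makes an Admin Approval Mode administrator elevate silently straight away; PromptOnSecureDesktop=0 moves any prompt that remains onto the ordinary, spoofable desktop; ConsentPromptBehaviorUser=0 auto-denies standard users; and DisableTaskMgr, DisableRegistryTools and NoFolderOptions take the user's own tools away. Two values (ValidateAdminCodeSignatures, FilterAdministratorToken) are written to what is already the default, and EnableLUA is written repeatedly by both processes, a rewrite loop that is itself a usable detection. The Python below parses rows in this table's format, keeps the last write per value, compares it with Windows 7 workgroup defaults as I know them (verify against the build in question) and counts writes per value and process. The rows are a constructed subset of the table above, with one "Key created" row left in to show it is skipped.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple, Union

ROW = re.compile(r'^Set value \((\w+)\) (\S+) = "([^"]*)" (\S+) \S+$')

# Constructed subset of the "System policy modification" rows above, verbatim.
ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\agixcgk.exe N/A
"""

# (Windows 7 workgroup default, effect of the value this sample writes).
POLICY_MEANING: Dict[str, Tuple[int, str]] = {
    "System\\EnableLUA":                   (1, "UAC off entirely (takes effect at next reboot)"),
    "System\\ConsentPromptBehaviorAdmin":  (5, "administrators elevate with no consent prompt"),
    "System\\ConsentPromptBehaviorUser":   (3, "standard users' elevation requests auto-denied"),
    "System\\PromptOnSecureDesktop":       (1, "remaining prompts shown on the normal desktop"),
    "System\\EnableVirtualization":        (1, "file/registry virtualization off for legacy apps"),
    "System\\EnableInstallerDetection":    (1, "installers no longer trigger elevation"),
    "System\\EnableSecureUIAPaths":        (1, "UIAccess apps allowed from any path"),
    "System\\ValidateAdminCodeSignatures": (0, "no signature check on elevated binaries (already default)"),
    "System\\FilterAdministratorToken":    (0, "built-in Administrator outside Admin Approval Mode (already default)"),
    "System\\DisableTaskMgr":              (0, "Task Manager blocked"),
    "System\\DisableRegistryTools":        (0, "regedit blocked"),
    "Explorer\\NoFolderOptions":           (0, "Folder Options (show hidden files) hidden from the user"),
    "Explorer\\NoDriveTypeAutoRun":        (0x91, "AutoRun allowed on every drive type except unknown"),
}

Event = Tuple[str, str, Union[int, str], str]   # (policy, type, value, writing image)


def parse_rows(text: str) -> List[Event]:
    """'Set value' rows only; key creations and value queries are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        vtype, path, raw, proc = m.groups()
        name = path.split("\\Policies\\", 1)[1]          # e.g. System\EnableLUA
        value: Union[int, str] = int(raw, 0) if vtype == "int" else raw
        events.append((name, vtype, value, proc.rsplit("\\", 1)[-1]))
    return events


def final_policy_state(events: List[Event]) -> Dict[str, Union[int, str]]:
    """Last write wins, as in the registry itself."""
    state: Dict[str, Union[int, str]] = {}
    for name, _, value, _ in events:
        state[name] = value
    return state


def write_counts(events: List[Event]) -> Counter:
    """How often each (policy, process) pair rewrote the value."""
    return Counter((name, proc) for name, _, _, proc in events)


def changed_from_default(state: Dict[str, Union[int, str]]) -> Dict[str, str]:
    return {name: meaning for name, (default, meaning) in POLICY_MEANING.items()
            if name in state and state[name] != default}


def uac_neutralised(state: Dict[str, Union[int, str]]) -> bool:
    """EnableLUA=0 needs a reboot; ConsentPromptBehaviorAdmin=0 already lets an
    Admin-Approval-Mode administrator elevate without being asked."""
    return (state.get("System\\EnableLUA") == 0
            or state.get("System\\ConsentPromptBehaviorAdmin") == 0)


if __name__ == "__main__":
    events = parse_rows(ROWS)
    state = final_policy_state(events)
    print("UAC neutralised:", uac_neutralised(state))
    for name, meaning in changed_from_default(state).items():
        print(f"  {name} = {state[name]}: {meaning}")
    for (name, proc), n in write_counts(events).most_common(3):
        print(f"  {proc} wrote {name} {n}x")
```

The same parser works on the HKCU variants of DisableTaskMgr and DisableRegistryTools (the path split keeps only the part after Policies\), so one table of defaults covers both hives.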

Processes

C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe

"C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\1123f172c57750172e8d6b3f993d9513_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\agixcgk.exe

"C:\Users\Admin\AppData\Local\Temp\agixcgk.exe" "-c:\users\admin\appdata\local\temp\1123f172c57750172e8d6b3f993d9513_jaffacakes118.exe"

C:\Users\Admin\AppData\Local\Temp\agixcgk.exe

"C:\Users\Admin\AppData\Local\Temp\agixcgk.exe" "-c:\users\admin\appdata\local\temp\1123f172c57750172e8d6b3f993d9513_jaffacakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe

"C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\1123f172c57750172e8d6b3f993d9513_jaffacakes118.exe"
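
Analyst note, added here and not part of the sandbox output: the WriteProcessMemory rows above are parent-to-child writes, three per child, and every target is one of the sample's own freshly started images; nothing is written into a pre-existing process such as explorer.exe, so the signature reflects process start-up rather than injection into another program. The Processes list shows the argument convention: ixujeqtrshe.exe receives the dropper's path with a trailing "*", agixcgk.exe with a leading "-", so the original sample path is a useful string to search for on other hosts. The Python below rebuilds the process tree from rows in that format and checks the write targets against the command-line list; both inputs are constructed from this analysis.

```python
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

WRITE_ROW = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Constructed from the "Suspicious use of WriteProcessMemory" rows above; the
# sandbox lists every parent->child write three times.
WRITE_ROWS = r"""
PID 1988 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 1988 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 1988 wrote to memory of 5092 N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 5092 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe
PID 5092 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe
PID 5092 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe
PID 5092 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe
PID 5092 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe
PID 5092 wrote to memory of 3600 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\agixcgk.exe
PID 1988 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 1988 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 1988 wrote to memory of 2728 N/A C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
"""

# Command lines from the Processes list above, keyed by image path (constructed).
COMMAND_LINES: Dict[str, str] = {
    r"C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe":
        r'"C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe"',
    r"C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe":
        r'"C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\1123f172c57750172e8d6b3f993d9513_jaffacakes118.exe*"',
    r"C:\Users\Admin\AppData\Local\Temp\agixcgk.exe":
        r'"C:\Users\Admin\AppData\Local\Temp\agixcgk.exe" "-c:\users\admin\appdata\local\temp\1123f172c57750172e8d6b3f993d9513_jaffacakes118.exe"',
}

Write = Tuple[int, int, str, str]   # (source pid, target pid, source image, target image)


def parse_writes(text: str) -> List[Write]:
    writes: List[Write] = []
    for line in text.splitlines():
        m = WRITE_ROW.match(line)
        if m:
            src, dst, src_img, dst_img = m.groups()
            writes.append((int(src), int(dst), src_img, dst_img))
    return writes


def build_tree(writes: List[Write]):
    """Children per PID in first-seen order, image per PID, writes per edge."""
    children: Dict[int, List[int]] = defaultdict(list)
    images: Dict[int, str] = {}
    edges: Counter = Counter()
    for src, dst, src_img, dst_img in writes:
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        if dst not in children[src]:
            children[src].append(dst)
        edges[(src, dst)] += 1
    return children, images, edges


def roots(children: Dict[int, List[int]]) -> List[int]:
    """PIDs that write to others but were never written to: the tree tops."""
    targets = {kid for kids in children.values() for kid in kids}
    return [pid for pid in children if pid not in targets]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def render(children: Dict[int, List[int]], images: Dict[int, str], pid: int, depth: int = 0) -> str:
    lines = ["  " * depth + f"{pid} {basename(images[pid])}"]
    for kid in children.get(pid, []):
        lines.append(render(children, images, kid, depth + 1))
    return "\n".join(lines)


def foreign_targets(writes: List[Write], own_images: Set[str]) -> Set[str]:
    """Write targets that are not one of the sample's own images; a non-empty
    result would mean injection into a process the sample did not start."""
    return {dst_img for _, _, _, dst_img in writes if dst_img not in own_images}


if __name__ == "__main__":
    writes = parse_writes(WRITE_ROWS)
    children, images, edges = build_tree(writes)
    for root in roots(children):
        print(render(children, images, root))
    print("writes per edge:", dict(edges))
    print("foreign targets:", foreign_targets(writes, set(COMMAND_LINES)) or "none")
```

The rendered tree is 1988 (the submitted sample) with children 5092 and 2728 (ixujeqtrshe.exe), and 5092 in turn with 3532 and 3600 (agixcgk.exe); that matches the five entries in the Processes list, and the foreign-target check comes back empty.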

Network


Files

C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe

MD5 a3492b467622a421ab2ff18ba2762c53
SHA1 2e6963888847f0e70d9efe6c99b6cfe3d1b0e1e0
SHA256 062efd6997c37d42c5394912d2a59a4105cf789c90824cf56a7dd64569f973fd
SHA512 deb864b71ac1c1b3b65642d5af2f3e82ec3430dedda24a3abe2ec19425c6b1c1aa963d9e8bb60fe9a29228448a50a6392a7899434ba9e500a3ea13f958866a32

C:\Windows\SysWOW64\pgttjynfrnrnpisxri.exe

MD5 1123f172c57750172e8d6b3f993d9513
SHA1 7656038336d4e81804790f6d23bd0f72b2bb1542
SHA256 7c0be0e7c8bb10da6c1dcf2b6e0b56ebc93f18af8a56dc0a479a4d7098d59226
SHA512 e865ea1b9294607e8b0bcd3423ab543fe167e96251c1f058ebe524e062fb68dcdcebbee03b6422b5d4e08728d58981d895c9119042a3e08e0595d38d34f86fdc

C:\Users\Admin\AppData\Local\Temp\agixcgk.exe

MD5 99bb071aa0a1d862df72c0ad9b18c1da
SHA1 0887b1a7aad7dad3717f84572b2596b4c56c5ac4
SHA256 b5d27a930117fdc84a79e2d784660df9d1d4de6ed394c3c16e62a0bb096ec74c
SHA512 cd16b63419fa41a4e41b35ed69fac4edde6f7a6db9de86388baefc5235a241b49419978d50a9cdc3acf5c7bfa719ac3fa8fa8bf3359b93cc5c457a3b3152493a

C:\Users\Admin\AppData\Local\ecwdawsrknybkkbnomgnk.cbu

MD5 38b4b21ecab6714c7053d8e1cd2a56e4
SHA1 a5f0828fb1874bc21c52db7e09d774b55270ce73
SHA256 6177636bcfd0b1258c8a36efc2afc7e81518ac20c01a574bd0beed80ab796bc6
SHA512 ab1d22a092d1c2a3cfb08e3f11f1a81eceadb6e96a81e4fbde5dc22249c6b2a4bf6bf5d1886974bc8e70d6d7704722b6489d8b4ba6108a53e751812720bc6739

C:\Users\Admin\AppData\Local\zinfnublpdznhsurdmrjryfpthdrlwyv.qvn

MD5 298656d65ae7278f43e09c37cf78d436
SHA1 2fe313b24781f78c9913928261382b3a17b0685c
SHA256 52ba5991b1041afb5123a67cc63e2e9796a0342d0987c28adffc70c4c8cbe9bc
SHA512 6bd9e406a8448f3850e8302ef17db986d494b0d99258d5920a3b5fa04bad9abcc08530ad1e0399cc87153d5b71f4a887705dab4122e6e20f0d489eb06bb2c852

C:\agixcgk.bat

MD5 63daff54e0942f3e71a8b83e3b4b85c3
SHA1 daa9a8e73adfae1ea659d588c1ff03769441651f
SHA256 702d3c6df52613c1e479797bd35216ba811304e71f2a7f3bb20a18c4685ba655
SHA512 fe2619e4e920364e2f001c96b238addc50e5d2b93e7698d59c2be6cd39016aa51ff1434532806e9dec0182be2ac9012f986a911522a0db8966278f0ca8007818