Analysis Overview
SHA256
7c0be0e7c8bb10da6c1dcf2b6e0b56ebc93f18af8a56dc0a479a4d7098d59226
Threat Level: Known bad
The file 1123f172c57750172e8d6b3f993d9513_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies WinLogon for persistence
Disables RegEdit via registry modification
Disables Task Manager via registry modification
Adds policy Run key to start application
Executes dropped EXE
Impair Defenses: Safe Mode Boot
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Looks up external IP address via web service
Checks whether UAC is enabled
Drops file in System32 directory
Drops autorun.inf file
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 07:11
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 07:11
Reported
2024-06-26 07:13
Platform
win7-20240611-en
Max time kernel
151s
Max time network
155s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavqogysortfwxctjocx.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatmiyogabblazcrfi.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "yizqkymcutrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "oatmiyogabblazcrfi.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "mavqogysortfwxctjocx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqiavkzqjjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizqkymcutrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "yizqkymcutrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavqogysortfwxctjocx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavqogysortfwxctjocx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatmiyogabblazcrfi.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "bqmihatolpsfxzfxoujfb.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqiavkzqjjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "bqmihatolpsfxzfxoujfb.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "yizqkymcutrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "bqmihatolpsfxzfxoujfb.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "oatmiyogabblazcrfi.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizqkymcutrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qyncugsgwtpvgb = "mavqogysortfwxctjocx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmihatolpsfxzfxoujfb.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
Disables Task Manager via registry modification
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "fqiavkzqjjirfdftg.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqiavkzqjjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmihatolpsfxzfxoujfb.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oatmiyogabblazcrfi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmihatolpsfxzfxoujfb.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "oatmiyogabblazcrfi.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqiavkzqjjirfdftg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavqogysortfwxctjocx.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqiavkzqjjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "yizqkymcutrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmihatolpsfxzfxoujfb.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "mavqogysortfwxctjocx.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizqkymcutrzmjkx.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oatmiyogabblazcrfi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmihatolpsfxzfxoujfb.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yizqkymcutrzmjkx = "oatmiyogabblazcrfi.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqiavkzqjjirfdftg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmihatolpsfxzfxoujfb.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oatmiyogabblazcrfi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqiavkzqjjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcsibobqhfcjvrr = "fqiavkzqjjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "oatmiyogabblazcrfi.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yizqkymcutrzmjkx = "mavqogysortfwxctjocx.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqiavkzqjjirfdftg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavqogysortfwxctjocx.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcsibobqhfcjvrr = "yizqkymcutrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcsibobqhfcjvrr = "bqmihatolpsfxzfxoujfb.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqiavkzqjjirfdftg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmihatolpsfxzfxoujfb.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqiavkzqjjirfdftg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizqkymcutrzmjkx.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yizqkymcutrzmjkx = "oatmiyogabblazcrfi.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmgaxofytvwhxxbrgkx.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavqogysortfwxctjocx.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcsibobqhfcjvrr = "mavqogysortfwxctjocx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcsibobqhfcjvrr = "oatmiyogabblazcrfi.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yizqkymcutrzmjkx = "mavqogysortfwxctjocx.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmihatolpsfxzfxoujfb.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmihatolpsfxzfxoujfb.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcsibobqhfcjvrr = "fqiavkzqjjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yizqkymcutrzmjkx = "mavqogysortfwxctjocx.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavqogysortfwxctjocx.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "bqmihatolpsfxzfxoujfb.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "mavqogysortfwxctjocx.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "fqiavkzqjjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yizqkymcutrzmjkx = "bqmihatolpsfxzfxoujfb.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqiavkzqjjirfdftg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqiavkzqjjirfdftg.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "bqmihatolpsfxzfxoujfb.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oatmiyogabblazcrfi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yizqkymcutrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oatmiyogabblazcrfi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oatmiyogabblazcrfi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatmiyogabblazcrfi.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "mavqogysortfwxctjocx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcsibobqhfcjvrr = "bqmihatolpsfxzfxoujfb.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oatmiyogabblazcrfi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqmihatolpsfxzfxoujfb.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\fqiavkzqjjirfdftg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatmiyogabblazcrfi.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "fqiavkzqjjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yizqkymcutrzmjkx = "zmgaxofytvwhxxbrgkx.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcsibobqhfcjvrr = "yizqkymcutrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mavqogysortfwxctjocx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yizqkymcutrzmjkx = "yizqkymcutrzmjkx.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yizqkymcutrzmjkx = "oatmiyogabblazcrfi.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqiavkzqjjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "fqiavkzqjjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "oatmiyogabblazcrfi.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcsibobqhfcjvrr = "zmgaxofytvwhxxbrgkx.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qwjwmwgsgbvz = "oatmiyogabblazcrfi.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcsibobqhfcjvrr = "yizqkymcutrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oatmiyogabblazcrfi.exe ." | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt = "bqmihatolpsfxzfxoujfb.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
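The registry changes catalogued in the tables above (the UAC policy values forced to 0, the Winlogon Shell rewrite, the Policies\Explorer\Run and Run/RunOnce entries, DisableRegistryTools, and the deleted SafeBoot\Minimal service keys) are exactly what endpoint registry telemetry should fire on. The following is an added example and not part of the sandbox report: a small Python classifier that parses a constructed pipe-separated export of Sysmon registry events (Event ID 12 key create/delete, Event ID 13 value set) and maps each event onto the behaviour names this report uses. The export layout, the sample rows and the benign control row are assumptions; the key paths are those shown in the tables. One caveat worth encoding: the sample writes the default data ("Explorer.exe") back into Winlogon\Shell, so a rule that only matches non-default Shell data would miss it, and the check below alerts on the write itself when it comes from outside C:\Windows.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

REG_KEY_EVENT, REG_VALUE_EVENT = 12, 13   # Sysmon: 12 = key created/deleted, 13 = value set
UAC_POLICY_VALUES = {"enablelua", "consentpromptbehavioradmin",
                     "consentpromptbehavioruser", "promptonsecuredesktop"}
TOOL_DISABLE_VALUES = {"disableregistrytools": "Disables RegEdit",
                       "disabletaskmgr": "Disables Task Manager"}

@dataclass(frozen=True)
class RegEvent:
    event_id: int
    event_type: str   # SetValue | CreateKey | DeleteKey
    image: str        # process that made the change
    target: str       # Sysmon TargetObject: the key, or key\value for SetValue
    details: str      # value data for SetValue, empty otherwise

def canonical_path(target: str) -> str:
    """Lower-case, strip the hive prefix (and the SID under HKU) and the Wow6432Node
    redirection, so one rule matches every spelling of a key seen in telemetry."""
    p = target.lower().replace("/", "\\")
    for prefix in ("\\registry\\machine\\", "hklm\\", "hkey_local_machine\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
            break
    else:
        for prefix in ("\\registry\\user\\", "hku\\", "hkey_users\\"):
            if p.startswith(prefix):
                parts = p[len(prefix):].split("\\", 1)
                p = parts[1] if len(parts) == 2 else parts[0]
                break
    return p.replace("wow6432node\\", "")

def dword_value(details: str) -> Optional[int]:
    """Sysmon renders REG_DWORD data as 'DWORD (0x00000000)'."""
    m = re.search(r"dword\s*\(0x([0-9a-f]+)\)", details, re.I)
    return int(m.group(1), 16) if m else None

def classify(ev: RegEvent) -> Optional[str]:
    """Map one registry event to the behaviour name the report uses, or None."""
    path = canonical_path(ev.target)
    key, _, name = path.rpartition("\\")
    if ev.event_type == "SetValue":
        if key.endswith("currentversion\\policies\\system"):
            if name in UAC_POLICY_VALUES and dword_value(ev.details) == 0:
                return "UAC bypass"
            if name in TOOL_DISABLE_VALUES and dword_value(ev.details) == 1:
                return TOOL_DISABLE_VALUES[name]
        if key.endswith("windows nt\\currentversion\\winlogon") and name == "shell":
            # The report shows the default data ("Explorer.exe") being written back, so a rule
            # keyed on non-default data misses it: alert on any write from outside C:\Windows.
            if not ev.image.lower().startswith("c:\\windows\\"):
                return "Modifies WinLogon for persistence"
        if key.endswith("currentversion\\policies\\explorer\\run"):
            return "Adds policy Run key to start application"
        if key.endswith(("currentversion\\run", "currentversion\\runonce")):
            data = ev.details.strip().strip('"').lower()
            # A bare file name resolves through the search path (the report drops copies into
            # SysWOW64); a %TEMP% path is equally out of place in an autostart entry.
            if "\\" not in data or "\\appdata\\local\\temp\\" in data:
                return "Adds Run key to start application"
    elif ev.event_type == "DeleteKey" and "\\control\\safeboot\\minimal\\" in path:
        return "Impair Defenses: Safe Mode Boot"
    return None

def parse_export(text: str) -> list:
    """Parse a pipe-separated export: EventID|EventType|Image|TargetObject|Details."""
    events = []
    for line in text.strip().splitlines():
        cols = line.split("|")
        if len(cols) >= 4 and cols[0].isdigit() and int(cols[0]) in (REG_KEY_EVENT, REG_VALUE_EVENT):
            events.append(RegEvent(int(cols[0]), cols[1], cols[2], cols[3],
                                   cols[4] if len(cols) > 4 else ""))
    return events

def scan(text: str) -> list:
    """Return (behaviour, image, target) triples for every event that matches a rule."""
    return [(b, ev.image, ev.target) for ev in parse_export(text)
            if (b := classify(ev)) is not None]

def summarize(findings) -> dict:
    return dict(Counter(b for b, _, _ in findings))

# Constructed sample export mirroring the report's indicators (not real telemetry); the last
# line is a benign control entry that must not fire.
SAMPLE_EXPORT = r"""
13|SetValue|C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA|DWORD (0x00000000)
13|SetValue|C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe|HKU\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools|DWORD (0x00000001)
13|SetValue|C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe|HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell|Explorer.exe
13|SetValue|C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\tykwludobvo|C:\Users\Admin\AppData\Local\Temp\mavqogysortfwxctjocx.exe
13|SetValue|C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe|HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pwkypalynjejt|fqiavkzqjjirfdftg.exe .
12|DeleteKey|C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe|HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend|
13|SetValue|C:\Program Files\ExampleVendor\setup.exe|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExampleUpdater|C:\Program Files\ExampleVendor\updater.exe
"""

if __name__ == "__main__":
    for behaviour, image, target in scan(SAMPLE_EXPORT):
        print(f"{behaviour:42} {image} -> {target}")
```

The same rules apply unchanged to EDR registry telemetry; with Sysmon specifically, events 12 and 13 are only emitted for key paths that the Sysmon configuration includes, so the Policies\System, Winlogon, Policies\Explorer\Run, Run/RunOnce and SafeBoot\Minimal paths above need to be in the include list before any of this can fire.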
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
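Writing autorun.inf to the root of C:\ and F:\ is the classic removable-media spreading step: the same dropped executables are offered to whatever drive the file lands on. The report does not show the dropped file's contents, so the following is an added example rather than anything taken from the sample: a Python helper that parses an autorun.inf and flags the directives that launch a program or make the drive look ordinary. The sample file is constructed for illustration, and the executable name it references is only borrowed from the dropped files listed above. On Windows 7 hosts without the 2011 AutoRun hardening update, open= still fires on USB insertion; on patched and later systems only optical media honour it, but the shell\ verbs still land in the drive's context menu and run when a user double-clicks the drive.

```python
import configparser

# Directives under [autorun] that launch a program when the volume is mounted or opened.
LAUNCH_DIRECTIVES = ("open", "shellexecute")
EXEC_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js")

def parse_autorun(text: str) -> dict:
    """Return the [autorun] directives as a lower-cased dict (empty if no such section).
    The file is INI-style; keys are case-insensitive and may contain backslashes, e.g.
    shell\\open\\command, which configparser keeps verbatim. strict=False tolerates the
    duplicate keys often seen in hand-written or generated files."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:        # not INI at all, or text before the first section
        return {}
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return {}
    return {k.lower(): v.strip() for k, v in cp.items(section)}

def launch_targets(directives: dict) -> dict:
    """Map each launching directive (open, shellexecute, shell\\<verb>\\command) to the
    first token of its value, i.e. the program it would run."""
    out = {}
    for key, value in directives.items():
        is_verb = key.startswith("shell\\") and key.endswith("\\command")
        if (key in LAUNCH_DIRECTIVES or is_verb) and value:
            out[key] = value.split()[0].strip('"')
    return out

def assess_autorun(text: str) -> list:
    """Flag the traits of an autorun.inf written to spread a payload rather than label a disc."""
    d = parse_autorun(text)
    flags = []
    for key, target in launch_targets(d).items():
        if target.lower().endswith(EXEC_SUFFIXES):
            flags.append(f"runs {target} via {key}")
    if "folder" in d.get("action", "").lower():
        flags.append("action text imitates Explorer's own 'Open folder' entry")
    if "shell32.dll" in d.get("icon", "").lower():
        flags.append("borrows a stock Windows icon so the drive looks normal")
    if d.get("useautoplay") == "1":
        flags.append("UseAutoPlay=1 forces AutoPlay handling")
    return flags

# Constructed sample; the report does not show the contents of the dropped autorun.inf.
SAMPLE_AUTORUN = r"""
[AutoRun]
open=zaiqbgl.exe
shell\open=Open
shell\open\command=zaiqbgl.exe
shell\explore=Explore
shell\explore\command=zaiqbgl.exe
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
useautoplay=1
"""
# Constructed benign control: a labelled backup disc with its own icon and no launcher.
BENIGN_AUTORUN = "[autorun]\nlabel=Backup 2024\nicon=backup.ico\n"

if __name__ == "__main__":
    for flag in assess_autorun(SAMPLE_AUTORUN):
        print(flag)
```

When triaging a real drive, read the file with the volume mounted read-only and compare the launch target against the dropped file names from the sandbox report; a match on one of the SysWOW64 or %TEMP% names above is a direct link back to this sample.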
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\zmgaxofytvwhxxbrgkx.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File created | C:\Windows\SysWOW64\oatmiyogabblazcrfi.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oatmiyogabblazcrfi.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File created | C:\Windows\SysWOW64\oatmiyogabblazcrfi.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File created | C:\Windows\SysWOW64\mavqogysortfwxctjocx.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File created | C:\Windows\SysWOW64\fqiavkzqjjirfdftg.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File created | C:\Windows\SysWOW64\zmgaxofytvwhxxbrgkx.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File created | C:\Windows\SysWOW64\fqiavkzqjjirfdftg.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bqmihatolpsfxzfxoujfb.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File created | C:\Windows\SysWOW64\dwwwzwtstbizvblhcmfff.fcb | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File created | C:\Windows\SysWOW64\yizqkymcutrzmjkx.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ycnymucmyrjlsjelrmqbmaiqamfxzgxs.fae | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oatmiyogabblazcrfi.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File created | C:\Windows\SysWOW64\oatmiyogabblazcrfi.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bqmihatolpsfxzfxoujfb.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File created | C:\Windows\SysWOW64\bqmihatolpsfxzfxoujfb.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sifccwqmkpthadkdvcspmm.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File created | C:\Windows\SysWOW64\sifccwqmkpthadkdvcspmm.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sifccwqmkpthadkdvcspmm.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dwwwzwtstbizvblhcmfff.fcb | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yizqkymcutrzmjkx.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yizqkymcutrzmjkx.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File created | C:\Windows\SysWOW64\sifccwqmkpthadkdvcspmm.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File created | C:\Windows\SysWOW64\ycnymucmyrjlsjelrmqbmaiqamfxzgxs.fae | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File created | C:\Windows\SysWOW64\bqmihatolpsfxzfxoujfb.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File created | C:\Windows\SysWOW64\zmgaxofytvwhxxbrgkx.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File created | C:\Windows\SysWOW64\yizqkymcutrzmjkx.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File created | C:\Windows\SysWOW64\mavqogysortfwxctjocx.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fqiavkzqjjirfdftg.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fqiavkzqjjirfdftg.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mavqogysortfwxctjocx.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mavqogysortfwxctjocx.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zmgaxofytvwhxxbrgkx.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\dwwwzwtstbizvblhcmfff.fcb | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File created | C:\Program Files (x86)\ycnymucmyrjlsjelrmqbmaiqamfxzgxs.fae | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ycnymucmyrjlsjelrmqbmaiqamfxzgxs.fae | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File created | C:\Program Files (x86)\dwwwzwtstbizvblhcmfff.fcb | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\sifccwqmkpthadkdvcspmm.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File opened for modification | C:\Windows\yizqkymcutrzmjkx.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File created | C:\Windows\yizqkymcutrzmjkx.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\oatmiyogabblazcrfi.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File created | C:\Windows\oatmiyogabblazcrfi.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File created | C:\Windows\zmgaxofytvwhxxbrgkx.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File opened for modification | C:\Windows\mavqogysortfwxctjocx.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File opened for modification | C:\Windows\fqiavkzqjjirfdftg.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File opened for modification | C:\Windows\yizqkymcutrzmjkx.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File created | C:\Windows\sifccwqmkpthadkdvcspmm.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\mavqogysortfwxctjocx.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\bqmihatolpsfxzfxoujfb.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File created | C:\Windows\mavqogysortfwxctjocx.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File created | C:\Windows\mavqogysortfwxctjocx.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File created | C:\Windows\zmgaxofytvwhxxbrgkx.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File created | C:\Windows\bqmihatolpsfxzfxoujfb.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\zmgaxofytvwhxxbrgkx.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File created | C:\Windows\fqiavkzqjjirfdftg.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File opened for modification | C:\Windows\ycnymucmyrjlsjelrmqbmaiqamfxzgxs.fae | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File opened for modification | C:\Windows\sifccwqmkpthadkdvcspmm.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File opened for modification | C:\Windows\dwwwzwtstbizvblhcmfff.fcb | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File created | C:\Windows\yizqkymcutrzmjkx.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File opened for modification | C:\Windows\oatmiyogabblazcrfi.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File opened for modification | C:\Windows\bqmihatolpsfxzfxoujfb.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\zmgaxofytvwhxxbrgkx.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\sifccwqmkpthadkdvcspmm.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File created | C:\Windows\dwwwzwtstbizvblhcmfff.fcb | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File created | C:\Windows\fqiavkzqjjirfdftg.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\fqiavkzqjjirfdftg.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File created | C:\Windows\oatmiyogabblazcrfi.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File created | C:\Windows\bqmihatolpsfxzfxoujfb.exe | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| File created | C:\Windows\ycnymucmyrjlsjelrmqbmaiqamfxzgxs.fae | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | N/A |
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe | "C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | "C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe" "c:\users\admin\appdata\local\temp\1123f172c57750172e8d6b3f993d9513_jaffacakes118.exe*" |
| C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | "C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe" "-c:\users\admin\appdata\local\temp\1123f172c57750172e8d6b3f993d9513_jaffacakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe | "C:\Users\Admin\AppData\Local\Temp\zaiqbgl.exe" "-c:\users\admin\appdata\local\temp\1123f172c57750172e8d6b3f993d9513_jaffacakes118.exe" |
| C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | "C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe" "c:\users\admin\appdata\local\temp\1123f172c57750172e8d6b3f993d9513_jaffacakes118.exe" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 142.250.178.14:80 | www.youtube.com | tcp |
| AU | 218.100.81.0:3432 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe
| MD5 | a3492b467622a421ab2ff18ba2762c53 |
| SHA1 | 2e6963888847f0e70d9efe6c99b6cfe3d1b0e1e0 |
| SHA256 | 062efd6997c37d42c5394912d2a59a4105cf789c90824cf56a7dd64569f973fd |
| SHA512 | deb864b71ac1c1b3b65642d5af2f3e82ec3430dedda24a3abe2ec19425c6b1c1aa963d9e8bb60fe9a29228448a50a6392a7899434ba9e500a3ea13f958866a32 |
C:\Windows\SysWOW64\oatmiyogabblazcrfi.exe
| MD5 | 1123f172c57750172e8d6b3f993d9513 |
| SHA1 | 7656038336d4e81804790f6d23bd0f72b2bb1542 |
| SHA256 | 7c0be0e7c8bb10da6c1dcf2b6e0b56ebc93f18af8a56dc0a479a4d7098d59226 |
| SHA512 | e865ea1b9294607e8b0bcd3423ab543fe167e96251c1f058ebe524e062fb68dcdcebbee03b6422b5d4e08728d58981d895c9119042a3e08e0595d38d34f86fdc |
\Users\Admin\AppData\Local\Temp\zaiqbgl.exe
| MD5 | 67b6de0f59baea1a26ef953a573fa5e0 |
| SHA1 | bb0e72eaecbc1459ff4937ff925eabf7dc26c2a3 |
| SHA256 | c9d1afafa5823f86a4a1f18eb08ca64be4eb0fe04b5e43900f679e7a384f9dea |
| SHA512 | 68ca6f668648da41d0415b46f7c43615ac9e5ef84a41a571f8432de2e25fe41e16dae9e7b6a265340151663d1470c65fb18d8092b2f23d5f1ada5de3cf1fab1d |
C:\Users\Admin\AppData\Local\dwwwzwtstbizvblhcmfff.fcb
| MD5 | f633f0857752ef848cd9786038626a5c |
| SHA1 | 9c50914882894e97c1e1047cd9a9120987442680 |
| SHA256 | ffb8e8ccfb593fdf88ddcba7192b171103a4111d0f0e4a8056a16ee8e26877da |
| SHA512 | 0114ffe48eb0d9f7786921752c3c3564323a5fd4e63ad51305564e99dedfdef19827679a62a804095def86ecbbdfbf8244698630c60de2a2689cec3d46758b2d |
C:\Users\Admin\AppData\Local\ycnymucmyrjlsjelrmqbmaiqamfxzgxs.fae
| MD5 | 7205e6a45d06070d5798c451ec5e8876 |
| SHA1 | c1362723136fd30372cbd6c4dfa54369c09f7246 |
| SHA256 | 0c34b4e75249d1b64646c9d8cb4c08408a25dc60c6be103f9fc67aaab6358345 |
| SHA512 | 6c5da2b3ea5e7f11654fd4a80ea7a3eea749b997e817a40361b1fdf411dc7262d3c30e540d6dae0b711eb8b3409ad3c529ce0929f3f78af4f07554f8b8fe3a0c |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 07:11
Reported
2024-06-26 07:13
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
101s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwzpvafn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zozxlylblfhbbsad.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "pgttjynfrnrnpisxri.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwzpvafn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zozxlylblfhbbsad.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwzpvafn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgttjynfrnrnpisxri.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "pgttjynfrnrnpisxri.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwzpvafn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asghyoexkhmjmgrxsky.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "ngvxpgxrfdjhlgszvodf.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "gwihwkypavytumvzs.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "asghyoexkhmjmgrxsky.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "zozxlylblfhbbsad.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwzpvafn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmpiasncbihmivdaukng.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "asghyoexkhmjmgrxsky.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwzpvafn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgttjynfrnrnpisxri.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwzpvafn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zozxlylblfhbbsad.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwzpvafn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gwihwkypavytumvzs.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwzpvafn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asghyoexkhmjmgrxsky.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "cwmpiasncbihmivdaukng.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "zozxlylblfhbbsad.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "gwihwkypavytumvzs.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwzpvafn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngvxpgxrfdjhlgszvodf.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "asghyoexkhmjmgrxsky.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "zozxlylblfhbbsad.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\uekdmucnshe = "ngvxpgxrfdjhlgszvodf.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zozxlylblfhbbsad.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uispcoapyrslkah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgttjynfrnrnpisxri.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "pgttjynfrnrnpisxri.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uispcoapyrslkah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngvxpgxrfdjhlgszvodf.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "cwmpiasncbihmivdaukng.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asghyoexkhmjmgrxsky.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "ngvxpgxrfdjhlgszvodf.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmpiasncbihmivdaukng.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "pgttjynfrnrnpisxri.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmpiasncbihmivdaukng.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgttjynfrnrnpisxri.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "zozxlylblfhbbsad.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uispcoapyrslkah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zozxlylblfhbbsad.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcjdnwfrxnlb = "gwihwkypavytumvzs.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qckfqakxevuli = "asghyoexkhmjmgrxsky.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\renjvgrfnffxvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmpiasncbihmivdaukng.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\renjvgrfnffxvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngvxpgxrfdjhlgszvodf.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcjdnwfrxnlb = "cwmpiasncbihmivdaukng.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "zozxlylblfhbbsad.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "cwmpiasncbihmivdaukng.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "pgttjynfrnrnpisxri.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\renjvgrfnffxvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zozxlylblfhbbsad.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "pgttjynfrnrnpisxri.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "gwihwkypavytumvzs.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qckfqakxevuli = "zozxlylblfhbbsad.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgttjynfrnrnpisxri.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcjdnwfrxnlb = "zozxlylblfhbbsad.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qckfqakxevuli = "pgttjynfrnrnpisxri.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\renjvgrfnffxvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmpiasncbihmivdaukng.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcjdnwfrxnlb = "asghyoexkhmjmgrxsky.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\renjvgrfnffxvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgttjynfrnrnpisxri.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcjdnwfrxnlb = "pgttjynfrnrnpisxri.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\renjvgrfnffxvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmpiasncbihmivdaukng.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qckfqakxevuli = "cwmpiasncbihmivdaukng.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmpiasncbihmivdaukng.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ngvxpgxrfdjhlgszvodf.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "pgttjynfrnrnpisxri.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uispcoapyrslkah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asghyoexkhmjmgrxsky.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "cwmpiasncbihmivdaukng.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qckfqakxevuli = "zozxlylblfhbbsad.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qckfqakxevuli = "ngvxpgxrfdjhlgszvodf.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uispcoapyrslkah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmpiasncbihmivdaukng.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qckfqakxevuli = "gwihwkypavytumvzs.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gwihwkypavytumvzs.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gwihwkypavytumvzs.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "ngvxpgxrfdjhlgszvodf.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\renjvgrfnffxvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgttjynfrnrnpisxri.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uispcoapyrslkah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zozxlylblfhbbsad.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qckfqakxevuli = "zozxlylblfhbbsad.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uispcoapyrslkah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gwihwkypavytumvzs.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\renjvgrfnffxvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gwihwkypavytumvzs.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\qckfqakxevuli = "gwihwkypavytumvzs.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asghyoexkhmjmgrxsky.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgttjynfrnrnpisxri.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcjdnwfrxnlb = "pgttjynfrnrnpisxri.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "asghyoexkhmjmgrxsky.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "gwihwkypavytumvzs.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\asghyoexkhmjmgrxsky.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gosjqwclo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gwihwkypavytumvzs.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uispcoapyrslkah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgttjynfrnrnpisxri.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\renjvgrfnffxvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwmpiasncbihmivdaukng.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcjdnwfrxnlb = "zozxlylblfhbbsad.exe" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rcjdnwfrxnlb = "cwmpiasncbihmivdaukng.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zinfnublpd = "asghyoexkhmjmgrxsky.exe ." | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\ngvxpgxrfdjhlgszvodf.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\SysWOW64\ngvxpgxrfdjhlgszvodf.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\SysWOW64\cwmpiasncbihmivdaukng.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ngvxpgxrfdjhlgszvodf.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ngvxpgxrfdjhlgszvodf.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\SysWOW64\pgttjynfrnrnpisxri.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tofjdwplbbjjpmajhctxrk.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\SysWOW64\gwihwkypavytumvzs.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\SysWOW64\zozxlylblfhbbsad.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\SysWOW64\tofjdwplbbjjpmajhctxrk.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\SysWOW64\pgttjynfrnrnpisxri.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cwmpiasncbihmivdaukng.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ngvxpgxrfdjhlgszvodf.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cwmpiasncbihmivdaukng.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\SysWOW64\cwmpiasncbihmivdaukng.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gwihwkypavytumvzs.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\asghyoexkhmjmgrxsky.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\SysWOW64\cwmpiasncbihmivdaukng.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\SysWOW64\asghyoexkhmjmgrxsky.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cwmpiasncbihmivdaukng.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gwihwkypavytumvzs.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\SysWOW64\zozxlylblfhbbsad.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pgttjynfrnrnpisxri.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zozxlylblfhbbsad.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gwihwkypavytumvzs.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\SysWOW64\pgttjynfrnrnpisxri.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gwihwkypavytumvzs.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\asghyoexkhmjmgrxsky.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\SysWOW64\pgttjynfrnrnpisxri.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\SysWOW64\tofjdwplbbjjpmajhctxrk.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\SysWOW64\ngvxpgxrfdjhlgszvodf.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\SysWOW64\zinfnublpdznhsurdmrjryfpthdrlwyv.qvn | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\asghyoexkhmjmgrxsky.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ngvxpgxrfdjhlgszvodf.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\SysWOW64\gwihwkypavytumvzs.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\SysWOW64\zozxlylblfhbbsad.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\SysWOW64\zozxlylblfhbbsad.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pgttjynfrnrnpisxri.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\SysWOW64\ecwdawsrknybkkbnomgnk.cbu | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\SysWOW64\cwmpiasncbihmivdaukng.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tofjdwplbbjjpmajhctxrk.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\SysWOW64\asghyoexkhmjmgrxsky.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\asghyoexkhmjmgrxsky.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ecwdawsrknybkkbnomgnk.cbu | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zinfnublpdznhsurdmrjryfpthdrlwyv.qvn | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zozxlylblfhbbsad.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pgttjynfrnrnpisxri.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\SysWOW64\tofjdwplbbjjpmajhctxrk.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\SysWOW64\asghyoexkhmjmgrxsky.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pgttjynfrnrnpisxri.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tofjdwplbbjjpmajhctxrk.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\SysWOW64\asghyoexkhmjmgrxsky.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\SysWOW64\ngvxpgxrfdjhlgszvodf.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\SysWOW64\gwihwkypavytumvzs.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zozxlylblfhbbsad.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tofjdwplbbjjpmajhctxrk.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\SysWOW64\tofjdwplbbjjpmajhctxrk.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cwmpiasncbihmivdaukng.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zozxlylblfhbbsad.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\SysWOW64\gwihwkypavytumvzs.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\ecwdawsrknybkkbnomgnk.cbu | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ecwdawsrknybkkbnomgnk.cbu | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Program Files (x86)\zinfnublpdznhsurdmrjryfpthdrlwyv.qvn | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\zinfnublpdznhsurdmrjryfpthdrlwyv.qvn | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\pgttjynfrnrnpisxri.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\asghyoexkhmjmgrxsky.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\pgttjynfrnrnpisxri.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\pgttjynfrnrnpisxri.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\ngvxpgxrfdjhlgszvodf.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\ngvxpgxrfdjhlgszvodf.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\ngvxpgxrfdjhlgszvodf.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\zozxlylblfhbbsad.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\zozxlylblfhbbsad.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\gwihwkypavytumvzs.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\cwmpiasncbihmivdaukng.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\cwmpiasncbihmivdaukng.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\gwihwkypavytumvzs.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\asghyoexkhmjmgrxsky.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\ngvxpgxrfdjhlgszvodf.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\cwmpiasncbihmivdaukng.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\pgttjynfrnrnpisxri.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\asghyoexkhmjmgrxsky.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\cwmpiasncbihmivdaukng.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\cwmpiasncbihmivdaukng.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\pgttjynfrnrnpisxri.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\gwihwkypavytumvzs.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\asghyoexkhmjmgrxsky.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\ngvxpgxrfdjhlgszvodf.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\ecwdawsrknybkkbnomgnk.cbu | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\zozxlylblfhbbsad.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\ngvxpgxrfdjhlgszvodf.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\pgttjynfrnrnpisxri.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\asghyoexkhmjmgrxsky.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\gwihwkypavytumvzs.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\cwmpiasncbihmivdaukng.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\ngvxpgxrfdjhlgszvodf.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\tofjdwplbbjjpmajhctxrk.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\tofjdwplbbjjpmajhctxrk.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\tofjdwplbbjjpmajhctxrk.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\zozxlylblfhbbsad.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\ngvxpgxrfdjhlgszvodf.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\ecwdawsrknybkkbnomgnk.cbu | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\tofjdwplbbjjpmajhctxrk.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\zozxlylblfhbbsad.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\cwmpiasncbihmivdaukng.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\tofjdwplbbjjpmajhctxrk.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\gwihwkypavytumvzs.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\cwmpiasncbihmivdaukng.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\zinfnublpdznhsurdmrjryfpthdrlwyv.qvn | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\tofjdwplbbjjpmajhctxrk.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\tofjdwplbbjjpmajhctxrk.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\asghyoexkhmjmgrxsky.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\asghyoexkhmjmgrxsky.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\tofjdwplbbjjpmajhctxrk.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\pgttjynfrnrnpisxri.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\zozxlylblfhbbsad.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\asghyoexkhmjmgrxsky.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\pgttjynfrnrnpisxri.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\gwihwkypavytumvzs.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\zozxlylblfhbbsad.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File created | C:\Windows\zinfnublpdznhsurdmrjryfpthdrlwyv.qvn | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| File opened for modification | C:\Windows\zozxlylblfhbbsad.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\gwihwkypavytumvzs.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\gwihwkypavytumvzs.exe | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
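The policy writes in the table above are easier to triage once reduced to what actually changed from the default. The script below is an added example (it is not part of the sandbox report and not the sample's own code): it parses rows in this report's table layout, compares each integer policy write against an assumed out-of-the-box baseline for a standalone Windows 7 host (the detonation platform listed above; domain policy may differ), and decodes the NoDriveTypeAutoRun bitmask, which matters here because the same process also drops autorun.inf on C:\ and F:\. The baseline values and the wording of each finding are the editor's; the sample rows are a constructed subset copied from the table above.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of rows copied from the "System policy modification"
# table of this report. Any report using the same "| Set value (int) | path = "value" |
# process | target |" layout can be fed to audit() unchanged.
SAMPLE_ROWS = r"""
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = "1" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\agixcgk.exe | N/A |
"""

# One "Set value" row of the report table; "Key created" and other rows do not match.
POLICY_ROW = re.compile(
    r'^\|\s*Set value \((?P<kind>int|str)\)\s*\|\s*'
    r'(?P<path>\\REGISTRY\\[^=|]+?)\s*=\s*"(?P<value>[^"]*)"\s*\|\s*'
    r'(?P<proc>[^|]+?)\s*\|'
)

# Assumed baseline: out-of-the-box values on a standalone Windows 7 host. The second
# element says what the attacker gains when the write deviates from that default.
BASELINE = {
    "EnableLUA": (1, "UAC switched off for every account (effective after the next reboot)"),
    "ConsentPromptBehaviorAdmin": (5, "administrators elevate silently, no consent prompt"),
    "ConsentPromptBehaviorUser": (3, "standard users' elevation requests are auto-denied instead of prompting"),
    "PromptOnSecureDesktop": (1, "any remaining prompts are drawn on the normal desktop, where they can be spoofed"),
    "EnableInstallerDetection": (1, "installer detection off, setup-like binaries no longer trigger an elevation prompt"),
    "EnableSecureUIAPaths": (1, "UIAccess applications may run from outside Program Files and System32"),
    "EnableVirtualization": (1, "legacy file and registry write redirection disabled"),
    "ValidateAdminCodeSignatures": (0, "signature check on elevated binaries disabled"),
    "FilterAdministratorToken": (0, "Admin Approval Mode for the built-in Administrator disabled"),
    "DisableTaskMgr": (0, "Task Manager blocked for the user"),
    "DisableRegistryTools": (0, "regedit blocked for the user"),
    "NoFolderOptions": (0, "Folder Options removed, hidden and system files cannot be unhidden"),
}

DEFAULT_NO_DRIVE_TYPE_AUTORUN = 0x91  # Windows 7 default: unknown, remote and reserved disabled

# Bit n of NoDriveTypeAutoRun disables AutoRun for the drive type GetDriveType() reports as n.
DRIVE_TYPES = ["unknown", "no_root_dir", "removable", "fixed", "remote", "cdrom", "ramdisk", "reserved"]


def autorun_enabled_for(mask: int) -> list[str]:
    """Drive types whose autorun.inf is still honoured under this NoDriveTypeAutoRun mask."""
    return [name for bit, name in enumerate(DRIVE_TYPES) if not mask & (1 << bit)]


def _to_int(text: str) -> int:
    return int(text, 16) if text.lower().startswith("0x") else int(text)


def audit(report_text: str) -> dict[str, dict[str, str]]:
    """Map each writing process to the policy values it weakened and what that buys the attacker.

    Writes that merely restate the default (here ValidateAdminCodeSignatures = 0 and
    FilterAdministratorToken = 0) are skipped, so the output is the list a responder
    actually has to revert. Duplicate rows collapse naturally.
    """
    findings: dict[str, dict[str, str]] = defaultdict(dict)
    for line in report_text.splitlines():
        m = POLICY_ROW.match(line)
        if not m or m["kind"] != "int":
            continue
        name = m["path"].rsplit("\\", 1)[-1]
        proc = m["proc"].rsplit("\\", 1)[-1]
        value = _to_int(m["value"])
        if name == "NoDriveTypeAutoRun":
            newly = sorted(set(autorun_enabled_for(value))
                           - set(autorun_enabled_for(DEFAULT_NO_DRIVE_TYPE_AUTORUN)))
            if newly:
                findings[proc][name] = f"AutoRun re-enabled for {', '.join(newly)} drives (mask 0x{value:02x})"
        elif name in BASELINE:
            default, effect = BASELINE[name]
            if value != default:
                findings[proc][name] = f"{value} (default {default}): {effect}"
    return dict(findings)


if __name__ == "__main__":
    for proc, items in audit(SAMPLE_ROWS).items():
        print(proc)
        for name, finding in items.items():
            print(f"  {name}: {finding}")
```

Two writes that look alarming in the table, ValidateAdminCodeSignatures = 0 and FilterAdministratorToken = 0, match the Windows 7 defaults and change nothing, so the script drops them. EnableLUA = 0 takes effect only at the next reboot, so the UAC flags describe the post-reboot state rather than the state during this 151-second detonation. NoDriveTypeAutoRun = 1 clears the default bits for remote and reserved drive types, leaving AutoRun honoured on every drive type except "unknown", which is the setting the dropped autorun.inf files rely on.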
Processes
C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1123f172c57750172e8d6b3f993d9513_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
"C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\1123f172c57750172e8d6b3f993d9513_jaffacakes118.exe*"
C:\Users\Admin\AppData\Local\Temp\agixcgk.exe
"C:\Users\Admin\AppData\Local\Temp\agixcgk.exe" "-c:\users\admin\appdata\local\temp\1123f172c57750172e8d6b3f993d9513_jaffacakes118.exe"
C:\Users\Admin\AppData\Local\Temp\agixcgk.exe
"C:\Users\Admin\AppData\Local\Temp\agixcgk.exe" "-c:\users\admin\appdata\local\temp\1123f172c57750172e8d6b3f993d9513_jaffacakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
"C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\1123f172c57750172e8d6b3f993d9513_jaffacakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.206.27.104.in-addr.arpa | udp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | 56.74.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 216.58.204.78:80 | www.youtube.com | tcp |
| AU | 218.100.81.0:3432 | | tcp |
| US | 8.8.8.8:53 | mymqeo.info | udp |
| US | 8.8.8.8:53 | tfomvifox.cc | udp |
| US | 8.8.8.8:53 | korzjmnansnan.cc | udp |
| US | 8.8.8.8:53 | isuslk.biz | udp |
| US | 8.8.8.8:53 | qakayaiq.biz | udp |
| US | 8.8.8.8:53 | dlradsn.org | udp |
| US | 162.249.65.162:80 | dlradsn.org | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 78.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipagcn.cc | udp |
| US | 8.8.8.8:53 | eyusaaiugkeq.biz | udp |
| US | 8.8.8.8:53 | gcikqkuiwcymao.info | udp |
| US | 8.8.8.8:53 | mstgnqfqbex.org | udp |
| US | 8.8.8.8:53 | ggblkkdsholapet.org | udp |
| US | 8.8.8.8:53 | ckopbcuiwcymao.net | udp |
| US | 8.8.8.8:53 | ymazfyeoya.info | udp |
| US | 8.8.8.8:53 | kckspkdsholapet.com | udp |
| US | 8.8.8.8:53 | fajgnsn.com | udp |
| US | 8.8.8.8:53 | umqrio.biz | udp |
| US | 8.8.8.8:53 | eueymsuiwcymao.info | udp |
| US | 8.8.8.8:53 | deagvafox.org | udp |
| US | 8.8.8.8:53 | vfrvvcn.org | udp |
| US | 8.8.8.8:53 | ygsink.info | udp |
| US | 8.8.8.8:53 | agadss.biz | udp |
| US | 8.8.8.8:53 | ivqvrodsholapet.com | udp |
| US | 8.8.8.8:53 | ynrvwgfqbex.org | udp |
| US | 8.8.8.8:53 | ciuzwaiq.net | udp |
| US | 8.8.8.8:53 | uioezo.biz | udp |
| US | 8.8.8.8:53 | ohwiomnansnan.org | udp |
| US | 8.8.8.8:53 | ayhwaufqbex.org | udp |
| US | 8.8.8.8:53 | qgasocuiwcymao.info | udp |
| US | 8.8.8.8:53 | isspqkuiwcymao.biz | udp |
| US | 8.8.8.8:53 | iiuhlwnansnan.cc | udp |
| US | 8.8.8.8:53 | rxfmdwfox.org | udp |
| US | 8.8.8.8:53 | esowayeoya.biz | udp |
| US | 8.8.8.8:53 | swatnk.biz | udp |
| US | 8.8.8.8:53 | czyhvkdsholapet.org | udp |
| US | 8.8.8.8:53 | wofrnanansnan.com | udp |
| US | 8.8.8.8:53 | wwwkqwiugkeq.info | udp |
| US | 8.8.8.8:53 | yokivaiq.info | udp |
| US | 8.8.8.8:53 | lksrusfox.org | udp |
| US | 8.8.8.8:53 | kufamkdsholapet.cc | udp |
| US | 8.8.8.8:53 | wskoageoya.net | udp |
| US | 8.8.8.8:53 | ykkges.info | udp |
| US | 8.8.8.8:53 | ubcmvadsholapet.org | udp |
| US | 8.8.8.8:53 | nbjmgafox.org | udp |
| US | 8.8.8.8:53 | ccquxqeoya.net | udp |
| US | 8.8.8.8:53 | gisahqeoya.info | udp |
| US | 8.8.8.8:53 | xsymfsfox.cc | udp |
| US | 8.8.8.8:53 | synfeanansnan.com | udp |
| US | 8.8.8.8:53 | ocusqyeoya.biz | udp |
| US | 8.8.8.8:53 | sguxwcuiwcymao.biz | udp |
| US | 8.8.8.8:53 | dnfjlkn.com | udp |
| US | 8.8.8.8:53 | dthuzifox.cc | udp |
| US | 8.8.8.8:53 | qmgwwmiq.biz | udp |
| US | 8.8.8.8:53 | qikukwiq.net | udp |
| US | 8.8.8.8:53 | joqanifox.cc | udp |
| US | 8.8.8.8:53 | mmxsxqfqbex.cc | udp |
| US | 8.8.8.8:53 | ooqyhwiq.info | udp |
| US | 8.8.8.8:53 | iekazkuiwcymao.info | udp |
| US | 8.8.8.8:53 | bpyxjwfox.org | udp |
| US | 8.8.8.8:53 | umdhukdsholapet.cc | udp |
| US | 8.8.8.8:53 | uukgzaiq.biz | udp |
| US | 8.8.8.8:53 | jbnscgn.org | udp |
| US | 8.8.8.8:53 | qkmowk.net | udp |
| US | 8.8.8.8:53 | mwcxwqeoya.net | udp |
| US | 8.8.8.8:53 | ufvxtgfqbex.com | udp |
| US | 8.8.8.8:53 | gvhapwnansnan.org | udp |
| US | 8.8.8.8:53 | omugoguiwcymao.biz | udp |
| US | 8.8.8.8:53 | sqsswaiugkeq.net | udp |
| US | 8.8.8.8:53 | fvniwcn.com | udp |
| US | 8.8.8.8:53 | yspusodsholapet.org | udp |
| US | 8.8.8.8:53 | ywqyma.info | udp |
| US | 8.8.8.8:53 | oaoxko.net | udp |
| US | 8.8.8.8:53 | uxllwufqbex.cc | udp |
| US | 8.8.8.8:53 | xwvnlkn.cc | udp |
| US | 8.8.8.8:53 | mmqxggeoya.biz | udp |
| US | 8.8.8.8:53 | oaiavsuiwcymao.info | udp |
| US | 8.8.8.8:53 | pdpagcn.com | udp |
| US | 8.8.8.8:53 | kghezufqbex.org | udp |
| US | 8.8.8.8:53 | qscagiiugkeq.info | udp |
| US | 8.8.8.8:53 | gowiaguiwcymao.biz | udp |
| US | 8.8.8.8:53 | jkfmzsfox.cc | udp |
| US | 8.8.8.8:53 | wmuiysiugkeq.biz | udp |
| US | 8.8.8.8:53 | kupapmnansnan.com | udp |
| US | 8.8.8.8:53 | ugmqsguiwcymao.biz | udp |
| US | 8.8.8.8:53 | kkamwwiq.biz | udp |
| US | 8.8.8.8:53 | fksytsfox.cc | udp |
| US | 8.8.8.8:53 | shnslodsholapet.cc | udp |
| US | 8.8.8.8:53 | suaksiiugkeq.net | udp |
| US | 8.8.8.8:53 | qccsnsuiwcymao.info | udp |
| US | 8.8.8.8:53 | ggsltenansnan.cc | udp |
| US | 8.8.8.8:53 | gcxzranansnan.com | udp |
| US | 8.8.8.8:53 | qawgmaiugkeq.info | udp |
| US | 8.8.8.8:53 | kwcmukuiwcymao.info | udp |
| US | 8.8.8.8:53 | ihsqtsdsholapet.cc | udp |
| US | 8.8.8.8:53 | rnbubcn.cc | udp |
| US | 8.8.8.8:53 | swugiwiq.info | udp |
| US | 8.8.8.8:53 | arbydufqbex.org | udp |
| US | 8.8.8.8:53 | quskxqeoya.info | udp |
| US | 8.8.8.8:53 | iqwayk.biz | udp |
| US | 8.8.8.8:53 | obmipkdsholapet.com | udp |
| US | 8.8.8.8:53 | asoqhiiugkeq.net | udp |
| US | 8.8.8.8:53 | mywyiwiugkeq.info | udp |
| US | 8.8.8.8:53 | xnbpnafox.cc | udp |
| US | 8.8.8.8:53 | icwlocuiwcymao.biz | udp |
| US | 8.8.8.8:53 | gkuyos.net | udp |
| US | 8.8.8.8:53 | zuauswfox.cc | udp |
| US | 8.8.8.8:53 | hqdgfwfox.cc | udp |
| US | 8.8.8.8:53 | imelesuiwcymao.net | udp |
| US | 8.8.8.8:53 | ykigoaiq.net | udp |
| US | 8.8.8.8:53 | yqfqbyfqbex.cc | udp |
| US | 8.8.8.8:53 | sixnssdsholapet.org | udp |
| US | 8.8.8.8:53 | gqeoikuiwcymao.biz | udp |
| US | 8.8.8.8:53 | ogeghaiq.net | udp |
| US | 8.8.8.8:53 | qqylhadsholapet.org | udp |
| US | 8.8.8.8:53 | kldfdkdsholapet.com | udp |
| US | 8.8.8.8:53 | usgxnaiugkeq.biz | udp |
| US | 8.8.8.8:53 | qckgaueoya.net | udp |
| US | 8.8.8.8:53 | msmeoadsholapet.cc | udp |
| US | 8.8.8.8:53 | fxdqpkn.com | udp |
| US | 8.8.8.8:53 | kwgsycuiwcymao.info | udp |
| US | 8.8.8.8:53 | iyiypsuiwcymao.net | udp |
| US | 8.8.8.8:53 | emonmanansnan.cc | udp |
| US | 8.8.8.8:53 | mphuxufqbex.org | udp |
| US | 8.8.8.8:53 | yasetcuiwcymao.info | udp |
| US | 8.8.8.8:53 | skqluqeoya.info | udp |
| US | 8.8.8.8:53 | xoyvgsfox.cc | udp |
| US | 8.8.8.8:53 | rxlolwfox.cc | udp |
| US | 8.8.8.8:53 | ameioyeoya.biz | udp |
| US | 8.8.8.8:53 | mmmiecuiwcymao.info | udp |
| US | 8.8.8.8:53 | qbqctwnansnan.org | udp |
| US | 8.8.8.8:53 | jyzucifox.com | udp |
| US | 8.8.8.8:53 | koarak.net | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
C:\Windows\SysWOW64\pgttjynfrnrnpisxri.exe
C:\Users\Admin\AppData\Local\Temp\agixcgk.exe
C:\Users\Admin\AppData\Local\ecwdawsrknybkkbnomgnk.cbu
C:\Users\Admin\AppData\Local\zinfnublpdznhsurdmrjryfpthdrlwyv.qvn
C:\agixcgk.bat