Analysis Overview
SHA256
39009dfb1eed35a9341ff3cd4043d74eb6a77e75690369366d9f89e0b4227ec9
Threat Level: Known bad
The file 119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UAC bypass
Adds policy Run key to start application
Disables RegEdit via registry modification
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Impair Defenses: Safe Mode Boot
Checks whether UAC is enabled
Looks up external IP address via web service
Adds Run key to start application
Drops file in System32 directory
Drops autorun.inf file
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 10:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 10:04
Reported
2024-06-26 10:07
Platform
win7-20240220-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jawungcunhmqcfddnafw.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwlcoapamzxuz = "cqjeukdsizbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lauqhysizruwghdbju.exe" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jawungcunhmqcfddnafw.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwlcoapamzxuz = "viaujyqetjkksrlh.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmhewojaslpsdfcbkwa.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lauqhysizruwghdbju.exe" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwlcoapamzxuz = "yqnmgaxqkflqdhghsgmeb.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\viaujyqetjkksrlh.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lauqhysizruwghdbju.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwlcoapamzxuz = "wmhewojaslpsdfcbkwa.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqnmgaxqkflqdhghsgmeb.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwlcoapamzxuz = "cqjeukdsizbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmhewojaslpsdfcbkwa.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwlcoapamzxuz = "jawungcunhmqcfddnafw.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwlcoapamzxuz = "yqnmgaxqkflqdhghsgmeb.exe" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwlcoapamzxuz = "lauqhysizruwghdbju.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\viaujyqetjkksrlh.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwlcoapamzxuz = "cqjeukdsizbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqnmgaxqkflqdhghsgmeb.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqjeukdsizbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lauqhysizruwghdbju.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqjeukdsizbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqjeukdsizbcllgdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmhewojaslpsdfcbkwa.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqjeukdsizbcllgdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmhewojaslpsdfcbkwa.exe" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lauqhysizruwghdbju.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "wmhewojaslpsdfcbkwa.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viaujyqetjkksrlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqnmgaxqkflqdhghsgmeb.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viaujyqetjkksrlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lauqhysizruwghdbju.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "yqnmgaxqkflqdhghsgmeb.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viaujyqetjkksrlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jawungcunhmqcfddnafw.exe ." | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqjeukdsizbcllgdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jawungcunhmqcfddnafw.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viaujyqetjkksrlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmhewojaslpsdfcbkwa.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqjeukdsizbcllgdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqjeukdsizbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "yqnmgaxqkflqdhghsgmeb.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "yqnmgaxqkflqdhghsgmeb.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqnmgaxqkflqdhghsgmeb.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viaujyqetjkksrlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqnmgaxqkflqdhghsgmeb.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "wmhewojaslpsdfcbkwa.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\nyogtgwivjigmj = "wmhewojaslpsdfcbkwa.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqjeukdsizbcllgdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqnmgaxqkflqdhghsgmeb.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqjeukdsizbcllgdk.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqjeukdsizbcllgdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqjeukdsizbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqjeukdsizbcllgdk.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "jawungcunhmqcfddnafw.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\nyogtgwivjigmj = "jawungcunhmqcfddnafw.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qctmaofsgvvubzs = "jawungcunhmqcfddnafw.exe ." | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqjeukdsizbcllgdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lauqhysizruwghdbju.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\nyogtgwivjigmj = "yqnmgaxqkflqdhghsgmeb.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qctmaofsgvvubzs = "wmhewojaslpsdfcbkwa.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\nyogtgwivjigmj = "viaujyqetjkksrlh.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jawungcunhmqcfddnafw.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qctmaofsgvvubzs = "yqnmgaxqkflqdhghsgmeb.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qctmaofsgvvubzs = "cqjeukdsizbcllgdk.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "viaujyqetjkksrlh.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "lauqhysizruwghdbju.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqjeukdsizbcllgdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmhewojaslpsdfcbkwa.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viaujyqetjkksrlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\viaujyqetjkksrlh.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqnmgaxqkflqdhghsgmeb.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "yqnmgaxqkflqdhghsgmeb.exe ." | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lauqhysizruwghdbju.exe" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmhewojaslpsdfcbkwa.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqnmgaxqkflqdhghsgmeb.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "jawungcunhmqcfddnafw.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qctmaofsgvvubzs = "lauqhysizruwghdbju.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qctmaofsgvvubzs = "jawungcunhmqcfddnafw.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\nyogtgwivjigmj = "wmhewojaslpsdfcbkwa.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "viaujyqetjkksrlh.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\nyogtgwivjigmj = "viaujyqetjkksrlh.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqjeukdsizbcllgdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lauqhysizruwghdbju.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "cqjeukdsizbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmhewojaslpsdfcbkwa.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqjeukdsizbcllgdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jawungcunhmqcfddnafw.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viaujyqetjkksrlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqnmgaxqkflqdhghsgmeb.exe ." | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\nyogtgwivjigmj = "cqjeukdsizbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "wmhewojaslpsdfcbkwa.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viaujyqetjkksrlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqjeukdsizbcllgdk.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\nyogtgwivjigmj = "lauqhysizruwghdbju.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmhewojaslpsdfcbkwa.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qctmaofsgvvubzs = "yqnmgaxqkflqdhghsgmeb.exe ." | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqjeukdsizbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmhewojaslpsdfcbkwa.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "jawungcunhmqcfddnafw.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qctmaofsgvvubzs = "wmhewojaslpsdfcbkwa.exe ." | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\viaujyqetjkksrlh.exe ." | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "jawungcunhmqcfddnafw.exe" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "cqjeukdsizbcllgdk.exe" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\pqwehkqsvzocyltdxujkqybekm.tiw | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\viaujyqetjkksrlh.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\piggbwuojfmsgllnzovomm.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wmhewojaslpsdfcbkwa.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yqnmgaxqkflqdhghsgmeb.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\qctmaofsgvvubzsnsaamdwkypcqffeljcxckk.ngu | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\piggbwuojfmsgllnzovomm.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cqjeukdsizbcllgdk.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File created | C:\Windows\SysWOW64\pqwehkqsvzocyltdxujkqybekm.tiw | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cqjeukdsizbcllgdk.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jawungcunhmqcfddnafw.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\viaujyqetjkksrlh.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cqjeukdsizbcllgdk.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yqnmgaxqkflqdhghsgmeb.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\piggbwuojfmsgllnzovomm.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yqnmgaxqkflqdhghsgmeb.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jawungcunhmqcfddnafw.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jawungcunhmqcfddnafw.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File created | C:\Windows\SysWOW64\qctmaofsgvvubzsnsaamdwkypcqffeljcxckk.ngu | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wmhewojaslpsdfcbkwa.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jawungcunhmqcfddnafw.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\viaujyqetjkksrlh.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cqjeukdsizbcllgdk.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lauqhysizruwghdbju.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lauqhysizruwghdbju.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wmhewojaslpsdfcbkwa.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\piggbwuojfmsgllnzovomm.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lauqhysizruwghdbju.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wmhewojaslpsdfcbkwa.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lauqhysizruwghdbju.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\viaujyqetjkksrlh.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yqnmgaxqkflqdhghsgmeb.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\pqwehkqsvzocyltdxujkqybekm.tiw | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File created | C:\Program Files (x86)\pqwehkqsvzocyltdxujkqybekm.tiw | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\qctmaofsgvvubzsnsaamdwkypcqffeljcxckk.ngu | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File created | C:\Program Files (x86)\qctmaofsgvvubzsnsaamdwkypcqffeljcxckk.ngu | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\lauqhysizruwghdbju.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\wmhewojaslpsdfcbkwa.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\cqjeukdsizbcllgdk.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\piggbwuojfmsgllnzovomm.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File created | C:\Windows\pqwehkqsvzocyltdxujkqybekm.tiw | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\viaujyqetjkksrlh.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\jawungcunhmqcfddnafw.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\viaujyqetjkksrlh.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\wmhewojaslpsdfcbkwa.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\jawungcunhmqcfddnafw.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\lauqhysizruwghdbju.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\wmhewojaslpsdfcbkwa.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\piggbwuojfmsgllnzovomm.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\cqjeukdsizbcllgdk.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\viaujyqetjkksrlh.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File created | C:\Windows\qctmaofsgvvubzsnsaamdwkypcqffeljcxckk.ngu | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\cqjeukdsizbcllgdk.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\jawungcunhmqcfddnafw.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\viaujyqetjkksrlh.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\yqnmgaxqkflqdhghsgmeb.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\yqnmgaxqkflqdhghsgmeb.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\piggbwuojfmsgllnzovomm.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\yqnmgaxqkflqdhghsgmeb.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\piggbwuojfmsgllnzovomm.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\wmhewojaslpsdfcbkwa.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\yqnmgaxqkflqdhghsgmeb.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\jawungcunhmqcfddnafw.exe | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| File opened for modification | C:\Windows\cqjeukdsizbcllgdk.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\lauqhysizruwghdbju.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\lauqhysizruwghdbju.exe | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\pqwehkqsvzocyltdxujkqybekm.tiw | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| File opened for modification | C:\Windows\qctmaofsgvvubzsnsaamdwkypcqffeljcxckk.ngu | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\wajuagp.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe
"C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe" "c:\users\admin\appdata\local\temp\119d697d77ef4e3e1d3fc4dd8cd38c61_jaffacakes118.exe*"
C:\Users\Admin\AppData\Local\Temp\wajuagp.exe
"C:\Users\Admin\AppData\Local\Temp\wajuagp.exe" "-C:\Users\Admin\AppData\Local\Temp\viaujyqetjkksrlh.exe"
C:\Users\Admin\AppData\Local\Temp\wajuagp.exe
"C:\Users\Admin\AppData\Local\Temp\wajuagp.exe" "-C:\Users\Admin\AppData\Local\Temp\viaujyqetjkksrlh.exe"
C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe
"C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe" "c:\users\admin\appdata\local\temp\119d697d77ef4e3e1d3fc4dd8cd38c61_jaffacakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.myspace.com | udp |
| US | 34.111.176.156:80 | www.myspace.com | tcp |
| EG | 41.196.181.116:21271 | | tcp |
| US | 8.8.8.8:53 | vsdgddzap.org | udp |
| US | 162.249.65.164:80 | vsdgddzap.org | tcp |
| US | 8.8.8.8:53 | okgawo.com | udp |
| US | 8.8.8.8:53 | dzuzrg.info | udp |
| IT | 87.120.81.208:33558 | | tcp |
| US | 8.8.8.8:53 | fthwmiym.net | udp |
| US | 8.8.8.8:53 | kwhfqnnejec.info | udp |
| US | 34.211.97.45:80 | kwhfqnnejec.info | tcp |
| US | 8.8.8.8:53 | tepyknfqpj.net | udp |
| US | 8.8.8.8:53 | eomqiyui.org | udp |
| US | 162.249.65.164:80 | eomqiyui.org | tcp |
| BG | 95.43.42.86:37703 | | tcp |
| US | 8.8.8.8:53 | vupwbcmwhchx.info | udp |
| US | 8.8.8.8:53 | prdtgxaz.info | udp |
| US | 8.8.8.8:53 | umckwaoo.com | udp |
| MD | 89.149.97.4:38927 | | tcp |
| US | 8.8.8.8:53 | iiljlpjlejfh.net | udp |
| US | 8.8.8.8:53 | hazzthxrziyh.net | udp |
| US | 8.8.8.8:53 | krzzzlbqlm.net | udp |
| US | 8.8.8.8:53 | wdqzak.info | udp |
| US | 8.8.8.8:53 | hhkvhrpast.info | udp |
| LT | 78.61.122.246:36338 | | tcp |
| US | 8.8.8.8:53 | jawzfnq.org | udp |
| US | 162.249.65.164:80 | jawzfnq.org | tcp |
| US | 8.8.8.8:53 | dqlfhoz.org | udp |
| FR | 88.213.228.136:29152 | | tcp |
| US | 8.8.8.8:53 | tbljgbiadn.info | udp |
| US | 8.8.8.8:53 | qaxyvsymzas.info | udp |
| US | 8.8.8.8:53 | esikaeyw.org | udp |
| US | 8.8.8.8:53 | gybkkuekoig.net | udp |
| US | 8.8.8.8:53 | ikzszjxmq.info | udp |
| US | 208.100.26.245:80 | ikzszjxmq.info | tcp |
| US | 8.8.8.8:53 | bfbajlfop.com | udp |
| US | 8.8.8.8:53 | bcxkxkjwfcy.net | udp |
| US | 8.8.8.8:53 | kumwqauksm.com | udp |
| LV | 194.19.247.150:19465 | | tcp |
| US | 8.8.8.8:53 | hkzpou.net | udp |
| US | 8.8.8.8:53 | nibgvqqbg.net | udp |
| US | 8.8.8.8:53 | nrhguvbcvdds.net | udp |
| US | 8.8.8.8:53 | dmnabmbkfebu.net | udp |
| US | 8.8.8.8:53 | wjzlzlrc.info | udp |
| RO | 188.173.109.176:40325 | | tcp |
| US | 8.8.8.8:53 | bfnkdfbtnuch.info | udp |
| US | 8.8.8.8:53 | kwckumqq.org | udp |
| US | 8.8.8.8:53 | vvnyfkdnjb.net | udp |
| US | 8.8.8.8:53 | bznxfufj.net | udp |
| GR | 195.97.108.248:18645 | | tcp |
| US | 8.8.8.8:53 | hswepwt.com | udp |
| US | 8.8.8.8:53 | actwoqxmp.net | udp |
| FR | 88.213.228.136:29152 | | tcp |
| US | 8.8.8.8:53 | coahuct.net | udp |
| US | 8.8.8.8:53 | bvncnlle.net | udp |
| US | 8.8.8.8:53 | hkyxoq.net | udp |
| US | 8.8.8.8:53 | huvibmcyr.com | udp |
| US | 8.8.8.8:53 | bkjahm.info | udp |
| US | 8.8.8.8:53 | uqmmeguw.com | udp |
| US | 8.8.8.8:53 | kifwpkacq.info | udp |
| US | 8.8.8.8:53 | uxxemyqar.net | udp |
| US | 8.8.8.8:53 | kyvoyzx.info | udp |
| BG | 90.154.234.86:43662 | | tcp |
| US | 8.8.8.8:53 | swkoukockemu.org | udp |
| US | 8.8.8.8:53 | yvrnagjc.info | udp |
| US | 8.8.8.8:53 | atierp.info | udp |
| US | 8.8.8.8:53 | fmllrsnh.info | udp |
| ES | 81.172.9.69:14608 | | tcp |
| US | 8.8.8.8:53 | jydnupwk.net | udp |
| US | 8.8.8.8:53 | sibwxylmi.net | udp |
| US | 88.216.101.148:41213 | | tcp |
| US | 8.8.8.8:53 | njpbxbpb.net | udp |
| US | 8.8.8.8:53 | fmypvadav.info | udp |
| US | 8.8.8.8:53 | zifajtgr.net | udp |
| BG | 85.239.148.214:20967 | | tcp |
| US | 8.8.8.8:53 | lzzqgigv.info | udp |
| US | 8.8.8.8:53 | qgqsiawgwkum.com | udp |
| US | 8.8.8.8:53 | krufud.info | udp |
| BE | 109.89.182.248:28942 | | tcp |
| US | 8.8.8.8:53 | xircigkoicc.net | udp |
| US | 8.8.8.8:53 | ocgycuqsec.com | udp |
| US | 8.8.8.8:53 | ostdxxh.info | udp |
| BG | 178.254.249.210:30057 | | tcp |
| US | 8.8.8.8:53 | pjpdjv.net | udp |
| US | 8.8.8.8:53 | vupryswurgx.com | udp |
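The Network table above mixes three kinds of traffic: lookups of public "what is my IP" services, DNS queries for generated-looking names (most with no follow-up connection), and direct TCP connections to high, non-standard ports on addresses in a dozen countries with no DNS lookup at all. The Python below is an added triage example and is not part of the sandbox report or of the sample: it parses rows in the table's own pipe-delimited format (tolerating the rows where the protocol has slid into the Domain column) and separates those classes. The IP-lookup name pattern, the inference that a name queried but never connected to did not resolve (the report records no DNS answers), the "several domains on one IP" grouping and the constructed sample rows are this example's own assumptions.

```python
"""Triage of the Network table above: separates external-IP discovery from likely C2 activity."""
import json
import re
from collections import defaultdict

# Constructed sample: a subset of rows copied from the Network table above, including one
# row in the report's misaligned form (proto slid into the Domain column).
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.myspace.com | udp |
| US | 34.111.176.156:80 | www.myspace.com | tcp |
| EG | 41.196.181.116:21271 | tcp | |
| US | 8.8.8.8:53 | vsdgddzap.org | udp |
| US | 162.249.65.164:80 | vsdgddzap.org | tcp |
| US | 8.8.8.8:53 | okgawo.com | udp |
| US | 8.8.8.8:53 | eomqiyui.org | udp |
| US | 162.249.65.164:80 | eomqiyui.org | tcp |
| BG | 95.43.42.86:37703 | | tcp |
| US | 8.8.8.8:53 | jawzfnq.org | udp |
| US | 162.249.65.164:80 | jawzfnq.org | tcp |
"""

# Assumption: a domain matching this pattern is a public "what is my IP" service
# (external IP discovery, ATT&CK T1016.001), not command and control.
IP_LOOKUP = re.compile(r"whatismyip|showmyipaddress|myipaddress", re.I)


def parse_rows(text):
    """Yield (country, ip, port, domain, proto) from the pipe-delimited rows.
    Tolerates both cell orders present in the report: an empty Domain cell,
    or the proto having slid into the Domain column."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or ":" not in cells[1]:
            continue  # header or malformed line
        ip, port = cells[1].rsplit(":", 1)
        tail = [c for c in cells[2:] if c]
        proto = next((c.lower() for c in tail if c.lower() in ("tcp", "udp")), "")
        domain = next((c for c in tail if c.lower() not in ("tcp", "udp")), "")
        yield cells[0], ip, int(port), domain, proto


def triage(text):
    queried, connected, lookups, direct = set(), defaultdict(set), set(), []
    for country, ip, port, domain, proto in parse_rows(text):
        if proto == "udp" and port == 53 and domain:
            queried.add(domain)
            if IP_LOOKUP.search(domain):
                lookups.add(domain)
        elif proto == "tcp" and domain:
            connected[domain].add((ip, port))
        elif proto == "tcp":
            direct.append((country, ip, port))
    # Assumption: the report carries no DNS answers, so a name that was queried but
    # never connected to is treated as unresolved (the NXDOMAIN churn typical of a DGA).
    unresolved = sorted(queried - set(connected))
    # Several generated-looking domains landing on one IP: sinkhole or shared C2 host.
    by_ip = defaultdict(set)
    for domain, peers in connected.items():
        for ip, _ in peers:
            by_ip[ip].add(domain)
    shared = {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1}
    # Direct TCP to a high, non-standard port with no preceding lookup: hard-coded peers.
    peers = sorted(p for p in direct if p[2] > 1024)
    return {
        "ip_lookup_services": sorted(lookups),
        "unresolved_domains": unresolved,
        "shared_hosts": shared,
        "direct_high_port_peers": peers,
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_ROWS), indent=2))
```

Paste the full table into `SAMPLE_ROWS` to get the complete split. The "what is my IP" lookups and the www.myspace.com request are connectivity and location checks, not indicators worth blocking on their own; the unresolved generated names, the domains sharing 162.249.65.164, and the high-port peers with no DNS step are the rows to carry into a blocklist or a hunt, and the peer list is also the clearest sign that the sample talks to hard-coded addresses rather than only to names.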
Files
\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe
| MD5 | 5203b6ea0901877fbf2d8d6f6d8d338e |
| SHA1 | c803e92561921b38abe13239c1fd85605b570936 |
| SHA256 | 0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060 |
| SHA512 | d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471 |
C:\Windows\SysWOW64\lauqhysizruwghdbju.exe
| MD5 | 119d697d77ef4e3e1d3fc4dd8cd38c61 |
| SHA1 | d5813b6bc34f4856f267cd97ff397f19d1ad12e2 |
| SHA256 | 39009dfb1eed35a9341ff3cd4043d74eb6a77e75690369366d9f89e0b4227ec9 |
| SHA512 | dd663ee160ca0c9952500e47ca79a5b6f4f18de1e35d45ec10de2a61b4b658b6080c82b8a2c1a4dfa6141da158e077a647e8ce1c3a90b91a6d1bd579b3f02ba9 |
\Users\Admin\AppData\Local\Temp\wajuagp.exe
| MD5 | 2a82cc530bc71a4e729d806f51d50ed5 |
| SHA1 | be807cf095f7fc22155246f228c620af00fd559a |
| SHA256 | 9b61ed505691f6b92304be9a84a4da44696b2e3d37fe14415b11d382939fc9df |
| SHA512 | 3868c9a2e348cef895871f9e4b1a667f12a91d247aa22bf1ad87df8ae8d5695291d4cfebfdde2e36b2da6216b9742187d01f87aaa7de91091850ae56c8fdbf7e |
C:\Users\Admin\AppData\Local\pqwehkqsvzocyltdxujkqybekm.tiw
| MD5 | abc410a1591647eed43f15344620a2bc |
| SHA1 | 5ffecd135fd890a2a9fc1b85a120e046ce849c64 |
| SHA256 | c2b05447314f47d839179b0c6a10c42fd75b075c1cf261adb2aaea221909af25 |
| SHA512 | 04cbaffb28463eef5de7984ca1969f1fc473056d1f3a344daa5813a3279882681d1677aca4d42e5a39b6d303308a7731be338b54f3eababbc5d87ed74fa32a99 |
C:\Users\Admin\AppData\Local\qctmaofsgvvubzsnsaamdwkypcqffeljcxckk.ngu
| MD5 | b636973d98954d636b50cff67cab174e |
| SHA1 | 62ff88f9507a28c04b78e56a13285ece0c19a7e6 |
| SHA256 | f1069a485c92db455a024bdd5f17cd89977aeddf665bb61b5ed1b5b01f4300d4 |
| SHA512 | 6e0587b531e41a04830a764f9f564338f9deff1b03e88e9ab7f466be75bc18c776cdef266dcaf1bbfa390657ce4e2d57915c90ed2c13db2c08587d600edd06ff |
C:\Program Files (x86)\pqwehkqsvzocyltdxujkqybekm.tiw
| MD5 | 8cfa27375b4a50a14d1e54b743a15fee |
| SHA1 | 8d6eb50e02b4214b64c8d4b27e5b059db6ea127e |
| SHA256 | 7d5a95dab19dbd872c40d7b36eb5a9fda53314c4eac87d7dbb1529d23a798ec5 |
| SHA512 | 1aab6db1b4f1e84960c761e83bdb0faf025254addea53d4648f5d1d61ab1a32b106474df624ab54464d88fe7d8ab89fcaf53669baf7aace3e17e5775ef9dcacb |
C:\Program Files (x86)\pqwehkqsvzocyltdxujkqybekm.tiw
| MD5 | b5ca00ab85bd076f76a5e47bdcfdc9be |
| SHA1 | 4c5769e25ee5d3a06c317dd8237442c85baafb6f |
| SHA256 | 224e44ed82a69aa32767712ffe24f4775bdaabfcd0c56f9b60127ab51b3f6708 |
| SHA512 | 1aa2ea083ab7049fd675672875bf205b0482cd5c3a50c8a9059d3d91dcf8ff316ef49bdbca7f335f3cade3e7cf5b994c01cc11d4e3faf7e559cf79278562dcdc |
C:\Program Files (x86)\pqwehkqsvzocyltdxujkqybekm.tiw
| MD5 | c54bc7e62ca08a19525f5f95912173d8 |
| SHA1 | 9a5d00214b4d6fb06c222b4603b1377e2e95b1c7 |
| SHA256 | 5069839f0a17c5e0676ccfb8b65d00a08aca336096b1c0f623cd41a27d8d51e6 |
| SHA512 | b8ffd0f923d7f5d0eb4f7ba46396fcd44b9f227c460d7a260deca2d114aef4eedd95fe3eeffd1d062ef39fb6e3c5812a1cec84c4b131621b3aa83dd763f07c6e |
C:\Program Files (x86)\pqwehkqsvzocyltdxujkqybekm.tiw
| MD5 | 1ae0066870e30a6e2e1f8fd6b22a118e |
| SHA1 | c7b4c65baf85300cee95ffd1b0a3bf8be35b2edd |
| SHA256 | bef59d859bface0838e64649ed5cbf7dadc6d079a9d1c9aad3670ea89974d6a0 |
| SHA512 | 9b05afb0af9814caca2063cb8882743e2ef3b142f00b79d5739858e0b6105e336d34d6de36966a4f20027a68824ef0ad42c2b564eaa785bcfc040a16182cf3ed |
C:\Users\Admin\AppData\Local\pqwehkqsvzocyltdxujkqybekm.tiw
| MD5 | 0001986b725dd16384fc6bce3110c57d |
| SHA1 | a5912c8970603e924ba48ce195d601ab8a096a41 |
| SHA256 | 2d2767d52533b4d289f905cd222834e5098a4a2dfa3c35985fb93d41e233af6e |
| SHA512 | ae7248476a81631d6c1a955e7d844b6867b8d15ba6e0869bfa20f4c24158e5a3e6d8269f04a1fd18bc4773cddf7a0ccface688e63ee6ce11adca3ccb2d729fc3 |
C:\Program Files (x86)\pqwehkqsvzocyltdxujkqybekm.tiw
| MD5 | ab26253bf8c37529ec7ea738821fe36b |
| SHA1 | 7109386e3b79fb6b4c7bda301ee32a622294e060 |
| SHA256 | d2993dab7a0bd5b24e3f74e00bf3d43b2356c8a9a1016153bcfc7f7b3cbe9d7a |
| SHA512 | 9027e38c7496f792e578f5edae15e20c4d0e872b50b15f94245b583221f294e5b6cb594aa5b9742d3cced4fa2eeee1da4690ad28dcdfaacdb98341b632235819 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 10:04
Reported
2024-06-26 10:07
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brlztgdshyidgbcud.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrphfwxqjesryxcyltlfd.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "xrphfwxqjesryxcyltlfd.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnjzvkjarkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "kbwlgusiyqbxbxzsch.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujcpiuqesirlnhhy.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "ujcpiuqesirlnhhy.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "ibypmccumgtrxvzugnex.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnjzvkjarkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibypmccumgtrxvzugnex.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "vnjzvkjarkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "kbwlgusiyqbxbxzsch.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujcpiuqesirlnhhy.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibypmccumgtrxvzugnex.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "kbwlgusiyqbxbxzsch.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "brlztgdshyidgbcud.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brlztgdshyidgbcud.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbwlgusiyqbxbxzsch.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "vnjzvkjarkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "ujcpiuqesirlnhhy.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "ibypmccumgtrxvzugnex.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "xrphfwxqjesryxcyltlfd.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnjzvkjarkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "brlztgdshyidgbcud.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brlztgdshyidgbcud.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxmvkskueqvl = "kbwlgusiyqbxbxzsch.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krchswkq = "vnjzvkjarkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pznvjqhqzko = "kbwlgusiyqbxbxzsch.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxmvkskueqvl = "ibypmccumgtrxvzugnex.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzqbscwiuiphhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbwlgusiyqbxbxzsch.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pznvjqhqzko = "brlztgdshyidgbcud.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxmvkskueqvl = "ujcpiuqesirlnhhy.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krchswkq = "ibypmccumgtrxvzugnex.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pznvjqhqzko = "kbwlgusiyqbxbxzsch.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lxnxnwpalyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brlztgdshyidgbcud.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pznvjqhqzko = "xrphfwxqjesryxcyltlfd.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pznvjqhqzko = "xrphfwxqjesryxcyltlfd.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pznvjqhqzko = "ibypmccumgtrxvzugnex.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxmvkskueqvl = "ibypmccumgtrxvzugnex.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujcpiuqesirlnhhy.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzqbscwiuiphhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnjzvkjarkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "xrphfwxqjesryxcyltlfd.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxmvkskueqvl = "vnjzvkjarkwtyvysdjz.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krchswkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibypmccumgtrxvzugnex.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "kbwlgusiyqbxbxzsch.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxmvkskueqvl = "xrphfwxqjesryxcyltlfd.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "kbwlgusiyqbxbxzsch.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krchswkq = "ibypmccumgtrxvzugnex.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzqbscwiuiphhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brlztgdshyidgbcud.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krchswkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrphfwxqjesryxcyltlfd.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krchswkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbwlgusiyqbxbxzsch.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brlztgdshyidgbcud.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lxnxnwpalyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujcpiuqesirlnhhy.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pznvjqhqzko = "vnjzvkjarkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krchswkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brlztgdshyidgbcud.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krchswkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brlztgdshyidgbcud.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pznvjqhqzko = "ibypmccumgtrxvzugnex.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnjzvkjarkwtyvysdjz.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krchswkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrphfwxqjesryxcyltlfd.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzqbscwiuiphhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrphfwxqjesryxcyltlfd.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxmvkskueqvl = "ujcpiuqesirlnhhy.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzqbscwiuiphhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrphfwxqjesryxcyltlfd.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "kbwlgusiyqbxbxzsch.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krchswkq = "brlztgdshyidgbcud.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krchswkq = "ujcpiuqesirlnhhy.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzqbscwiuiphhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibypmccumgtrxvzugnex.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pznvjqhqzko = "vnjzvkjarkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzqbscwiuiphhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujcpiuqesirlnhhy.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxmvkskueqvl = "brlztgdshyidgbcud.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzqbscwiuiphhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujcpiuqesirlnhhy.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lxnxnwpalyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbwlgusiyqbxbxzsch.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pznvjqhqzko = "ibypmccumgtrxvzugnex.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krchswkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibypmccumgtrxvzugnex.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lxnxnwpalyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brlztgdshyidgbcud.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krchswkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujcpiuqesirlnhhy.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnjzvkjarkwtyvysdjz.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxmvkskueqvl = "kbwlgusiyqbxbxzsch.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krchswkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnjzvkjarkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxmvkskueqvl = "xrphfwxqjesryxcyltlfd.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzqbscwiuiphhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnjzvkjarkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "ujcpiuqesirlnhhy.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "ujcpiuqesirlnhhy.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krchswkq = "ujcpiuqesirlnhhy.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "vnjzvkjarkwtyvysdjz.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzqbscwiuiphhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbwlgusiyqbxbxzsch.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lxnxnwpalyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbwlgusiyqbxbxzsch.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krchswkq = "vnjzvkjarkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pznvjqhqzko = "ujcpiuqesirlnhhy.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
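The two autostart tables above (Policies\Explorer\Run, and Run / RunOnce) are long because the sandbox logs every write, and the two dropped executables keep rewriting the same handful of value names with different images. The script below is an added triage example, not part of the sandbox report or of the sample: it parses rows in the four-cell pipe-table layout used on this page (an assumption about the format, with a few rows copied from the tables as constructed input), collapses them into unique (key, value name, image) entries, and attaches the flags an analyst cares about. Three facts drive the flags. Policies\Explorer\Run is the key behind the "Run these programs at user logon" Group Policy setting and is normally written only by policy, so values an application puts there are suspect on their own. RunOnce values are deleted after they execute, which is why the sample has to rewrite them; an entry there is not durable unless something keeps restoring it. A bare file name such as "kbwlgusiyqbxbxzsch.exe" carries no directory, so it is resolved through the executable search path, which includes the Windows directory; that is the reason the same names reappear as drops in C:\Windows in the file tables on this page, while the C:\Windows\SysWOW64 copies are the 32-bit process's redirected view of System32. The WOW6432Node prefix on the HKLM Run writes is the same 32-bit redirection on the registry side; Windows processes both the native and the WOW64 Run keys at logon, so those entries do fire.

```python
"""Parse the report's pipe-table rows and triage autostart entries (added example)."""
import re
from collections import OrderedDict

# Constructed sample: rows copied from the Run / RunOnce / Policies\Explorer\Run
# tables on this page; the report escapes backslashes inside value data as '\\'.
SAMPLE_ROWS = [
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibypmccumgtrxvzugnex.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "vnjzvkjarkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |',
    r'| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brlztgdshyidgbcud.exe ." | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krchswkq = "vnjzvkjarkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krchswkq = "vnjzvkjarkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |',
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |',
]

# indicator layout:  <key path>\<value name> = "<data>"
_VALUE_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')
# command line -> image + arguments (quoted image, or first non-blank token)
_CMD_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>\S+))\s*(?P<args>.*)$')
AUTOSTART_KEYS = ('run', 'runonce')
USER_WRITABLE = ('\\appdata\\', '\\temp\\', '\\users\\public\\', '\\programdata\\')


def parse_row(line):
    """Split one '| desc | indicator | process | target |' row into a dict."""
    cells = [c.strip() for c in line.strip().strip('|').split('|')]
    if len(cells) != 4:
        raise ValueError('unexpected row layout: %r' % line)
    return dict(zip(('description', 'indicator', 'process', 'target'), cells))


def normalize_key(key):
    """Turn the kernel object path into HKLM/HKU form and flag the WOW64 view."""
    wow64 = '\\wow6432node\\' in key.lower()
    key = re.sub(r'(?i)\\wow6432node', '', key)
    key = re.sub(r'^\\REGISTRY\\MACHINE\\', r'HKLM\\', key)
    key = re.sub(r'^\\REGISTRY\\USER\\(S-[\d-]+)\\', r'HKU\\\1\\', key)
    return key, wow64


def parse_autostart(row):
    r"""Return an autostart entry if the row sets a value under Run, RunOnce or
    Policies\Explorer\Run; otherwise None (key creations, unrelated keys)."""
    m = _VALUE_RE.match(row['indicator'])
    if m is None or not row['description'].startswith('Set value'):
        return None
    key, wow64 = normalize_key(m.group('key'))
    if key.lower().rsplit('\\', 1)[-1] not in AUTOSTART_KEYS:
        return None
    data = m.group('data').replace('\\\\', '\\')   # undo the report's escaping
    cmd = _CMD_RE.match(data)                      # heuristic: unquoted paths with spaces are ambiguous
    if cmd is None:
        return None
    return {'key': key, 'wow64': wow64, 'name': m.group('name'),
            'image': cmd.group('q') or cmd.group('u'), 'args': cmd.group('args'),
            'writer': row['process']}


def classify(entry):
    """Flags explaining why the entry deserves attention (see the lead-in)."""
    flags = []
    image = entry['image'].lower()
    if '\\' not in image:
        flags.append('bare-filename')        # resolved through the executable search path
    elif any(p in image for p in USER_WRITABLE):
        flags.append('user-writable-path')
    if entry['key'].lower().endswith('\\runonce'):
        flags.append('runonce')              # deleted after it runs; needs re-writing to persist
    if '\\policies\\explorer\\run' in entry['key'].lower():
        flags.append('policy-run')           # normally populated by Group Policy only
    return flags


def triage(rows):
    """Collapse repeated writes into unique (key, value name, image) entries,
    remember every process that wrote each one, and attach the flags."""
    seen = OrderedDict()
    for line in rows:
        entry = parse_autostart(parse_row(line))
        if entry is None:
            continue
        writer = entry.pop('writer')
        ident = (entry['key'].lower(), entry['name'].lower(), entry['image'].lower())
        merged = seen.setdefault(ident, entry)
        merged.setdefault('writers', set()).add(writer)
    for entry in seen.values():
        entry['flags'] = classify(entry)
    return list(seen.values())


if __name__ == '__main__':
    for e in triage(SAMPLE_ROWS):
        print('%s\\%s -> %s %s  [%s] written by %d process(es)' % (
            e['key'], e['name'], e['image'], e['args'],
            ', '.join(e['flags']), len(e['writers'])))
```

Feeding the whole pair of tables through triage() instead of the six sample rows reduces the roughly eighty writes to a dozen distinct entries, which is the list to carry into host hunting; the trailing " ." on the RunOnce values is preserved as the entry's argument rather than interpreted, since the page gives no basis for what the sample does with it.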
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\ojibasuoiettbbhesbupoh.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ujcpiuqesirlnhhy.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\brlztgdshyidgbcud.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\brlztgdshyidgbcud.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kbwlgusiyqbxbxzsch.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ibypmccumgtrxvzugnex.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xrphfwxqjesryxcyltlfd.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xrphfwxqjesryxcyltlfd.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ujcpiuqesirlnhhy.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vnjzvkjarkwtyvysdjz.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mzqbscwiuiphhzxmsteritkuoamahzzrpekl.jal | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ibypmccumgtrxvzugnex.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kbwlgusiyqbxbxzsch.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ojibasuoiettbbhesbupoh.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hjppvudefielahuytjjlrrxwf.hkg | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\brlztgdshyidgbcud.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\SysWOW64\mzqbscwiuiphhzxmsteritkuoamahzzrpekl.jal | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ojibasuoiettbbhesbupoh.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kbwlgusiyqbxbxzsch.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\brlztgdshyidgbcud.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ibypmccumgtrxvzugnex.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ojibasuoiettbbhesbupoh.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vnjzvkjarkwtyvysdjz.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ibypmccumgtrxvzugnex.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ujcpiuqesirlnhhy.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vnjzvkjarkwtyvysdjz.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ujcpiuqesirlnhhy.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vnjzvkjarkwtyvysdjz.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xrphfwxqjesryxcyltlfd.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File created | C:\Windows\SysWOW64\hjppvudefielahuytjjlrrxwf.hkg | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kbwlgusiyqbxbxzsch.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xrphfwxqjesryxcyltlfd.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\mzqbscwiuiphhzxmsteritkuoamahzzrpekl.jal | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Program Files (x86)\hjppvudefielahuytjjlrrxwf.hkg | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File created | C:\Program Files (x86)\hjppvudefielahuytjjlrrxwf.hkg | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Program Files (x86)\mzqbscwiuiphhzxmsteritkuoamahzzrpekl.jal | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\ujcpiuqesirlnhhy.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\brlztgdshyidgbcud.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\xrphfwxqjesryxcyltlfd.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\brlztgdshyidgbcud.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\xrphfwxqjesryxcyltlfd.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\ibypmccumgtrxvzugnex.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\ujcpiuqesirlnhhy.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\mzqbscwiuiphhzxmsteritkuoamahzzrpekl.jal | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\brlztgdshyidgbcud.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\hjppvudefielahuytjjlrrxwf.hkg | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File created | C:\Windows\hjppvudefielahuytjjlrrxwf.hkg | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\ojibasuoiettbbhesbupoh.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\kbwlgusiyqbxbxzsch.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\ojibasuoiettbbhesbupoh.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\vnjzvkjarkwtyvysdjz.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\ujcpiuqesirlnhhy.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\vnjzvkjarkwtyvysdjz.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\kbwlgusiyqbxbxzsch.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\ibypmccumgtrxvzugnex.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\vnjzvkjarkwtyvysdjz.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\vnjzvkjarkwtyvysdjz.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\ujcpiuqesirlnhhy.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\brlztgdshyidgbcud.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\kbwlgusiyqbxbxzsch.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\ojibasuoiettbbhesbupoh.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\ibypmccumgtrxvzugnex.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\ibypmccumgtrxvzugnex.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\xrphfwxqjesryxcyltlfd.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\kbwlgusiyqbxbxzsch.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\xrphfwxqjesryxcyltlfd.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File opened for modification | C:\Windows\ojibasuoiettbbhesbupoh.exe | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| File created | C:\Windows\mzqbscwiuiphhzxmsteritkuoamahzzrpekl.jal | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\inwzik.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
"C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\119d697d77ef4e3e1d3fc4dd8cd38c61_jaffacakes118.exe*"
C:\Users\Admin\AppData\Local\Temp\inwzik.exe
"C:\Users\Admin\AppData\Local\Temp\inwzik.exe" "-C:\Users\Admin\AppData\Local\Temp\ujcpiuqesirlnhhy.exe"
C:\Users\Admin\AppData\Local\Temp\inwzik.exe
"C:\Users\Admin\AppData\Local\Temp\inwzik.exe" "-C:\Users\Admin\AppData\Local\Temp\ujcpiuqesirlnhhy.exe"
C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
"C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\119d697d77ef4e3e1d3fc4dd8cd38c61_jaffacakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | aowewswqsk.com | udp |
| US | 8.8.8.8:53 | ooygcwgusg.com | udp |
| US | 8.8.8.8:53 | jtpdhst.org | udp |
| RO | 188.173.109.176:40325 | tcp | |
| US | 162.249.65.164:80 | jtpdhst.org | tcp |
| US | 8.8.8.8:53 | mwwmeqeeca.com | udp |
| US | 8.8.8.8:53 | hvswhvklyc.net | udp |
| US | 8.8.8.8:53 | kksmmcwqcogo.org | udp |
| US | 8.8.8.8:53 | ssrmjkfst.net | udp |
| US | 8.8.8.8:53 | bfvbpfllrewl.net | udp |
| US | 8.8.8.8:53 | dghgtangr.net | udp |
| US | 8.8.8.8:53 | ezbmtm.info | udp |
| US | 8.8.8.8:53 | tbrpvoic.net | udp |
| US | 8.8.8.8:53 | boysiueqo.org | udp |
| US | 8.8.8.8:53 | ffmghctendtd.info | udp |
| US | 8.8.8.8:53 | cirqtrvarut.info | udp |
| US | 8.8.8.8:53 | iidsfgbqx.info | udp |
| US | 8.8.8.8:53 | yvvwtcdubbd.net | udp |
| US | 8.8.8.8:53 | gujricess.net | udp |
| US | 8.8.8.8:53 | xewmjytnq.info | udp |
| US | 8.8.8.8:53 | kasuiyek.com | udp |
| US | 8.8.8.8:53 | nkxapthjcw.info | udp |
| US | 8.8.8.8:53 | ijnplvnkvsbi.net | udp |
| US | 8.8.8.8:53 | cwmwuo.org | udp |
| US | 8.8.8.8:53 | ssikirdidgpa.net | udp |
| US | 8.8.8.8:53 | eqfijd.info | udp |
| US | 8.8.8.8:53 | rkwthclcupth.info | udp |
| US | 8.8.8.8:53 | wamzabvc.info | udp |
| US | 8.8.8.8:53 | rqsmlao.net | udp |
| US | 8.8.8.8:53 | vyemdbyi.info | udp |
| US | 8.8.8.8:53 | gombukxn.info | udp |
| US | 8.8.8.8:53 | nkfmhcquz.net | udp |
| US | 8.8.8.8:53 | grmjfayk.net | udp |
| US | 8.8.8.8:53 | euwowigysowa.com | udp |
| US | 8.8.8.8:53 | yaiwwqauqmom.com | udp |
| US | 8.8.8.8:53 | mgoocc.org | udp |
| US | 8.8.8.8:53 | kuisxcpct.info | udp |
| US | 8.8.8.8:53 | yopknumoa.net | udp |
| US | 8.8.8.8:53 | scouqm.org | udp |
| US | 8.8.8.8:53 | qvjayyann.net | udp |
| US | 8.8.8.8:53 | erzhkn.net | udp |
| US | 8.8.8.8:53 | rmsciw.info | udp |
| US | 8.8.8.8:53 | ilotakteky.net | udp |
| US | 8.8.8.8:53 | bymshsaow.net | udp |
| US | 8.8.8.8:53 | llseldq.info | udp |
| US | 8.8.8.8:53 | vpgeplb.org | udp |
| US | 8.8.8.8:53 | nygysmaan.com | udp |
| US | 8.8.8.8:53 | mbpwcqlboe.info | udp |
| US | 8.8.8.8:53 | csoueisokwsc.org | udp |
| US | 8.8.8.8:53 | nvkegmombev.info | udp |
| US | 8.8.8.8:53 | oisguecyscak.org | udp |
| US | 8.8.8.8:53 | vwzlbkneb.info | udp |
| US | 8.8.8.8:53 | amrztzpwunon.net | udp |
| US | 8.8.8.8:53 | xqxwooj.info | udp |
| US | 8.8.8.8:53 | zdfqxmraf.org | udp |
| US | 162.249.65.164:80 | zdfqxmraf.org | tcp |
| US | 88.216.101.148:41213 | tcp | |
| US | 8.8.8.8:53 | jdhkvajybsb.com | udp |
| US | 8.8.8.8:53 | vwacrgroz.info | udp |
| US | 8.8.8.8:53 | arrvyww.info | udp |
| US | 8.8.8.8:53 | wieiisyouoqy.com | udp |
| US | 8.8.8.8:53 | mivsfcbdusk.net | udp |
| US | 8.8.8.8:53 | bldlfpze.net | udp |
| US | 8.8.8.8:53 | yeoywkigumga.com | udp |
| US | 8.8.8.8:53 | nlucmun.com | udp |
| US | 8.8.8.8:53 | bzhzfgrbfqh.info | udp |
| US | 8.8.8.8:53 | poyzac.net | udp |
| US | 8.8.8.8:53 | omuejyvdsq.info | udp |
| US | 8.8.8.8:53 | uxpfus.info | udp |
| US | 8.8.8.8:53 | kclkkuhnskv.info | udp |
| US | 8.8.8.8:53 | frynja.info | udp |
| US | 8.8.8.8:53 | jvmkdb.info | udp |
| US | 8.8.8.8:53 | okaeoaluvdt.net | udp |
| US | 8.8.8.8:53 | kyqugqywge.com | udp |
| US | 8.8.8.8:53 | depqozhlwl.info | udp |
| US | 8.8.8.8:53 | hnpkvqz.net | udp |
| US | 8.8.8.8:53 | ytasvmrxho.info | udp |
| US | 8.8.8.8:53 | klqrkefrhj.info | udp |
| US | 8.8.8.8:53 | gounbviz.info | udp |
| US | 8.8.8.8:53 | ukzttgni.info | udp |
| US | 8.8.8.8:53 | wugokmywicug.com | udp |
| US | 8.8.8.8:53 | fhnvfh.net | udp |
| US | 8.8.8.8:53 | votagsuunp.info | udp |
| US | 8.8.8.8:53 | vyroawnuykm.net | udp |
| US | 8.8.8.8:53 | pqxyijntravf.info | udp |
| US | 8.8.8.8:53 | lhbxckxk.info | udp |
| US | 8.8.8.8:53 | caaaigqkmiae.org | udp |
| US | 162.249.65.164:80 | caaaigqkmiae.org | tcp |
| US | 8.8.8.8:53 | aktvscn.net | udp |
| US | 8.8.8.8:53 | pmrsnmj.net | udp |
| US | 8.8.8.8:53 | qooucscums.org | udp |
| US | 8.8.8.8:53 | qhdoedxamz.net | udp |
| US | 8.8.8.8:53 | jhtoyqf.net | udp |
| US | 8.8.8.8:53 | ojrejsusvjl.info | udp |
| US | 8.8.8.8:53 | uioyou.org | udp |
| US | 8.8.8.8:53 | pdmmllhpgq.info | udp |
| US | 8.8.8.8:53 | ysmcyueu.org | udp |
| US | 8.8.8.8:53 | xdtnfmoj.info | udp |
| US | 8.8.8.8:53 | weyrtj.net | udp |
| US | 8.8.8.8:53 | nonctqbyt.info | udp |
| US | 8.8.8.8:53 | tvdgizj.info | udp |
| US | 8.8.8.8:53 | kzxjhgaeni.net | udp |
| US | 8.8.8.8:53 | wxbotdr.net | udp |
| US | 8.8.8.8:53 | emxvfsfooo.info | udp |
| US | 8.8.8.8:53 | hfjobknf.net | udp |
| US | 8.8.8.8:53 | bhabiw.net | udp |
| US | 8.8.8.8:53 | icaayiqseyey.org | udp |
| US | 8.8.8.8:53 | jfzciyx.org | udp |
| BG | 178.254.249.210:30057 | tcp | |
| US | 162.249.65.164:80 | jfzciyx.org | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | emfqfyngt.net | udp |
| US | 8.8.8.8:53 | mguscssg.org | udp |
| US | 8.8.8.8:53 | zztbljj.info | udp |
| US | 8.8.8.8:53 | gmacgcmkeuwi.com | udp |
| US | 8.8.8.8:53 | sidlvctfcd.net | udp |
| US | 8.8.8.8:53 | vwayjmqiv.org | udp |
| US | 8.8.8.8:53 | dhfuqr.info | udp |
| US | 8.8.8.8:53 | izlwiqbip.net | udp |
| US | 8.8.8.8:53 | zizwqv.net | udp |
| US | 8.8.8.8:53 | uuckysl.info | udp |
| US | 8.8.8.8:53 | pwdhdmz.info | udp |
| US | 8.8.8.8:53 | hyuifisst.info | udp |
| US | 8.8.8.8:53 | cxhpao.info | udp |
| US | 8.8.8.8:53 | kujenks.net | udp |
| US | 8.8.8.8:53 | bnejpopgxpdt.info | udp |
| US | 8.8.8.8:53 | edgwmadgx.info | udp |
| US | 8.8.8.8:53 | vwwfvttbgo.net | udp |
| US | 8.8.8.8:53 | ehwoqrboiogy.net | udp |
| US | 8.8.8.8:53 | qvikjs.net | udp |
| US | 8.8.8.8:53 | sckkeaqmagsc.org | udp |
| US | 8.8.8.8:53 | kwtqzgjguil.net | udp |
| US | 8.8.8.8:53 | yiicek.com | udp |
| US | 8.8.8.8:53 | egqsowyswaai.org | udp |
| US | 8.8.8.8:53 | ypfieh.net | udp |
| US | 8.8.8.8:53 | dydeow.info | udp |
| US | 8.8.8.8:53 | asnapiuotwf.net | udp |
| US | 8.8.8.8:53 | nozntxujcjgz.info | udp |
| US | 8.8.8.8:53 | rwjxbkcrdmdl.info | udp |
| US | 8.8.8.8:53 | nkivtgkq.info | udp |
| US | 8.8.8.8:53 | xfvqmg.info | udp |
| US | 8.8.8.8:53 | tjnvxldz.info | udp |
| US | 8.8.8.8:53 | cweqjigvhyks.net | udp |
| US | 8.8.8.8:53 | resbrspqdecl.info | udp |
| US | 8.8.8.8:53 | jercysg.org | udp |
| US | 8.8.8.8:53 | bdjouyjaeeb.net | udp |
| US | 8.8.8.8:53 | mmcunaees.info | udp |
| US | 8.8.8.8:53 | pldhbwqapxfa.net | udp |
| US | 8.8.8.8:53 | thnbztqpphll.info | udp |
| US | 8.8.8.8:53 | zkjunlsgcez.com | udp |
| US | 8.8.8.8:53 | nsvkxvpur.info | udp |
| US | 8.8.8.8:53 | sqoqrunht.info | udp |
| US | 8.8.8.8:53 | zmtkywp.org | udp |
| US | 162.249.65.164:80 | zmtkywp.org | tcp |
| BR | 189.46.39.245:17864 | tcp | |
| US | 8.8.8.8:53 | zwtklevdtxvd.info | udp |
| US | 8.8.8.8:53 | emgmcwgo.com | udp |
| US | 8.8.8.8:53 | hozqvimincu.net | udp |
| US | 8.8.8.8:53 | oyiguqig.com | udp |
| US | 8.8.8.8:53 | rkkodtuz.info | udp |
| US | 8.8.8.8:53 | eouumo.org | udp |
| US | 8.8.8.8:53 | uegysgiiksoo.org | udp |
| US | 8.8.8.8:53 | fibytcpexct.com | udp |
| US | 8.8.8.8:53 | rrkmwnrm.net | udp |
| US | 8.8.8.8:53 | iaamogwkyw.org | udp |
| US | 8.8.8.8:53 | lpkvpc.net | udp |
| US | 8.8.8.8:53 | soyeiuusse.com | udp |
| US | 8.8.8.8:53 | pafqzpji.net | udp |
| US | 8.8.8.8:53 | dzpmjawy.net | udp |
| US | 8.8.8.8:53 | ljthpivgt.info | udp |
| US | 8.8.8.8:53 | uscogcoaii.com | udp |
| US | 8.8.8.8:53 | fatiyppe.info | udp |
| US | 8.8.8.8:53 | anwcqhxohmyr.info | udp |
| US | 8.8.8.8:53 | tgquhozne.com | udp |
| US | 8.8.8.8:53 | maiquacsmieo.org | udp |
| US | 8.8.8.8:53 | qlussiicqjtn.info | udp |
| US | 8.8.8.8:53 | yceqcskoeg.org | udp |
| US | 162.249.65.164:80 | yceqcskoeg.org | tcp |
| US | 8.8.8.8:53 | mqlehcqgtq.net | udp |
| US | 8.8.8.8:53 | hunyjfpvfmj.com | udp |
| US | 8.8.8.8:53 | lkxiprzmrjf.info | udp |
| US | 8.8.8.8:53 | heinbptzwl.net | udp |
| GR | 195.97.108.248:18645 | tcp | |
| US | 8.8.8.8:53 | zobtrjxg.info | udp |
| US | 8.8.8.8:53 | wvumbqjom.net | udp |
| US | 8.8.8.8:53 | adomofxvpaq.net | udp |
| US | 8.8.8.8:53 | fbaztkzunhlj.net | udp |
| US | 8.8.8.8:53 | gymqsmci.com | udp |
| US | 8.8.8.8:53 | cgwgaguesg.org | udp |
| US | 162.249.65.164:80 | cgwgaguesg.org | tcp |
| US | 8.8.8.8:53 | fpvttagkgs.info | udp |
| US | 8.8.8.8:53 | wlldoij.net | udp |
| US | 8.8.8.8:53 | gmwaeeykmgqa.com | udp |
| US | 8.8.8.8:53 | wfjsrv.info | udp |
| US | 8.8.8.8:53 | qkogdsn.net | udp |
| US | 8.8.8.8:53 | pqijggpyzms.com | udp |
| US | 8.8.8.8:53 | aacredkob.net | udp |
| US | 8.8.8.8:53 | pzahzqww.info | udp |
| US | 8.8.8.8:53 | stlgfxmthec.info | udp |
| US | 8.8.8.8:53 | julxerwaocda.net | udp |
| US | 8.8.8.8:53 | lkrwiqlarsi.org | udp |
| US | 8.8.8.8:53 | puwydkhopo.net | udp |
| US | 8.8.8.8:53 | kmvqiujn.info | udp |
| US | 8.8.8.8:53 | jcxfgsrl.net | udp |
| US | 8.8.8.8:53 | uuiscskqgywe.com | udp |
| US | 8.8.8.8:53 | fqfgzun.org | udp |
| US | 8.8.8.8:53 | kaqiyakuyi.com | udp |
| US | 8.8.8.8:53 | nkybtwpgzoi.info | udp |
| US | 8.8.8.8:53 | iekueuww.com | udp |
| US | 8.8.8.8:53 | yseofalld.info | udp |
| US | 8.8.8.8:53 | qusuddqo.info | udp |
| US | 8.8.8.8:53 | oecudfdyb.info | udp |
| US | 8.8.8.8:53 | auzbawmlc.net | udp |
| US | 8.8.8.8:53 | eogzwyx.info | udp |
| US | 8.8.8.8:53 | ljdwwwih.info | udp |
| US | 8.8.8.8:53 | wgwyvyrrovo.info | udp |
| US | 8.8.8.8:53 | gwmeafacbwrh.info | udp |
| US | 8.8.8.8:53 | kzvsamqv.net | udp |
| US | 8.8.8.8:53 | qkdqch.net | udp |
| US | 8.8.8.8:53 | koeckawaae.org | udp |
| US | 8.8.8.8:53 | uqmgwqsous.com | udp |
| US | 8.8.8.8:53 | hbjswaqvtq.net | udp |
| US | 8.8.8.8:53 | hqtcxyfcwpf.com | udp |
| US | 8.8.8.8:53 | eaisokwcuc.com | udp |
| US | 8.8.8.8:53 | oaewdkdqd.net | udp |
| US | 8.8.8.8:53 | ammpbmdav.net | udp |
| US | 8.8.8.8:53 | gwlebvk.info | udp |
| US | 8.8.8.8:53 | yywowqee.org | udp |
| US | 8.8.8.8:53 | fpfalqjzmzpx.info | udp |
| US | 8.8.8.8:53 | qcxitck.info | udp |
| US | 8.8.8.8:53 | lblxlwomf.net | udp |
| US | 8.8.8.8:53 | fmmskbruubgy.info | udp |
| US | 8.8.8.8:53 | wsbmumbkx.info | udp |
| US | 8.8.8.8:53 | xuqdtunwnhy.com | udp |
| US | 8.8.8.8:53 | ekamqi.org | udp |
| US | 162.249.65.164:80 | ekamqi.org | tcp |
| US | 89.117.28.85:31554 | tcp | |
| US | 8.8.8.8:53 | xujwhevex.org | udp |
| US | 8.8.8.8:53 | yadeoqtva.net | udp |
| US | 8.8.8.8:53 | egikww.com | udp |
| US | 8.8.8.8:53 | xlhnemw.info | udp |
| US | 8.8.8.8:53 | cvwpfiesyd.info | udp |
| US | 8.8.8.8:53 | pmfsryxkbwd.org | udp |
| US | 8.8.8.8:53 | axjcdy.info | udp |
| US | 8.8.8.8:53 | zqkuhflmp.com | udp |
| US | 8.8.8.8:53 | xopgozy.com | udp |
| US | 8.8.8.8:53 | clkejczwcsb.info | udp |
| US | 8.8.8.8:53 | fozkdfvij.info | udp |
| US | 8.8.8.8:53 | qtiwyilyl.info | udp |
| US | 8.8.8.8:53 | mprsoz.net | udp |
| US | 8.8.8.8:53 | rtbzbtvimhvm.info | udp |
| US | 8.8.8.8:53 | zmdxlwjpyt.net | udp |
| US | 8.8.8.8:53 | hyafbvpm.net | udp |
| US | 8.8.8.8:53 | waivpb.info | udp |
| US | 8.8.8.8:53 | rmfptvkpnmaj.info | udp |
| US | 8.8.8.8:53 | yqocscgqq.info | udp |
| US | 8.8.8.8:53 | wsrmxavpkcp.info | udp |
| US | 8.8.8.8:53 | eqcsskwyyiug.org | udp |
| US | 162.249.65.164:80 | eqcsskwyyiug.org | tcp |
| US | 8.8.8.8:53 | jdritktaijkh.info | udp |
| US | 8.8.8.8:53 | gqammsuaaccs.com | udp |
| US | 8.8.8.8:53 | pgchlxgc.net | udp |
| US | 8.8.8.8:53 | dmcfjwgkhix.com | udp |
| US | 8.8.8.8:53 | dboggodwowl.net | udp |
| US | 8.8.8.8:53 | yakygg.org | udp |
| US | 8.8.8.8:53 | skcccygwsgeq.com | udp |
| US | 8.8.8.8:53 | zxroluascqyy.net | udp |
| US | 8.8.8.8:53 | eweuaigycy.org | udp |
| US | 162.249.65.164:80 | eweuaigycy.org | tcp |
| BG | 89.215.138.156:26824 | tcp | |
| US | 8.8.8.8:53 | ishstyjyxiz.net | udp |
| US | 8.8.8.8:53 | lurjzfmnqvwz.info | udp |
| US | 8.8.8.8:53 | laquzwgzt.net | udp |
| US | 8.8.8.8:53 | fdlbtbn.net | udp |
| US | 8.8.8.8:53 | ckqqaueogk.com | udp |
| US | 8.8.8.8:53 | lqlnke.net | udp |
| US | 8.8.8.8:53 | ridehuxgpun.info | udp |
| US | 8.8.8.8:53 | qxpsxp.net | udp |
| US | 8.8.8.8:53 | rgrdpwvmpxbc.net | udp |
| US | 8.8.8.8:53 | lealnqmc.net | udp |
| US | 8.8.8.8:53 | hanqpxyc.net | udp |
| US | 8.8.8.8:53 | xpbamwbey.net | udp |
| US | 8.8.8.8:53 | nwtgsqm.info | udp |
| US | 8.8.8.8:53 | esziuqkacah.net | udp |
| US | 8.8.8.8:53 | rdrsxai.info | udp |
| US | 8.8.8.8:53 | saueyckqyuqk.org | udp |
| US | 8.8.8.8:53 | tofgqpotjv.info | udp |
| US | 8.8.8.8:53 | sorsailspsq.net | udp |
| US | 8.8.8.8:53 | mozpct.info | udp |
| US | 8.8.8.8:53 | hixhjyuoqg.net | udp |
| US | 8.8.8.8:53 | hacvdbw.net | udp |
| US | 8.8.8.8:53 | fnqsmcftroxg.info | udp |
| US | 8.8.8.8:53 | bdxfxeb.com | udp |
| US | 8.8.8.8:53 | xqbizkh.com | udp |
| US | 8.8.8.8:53 | wzxqqsksmhht.net | udp |
| US | 8.8.8.8:53 | eiqlwabkgk.net | udp |
| US | 8.8.8.8:53 | ufxglbnsm.info | udp |
| US | 8.8.8.8:53 | mcqkcuicka.com | udp |
| US | 8.8.8.8:53 | kcguuuas.com | udp |
| US | 8.8.8.8:53 | hjvstwn.net | udp |
| US | 8.8.8.8:53 | jnhotjhsp.info | udp |
| US | 8.8.8.8:53 | rbzwrmhia.info | udp |
| US | 8.8.8.8:53 | tgjoaspsd.info | udp |
| US | 8.8.8.8:53 | qthhdwv.info | udp |
| US | 8.8.8.8:53 | ycaunmdur.net | udp |
| US | 8.8.8.8:53 | ukewcs.org | udp |
| US | 8.8.8.8:53 | lfciqazfif.net | udp |
| US | 8.8.8.8:53 | kkcmswukuucg.org | udp |
| US | 8.8.8.8:53 | azvezycbwg.net | udp |
| US | 8.8.8.8:53 | smgahlv.info | udp |
| US | 8.8.8.8:53 | cjjumal.net | udp |
| US | 8.8.8.8:53 | jwlmww.info | udp |
| US | 8.8.8.8:53 | jsjezazec.org | udp |
| US | 8.8.8.8:53 | rxiusoyffavj.net | udp |
| US | 8.8.8.8:53 | nyxfnzcj.info | udp |
| US | 8.8.8.8:53 | mcpyyes.net | udp |
| US | 8.8.8.8:53 | sidraijfba.info | udp |
| US | 8.8.8.8:53 | qyiwrcy.info | udp |
| US | 8.8.8.8:53 | ssqegeqoma.org | udp |
| US | 8.8.8.8:53 | jmpqoflcqb.info | udp |
| US | 8.8.8.8:53 | nizybszil.info | udp |
| US | 8.8.8.8:53 | fwcufolqfw.info | udp |
| US | 8.8.8.8:53 | csprmyfyo.info | udp |
| US | 8.8.8.8:53 | buhxjy.info | udp |
| US | 8.8.8.8:53 | fwuwczwuejl.com | udp |
| US | 8.8.8.8:53 | nczuwyhqckn.info | udp |
| US | 8.8.8.8:53 | wfhiaw.info | udp |
| US | 8.8.8.8:53 | iqsgmuyk.org | udp |
| US | 8.8.8.8:53 | ykhkvljit.info | udp |
| US | 8.8.8.8:53 | cbxctcnwzyt.net | udp |
| US | 8.8.8.8:53 | neotjkse.info | udp |
| US | 8.8.8.8:53 | fbpmabvm.net | udp |
| US | 8.8.8.8:53 | lkdaczzzwsf.org | udp |
| US | 8.8.8.8:53 | osiewamga.net | udp |
| US | 8.8.8.8:53 | zrtplqi.com | udp |
| US | 8.8.8.8:53 | ukdltgkqjoxu.net | udp |
| US | 8.8.8.8:53 | ziiyyew.org | udp |
| US | 8.8.8.8:53 | qcmuuaqiai.org | udp |
| US | 8.8.8.8:53 | maqeccwiom.org | udp |
| US | 8.8.8.8:53 | vucoearorcy.info | udp |
| US | 8.8.8.8:53 | jidptmrndrn.info | udp |
| US | 8.8.8.8:53 | nefwulmsyx.net | udp |
| US | 8.8.8.8:53 | affwbqu.net | udp |
| US | 8.8.8.8:53 | hicfognk.info | udp |
| US | 8.8.8.8:53 | wsgsgm.com | udp |
| US | 8.8.8.8:53 | lrbqxqikxvb.info | udp |
| US | 8.8.8.8:53 | mwlexaj.net | udp |
| US | 8.8.8.8:53 | znpsldu.org | udp |
| US | 162.249.65.164:80 | znpsldu.org | tcp |
| RU | 46.37.129.166:26325 | tcp | |
| US | 8.8.8.8:53 | qyodlmg.net | udp |
| US | 8.8.8.8:53 | icoakisgyg.org | udp |
| US | 8.8.8.8:53 | eqhwcizabib.net | udp |
| US | 8.8.8.8:53 | dcdfdozwwc.net | udp |
| US | 8.8.8.8:53 | nkrzvcyyty.info | udp |
| US | 8.8.8.8:53 | siqhvcvrvngy.net | udp |
| US | 8.8.8.8:53 | uqiugokgom.org | udp |
| US | 8.8.8.8:53 | lsewgqsyg.org | udp |
| US | 8.8.8.8:53 | xihyzezephg.info | udp |
| US | 8.8.8.8:53 | uzdmbbfhkzjd.net | udp |
| US | 8.8.8.8:53 | djdjhidqmwh.com | udp |
| US | 8.8.8.8:53 | xarzyoda.info | udp |
| US | 8.8.8.8:53 | eikyyyyeoi.com | udp |
| US | 8.8.8.8:53 | utjggzpczq.info | udp |
| US | 8.8.8.8:53 | tefnufrk.info | udp |
| US | 8.8.8.8:53 | dwtabhreevj.org | udp |
| US | 8.8.8.8:53 | injrpzticu.net | udp |
| US | 8.8.8.8:53 | eacukk.org | udp |
| US | 8.8.8.8:53 | uckymuoq.com | udp |
| US | 8.8.8.8:53 | dpviehriw.info | udp |
| US | 8.8.8.8:53 | vodbpsvs.info | udp |
| US | 8.8.8.8:53 | norggwya.info | udp |
| US | 8.8.8.8:53 | kmkgsypnlw.net | udp |
| US | 8.8.8.8:53 | nqexaq.info | udp |
| US | 8.8.8.8:53 | oklpbvpo.net | udp |
| US | 8.8.8.8:53 | cugcmy.org | udp |
| US | 162.249.65.164:80 | cugcmy.org | tcp |
| EG | 197.162.28.167:25828 | tcp | |
| US | 8.8.8.8:53 | lgkqfveeb.org | udp |
| US | 8.8.8.8:53 | ongvodx.net | udp |
| US | 8.8.8.8:53 | uckiuymg.com | udp |
| US | 8.8.8.8:53 | ufseryl.net | udp |
| US | 8.8.8.8:53 | kqrhhigmwu.net | udp |
| US | 8.8.8.8:53 | memgieqoag.com | udp |
| US | 8.8.8.8:53 | cocyqe.org | udp |
| US | 8.8.8.8:53 | zwuoogtp.info | udp |
| US | 8.8.8.8:53 | ptzqoattdkh.info | udp |
| US | 8.8.8.8:53 | zawufqzwz.net | udp |
| US | 8.8.8.8:53 | zchcjinclr.info | udp |
| US | 8.8.8.8:53 | pipgjuqkz.com | udp |
| US | 8.8.8.8:53 | gzrzmn.net | udp |
| US | 8.8.8.8:53 | qtfkfsl.net | udp |
| US | 8.8.8.8:53 | kxzvljbe.info | udp |
| US | 8.8.8.8:53 | raiobwskm.info | udp |
| US | 8.8.8.8:53 | bubljjwptt.info | udp |
| US | 8.8.8.8:53 | hsrugzzjifdv.info | udp |
| US | 8.8.8.8:53 | lysassfobzx.net | udp |
| US | 8.8.8.8:53 | qaiogccwyoku.org | udp |
| US | 8.8.8.8:53 | rpngwjrf.net | udp |
| US | 8.8.8.8:53 | usogcg.org | udp |
| US | 8.8.8.8:53 | fooeemnpvf.net | udp |
| US | 8.8.8.8:53 | xbdyxk.info | udp |
| US | 8.8.8.8:53 | wogqyl.net | udp |
| US | 8.8.8.8:53 | odzgbvgd.net | udp |
| US | 8.8.8.8:53 | weqioeqmayww.org | udp |
| US | 8.8.8.8:53 | zmyqegryd.com | udp |
| US | 8.8.8.8:53 | tpirofta.info | udp |
| US | 8.8.8.8:53 | vklrrkpgb.info | udp |
| US | 8.8.8.8:53 | aczwxvbote.net | udp |
| US | 8.8.8.8:53 | awdyvmrwluy.net | udp |
| US | 8.8.8.8:53 | gshqxwi.info | udp |
| US | 8.8.8.8:53 | pczqsioovn.info | udp |
| US | 8.8.8.8:53 | kcvdqev.info | udp |
| DE | 85.214.228.140:80 | pedyxcrohat.org | tcp |
| US | 8.8.8.8:53 | wzokqiypnkmr.info | udp |
| US | 8.8.8.8:53 | xpdiwoqs.info | udp |
| US | 8.8.8.8:53 | pzbgualauqp.org | udp |
| US | 8.8.8.8:53 | jtlvjszdqia.info | udp |
| US | 8.8.8.8:53 | wylodmenp.net | udp |
| US | 8.8.8.8:53 | keumgq.com | udp |
| US | 8.8.8.8:53 | geiehohtveh.net | udp |
| US | 8.8.8.8:53 | 140.228.214.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wlapddissyxr.net | udp |
| US | 8.8.8.8:53 | zgukpoc.org | udp |
| US | 8.8.8.8:53 | gyokiycm.com | udp |
| US | 8.8.8.8:53 | xbfxvwvlvq.info | udp |
| US | 8.8.8.8:53 | oyyiqyqm.com | udp |
| US | 8.8.8.8:53 | ukwmsa.org | udp |
| US | 8.8.8.8:53 | cangzuv.net | udp |
| US | 8.8.8.8:53 | cokskmswqiqg.com | udp |
| US | 8.8.8.8:53 | ebpmvoxyvfj.info | udp |
| US | 8.8.8.8:53 | sifgpql.net | udp |
| US | 8.8.8.8:53 | potupbtqjy.net | udp |
| US | 8.8.8.8:53 | nptfyjjhae.net | udp |
| US | 8.8.8.8:53 | nmmhxit.com | udp |
| US | 8.8.8.8:53 | mggkesig.com | udp |
| US | 8.8.8.8:53 | hjwuhjhg.info | udp |
| US | 8.8.8.8:53 | ringoqpsset.org | udp |
| US | 8.8.8.8:53 | owkqqy.org | udp |
| US | 8.8.8.8:53 | wiksugiosc.com | udp |
| US | 8.8.8.8:53 | tskzxkeqas.net | udp |
| US | 8.8.8.8:53 | dslmoth.org | udp |
| US | 8.8.8.8:53 | kvjrtf.net | udp |
| US | 8.8.8.8:53 | iioawywisa.com | udp |
| US | 8.8.8.8:53 | aswgpmnr.net | udp |
| US | 8.8.8.8:53 | jwbgfgeql.org | udp |
| US | 8.8.8.8:53 | rtfpamlbvu.info | udp |
| US | 8.8.8.8:53 | uifbsulfv.info | udp |
| US | 8.8.8.8:53 | mkzshdrhh.info | udp |
| US | 8.8.8.8:53 | tiyqhc.info | udp |
| US | 8.8.8.8:53 | xyzxbgdpb.net | udp |
| US | 8.8.8.8:53 | dvljzezzxntz.net | udp |
| US | 8.8.8.8:53 | tfkwzknelaz.info | udp |
| US | 8.8.8.8:53 | naeynqwvle.info | udp |
| US | 8.8.8.8:53 | pkpkqulxxup.info | udp |
| US | 8.8.8.8:53 | lkuqisha.net | udp |
| US | 8.8.8.8:53 | ylynkijh.info | udp |
| US | 8.8.8.8:53 | hctgxcnontt.net | udp |
| US | 8.8.8.8:53 | kukiqyyyss.com | udp |
| US | 8.8.8.8:53 | rackqdzkp.com | udp |
| US | 8.8.8.8:53 | dmafasjgifst.net | udp |
| US | 8.8.8.8:53 | fvpjbnnznmbz.info | udp |
| US | 8.8.8.8:53 | ulotynxl.info | udp |
| US | 8.8.8.8:53 | sihbmwbahgp.info | udp |
| US | 8.8.8.8:53 | pvjjpl.net | udp |
| US | 8.8.8.8:53 | ejdaitmphunw.net | udp |
| US | 8.8.8.8:53 | ckcqwmaq.org | udp |
| US | 8.8.8.8:53 | cohckyuoagf.net | udp |
| US | 8.8.8.8:53 | yvyxhjvlbkzg.info | udp |
| US | 8.8.8.8:53 | vjaymeuwniv.info | udp |
| US | 8.8.8.8:53 | tpuynuf.info | udp |
| US | 8.8.8.8:53 | ncdmrcpkn.info | udp |
| RU | 78.85.88.148:19772 | tcp | |
| US | 8.8.8.8:53 | lvdgxwh.net | udp |
| US | 8.8.8.8:53 | xwkrbtcq.info | udp |
| US | 8.8.8.8:53 | emgphaip.info | udp |
| US | 8.8.8.8:53 | hptwsjlsdvf.com | udp |
| US | 8.8.8.8:53 | hrouugxjd.info | udp |
| US | 8.8.8.8:53 | icwmcwsquaos.com | udp |
| US | 8.8.8.8:53 | obiyznmidc.net | udp |
| US | 8.8.8.8:53 | jfovixls.info | udp |
| US | 8.8.8.8:53 | qiofjv.info | udp |
| US | 8.8.8.8:53 | fxyaavbh.info | udp |
| US | 8.8.8.8:53 | paxfesz.net | udp |
| US | 8.8.8.8:53 | tentfybfvrts.net | udp |
| US | 8.8.8.8:53 | vcrvurd.net | udp |
| US | 8.8.8.8:53 | ubmktezas.net | udp |
| US | 8.8.8.8:53 | auivab.net | udp |
| US | 8.8.8.8:53 | tgbezcime.net | udp |
| US | 162.249.65.164:80 | cugcmy.org | tcp |
| US | 8.8.8.8:53 | rdzobezkwwd.org | udp |
| US | 8.8.8.8:53 | iogcyekuiqko.com | udp |
| US | 8.8.8.8:53 | vyjwfc.info | udp |
| US | 8.8.8.8:53 | kvhvli.net | udp |
| US | 34.211.97.45:80 | kwhfqnnejec.info | tcp |
| US | 8.8.8.8:53 | nuvifgdamtn.com | udp |
| US | 8.8.8.8:53 | tepyknfqpj.net | udp |
| US | 8.8.8.8:53 | usrknajptoc.info | udp |
| US | 8.8.8.8:53 | sdfcrpvhajbk.net | udp |
| US | 8.8.8.8:53 | zeypzyfwd.net | udp |
| US | 8.8.8.8:53 | bkiukmk.net | udp |
| US | 162.249.65.164:80 | cugcmy.org | tcp |
| LV | 194.19.247.150:19465 | tcp | |
| US | 8.8.8.8:53 | mkbwfgfja.info | udp |
| US | 8.8.8.8:53 | mwcceg.org | udp |
| US | 8.8.8.8:53 | hazzthxrziyh.net | udp |
| US | 8.8.8.8:53 | iupvlwofnqs.info | udp |
| US | 162.249.65.164:80 | cugcmy.org | tcp |
| US | 8.8.8.8:53 | ddepjzmilwnm.info | udp |
| US | 8.8.8.8:53 | xqxuokp.info | udp |
| US | 8.8.8.8:53 | avtkhyrmpe.info | udp |
| BG | 46.47.122.190:36359 | tcp | |
| US | 8.8.8.8:53 | tbljgbiadn.info | udp |
| US | 8.8.8.8:53 | amcelww.info | udp |
| US | 8.8.8.8:53 | joqukgtsi.com | udp |
| US | 8.8.8.8:53 | payknnfwd.org | udp |
| US | 8.8.8.8:53 | dglapaaeb.info | udp |
| US | 8.8.8.8:53 | myywyq.com | udp |
| US | 8.8.8.8:53 | iijeavl.info | udp |
| US | 208.100.26.245:80 | ikzszjxmq.info | tcp |
| US | 8.8.8.8:53 | tmbwtoxxnog.com | udp |
| US | 8.8.8.8:53 | qwntlbq.net | udp |
| US | 8.8.8.8:53 | mwvmbgpnnsh.info | udp |
| US | 8.8.8.8:53 | pvjwxgrwtrio.info | udp |
| US | 8.8.8.8:53 | scmqeyswwqog.org | udp |
| US | 8.8.8.8:53 | tjldthng.info | udp |
| US | 8.8.8.8:53 | cebcoetuudr.net | udp |
| US | 8.8.8.8:53 | jlxwjrscdo.net | udp |
| US | 8.8.8.8:53 | qqfyswldd.info | udp |
| US | 8.8.8.8:53 | fyluhgqubz.net | udp |
| US | 8.8.8.8:53 | hswepwt.com | udp |
| US | 8.8.8.8:53 | plyqwryarhgd.info | udp |
| US | 8.8.8.8:53 | wifqxwxsl.net | udp |
| US | 8.8.8.8:53 | zqfsuyn.org | udp |
| US | 8.8.8.8:53 | gzukviikx.net | udp |
| US | 8.8.8.8:53 | giioymcimwmg.com | udp |
| US | 8.8.8.8:53 | axdlde.info | udp |
| US | 8.8.8.8:53 | jklowhgu.info | udp |
| US | 8.8.8.8:53 | yvrnagjc.info | udp |
| US | 8.8.8.8:53 | rbbitee.net | udp |
| US | 8.8.8.8:53 | ouymmggyecsa.org | udp |
| US | 8.8.8.8:53 | esrqlplelqt.net | udp |
| US | 8.8.8.8:53 | fzfetmzob.com | udp |
| US | 8.8.8.8:53 | rukiivnqi.org | udp |
| US | 8.8.8.8:53 | jydnupwk.net | udp |
| US | 8.8.8.8:53 | vmqiyotgcmj.info | udp |
| US | 8.8.8.8:53 | frxwvzgkecgt.net | udp |
| US | 8.8.8.8:53 | kbcmkiqa.net | udp |
Files
C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
| MD5 | 5203b6ea0901877fbf2d8d6f6d8d338e |
| SHA1 | c803e92561921b38abe13239c1fd85605b570936 |
| SHA256 | 0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060 |
| SHA512 | d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471 |
C:\Windows\SysWOW64\kbwlgusiyqbxbxzsch.exe
| MD5 | 119d697d77ef4e3e1d3fc4dd8cd38c61 |
| SHA1 | d5813b6bc34f4856f267cd97ff397f19d1ad12e2 |
| SHA256 | 39009dfb1eed35a9341ff3cd4043d74eb6a77e75690369366d9f89e0b4227ec9 |
| SHA512 | dd663ee160ca0c9952500e47ca79a5b6f4f18de1e35d45ec10de2a61b4b658b6080c82b8a2c1a4dfa6141da158e077a647e8ce1c3a90b91a6d1bd579b3f02ba9 |
C:\Users\Admin\AppData\Local\Temp\inwzik.exe
| MD5 | 7f01ce4020078dfe88c53f124635ffe6 |
| SHA1 | 0b4d9bd03760e90ff7a0ab4dc892eee01c71ee47 |
| SHA256 | eb19af7b9f9049c2915c02e68354bb03353ffdc30fa041f1446a2f907e168b26 |
| SHA512 | 981d27c76b74a95b30f32634dce8869335efe0e4b9d2f2b301b785dcd70034726b56c5f2dde81801516517c1f3b211dab9448a0e99f517f1c7ff2242051903b2 |
C:\Users\Admin\AppData\Local\hjppvudefielahuytjjlrrxwf.hkg
| MD5 | 78c1edabf01589b2c017633f00186413 |
| SHA1 | bba0a56fbb56856366865dad514abf5d04b41e79 |
| SHA256 | 81ac538c05004a3b5d6cd538e99def3a89c2c56b967ec0a7075ef3115bd6c1ac |
| SHA512 | f244d1e71d2d4142539736993e454c1543b7c66bf438f9138f1d9b1090790ea882fe573560830dab6e257bdaacf6dbcadcbc37ab2f65b1159ca5d83ff2b78bae |
C:\Users\Admin\AppData\Local\mzqbscwiuiphhzxmsteritkuoamahzzrpekl.jal
| MD5 | f42f0240d244671b35fc9070021ebafe |
| SHA1 | bdc78903b638d8e2a4f1d62187036a9419c0d3b1 |
| SHA256 | 499d76a167f75fc4e859723bf95cfeddcaada6d5fea1ea093c9b9505d75e5711 |
| SHA512 | a303a200a45797aa0eb54b6e0546466a925e7cbb68e71496038c3432ec6e7f95cdf9abadacd2f7c64ec7dd6a631c0fc7a54655c9491a977a15707d39f56ad9ad |
C:\Program Files (x86)\hjppvudefielahuytjjlrrxwf.hkg
| MD5 | f61114d3dc44fab1b0e0c5da52533cc3 |
| SHA1 | 8255772a492bef27b4faaa149aacaf1eaa152c40 |
| SHA256 | d89399a0a5783cc4233999d6eedb983ddf3bddca0ab2c56385bc215ec20cb44c |
| SHA512 | 9c525568103874eefc9379e9c9309e58b8e510712301effa5f359ffb889ff3469f5badceaae210907c6a906de89e09b4310c633d2d7d13eb59409611755782c3 |
C:\Program Files (x86)\hjppvudefielahuytjjlrrxwf.hkg
| MD5 | 2e6d19b0255627d1c302641cfe5deae8 |
| SHA1 | e89388a3b8e43c09696b7d001108c71263741026 |
| SHA256 | 1fb0ceaf90f5da5600c2ff7672391499fd071be7647ff9e8e6be03731c8cc768 |
| SHA512 | 34dfb5b98430763334d093baa8165cec532cb49c64b6a4de11505d021721c737489a9b15285dbf9f28c0b5a389944b4dbc2b0984947e1a525d764e09cada74de |
C:\Program Files (x86)\hjppvudefielahuytjjlrrxwf.hkg
| MD5 | 1a1404f7bddafbebfb7e52ec80bf0a75 |
| SHA1 | bca1c33ce8f56ccb8f96a35b74bb4f77c2fe0dee |
| SHA256 | bc3e914e41f860ad412d663045d9a071ecef1ac80a35b8692bc1fd0cc3df869a |
| SHA512 | 035baad65e20d804f9439019b5b49cb6de74f5d19cdbf2fb8629ae4a9e4c8c1a039a9aff4366e31eb49c60fa37b8c98426dfd458874f65a32caea9471a25737f |
C:\Program Files (x86)\hjppvudefielahuytjjlrrxwf.hkg
| MD5 | 313728018cbc3aa5e0ddbf0662900ea0 |
| SHA1 | c6b7ec5dc47996c5dc5c3aa9d876068a7f36b9e2 |
| SHA256 | a480bfda5e71ba10888a91b6d0953dfa0d298ad73a880506a6258cb24b6bc94e |
| SHA512 | 0ad45057a4898ce11f819e2dd0f0b50cba5e543690952a54df965d6e3e8ad2a000673e491948c25e64e150c4fd095fa577b95b33b44f2ff466943ebebc527a0a |
C:\Program Files (x86)\hjppvudefielahuytjjlrrxwf.hkg
| MD5 | 80cbf8c71336b94330b288e739899c53 |
| SHA1 | c83ed62c16e63b12c74ac247ecbcf90826004be8 |
| SHA256 | 3df825d579321ac52da4fefecf26a06bcacbd07886dcf466bf9bcb1f35b6d322 |
| SHA512 | cccd0aab27da6e948acd8a903c0edf65d4b0024a0438a9aee6282a5a328ce0a7793ed68ed21b22b1e2356cd64cd25aa8a79bf46032f0116c759a70a274d66402 |
C:\Program Files (x86)\hjppvudefielahuytjjlrrxwf.hkg
| MD5 | d4b7ed96673d66ffb7487f0868a34392 |
| SHA1 | 6a19c50213e5cb8e89d504992fb887988f0a6750 |
| SHA256 | 8de70dc5d885624dcd3a938c6f13ae438d8001bcc6f072b61b2f7af8564f705a |
| SHA512 | 032ad5c9743412708f06d2e52e2b30fd54447beda8ee4606f232a096c2564d18503d838e89a1ef7a3b5448933f2ea0d337fc6474cbd0c7fbfda48dbd71d39dea |