Malware Analysis Report

2025-03-15 00:56

Sample ID 240626-l4b7hssbqj
Target 119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118
SHA256 39009dfb1eed35a9341ff3cd4043d74eb6a77e75690369366d9f89e0b4227ec9
Tags
defense_evasion evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

39009dfb1eed35a9341ff3cd4043d74eb6a77e75690369366d9f89e0b4227ec9

Threat Level: Known bad

The file 119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion evasion persistence trojan

Modifies WinLogon for persistence

UAC bypass

Adds policy Run key to start application

Disables RegEdit via registry modification

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Impair Defenses: Safe Mode Boot

Checks whether UAC is enabled

Looks up external IP address via web service

Adds Run key to start application

Drops file in System32 directory

Drops autorun.inf file

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 10:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 10:04

Reported

2024-06-26 10:07

Platform

win7-20240220-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jawungcunhmqcfddnafw.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwlcoapamzxuz = "cqjeukdsizbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lauqhysizruwghdbju.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jawungcunhmqcfddnafw.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwlcoapamzxuz = "viaujyqetjkksrlh.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmhewojaslpsdfcbkwa.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lauqhysizruwghdbju.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwlcoapamzxuz = "yqnmgaxqkflqdhghsgmeb.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\viaujyqetjkksrlh.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lauqhysizruwghdbju.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwlcoapamzxuz = "wmhewojaslpsdfcbkwa.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqnmgaxqkflqdhghsgmeb.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwlcoapamzxuz = "cqjeukdsizbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmhewojaslpsdfcbkwa.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwlcoapamzxuz = "jawungcunhmqcfddnafw.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwlcoapamzxuz = "yqnmgaxqkflqdhghsgmeb.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwlcoapamzxuz = "lauqhysizruwghdbju.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\viaujyqetjkksrlh.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mwlcoapamzxuz = "cqjeukdsizbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqnmgaxqkflqdhghsgmeb.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqjeukdsizbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lauqhysizruwghdbju.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqjeukdsizbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqjeukdsizbcllgdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmhewojaslpsdfcbkwa.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqjeukdsizbcllgdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmhewojaslpsdfcbkwa.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lauqhysizruwghdbju.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "wmhewojaslpsdfcbkwa.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viaujyqetjkksrlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqnmgaxqkflqdhghsgmeb.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viaujyqetjkksrlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lauqhysizruwghdbju.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "yqnmgaxqkflqdhghsgmeb.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viaujyqetjkksrlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jawungcunhmqcfddnafw.exe ." C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqjeukdsizbcllgdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jawungcunhmqcfddnafw.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viaujyqetjkksrlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmhewojaslpsdfcbkwa.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqjeukdsizbcllgdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqjeukdsizbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "yqnmgaxqkflqdhghsgmeb.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "yqnmgaxqkflqdhghsgmeb.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqnmgaxqkflqdhghsgmeb.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viaujyqetjkksrlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqnmgaxqkflqdhghsgmeb.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "wmhewojaslpsdfcbkwa.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\nyogtgwivjigmj = "wmhewojaslpsdfcbkwa.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqjeukdsizbcllgdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqnmgaxqkflqdhghsgmeb.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqjeukdsizbcllgdk.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqjeukdsizbcllgdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqjeukdsizbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqjeukdsizbcllgdk.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "jawungcunhmqcfddnafw.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\nyogtgwivjigmj = "jawungcunhmqcfddnafw.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qctmaofsgvvubzs = "jawungcunhmqcfddnafw.exe ." C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqjeukdsizbcllgdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lauqhysizruwghdbju.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\nyogtgwivjigmj = "yqnmgaxqkflqdhghsgmeb.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qctmaofsgvvubzs = "wmhewojaslpsdfcbkwa.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\nyogtgwivjigmj = "viaujyqetjkksrlh.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jawungcunhmqcfddnafw.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qctmaofsgvvubzs = "yqnmgaxqkflqdhghsgmeb.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qctmaofsgvvubzs = "cqjeukdsizbcllgdk.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "viaujyqetjkksrlh.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "lauqhysizruwghdbju.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqjeukdsizbcllgdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmhewojaslpsdfcbkwa.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viaujyqetjkksrlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\viaujyqetjkksrlh.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqnmgaxqkflqdhghsgmeb.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "yqnmgaxqkflqdhghsgmeb.exe ." C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lauqhysizruwghdbju.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmhewojaslpsdfcbkwa.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqnmgaxqkflqdhghsgmeb.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "jawungcunhmqcfddnafw.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qctmaofsgvvubzs = "lauqhysizruwghdbju.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qctmaofsgvvubzs = "jawungcunhmqcfddnafw.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\nyogtgwivjigmj = "wmhewojaslpsdfcbkwa.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "viaujyqetjkksrlh.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\nyogtgwivjigmj = "viaujyqetjkksrlh.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqjeukdsizbcllgdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lauqhysizruwghdbju.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "cqjeukdsizbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmhewojaslpsdfcbkwa.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqjeukdsizbcllgdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jawungcunhmqcfddnafw.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viaujyqetjkksrlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqnmgaxqkflqdhghsgmeb.exe ." C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\nyogtgwivjigmj = "cqjeukdsizbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "wmhewojaslpsdfcbkwa.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\viaujyqetjkksrlh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqjeukdsizbcllgdk.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\nyogtgwivjigmj = "lauqhysizruwghdbju.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmhewojaslpsdfcbkwa.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qctmaofsgvvubzs = "yqnmgaxqkflqdhghsgmeb.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cqjeukdsizbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmhewojaslpsdfcbkwa.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "jawungcunhmqcfddnafw.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qctmaofsgvvubzs = "wmhewojaslpsdfcbkwa.exe ." C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "C:\\Users\\Admin\\AppData\\Local\\Temp\\viaujyqetjkksrlh.exe ." C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "jawungcunhmqcfddnafw.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qylakuhqalh = "cqjeukdsizbcllgdk.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
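
Analyst note, added here and not part of the sandbox output or of the sample: the seven registry tables above (Winlogon, UAC bypass, policy Run key, DisableRegistryTools, Safe Mode, Run key, UAC check) are one event stream cut by signature, and the state the host is left in is easier to judge once they are folded back together. The helper below parses rows in the report's own "Set value" / "Key deleted" / "Key value queried" layout, keeps the last write per value path, and reports what the surviving values mean. It also encodes three caveats a responder should carry into the findings. First, the "UAC bypass" rows are a disable, not a bypass: EnableLUA, ConsentPromptBehaviorAdmin, ConsentPromptBehaviorUser and PromptOnSecureDesktop live under HKLM, so the writer already held administrator rights in this detonation, and EnableLUA=0 only takes effect after a reboot. Second, the Winlogon\Shell write stores "Explorer.exe", which is the stock value, and lands in the Wow6432Node view of the key because the sample is a 32-bit process on a 64-bit guest (the same redirection that puts its drops under SysWOW64); that view is not the one the native 64-bit winlogon.exe reads, so the indicator is that an executable in %TEMP% wrote the value at all, not the value itself. The Run/RunOnce entries in the Wow6432Node view, by contrast, still fire at logon. Third, deleting WinDefend, ProfSvc and Power from SafeBoot\Minimal stops those services from being started in Safe Mode. The embedded rows are copied from the tables above (a constructed subset; paste the full tables into triage() for the complete picture), and the per-value meanings in POLICY_CHECKS are my reading of the documented UAC policy values, not sandbox output.

```python
import re

# Constructed input: rows copied from the behavioral1 signature tables above, in the
# report's own "Description Indicator Process Target" layout, one row per line.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vcoclugoxh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jawungcunhmqcfddnafw.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cqjeukdsizbcllgdk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wmhewojaslpsdfcbkwa.exe" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nwkalwkufrok = "wmhewojaslpsdfcbkwa.exe ." C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
"""

# Row shapes: Set value (<type>) <key> = "<value>" <process> <target>  |  Key <op> <key> <process> <target>
SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.*) = "(?P<value>.*)" (?P<proc>\S+) (?P<target>\S+)$')
KEY_RE = re.compile(r'^Key (?P<op>created|deleted|value queried) (?P<key>\\REGISTRY\\.*) (?P<proc>\S+) (?P<target>\S+)$')
HIVES = {"\\REGISTRY\\MACHINE\\": "HKLM\\", "\\REGISTRY\\USER\\": "HKU\\"}  # kernel path -> analyst shorthand

# Value name under ...\Policies\System -> (setting that weakens the control, what it means).
# Meanings are my reading of the documented UAC policy values, not sandbox output.
POLICY_CHECKS = {
    "EnableLUA": ("0", "UAC disabled entirely (takes effect at next boot)"),
    "ConsentPromptBehaviorAdmin": ("0", "administrators elevate with no prompt"),
    "ConsentPromptBehaviorUser": ("0", "standard users' elevation requests auto-denied"),
    "PromptOnSecureDesktop": ("0", "elevation prompts moved off the secure desktop"),
    "DisableRegistryTools": ("1", "regedit.exe blocked by policy"),
}
AUTOSTART_MARKERS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\",
                     "\\Policies\\Explorer\\Run\\", "\\Winlogon\\Shell")
SAFEBOOT = "\\Control\\SafeBoot\\Minimal\\"


def normalize_key(raw):
    for prefix, hive in HIVES.items():
        if raw.startswith(prefix):
            return hive + raw[len(prefix):]
    return raw


def parse_rows(text):
    """Flat signature rows -> registry events; rows of any other shape are skipped."""
    events = []
    for line in text.splitlines():
        m = SET_RE.match(line.strip())
        if m:  # the report doubles backslashes inside quoted values; undo that
            events.append({"op": "set", "key": normalize_key(m["key"]),
                           "value": m["value"].replace("\\\\", "\\"), "proc": m["proc"]})
            continue
        m = KEY_RE.match(line.strip())
        if m:
            events.append({"op": m["op"], "key": normalize_key(m["key"]),
                           "value": None, "proc": m["proc"]})
    return events


def final_state(events):
    """Last write wins: the value each path holds once the run is over."""
    return {e["key"]: e["value"] for e in events if e["op"] == "set"}


def assess_policies(state):
    """(path, meaning) for every policy value left in a weakened position."""
    findings = []
    for path, value in state.items():
        name = path.rsplit("\\", 1)[-1]
        if "\\Policies\\System\\" in path and name in POLICY_CHECKS:
            weak, meaning = POLICY_CHECKS[name]
            if value == weak:
                findings.append((path, meaning))
    return findings


def safeboot_removed(events):
    """Services whose SafeBoot\\Minimal key was deleted: they will not start in Safe Mode."""
    return sorted({e["key"].rsplit("\\", 1)[-1]
                   for e in events if e["op"] == "deleted" and SAFEBOOT in e["key"]})


def autostart_entries(state):
    """Autostart values left behind. wow64_view: path is in the Wow6432Node view (32-bit writer
    on 64-bit Windows). default_value: a Winlogon\\Shell write that holds the stock value."""
    out = []
    for path, value in state.items():
        if any(marker in path for marker in AUTOSTART_MARKERS):
            out.append({"path": path, "command": value,
                        "wow64_view": "\\Wow6432Node\\" in path,
                        "default_value": path.endswith("\\Winlogon\\Shell")
                        and value.lower() == "explorer.exe"})
    return sorted(out, key=lambda entry: entry["path"])


def triage(text):
    """One summary per report: event count, writers, weakened policies, Safe Mode damage, autostarts."""
    events = parse_rows(text)
    state = final_state(events)
    return {"events": len(events), "writers": sorted({e["proc"] for e in events}),
            "policy_findings": assess_policies(state),
            "safeboot_removed": safeboot_removed(events),
            "autostart": autostart_entries(state)}
```

triage(SAMPLE_ROWS) returns a dict; the "policy_findings" list is what goes into the incident record, "safeboot_removed" is what a cleanup boot has to restore before Safe Mode is useful again, and the "autostart" entries are the paths to clear on the host (the HKU entries carry the victim's SID, so expect a different SID outside the sandbox).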

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyip.everdot.org N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A www.showmyipaddress.com N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\pqwehkqsvzocyltdxujkqybekm.tiw C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\SysWOW64\viaujyqetjkksrlh.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\piggbwuojfmsgllnzovomm.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\wmhewojaslpsdfcbkwa.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\yqnmgaxqkflqdhghsgmeb.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\SysWOW64\qctmaofsgvvubzsnsaamdwkypcqffeljcxckk.ngu C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\SysWOW64\piggbwuojfmsgllnzovomm.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\cqjeukdsizbcllgdk.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File created C:\Windows\SysWOW64\pqwehkqsvzocyltdxujkqybekm.tiw C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\SysWOW64\cqjeukdsizbcllgdk.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\jawungcunhmqcfddnafw.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\viaujyqetjkksrlh.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\SysWOW64\cqjeukdsizbcllgdk.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\SysWOW64\yqnmgaxqkflqdhghsgmeb.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\SysWOW64\piggbwuojfmsgllnzovomm.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\SysWOW64\yqnmgaxqkflqdhghsgmeb.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\jawungcunhmqcfddnafw.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\SysWOW64\jawungcunhmqcfddnafw.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File created C:\Windows\SysWOW64\qctmaofsgvvubzsnsaamdwkypcqffeljcxckk.ngu C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\SysWOW64\wmhewojaslpsdfcbkwa.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\jawungcunhmqcfddnafw.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\viaujyqetjkksrlh.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\cqjeukdsizbcllgdk.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\lauqhysizruwghdbju.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\lauqhysizruwghdbju.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\SysWOW64\wmhewojaslpsdfcbkwa.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\SysWOW64\piggbwuojfmsgllnzovomm.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\SysWOW64\lauqhysizruwghdbju.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\SysWOW64\wmhewojaslpsdfcbkwa.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\SysWOW64\lauqhysizruwghdbju.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\SysWOW64\viaujyqetjkksrlh.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\SysWOW64\yqnmgaxqkflqdhghsgmeb.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\pqwehkqsvzocyltdxujkqybekm.tiw C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File created C:\Program Files (x86)\pqwehkqsvzocyltdxujkqybekm.tiw C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Program Files (x86)\qctmaofsgvvubzsnsaamdwkypcqffeljcxckk.ngu C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File created C:\Program Files (x86)\qctmaofsgvvubzsnsaamdwkypcqffeljcxckk.ngu C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\lauqhysizruwghdbju.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\wmhewojaslpsdfcbkwa.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\cqjeukdsizbcllgdk.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\piggbwuojfmsgllnzovomm.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File created C:\Windows\pqwehkqsvzocyltdxujkqybekm.tiw C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\viaujyqetjkksrlh.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\jawungcunhmqcfddnafw.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\viaujyqetjkksrlh.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\wmhewojaslpsdfcbkwa.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\jawungcunhmqcfddnafw.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\lauqhysizruwghdbju.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\wmhewojaslpsdfcbkwa.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\piggbwuojfmsgllnzovomm.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\cqjeukdsizbcllgdk.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\viaujyqetjkksrlh.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File created C:\Windows\qctmaofsgvvubzsnsaamdwkypcqffeljcxckk.ngu C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\cqjeukdsizbcllgdk.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\jawungcunhmqcfddnafw.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\viaujyqetjkksrlh.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\yqnmgaxqkflqdhghsgmeb.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\yqnmgaxqkflqdhghsgmeb.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\piggbwuojfmsgllnzovomm.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\yqnmgaxqkflqdhghsgmeb.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\piggbwuojfmsgllnzovomm.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\wmhewojaslpsdfcbkwa.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\yqnmgaxqkflqdhghsgmeb.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\jawungcunhmqcfddnafw.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
File opened for modification C:\Windows\cqjeukdsizbcllgdk.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\lauqhysizruwghdbju.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\lauqhysizruwghdbju.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\pqwehkqsvzocyltdxujkqybekm.tiw C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
File opened for modification C:\Windows\qctmaofsgvvubzsnsaamdwkypcqffeljcxckk.ngu C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2732 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe
PID 2732 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe
PID 2732 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe
PID 2732 wrote to memory of 2840 N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe
PID 2840 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe
PID 2840 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe
PID 2840 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe
PID 2840 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe
PID 2840 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe
PID 2840 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe
PID 2840 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe
PID 2840 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe C:\Users\Admin\AppData\Local\Temp\wajuagp.exe
PID 2732 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe
PID 2732 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe
PID 2732 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe
PID 2732 wrote to memory of 1036 N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe

"C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe" "c:\users\admin\appdata\local\temp\119d697d77ef4e3e1d3fc4dd8cd38c61_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\wajuagp.exe

"C:\Users\Admin\AppData\Local\Temp\wajuagp.exe" "-C:\Users\Admin\AppData\Local\Temp\viaujyqetjkksrlh.exe"

C:\Users\Admin\AppData\Local\Temp\wajuagp.exe

"C:\Users\Admin\AppData\Local\Temp\wajuagp.exe" "-C:\Users\Admin\AppData\Local\Temp\viaujyqetjkksrlh.exe"

C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe

"C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe" "c:\users\admin\appdata\local\temp\119d697d77ef4e3e1d3fc4dd8cd38c61_jaffacakes118.exe"
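The WriteProcessMemory rows above carry PIDs while the Processes list carries command lines, and the report repeats each PID pair four times, so the launch chain is easier to read once the rows are reduced to a tree. The Python below is an added example, not part of the sandbox report: it rebuilds the parent/child tree from rows in the exact shape shown, counts the write events per edge, and collects the distinct argument strings each image was started with. Because the report gives no PIDs for the command lines, arguments are attached by image name; that mapping is an assumption of the example. A caveat that belongs with this table: a parent writing into a child it has just created is also what ordinary process creation looks like, so these rows establish lineage and only suggest injection where the target is a process the writer did not start.

```python
import re
from collections import Counter, defaultdict

# Row shape of the "Suspicious use of WriteProcessMemory" table above:
#   PID <writer> wrote to memory of <target> N/A <writer image> <target image>
WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)$")
# First quoted token of a command line is the image; whatever follows is its arguments.
CMD_RE = re.compile(r'^"([^"]+)"\s*(.*)$')

# Constructed from the rows on this page; the report lists the 2732 -> 2840 pair four times.
_TEMP = r"C:\Users\Admin\AppData\Local\Temp"
_SAMPLE = _TEMP + r"\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe"
SAMPLE_WRITES = [f"PID 2732 wrote to memory of 2840 N/A {_SAMPLE} {_TEMP}\\bwztizaelgj.exe"] * 4 + [
    f"PID 2840 wrote to memory of 2700 N/A {_TEMP}\\bwztizaelgj.exe {_TEMP}\\wajuagp.exe",
    f"PID 2840 wrote to memory of 2508 N/A {_TEMP}\\bwztizaelgj.exe {_TEMP}\\wajuagp.exe",
    f"PID 2732 wrote to memory of 1036 N/A {_SAMPLE} {_TEMP}\\bwztizaelgj.exe",
]
# Command lines from the Processes list; the report gives them without PIDs (assumption: match by image).
SAMPLE_CMDLINES = [
    f'"{_SAMPLE}"',
    f'"{_TEMP}\\bwztizaelgj.exe" "c:\\users\\admin\\appdata\\local\\temp\\119d697d77ef4e3e1d3fc4dd8cd38c61_jaffacakes118.exe*"',
    f'"{_TEMP}\\wajuagp.exe" "-{_TEMP}\\viaujyqetjkksrlh.exe"',
    f'"{_TEMP}\\wajuagp.exe" "-{_TEMP}\\viaujyqetjkksrlh.exe"',
    f'"{_TEMP}\\bwztizaelgj.exe" "c:\\users\\admin\\appdata\\local\\temp\\119d697d77ef4e3e1d3fc4dd8cd38c61_jaffacakes118.exe"',
]


def build_tree(rows):
    """Parse write rows into pid -> image, (writer, target) -> event count, and parent -> children."""
    image, writes, children = {}, Counter(), defaultdict(set)
    for row in rows:
        m = WRITE_RE.match(row.strip())
        if not m:
            continue
        writer, target = int(m.group(1)), int(m.group(2))
        image[writer] = m.group(3).rsplit("\\", 1)[1]
        image[target] = m.group(4).rsplit("\\", 1)[1]
        writes[(writer, target)] += 1          # repeated rows become a count, not duplicate edges
        if writer != target:
            children[writer].add(target)
    return {"image": image, "writes": writes, "children": {p: sorted(c) for p, c in children.items()}}


def roots(tree):
    """PIDs that were never written to by another process: the top of each chain."""
    targets = {c for cs in tree["children"].values() for c in cs}
    return sorted(p for p in tree["image"] if p not in targets)


def observed_arguments(cmdlines):
    """Image name -> distinct argument strings it was launched with."""
    args = defaultdict(set)
    for cmd in cmdlines:
        m = CMD_RE.match(cmd)
        if m:
            args[m.group(1).rsplit("\\", 1)[1]].add(m.group(2))
    return {img: sorted(a) for img, a in args.items()}


def render(tree, pid, cmd_args=None, depth=0, parent=None):
    """Indented lines for the subtree at pid, annotated with write counts and observed arguments."""
    image = tree["image"][pid]
    label = f"{'  ' * depth}{pid} {image}"
    if parent is not None:
        label += f"  [{tree['writes'][(parent, pid)]} write events from {parent}]"
    lines = [label]
    for arg in (cmd_args or {}).get(image, []):
        if arg:
            lines.append(f"{'  ' * (depth + 1)}args: {arg}")
    for child in tree["children"].get(pid, []):
        lines.extend(render(tree, child, cmd_args, depth + 1, pid))
    return lines


if __name__ == "__main__":
    tree = build_tree(SAMPLE_WRITES)
    for root in roots(tree):
        print("\n".join(render(tree, root, observed_arguments(SAMPLE_CMDLINES))))
```

Run stand-alone it prints the sample's chain: the submitted binary starts two copies of bwztizaelgj.exe (one with its own path followed by `*`), and the first of those starts two copies of wajuagp.exe with a `-`-prefixed path argument.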

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 www.whatismyip.com udp
US 104.27.207.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.27.207.92:80 www.whatismyip.com tcp
US 104.27.207.92:80 www.whatismyip.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.27.207.92:80 www.whatismyip.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.27.207.92:80 www.whatismyip.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.27.207.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.myspace.com udp
US 34.111.176.156:80 www.myspace.com tcp
EG 41.196.181.116:21271 tcp
US 8.8.8.8:53 vsdgddzap.org udp
US 162.249.65.164:80 vsdgddzap.org tcp
US 8.8.8.8:53 okgawo.com udp
US 8.8.8.8:53 dzuzrg.info udp
IT 87.120.81.208:33558 tcp
US 8.8.8.8:53 fthwmiym.net udp
US 8.8.8.8:53 kwhfqnnejec.info udp
US 34.211.97.45:80 kwhfqnnejec.info tcp
US 8.8.8.8:53 tepyknfqpj.net udp
US 8.8.8.8:53 eomqiyui.org udp
US 162.249.65.164:80 eomqiyui.org tcp
BG 95.43.42.86:37703 tcp
US 8.8.8.8:53 vupwbcmwhchx.info udp
US 8.8.8.8:53 prdtgxaz.info udp
US 8.8.8.8:53 umckwaoo.com udp
MD 89.149.97.4:38927 tcp
US 8.8.8.8:53 iiljlpjlejfh.net udp
US 8.8.8.8:53 hazzthxrziyh.net udp
US 8.8.8.8:53 krzzzlbqlm.net udp
US 8.8.8.8:53 wdqzak.info udp
US 8.8.8.8:53 hhkvhrpast.info udp
LT 78.61.122.246:36338 tcp
US 8.8.8.8:53 jawzfnq.org udp
US 162.249.65.164:80 jawzfnq.org tcp
US 8.8.8.8:53 dqlfhoz.org udp
FR 88.213.228.136:29152 tcp
US 8.8.8.8:53 tbljgbiadn.info udp
US 8.8.8.8:53 qaxyvsymzas.info udp
US 8.8.8.8:53 esikaeyw.org udp
US 8.8.8.8:53 gybkkuekoig.net udp
US 8.8.8.8:53 ikzszjxmq.info udp
US 208.100.26.245:80 ikzszjxmq.info tcp
US 8.8.8.8:53 bfbajlfop.com udp
US 8.8.8.8:53 bcxkxkjwfcy.net udp
US 8.8.8.8:53 kumwqauksm.com udp
LV 194.19.247.150:19465 tcp
US 8.8.8.8:53 hkzpou.net udp
US 8.8.8.8:53 nibgvqqbg.net udp
US 8.8.8.8:53 nrhguvbcvdds.net udp
US 8.8.8.8:53 dmnabmbkfebu.net udp
US 8.8.8.8:53 wjzlzlrc.info udp
RO 188.173.109.176:40325 tcp
US 8.8.8.8:53 bfnkdfbtnuch.info udp
US 8.8.8.8:53 kwckumqq.org udp
US 8.8.8.8:53 vvnyfkdnjb.net udp
US 8.8.8.8:53 bznxfufj.net udp
GR 195.97.108.248:18645 tcp
US 8.8.8.8:53 hswepwt.com udp
US 8.8.8.8:53 actwoqxmp.net udp
FR 88.213.228.136:29152 tcp
US 8.8.8.8:53 coahuct.net udp
US 8.8.8.8:53 bvncnlle.net udp
US 8.8.8.8:53 hkyxoq.net udp
US 8.8.8.8:53 huvibmcyr.com udp
US 8.8.8.8:53 bkjahm.info udp
US 8.8.8.8:53 uqmmeguw.com udp
US 8.8.8.8:53 kifwpkacq.info udp
US 8.8.8.8:53 uxxemyqar.net udp
US 8.8.8.8:53 kyvoyzx.info udp
BG 90.154.234.86:43662 tcp
US 8.8.8.8:53 swkoukockemu.org udp
US 8.8.8.8:53 yvrnagjc.info udp
US 8.8.8.8:53 atierp.info udp
US 8.8.8.8:53 fmllrsnh.info udp
ES 81.172.9.69:14608 tcp
US 8.8.8.8:53 jydnupwk.net udp
US 8.8.8.8:53 sibwxylmi.net udp
US 88.216.101.148:41213 tcp
US 8.8.8.8:53 njpbxbpb.net udp
US 8.8.8.8:53 fmypvadav.info udp
US 8.8.8.8:53 zifajtgr.net udp
BG 85.239.148.214:20967 tcp
US 8.8.8.8:53 lzzqgigv.info udp
US 8.8.8.8:53 qgqsiawgwkum.com udp
US 8.8.8.8:53 krufud.info udp
BE 109.89.182.248:28942 tcp
US 8.8.8.8:53 xircigkoicc.net udp
US 8.8.8.8:53 ocgycuqsec.com udp
US 8.8.8.8:53 ostdxxh.info udp
BG 178.254.249.210:30057 tcp
US 8.8.8.8:53 pjpdjv.net udp
US 8.8.8.8:53 vupryswurgx.com udp
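The Network table mixes three kinds of traffic: lookups of external-IP web services (the basis of the "Looks up external IP address via web service" signature), DNS queries for domains that are never followed by a connection, and TCP connections made straight to an address on a high port with no domain at all, spread across many countries. The Python below is an added example, not part of the sandbox report; it parses rows in the table's own format and separates those groups, and also reports resolved addresses shared by several of the queried domains (in the table, 162.249.65.164 answers for three of them). The list of IP-check services is ours, seeded with the five that appear on this page, and the sample rows are a subset copied from the table.

```python
from collections import defaultdict

# Well-known external-IP lookup services. The first five appear in the table above; the rest are our additions.
IP_CHECK_SERVICES = {
    "whatismyip.com", "whatismyipaddress.com", "whatismyip.ca", "showmyipaddress.com",
    "whatismyip.everdot.org", "checkip.dyndns.org", "icanhazip.com", "api.ipify.org", "ipinfo.io",
}

# Constructed subset of the Network table: "<country> <ip>:<port> [<domain>] <proto>".
SAMPLE_NETWORK = """
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 www.whatismyip.com udp
US 104.27.207.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.myspace.com udp
US 34.111.176.156:80 www.myspace.com tcp
EG 41.196.181.116:21271 tcp
US 8.8.8.8:53 vsdgddzap.org udp
US 162.249.65.164:80 vsdgddzap.org tcp
US 8.8.8.8:53 okgawo.com udp
US 8.8.8.8:53 dzuzrg.info udp
IT 87.120.81.208:33558 tcp
US 8.8.8.8:53 fthwmiym.net udp
US 8.8.8.8:53 kwhfqnnejec.info udp
US 34.211.97.45:80 kwhfqnnejec.info tcp
US 8.8.8.8:53 eomqiyui.org udp
US 162.249.65.164:80 eomqiyui.org tcp
BG 95.43.42.86:37703 tcp
US 8.8.8.8:53 jawzfnq.org udp
US 162.249.65.164:80 jawzfnq.org tcp
FR 88.213.228.136:29152 tcp
FR 88.213.228.136:29152 tcp
"""


def parse_rows(text):
    """Parse report rows; a three-field row is a connection the sandbox recorded without a domain."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = None
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def is_ip_check(domain):
    host = domain.lower()
    return host in IP_CHECK_SERVICES or (host.startswith("www.") and host[4:] in IP_CHECK_SERVICES)


def analyze(rows):
    queried, connected = set(), defaultdict(set)    # DNS queries; domain -> addresses connected to
    direct, ip_domains = set(), defaultdict(set)    # (country, ip, port) with no domain; ip -> domains
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            queried.add(r["domain"])
        elif r["proto"] == "tcp" and r["domain"]:
            connected[r["domain"]].add(r["ip"])
            ip_domains[r["ip"]].add(r["domain"])
        elif r["proto"] == "tcp":
            direct.add((r["country"], r["ip"], r["port"]))
    return {
        "ip_check": sorted(d for d in queried | set(connected) if is_ip_check(d)),
        "dns_only": sorted(d for d in queried if d not in connected and not is_ip_check(d)),
        "direct_ip": sorted(direct),
        "shared_ips": {ip: sorted(ds) for ip, ds in ip_domains.items() if len(ds) > 1},
    }


if __name__ == "__main__":
    for group, items in analyze(parse_rows(SAMPLE_NETWORK)).items():
        print(f"{group}: {items}")
```

The dns_only and direct_ip groups are the ones worth carrying into network detection: the former is a list of names to watch for in resolver logs, the latter a set of country/port combinations that no legitimate process on the host should be producing.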

Files

\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe

MD5 5203b6ea0901877fbf2d8d6f6d8d338e
SHA1 c803e92561921b38abe13239c1fd85605b570936
SHA256 0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060
SHA512 d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471

C:\Windows\SysWOW64\lauqhysizruwghdbju.exe

MD5 119d697d77ef4e3e1d3fc4dd8cd38c61
SHA1 d5813b6bc34f4856f267cd97ff397f19d1ad12e2
SHA256 39009dfb1eed35a9341ff3cd4043d74eb6a77e75690369366d9f89e0b4227ec9
SHA512 dd663ee160ca0c9952500e47ca79a5b6f4f18de1e35d45ec10de2a61b4b658b6080c82b8a2c1a4dfa6141da158e077a647e8ce1c3a90b91a6d1bd579b3f02ba9

\Users\Admin\AppData\Local\Temp\wajuagp.exe

MD5 2a82cc530bc71a4e729d806f51d50ed5
SHA1 be807cf095f7fc22155246f228c620af00fd559a
SHA256 9b61ed505691f6b92304be9a84a4da44696b2e3d37fe14415b11d382939fc9df
SHA512 3868c9a2e348cef895871f9e4b1a667f12a91d247aa22bf1ad87df8ae8d5695291d4cfebfdde2e36b2da6216b9742187d01f87aaa7de91091850ae56c8fdbf7e

C:\Users\Admin\AppData\Local\pqwehkqsvzocyltdxujkqybekm.tiw

MD5 abc410a1591647eed43f15344620a2bc
SHA1 5ffecd135fd890a2a9fc1b85a120e046ce849c64
SHA256 c2b05447314f47d839179b0c6a10c42fd75b075c1cf261adb2aaea221909af25
SHA512 04cbaffb28463eef5de7984ca1969f1fc473056d1f3a344daa5813a3279882681d1677aca4d42e5a39b6d303308a7731be338b54f3eababbc5d87ed74fa32a99

C:\Users\Admin\AppData\Local\qctmaofsgvvubzsnsaamdwkypcqffeljcxckk.ngu

MD5 b636973d98954d636b50cff67cab174e
SHA1 62ff88f9507a28c04b78e56a13285ece0c19a7e6
SHA256 f1069a485c92db455a024bdd5f17cd89977aeddf665bb61b5ed1b5b01f4300d4
SHA512 6e0587b531e41a04830a764f9f564338f9deff1b03e88e9ab7f466be75bc18c776cdef266dcaf1bbfa390657ce4e2d57915c90ed2c13db2c08587d600edd06ff

C:\Program Files (x86)\pqwehkqsvzocyltdxujkqybekm.tiw

MD5 8cfa27375b4a50a14d1e54b743a15fee
SHA1 8d6eb50e02b4214b64c8d4b27e5b059db6ea127e
SHA256 7d5a95dab19dbd872c40d7b36eb5a9fda53314c4eac87d7dbb1529d23a798ec5
SHA512 1aab6db1b4f1e84960c761e83bdb0faf025254addea53d4648f5d1d61ab1a32b106474df624ab54464d88fe7d8ab89fcaf53669baf7aace3e17e5775ef9dcacb

C:\Program Files (x86)\pqwehkqsvzocyltdxujkqybekm.tiw

MD5 b5ca00ab85bd076f76a5e47bdcfdc9be
SHA1 4c5769e25ee5d3a06c317dd8237442c85baafb6f
SHA256 224e44ed82a69aa32767712ffe24f4775bdaabfcd0c56f9b60127ab51b3f6708
SHA512 1aa2ea083ab7049fd675672875bf205b0482cd5c3a50c8a9059d3d91dcf8ff316ef49bdbca7f335f3cade3e7cf5b994c01cc11d4e3faf7e559cf79278562dcdc

C:\Program Files (x86)\pqwehkqsvzocyltdxujkqybekm.tiw

MD5 c54bc7e62ca08a19525f5f95912173d8
SHA1 9a5d00214b4d6fb06c222b4603b1377e2e95b1c7
SHA256 5069839f0a17c5e0676ccfb8b65d00a08aca336096b1c0f623cd41a27d8d51e6
SHA512 b8ffd0f923d7f5d0eb4f7ba46396fcd44b9f227c460d7a260deca2d114aef4eedd95fe3eeffd1d062ef39fb6e3c5812a1cec84c4b131621b3aa83dd763f07c6e

C:\Program Files (x86)\pqwehkqsvzocyltdxujkqybekm.tiw

MD5 1ae0066870e30a6e2e1f8fd6b22a118e
SHA1 c7b4c65baf85300cee95ffd1b0a3bf8be35b2edd
SHA256 bef59d859bface0838e64649ed5cbf7dadc6d079a9d1c9aad3670ea89974d6a0
SHA512 9b05afb0af9814caca2063cb8882743e2ef3b142f00b79d5739858e0b6105e336d34d6de36966a4f20027a68824ef0ad42c2b564eaa785bcfc040a16182cf3ed

C:\Users\Admin\AppData\Local\pqwehkqsvzocyltdxujkqybekm.tiw

MD5 0001986b725dd16384fc6bce3110c57d
SHA1 a5912c8970603e924ba48ce195d601ab8a096a41
SHA256 2d2767d52533b4d289f905cd222834e5098a4a2dfa3c35985fb93d41e233af6e
SHA512 ae7248476a81631d6c1a955e7d844b6867b8d15ba6e0869bfa20f4c24158e5a3e6d8269f04a1fd18bc4773cddf7a0ccface688e63ee6ce11adca3ccb2d729fc3

C:\Program Files (x86)\pqwehkqsvzocyltdxujkqybekm.tiw

MD5 ab26253bf8c37529ec7ea738821fe36b
SHA1 7109386e3b79fb6b4c7bda301ee32a622294e060
SHA256 d2993dab7a0bd5b24e3f74e00bf3d43b2356c8a9a1016153bcfc7f7b3cbe9d7a
SHA512 9027e38c7496f792e578f5edae15e20c4d0e872b50b15f94245b583221f294e5b6cb594aa5b9742d3cced4fa2eeee1da4690ad28dcdfaacdb98341b632235819
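The Files list records the same path several times with different hashes: C:\Program Files (x86)\pqwehkqsvzocyltdxujkqybekm.tiw appears five times with five different SHA256 values, and the copy under AppData\Local twice. Those files are rewritten while the sample runs, so their hashes are not usable as indicators; only the path is. The copy in SysWOW64, by contrast, carries the MD5 that is also the submitted file's name stem, i.e. the sample copies itself unchanged. The Python below is an added example, not part of the sandbox report: it parses Files entries in the layout shown, separates hash-stable files from volatile ones, and finds self-copies. The sample text is a subset of this page's Files section with the SHA1 and SHA512 lines dropped; treating the submitted file's 32-hex name stem as its MD5 is our assumption.

```python
from collections import defaultdict

# Submitted file name from the Command Line above. Assumption: its 32-hex stem is the sample's MD5
# (it matches the MD5 the report records for the SysWOW64 copy).
SUBMITTED_NAME = "119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe"
SAMPLE_MD5 = SUBMITTED_NAME.split("_", 1)[0].lower()

# Constructed subset of the Files section; SHA1/SHA512 lines omitted, layout otherwise as in the report.
SAMPLE_FILES = r"""
\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe

MD5 5203b6ea0901877fbf2d8d6f6d8d338e
SHA256 0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060

C:\Windows\SysWOW64\lauqhysizruwghdbju.exe

MD5 119d697d77ef4e3e1d3fc4dd8cd38c61
SHA256 39009dfb1eed35a9341ff3cd4043d74eb6a77e75690369366d9f89e0b4227ec9

\Users\Admin\AppData\Local\Temp\wajuagp.exe

MD5 2a82cc530bc71a4e729d806f51d50ed5
SHA256 9b61ed505691f6b92304be9a84a4da44696b2e3d37fe14415b11d382939fc9df

C:\Users\Admin\AppData\Local\pqwehkqsvzocyltdxujkqybekm.tiw

MD5 abc410a1591647eed43f15344620a2bc
SHA256 c2b05447314f47d839179b0c6a10c42fd75b075c1cf261adb2aaea221909af25

C:\Program Files (x86)\pqwehkqsvzocyltdxujkqybekm.tiw

MD5 8cfa27375b4a50a14d1e54b743a15fee
SHA256 7d5a95dab19dbd872c40d7b36eb5a9fda53314c4eac87d7dbb1529d23a798ec5

C:\Program Files (x86)\pqwehkqsvzocyltdxujkqybekm.tiw

MD5 b5ca00ab85bd076f76a5e47bdcfdc9be
SHA256 224e44ed82a69aa32767712ffe24f4775bdaabfcd0c56f9b60127ab51b3f6708

C:\Users\Admin\AppData\Local\pqwehkqsvzocyltdxujkqybekm.tiw

MD5 0001986b725dd16384fc6bce3110c57d
SHA256 2d2767d52533b4d289f905cd222834e5098a4a2dfa3c35985fb93d41e233af6e

C:\Program Files (x86)\pqwehkqsvzocyltdxujkqybekm.tiw

MD5 ab26253bf8c37529ec7ea738821fe36b
SHA256 d2993dab7a0bd5b24e3f74e00bf3d43b2356c8a9a1016153bcfc7f7b3cbe9d7a
"""

HASH_PREFIXES = ("MD5 ", "SHA1 ", "SHA256 ", "SHA512 ")


def parse_files(text):
    """One record per path entry: {"path": ..., "md5": ..., "sha256": ...} with whatever digests follow it."""
    records, current = [], None
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith(HASH_PREFIXES) and current is not None:
            algo, digest = line.split(" ", 1)
            current[algo.lower()] = digest.lower()
        else:
            current = {"path": line}          # any non-hash line starts a new entry
            records.append(current)
    return records


def hash_stability(records, algo="sha256"):
    """path -> sorted distinct digests seen for it across the run."""
    by_path = defaultdict(set)
    for r in records:
        if algo in r:
            by_path[r["path"]].add(r[algo])
    return {p: sorted(h) for p, h in by_path.items()}


def stable_hash_iocs(records):
    """Paths written once with a single digest: safe to ship as hash indicators."""
    return {p: h[0] for p, h in hash_stability(records).items() if len(h) == 1}


def volatile_paths(records):
    """Paths rewritten with differing content: use the path, not the hash, as the indicator."""
    return sorted(p for p, h in hash_stability(records).items() if len(h) > 1)


def self_copies(records, sample_md5):
    """Dropped files whose MD5 equals the submitted sample's: unmodified copies of itself."""
    return sorted(r["path"] for r in records if r.get("md5") == sample_md5.lower())


if __name__ == "__main__":
    recs = parse_files(SAMPLE_FILES)
    print("stable hash IOCs:", stable_hash_iocs(recs))
    print("volatile paths:", volatile_paths(recs))
    print("self copies:", self_copies(recs, SAMPLE_MD5))
```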

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 10:04

Reported

2024-06-26 10:07

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
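The registry tables in this report (System policy modification in behavioral1, and Modifies WinLogon for persistence, UAC bypass and Adds policy Run key in behavioral2) list every write, with heavy repetition, and leave the reader to work out which ones matter. The Python below is an added example, not part of the sandbox report, that parses rows in the exact shape shown and sorts them into findings: writes that weaken UAC or policy relative to the Windows default; writes whose data already equals the default (ValidateAdminCodeSignatures and FilterAdministratorToken are 0 by default, so the write, not the data, is the signal); the Winlogon Shell rewrite, whose data "Explorer.exe" is the default shell, so again the act of writing is what is abnormal; and Policies\Explorer\Run entries that point into the user's Temp directory or are given as a bare file name. The default values, the classification and the wording of the notes are ours; the sample rows are copied from the tables on this page, including one repeated row to show the de-duplication.

```python
import re

# Row shape of the report's registry tables (constructed from rows on this page):
#   Set value (int|str) <key>\<name> = "<data>" <process> <target>
# "Key created" rows carry no data and are ignored here.
ROW_RE = re.compile(r'^Set value \((?:int|str)\) (\\REGISTRY\\.+?) = "(.*?)" (\S+) (\S+)$')

POLICIES = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies"

# Writes that weaken the platform. The weak data value and the Windows default in the note are our annotation.
WEAKENING = {
    POLICIES + r"\System\EnableLUA": ("0", "UAC disabled (default 1; effective after reboot)"),
    POLICIES + r"\System\ConsentPromptBehaviorAdmin": ("0", "admins elevate without a prompt (default 5)"),
    POLICIES + r"\System\ConsentPromptBehaviorUser": ("0", "standard users' elevation requests auto-denied (default 3)"),
    POLICIES + r"\System\PromptOnSecureDesktop": ("0", "UAC prompt leaves the secure desktop (default 1)"),
    POLICIES + r"\System\EnableInstallerDetection": ("0", "installer-detection heuristic off (default 1 outside Enterprise)"),
    POLICIES + r"\System\EnableVirtualization": ("0", "UAC file/registry virtualization off (default 1)"),
    POLICIES + r"\System\EnableSecureUIAPaths": ("0", "UIAccess apps allowed from any path (default 1)"),
    POLICIES + r"\System\DisableRegistryTools": ("1", "regedit blocked (value absent by default)"),
    POLICIES + r"\Explorer\NoDriveTypeAutoRun": ("1", "AutoRun policy relaxed to 0x1 (effective default 0x91)"),
}
# Also written by the sample, but the data equals the Windows default: the write, not the data, is the signal.
DEFAULT_VALUED = {
    POLICIES + r"\System\ValidateAdminCodeSignatures": "0",
    POLICIES + r"\System\FilterAdministratorToken": "0",
}
WINLOGON_SHELL = r"\Winlogon\Shell"
POLICY_RUN = POLICIES + "\\Explorer\\Run\\"
TEMP_DIR = "\\AppData\\Local\\Temp\\"

SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\bwztizaelgj.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\wajuagp.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brlztgdshyidgbcud.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "xrphfwxqjesryxcyltlfd.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A',
]


def classify(row):
    """Return (category, value name, note, writing process) for one 'Set value' row, or None."""
    m = ROW_RE.match(row)
    if not m:
        return None
    key, data, process, _target = m.groups()
    name = key.rsplit("\\", 1)[1]
    if key in WEAKENING and data == WEAKENING[key][0]:
        return ("policy_weakened", name, WEAKENING[key][1], process)
    if key in DEFAULT_VALUED and data == DEFAULT_VALUED[key]:
        return ("policy_write_default_value", name, "data equals the Windows default", process)
    if key.endswith(WINLOGON_SHELL):
        note = ("data is the default shell; rewriting it at runtime is still abnormal"
                if data.lower() == "explorer.exe" else "non-default shell")
        return ("winlogon_shell_write", name, note, process)
    if key.startswith(POLICY_RUN):
        path = data.replace("\\\\", "\\")      # the report doubles backslashes in string data
        if "\\" not in path:
            note = "bare file name, resolved through the search path at logon"
        elif TEMP_DIR in path:
            note = "autostart from the user's Temp directory"
        else:
            note = "autostart entry"
        return ("policy_run_key", name, note, process)
    return ("other_write", name, "", process)


def triage(rows):
    """Group classified rows by category, collapsing the report's repeated rows."""
    findings = {}
    for row in rows:
        hit = classify(row.strip())
        if hit:
            category, name, note, process = hit
            findings.setdefault(category, set()).add((name, note, process.rsplit("\\", 1)[1]))
    return findings


if __name__ == "__main__":
    for category, items in sorted(triage(SAMPLE_ROWS).items()):
        print(category)
        for name, note, proc in sorted(items):
            print(f"  {name:<28} {proc:<16} {note}")
```

The same table of weakening values doubles as a host check: a machine on which EnableLUA is 0 or ConsentPromptBehaviorAdmin is 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System has had UAC switched off by something, whether or not this sample was the cause.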

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brlztgdshyidgbcud.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrphfwxqjesryxcyltlfd.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "xrphfwxqjesryxcyltlfd.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnjzvkjarkwtyvysdjz.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "kbwlgusiyqbxbxzsch.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujcpiuqesirlnhhy.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "ujcpiuqesirlnhhy.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "ibypmccumgtrxvzugnex.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnjzvkjarkwtyvysdjz.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibypmccumgtrxvzugnex.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "vnjzvkjarkwtyvysdjz.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "kbwlgusiyqbxbxzsch.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujcpiuqesirlnhhy.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibypmccumgtrxvzugnex.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "kbwlgusiyqbxbxzsch.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "brlztgdshyidgbcud.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brlztgdshyidgbcud.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbwlgusiyqbxbxzsch.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "vnjzvkjarkwtyvysdjz.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "ujcpiuqesirlnhhy.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "ibypmccumgtrxvzugnex.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "xrphfwxqjesryxcyltlfd.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vblpzcp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnjzvkjarkwtyvysdjz.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\udqxkqgowg = "brlztgdshyidgbcud.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brlztgdshyidgbcud.exe ." C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxmvkskueqvl = "kbwlgusiyqbxbxzsch.exe ." C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krchswkq = "vnjzvkjarkwtyvysdjz.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pznvjqhqzko = "kbwlgusiyqbxbxzsch.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxmvkskueqvl = "ibypmccumgtrxvzugnex.exe ." C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzqbscwiuiphhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbwlgusiyqbxbxzsch.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pznvjqhqzko = "brlztgdshyidgbcud.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxmvkskueqvl = "ujcpiuqesirlnhhy.exe ." C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krchswkq = "ibypmccumgtrxvzugnex.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pznvjqhqzko = "kbwlgusiyqbxbxzsch.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lxnxnwpalyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brlztgdshyidgbcud.exe ." C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pznvjqhqzko = "xrphfwxqjesryxcyltlfd.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pznvjqhqzko = "xrphfwxqjesryxcyltlfd.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pznvjqhqzko = "ibypmccumgtrxvzugnex.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxmvkskueqvl = "ibypmccumgtrxvzugnex.exe ." C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujcpiuqesirlnhhy.exe ." C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzqbscwiuiphhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnjzvkjarkwtyvysdjz.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "xrphfwxqjesryxcyltlfd.exe ." C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxmvkskueqvl = "vnjzvkjarkwtyvysdjz.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krchswkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibypmccumgtrxvzugnex.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "kbwlgusiyqbxbxzsch.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxmvkskueqvl = "xrphfwxqjesryxcyltlfd.exe ." C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "kbwlgusiyqbxbxzsch.exe ." C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krchswkq = "ibypmccumgtrxvzugnex.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzqbscwiuiphhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brlztgdshyidgbcud.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krchswkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrphfwxqjesryxcyltlfd.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krchswkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbwlgusiyqbxbxzsch.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brlztgdshyidgbcud.exe ." C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lxnxnwpalyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujcpiuqesirlnhhy.exe ." C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pznvjqhqzko = "vnjzvkjarkwtyvysdjz.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krchswkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brlztgdshyidgbcud.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krchswkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brlztgdshyidgbcud.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pznvjqhqzko = "ibypmccumgtrxvzugnex.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnjzvkjarkwtyvysdjz.exe ." C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krchswkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrphfwxqjesryxcyltlfd.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzqbscwiuiphhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrphfwxqjesryxcyltlfd.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxmvkskueqvl = "ujcpiuqesirlnhhy.exe ." C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzqbscwiuiphhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xrphfwxqjesryxcyltlfd.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "kbwlgusiyqbxbxzsch.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krchswkq = "brlztgdshyidgbcud.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krchswkq = "ujcpiuqesirlnhhy.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzqbscwiuiphhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibypmccumgtrxvzugnex.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pznvjqhqzko = "vnjzvkjarkwtyvysdjz.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzqbscwiuiphhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujcpiuqesirlnhhy.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxmvkskueqvl = "brlztgdshyidgbcud.exe ." C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzqbscwiuiphhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujcpiuqesirlnhhy.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lxnxnwpalyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbwlgusiyqbxbxzsch.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pznvjqhqzko = "ibypmccumgtrxvzugnex.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krchswkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibypmccumgtrxvzugnex.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lxnxnwpalyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\brlztgdshyidgbcud.exe ." C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krchswkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ujcpiuqesirlnhhy.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnjzvkjarkwtyvysdjz.exe ." C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxmvkskueqvl = "kbwlgusiyqbxbxzsch.exe ." C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krchswkq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnjzvkjarkwtyvysdjz.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\mxmvkskueqvl = "xrphfwxqjesryxcyltlfd.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzqbscwiuiphhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnjzvkjarkwtyvysdjz.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "ujcpiuqesirlnhhy.exe ." C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "ujcpiuqesirlnhhy.exe ." C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krchswkq = "ujcpiuqesirlnhhy.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bjvbnshov = "vnjzvkjarkwtyvysdjz.exe ." C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mzqbscwiuiphhz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbwlgusiyqbxbxzsch.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lxnxnwpalyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kbwlgusiyqbxbxzsch.exe ." C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\krchswkq = "vnjzvkjarkwtyvysdjz.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pznvjqhqzko = "ujcpiuqesirlnhhy.exe" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.showmyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ojibasuoiettbbhesbupoh.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\ujcpiuqesirlnhhy.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\SysWOW64\brlztgdshyidgbcud.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\SysWOW64\brlztgdshyidgbcud.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\kbwlgusiyqbxbxzsch.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\ibypmccumgtrxvzugnex.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\xrphfwxqjesryxcyltlfd.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\xrphfwxqjesryxcyltlfd.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\ujcpiuqesirlnhhy.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\SysWOW64\vnjzvkjarkwtyvysdjz.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\SysWOW64\mzqbscwiuiphhzxmsteritkuoamahzzrpekl.jal C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\SysWOW64\ibypmccumgtrxvzugnex.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\SysWOW64\kbwlgusiyqbxbxzsch.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\SysWOW64\ojibasuoiettbbhesbupoh.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\SysWOW64\hjppvudefielahuytjjlrrxwf.hkg C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\SysWOW64\brlztgdshyidgbcud.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\SysWOW64\mzqbscwiuiphhzxmsteritkuoamahzzrpekl.jal C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\SysWOW64\ojibasuoiettbbhesbupoh.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\kbwlgusiyqbxbxzsch.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\SysWOW64\brlztgdshyidgbcud.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\SysWOW64\ibypmccumgtrxvzugnex.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\SysWOW64\ojibasuoiettbbhesbupoh.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\SysWOW64\vnjzvkjarkwtyvysdjz.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\ibypmccumgtrxvzugnex.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\ujcpiuqesirlnhhy.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\vnjzvkjarkwtyvysdjz.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\ujcpiuqesirlnhhy.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\vnjzvkjarkwtyvysdjz.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\SysWOW64\xrphfwxqjesryxcyltlfd.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File created C:\Windows\SysWOW64\hjppvudefielahuytjjlrrxwf.hkg C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\SysWOW64\kbwlgusiyqbxbxzsch.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\xrphfwxqjesryxcyltlfd.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\mzqbscwiuiphhzxmsteritkuoamahzzrpekl.jal C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Program Files (x86)\hjppvudefielahuytjjlrrxwf.hkg C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File created C:\Program Files (x86)\hjppvudefielahuytjjlrrxwf.hkg C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Program Files (x86)\mzqbscwiuiphhzxmsteritkuoamahzzrpekl.jal C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ujcpiuqesirlnhhy.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\brlztgdshyidgbcud.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\xrphfwxqjesryxcyltlfd.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\brlztgdshyidgbcud.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\xrphfwxqjesryxcyltlfd.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\ibypmccumgtrxvzugnex.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\ujcpiuqesirlnhhy.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\mzqbscwiuiphhzxmsteritkuoamahzzrpekl.jal C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\brlztgdshyidgbcud.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\hjppvudefielahuytjjlrrxwf.hkg C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File created C:\Windows\hjppvudefielahuytjjlrrxwf.hkg C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\ojibasuoiettbbhesbupoh.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\kbwlgusiyqbxbxzsch.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\ojibasuoiettbbhesbupoh.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\vnjzvkjarkwtyvysdjz.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\ujcpiuqesirlnhhy.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\vnjzvkjarkwtyvysdjz.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\kbwlgusiyqbxbxzsch.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\ibypmccumgtrxvzugnex.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\vnjzvkjarkwtyvysdjz.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\vnjzvkjarkwtyvysdjz.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\ujcpiuqesirlnhhy.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\brlztgdshyidgbcud.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\kbwlgusiyqbxbxzsch.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\ojibasuoiettbbhesbupoh.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\ibypmccumgtrxvzugnex.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\ibypmccumgtrxvzugnex.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\xrphfwxqjesryxcyltlfd.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\kbwlgusiyqbxbxzsch.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\xrphfwxqjesryxcyltlfd.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File opened for modification C:\Windows\ojibasuoiettbbhesbupoh.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
File created C:\Windows\mzqbscwiuiphhzxmsteritkuoamahzzrpekl.jal C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1712 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 1712 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 1712 wrote to memory of 1360 N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 1360 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe
PID 1360 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe
PID 1360 wrote to memory of 5100 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe
PID 1360 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe
PID 1360 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe
PID 1360 wrote to memory of 1412 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\inwzik.exe
PID 1712 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 1712 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 1712 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\inwzik.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\119d697d77ef4e3e1d3fc4dd8cd38c61_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe

"C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\119d697d77ef4e3e1d3fc4dd8cd38c61_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\inwzik.exe

"C:\Users\Admin\AppData\Local\Temp\inwzik.exe" "-C:\Users\Admin\AppData\Local\Temp\ujcpiuqesirlnhhy.exe"

C:\Users\Admin\AppData\Local\Temp\inwzik.exe

"C:\Users\Admin\AppData\Local\Temp\inwzik.exe" "-C:\Users\Admin\AppData\Local\Temp\ujcpiuqesirlnhhy.exe"

C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe

"C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\119d697d77ef4e3e1d3fc4dd8cd38c61_jaffacakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sjlabidbwbd.net udp
US 8.8.8.8:53 wotyjekexkj.net udp
US 8.8.8.8:53 wrrpqs.net udp
US 8.8.8.8:53 gulcbgcwted.info udp
US 8.8.8.8:53 jgisxmd.info udp
US 8.8.8.8:53 fspmkd.info udp
US 8.8.8.8:53 inerqouu.net udp
US 8.8.8.8:53 nbsqnr.net udp
US 8.8.8.8:53 bttqrqrpxsjv.info udp
US 8.8.8.8:53 skimwu.org udp
US 8.8.8.8:53 vcrtjytp.net udp
US 8.8.8.8:53 jvtrngxqhoo.info udp
US 8.8.8.8:53 urzkfmh.info udp
US 8.8.8.8:53 fxvwboxva.org udp
US 8.8.8.8:53 zclnjaorbiox.net udp
US 8.8.8.8:53 eilexgaxb.info udp
US 8.8.8.8:53 ywaesvggxoah.net udp
US 8.8.8.8:53 tvxlisajbb.net udp
US 8.8.8.8:53 tfldcopk.net udp
US 8.8.8.8:53 nggzqtxt.info udp
US 8.8.8.8:53 fubsrzyitvf.com udp
US 8.8.8.8:53 fsgnbqhqscf.org udp
US 8.8.8.8:53 hgmrlyuegjfn.net udp
US 8.8.8.8:53 mksaqa.com udp
US 8.8.8.8:53 ribgflvd.net udp
US 8.8.8.8:53 rolrdzzwn.net udp
US 8.8.8.8:53 syqcoscyie.com udp
US 8.8.8.8:53 akbtgmo.net udp
US 8.8.8.8:53 mogwiuukouyg.org udp
US 8.8.8.8:53 ehzkcnld.net udp
US 8.8.8.8:53 cyocgegamm.org udp
US 8.8.8.8:53 zzcyvepz.net udp
US 8.8.8.8:53 uvlvqxyijddu.net udp
US 8.8.8.8:53 nwdoxsgcr.com udp
US 8.8.8.8:53 asnswkh.net udp
US 8.8.8.8:53 twvihv.info udp
US 8.8.8.8:53 fdznrpnr.info udp
US 8.8.8.8:53 oxabqigwttau.info udp
US 8.8.8.8:53 xdwvxt.info udp
US 8.8.8.8:53 wdxhaicsckn.info udp
US 8.8.8.8:53 kxnetfamvme.info udp
US 8.8.8.8:53 ngcdfpzmnie.net udp
US 8.8.8.8:53 rqpabgq.net udp
US 8.8.8.8:53 cswoawiyckms.com udp
US 8.8.8.8:53 hrjbfzbklfac.net udp
US 8.8.8.8:53 xrbklm.info udp
US 8.8.8.8:53 cuqmnczh.net udp
US 8.8.8.8:53 sxfvqr.info udp
US 8.8.8.8:53 anoczmgryx.info udp
US 8.8.8.8:53 njfnysrmgcb.org udp
US 8.8.8.8:53 lptsdmvyjii.org udp
US 8.8.8.8:53 suicwlhzdsrh.net udp
US 8.8.8.8:53 wfndtrfbhqaz.info udp
US 8.8.8.8:53 dzfydak.net udp
US 8.8.8.8:53 fgufhechx.org udp
US 8.8.8.8:53 etwmda.net udp
US 8.8.8.8:53 nujjjhwmtcyu.info udp
US 8.8.8.8:53 ogfaawv.info udp
US 8.8.8.8:53 clbevulktuz.net udp
US 8.8.8.8:53 gieqmisyumsq.com udp
US 8.8.8.8:53 ymhixulyr.net udp
US 8.8.8.8:53 bqvaxanghin.org udp
US 8.8.8.8:53 osfirsowmqo.info udp
US 8.8.8.8:53 muikmugmguge.com udp
US 8.8.8.8:53 aujzhqu.net udp
US 8.8.8.8:53 sotahkj.net udp
US 8.8.8.8:53 skwopio.info udp
US 8.8.8.8:53 pvqlykfq.net udp
US 8.8.8.8:53 llfjcrrzse.info udp
US 8.8.8.8:53 nwgrrtjgcefm.info udp
US 8.8.8.8:53 zrjkew.net udp
US 8.8.8.8:53 jvcuyszjq.com udp
US 8.8.8.8:53 alnowudqeyic.net udp
US 8.8.8.8:53 tivthzoalirl.info udp
US 8.8.8.8:53 zqxjtafuj.info udp
US 8.8.8.8:53 wuwmgm.org udp
US 8.8.8.8:53 vmihlahazqo.net udp
US 8.8.8.8:53 soxorhz.net udp
US 8.8.8.8:53 nuihnsoi.info udp
US 8.8.8.8:53 dznqyoc.org udp
US 8.8.8.8:53 roxcqadkw.net udp
US 8.8.8.8:53 cofqgl.info udp
US 8.8.8.8:53 ifxsydyr.net udp
US 8.8.8.8:53 scyoosmmkqig.org udp
US 8.8.8.8:53 qcsksyqaksss.com udp
US 8.8.8.8:53 dohmvklorih.org udp
US 8.8.8.8:53 lkmiikaximld.info udp
US 8.8.8.8:53 nsfkeafrtjn.info udp
US 8.8.8.8:53 jvemxijgt.org udp
US 8.8.8.8:53 vaqkqmxctjn.org udp
US 8.8.8.8:53 aowewswqsk.com udp
US 8.8.8.8:53 ooygcwgusg.com udp
US 8.8.8.8:53 jtpdhst.org udp
RO 188.173.109.176:40325 tcp
US 162.249.65.164:80 jtpdhst.org tcp
US 8.8.8.8:53 mwwmeqeeca.com udp
US 8.8.8.8:53 hvswhvklyc.net udp
US 8.8.8.8:53 kksmmcwqcogo.org udp
US 8.8.8.8:53 ssrmjkfst.net udp
US 8.8.8.8:53 bfvbpfllrewl.net udp
US 8.8.8.8:53 dghgtangr.net udp
US 8.8.8.8:53 ezbmtm.info udp
US 8.8.8.8:53 tbrpvoic.net udp
US 8.8.8.8:53 boysiueqo.org udp
US 8.8.8.8:53 ffmghctendtd.info udp
US 8.8.8.8:53 cirqtrvarut.info udp
US 8.8.8.8:53 iidsfgbqx.info udp
US 8.8.8.8:53 yvvwtcdubbd.net udp
US 8.8.8.8:53 gujricess.net udp
US 8.8.8.8:53 xewmjytnq.info udp
US 8.8.8.8:53 kasuiyek.com udp
US 8.8.8.8:53 nkxapthjcw.info udp
US 8.8.8.8:53 ijnplvnkvsbi.net udp
US 8.8.8.8:53 cwmwuo.org udp
US 8.8.8.8:53 ssikirdidgpa.net udp
US 8.8.8.8:53 eqfijd.info udp
US 8.8.8.8:53 rkwthclcupth.info udp
US 8.8.8.8:53 wamzabvc.info udp
US 8.8.8.8:53 rqsmlao.net udp
US 8.8.8.8:53 vyemdbyi.info udp
US 8.8.8.8:53 gombukxn.info udp
US 8.8.8.8:53 nkfmhcquz.net udp
US 8.8.8.8:53 grmjfayk.net udp
US 8.8.8.8:53 euwowigysowa.com udp
US 8.8.8.8:53 yaiwwqauqmom.com udp
US 8.8.8.8:53 mgoocc.org udp
US 8.8.8.8:53 kuisxcpct.info udp
US 8.8.8.8:53 yopknumoa.net udp
US 8.8.8.8:53 scouqm.org udp
US 8.8.8.8:53 qvjayyann.net udp
US 8.8.8.8:53 erzhkn.net udp
US 8.8.8.8:53 rmsciw.info udp
US 8.8.8.8:53 ilotakteky.net udp
US 8.8.8.8:53 bymshsaow.net udp
US 8.8.8.8:53 llseldq.info udp
US 8.8.8.8:53 vpgeplb.org udp
US 8.8.8.8:53 nygysmaan.com udp
US 8.8.8.8:53 mbpwcqlboe.info udp
US 8.8.8.8:53 csoueisokwsc.org udp
US 8.8.8.8:53 nvkegmombev.info udp
US 8.8.8.8:53 oisguecyscak.org udp
US 8.8.8.8:53 vwzlbkneb.info udp
US 8.8.8.8:53 amrztzpwunon.net udp
US 8.8.8.8:53 xqxwooj.info udp
US 8.8.8.8:53 zdfqxmraf.org udp
US 162.249.65.164:80 zdfqxmraf.org tcp
US 88.216.101.148:41213 tcp
US 8.8.8.8:53 jdhkvajybsb.com udp
US 8.8.8.8:53 vwacrgroz.info udp
US 8.8.8.8:53 arrvyww.info udp
US 8.8.8.8:53 wieiisyouoqy.com udp
US 8.8.8.8:53 mivsfcbdusk.net udp
US 8.8.8.8:53 bldlfpze.net udp
US 8.8.8.8:53 yeoywkigumga.com udp
US 8.8.8.8:53 nlucmun.com udp
US 8.8.8.8:53 bzhzfgrbfqh.info udp
US 8.8.8.8:53 poyzac.net udp
US 8.8.8.8:53 omuejyvdsq.info udp
US 8.8.8.8:53 uxpfus.info udp
US 8.8.8.8:53 kclkkuhnskv.info udp
US 8.8.8.8:53 frynja.info udp
US 8.8.8.8:53 jvmkdb.info udp
US 8.8.8.8:53 okaeoaluvdt.net udp
US 8.8.8.8:53 kyqugqywge.com udp
US 8.8.8.8:53 depqozhlwl.info udp
US 8.8.8.8:53 hnpkvqz.net udp
US 8.8.8.8:53 ytasvmrxho.info udp
US 8.8.8.8:53 klqrkefrhj.info udp
US 8.8.8.8:53 gounbviz.info udp
US 8.8.8.8:53 ukzttgni.info udp
US 8.8.8.8:53 wugokmywicug.com udp
US 8.8.8.8:53 fhnvfh.net udp
US 8.8.8.8:53 votagsuunp.info udp
US 8.8.8.8:53 vyroawnuykm.net udp
US 8.8.8.8:53 pqxyijntravf.info udp
US 8.8.8.8:53 lhbxckxk.info udp
US 8.8.8.8:53 caaaigqkmiae.org udp
US 162.249.65.164:80 caaaigqkmiae.org tcp
US 8.8.8.8:53 aktvscn.net udp
US 8.8.8.8:53 pmrsnmj.net udp
US 8.8.8.8:53 qooucscums.org udp
US 8.8.8.8:53 qhdoedxamz.net udp
US 8.8.8.8:53 jhtoyqf.net udp
US 8.8.8.8:53 ojrejsusvjl.info udp
US 8.8.8.8:53 uioyou.org udp
US 8.8.8.8:53 pdmmllhpgq.info udp
US 8.8.8.8:53 ysmcyueu.org udp
US 8.8.8.8:53 xdtnfmoj.info udp
US 8.8.8.8:53 weyrtj.net udp
US 8.8.8.8:53 nonctqbyt.info udp
US 8.8.8.8:53 tvdgizj.info udp
US 8.8.8.8:53 kzxjhgaeni.net udp
US 8.8.8.8:53 wxbotdr.net udp
US 8.8.8.8:53 emxvfsfooo.info udp
US 8.8.8.8:53 hfjobknf.net udp
US 8.8.8.8:53 bhabiw.net udp
US 8.8.8.8:53 icaayiqseyey.org udp
US 8.8.8.8:53 jfzciyx.org udp
BG 178.254.249.210:30057 tcp
US 162.249.65.164:80 jfzciyx.org tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 emfqfyngt.net udp
US 8.8.8.8:53 mguscssg.org udp
US 8.8.8.8:53 zztbljj.info udp
US 8.8.8.8:53 gmacgcmkeuwi.com udp
US 8.8.8.8:53 sidlvctfcd.net udp
US 8.8.8.8:53 vwayjmqiv.org udp
US 8.8.8.8:53 dhfuqr.info udp
US 8.8.8.8:53 izlwiqbip.net udp
US 8.8.8.8:53 zizwqv.net udp
US 8.8.8.8:53 uuckysl.info udp
US 8.8.8.8:53 pwdhdmz.info udp
US 8.8.8.8:53 hyuifisst.info udp
US 8.8.8.8:53 cxhpao.info udp
US 8.8.8.8:53 kujenks.net udp
US 8.8.8.8:53 bnejpopgxpdt.info udp
US 8.8.8.8:53 edgwmadgx.info udp
US 8.8.8.8:53 vwwfvttbgo.net udp
US 8.8.8.8:53 ehwoqrboiogy.net udp
US 8.8.8.8:53 qvikjs.net udp
US 8.8.8.8:53 sckkeaqmagsc.org udp
US 8.8.8.8:53 kwtqzgjguil.net udp
US 8.8.8.8:53 yiicek.com udp
US 8.8.8.8:53 egqsowyswaai.org udp
US 8.8.8.8:53 ypfieh.net udp
US 8.8.8.8:53 dydeow.info udp
US 8.8.8.8:53 asnapiuotwf.net udp
US 8.8.8.8:53 nozntxujcjgz.info udp
US 8.8.8.8:53 rwjxbkcrdmdl.info udp
US 8.8.8.8:53 nkivtgkq.info udp
US 8.8.8.8:53 xfvqmg.info udp
US 8.8.8.8:53 tjnvxldz.info udp
US 8.8.8.8:53 cweqjigvhyks.net udp
US 8.8.8.8:53 resbrspqdecl.info udp
US 8.8.8.8:53 jercysg.org udp
US 8.8.8.8:53 bdjouyjaeeb.net udp
US 8.8.8.8:53 mmcunaees.info udp
US 8.8.8.8:53 pldhbwqapxfa.net udp
US 8.8.8.8:53 thnbztqpphll.info udp
US 8.8.8.8:53 zkjunlsgcez.com udp
US 8.8.8.8:53 nsvkxvpur.info udp
US 8.8.8.8:53 sqoqrunht.info udp
US 8.8.8.8:53 zmtkywp.org udp
US 162.249.65.164:80 zmtkywp.org tcp
BR 189.46.39.245:17864 tcp
US 8.8.8.8:53 zwtklevdtxvd.info udp
US 8.8.8.8:53 emgmcwgo.com udp
US 8.8.8.8:53 hozqvimincu.net udp
US 8.8.8.8:53 oyiguqig.com udp
US 8.8.8.8:53 rkkodtuz.info udp
US 8.8.8.8:53 eouumo.org udp
US 8.8.8.8:53 uegysgiiksoo.org udp
US 8.8.8.8:53 fibytcpexct.com udp
US 8.8.8.8:53 rrkmwnrm.net udp
US 8.8.8.8:53 iaamogwkyw.org udp
US 8.8.8.8:53 lpkvpc.net udp
US 8.8.8.8:53 soyeiuusse.com udp
US 8.8.8.8:53 pafqzpji.net udp
US 8.8.8.8:53 dzpmjawy.net udp
US 8.8.8.8:53 ljthpivgt.info udp
US 8.8.8.8:53 uscogcoaii.com udp
US 8.8.8.8:53 fatiyppe.info udp
US 8.8.8.8:53 anwcqhxohmyr.info udp
US 8.8.8.8:53 tgquhozne.com udp
US 8.8.8.8:53 maiquacsmieo.org udp
US 8.8.8.8:53 qlussiicqjtn.info udp
US 8.8.8.8:53 yceqcskoeg.org udp
US 162.249.65.164:80 yceqcskoeg.org tcp
US 8.8.8.8:53 mqlehcqgtq.net udp
US 8.8.8.8:53 hunyjfpvfmj.com udp
US 8.8.8.8:53 lkxiprzmrjf.info udp
US 8.8.8.8:53 heinbptzwl.net udp
GR 195.97.108.248:18645 tcp
US 8.8.8.8:53 zobtrjxg.info udp
US 8.8.8.8:53 wvumbqjom.net udp
US 8.8.8.8:53 adomofxvpaq.net udp
US 8.8.8.8:53 fbaztkzunhlj.net udp
US 8.8.8.8:53 gymqsmci.com udp
US 8.8.8.8:53 cgwgaguesg.org udp
US 162.249.65.164:80 cgwgaguesg.org tcp
US 8.8.8.8:53 fpvttagkgs.info udp
US 8.8.8.8:53 wlldoij.net udp
US 8.8.8.8:53 gmwaeeykmgqa.com udp
US 8.8.8.8:53 wfjsrv.info udp
US 8.8.8.8:53 qkogdsn.net udp
US 8.8.8.8:53 pqijggpyzms.com udp
US 8.8.8.8:53 aacredkob.net udp
US 8.8.8.8:53 pzahzqww.info udp
US 8.8.8.8:53 stlgfxmthec.info udp
US 8.8.8.8:53 julxerwaocda.net udp
US 8.8.8.8:53 lkrwiqlarsi.org udp
US 8.8.8.8:53 puwydkhopo.net udp
US 8.8.8.8:53 kmvqiujn.info udp
US 8.8.8.8:53 jcxfgsrl.net udp
US 8.8.8.8:53 uuiscskqgywe.com udp
US 8.8.8.8:53 fqfgzun.org udp
US 8.8.8.8:53 kaqiyakuyi.com udp
US 8.8.8.8:53 nkybtwpgzoi.info udp
US 8.8.8.8:53 iekueuww.com udp
US 8.8.8.8:53 yseofalld.info udp
US 8.8.8.8:53 qusuddqo.info udp
US 8.8.8.8:53 oecudfdyb.info udp
US 8.8.8.8:53 auzbawmlc.net udp
US 8.8.8.8:53 eogzwyx.info udp
US 8.8.8.8:53 ljdwwwih.info udp
US 8.8.8.8:53 wgwyvyrrovo.info udp
US 8.8.8.8:53 gwmeafacbwrh.info udp
US 8.8.8.8:53 kzvsamqv.net udp
US 8.8.8.8:53 qkdqch.net udp
US 8.8.8.8:53 koeckawaae.org udp
US 8.8.8.8:53 uqmgwqsous.com udp
US 8.8.8.8:53 hbjswaqvtq.net udp
US 8.8.8.8:53 hqtcxyfcwpf.com udp
US 8.8.8.8:53 eaisokwcuc.com udp
US 8.8.8.8:53 oaewdkdqd.net udp
US 8.8.8.8:53 ammpbmdav.net udp
US 8.8.8.8:53 gwlebvk.info udp
US 8.8.8.8:53 yywowqee.org udp
US 8.8.8.8:53 fpfalqjzmzpx.info udp
US 8.8.8.8:53 qcxitck.info udp
US 8.8.8.8:53 lblxlwomf.net udp
US 8.8.8.8:53 fmmskbruubgy.info udp
US 8.8.8.8:53 wsbmumbkx.info udp
US 8.8.8.8:53 xuqdtunwnhy.com udp
US 8.8.8.8:53 ekamqi.org udp
US 162.249.65.164:80 ekamqi.org tcp
US 89.117.28.85:31554 tcp
US 8.8.8.8:53 xujwhevex.org udp
US 8.8.8.8:53 yadeoqtva.net udp
US 8.8.8.8:53 egikww.com udp
US 8.8.8.8:53 xlhnemw.info udp
US 8.8.8.8:53 cvwpfiesyd.info udp
US 8.8.8.8:53 pmfsryxkbwd.org udp
US 8.8.8.8:53 axjcdy.info udp
US 8.8.8.8:53 zqkuhflmp.com udp
US 8.8.8.8:53 xopgozy.com udp
US 8.8.8.8:53 clkejczwcsb.info udp
US 8.8.8.8:53 fozkdfvij.info udp
US 8.8.8.8:53 qtiwyilyl.info udp
US 8.8.8.8:53 mprsoz.net udp
US 8.8.8.8:53 rtbzbtvimhvm.info udp
US 8.8.8.8:53 zmdxlwjpyt.net udp
US 8.8.8.8:53 hyafbvpm.net udp
US 8.8.8.8:53 waivpb.info udp
US 8.8.8.8:53 rmfptvkpnmaj.info udp
US 8.8.8.8:53 yqocscgqq.info udp
US 8.8.8.8:53 wsrmxavpkcp.info udp
US 8.8.8.8:53 eqcsskwyyiug.org udp
US 162.249.65.164:80 eqcsskwyyiug.org tcp
US 8.8.8.8:53 jdritktaijkh.info udp
US 8.8.8.8:53 gqammsuaaccs.com udp
US 8.8.8.8:53 pgchlxgc.net udp
US 8.8.8.8:53 dmcfjwgkhix.com udp
US 8.8.8.8:53 dboggodwowl.net udp
US 8.8.8.8:53 yakygg.org udp
US 8.8.8.8:53 skcccygwsgeq.com udp
US 8.8.8.8:53 zxroluascqyy.net udp
US 8.8.8.8:53 eweuaigycy.org udp
US 162.249.65.164:80 eweuaigycy.org tcp
BG 89.215.138.156:26824 tcp
US 8.8.8.8:53 ishstyjyxiz.net udp
US 8.8.8.8:53 lurjzfmnqvwz.info udp
US 8.8.8.8:53 laquzwgzt.net udp
US 8.8.8.8:53 fdlbtbn.net udp
US 8.8.8.8:53 ckqqaueogk.com udp
US 8.8.8.8:53 lqlnke.net udp
US 8.8.8.8:53 ridehuxgpun.info udp
US 8.8.8.8:53 qxpsxp.net udp
US 8.8.8.8:53 rgrdpwvmpxbc.net udp
US 8.8.8.8:53 lealnqmc.net udp
US 8.8.8.8:53 hanqpxyc.net udp
US 8.8.8.8:53 xpbamwbey.net udp
US 8.8.8.8:53 nwtgsqm.info udp
US 8.8.8.8:53 esziuqkacah.net udp
US 8.8.8.8:53 rdrsxai.info udp
US 8.8.8.8:53 saueyckqyuqk.org udp
US 8.8.8.8:53 tofgqpotjv.info udp
US 8.8.8.8:53 sorsailspsq.net udp
US 8.8.8.8:53 mozpct.info udp
US 8.8.8.8:53 hixhjyuoqg.net udp
US 8.8.8.8:53 hacvdbw.net udp
US 8.8.8.8:53 fnqsmcftroxg.info udp
US 8.8.8.8:53 bdxfxeb.com udp
US 8.8.8.8:53 xqbizkh.com udp
US 8.8.8.8:53 wzxqqsksmhht.net udp
US 8.8.8.8:53 eiqlwabkgk.net udp
US 8.8.8.8:53 ufxglbnsm.info udp
US 8.8.8.8:53 mcqkcuicka.com udp
US 8.8.8.8:53 kcguuuas.com udp
US 8.8.8.8:53 hjvstwn.net udp
US 8.8.8.8:53 jnhotjhsp.info udp
US 8.8.8.8:53 rbzwrmhia.info udp
US 8.8.8.8:53 tgjoaspsd.info udp
US 8.8.8.8:53 qthhdwv.info udp
US 8.8.8.8:53 ycaunmdur.net udp
US 8.8.8.8:53 ukewcs.org udp
US 8.8.8.8:53 lfciqazfif.net udp
US 8.8.8.8:53 kkcmswukuucg.org udp
US 8.8.8.8:53 azvezycbwg.net udp
US 8.8.8.8:53 smgahlv.info udp
US 8.8.8.8:53 cjjumal.net udp
US 8.8.8.8:53 jwlmww.info udp
US 8.8.8.8:53 jsjezazec.org udp
US 8.8.8.8:53 rxiusoyffavj.net udp
US 8.8.8.8:53 nyxfnzcj.info udp
US 8.8.8.8:53 mcpyyes.net udp
US 8.8.8.8:53 sidraijfba.info udp
US 8.8.8.8:53 qyiwrcy.info udp
US 8.8.8.8:53 ssqegeqoma.org udp
US 8.8.8.8:53 jmpqoflcqb.info udp
US 8.8.8.8:53 nizybszil.info udp
US 8.8.8.8:53 fwcufolqfw.info udp
US 8.8.8.8:53 csprmyfyo.info udp
US 8.8.8.8:53 buhxjy.info udp
US 8.8.8.8:53 fwuwczwuejl.com udp
US 8.8.8.8:53 nczuwyhqckn.info udp
US 8.8.8.8:53 wfhiaw.info udp
US 8.8.8.8:53 iqsgmuyk.org udp
US 8.8.8.8:53 ykhkvljit.info udp
US 8.8.8.8:53 cbxctcnwzyt.net udp
US 8.8.8.8:53 neotjkse.info udp
US 8.8.8.8:53 fbpmabvm.net udp
US 8.8.8.8:53 lkdaczzzwsf.org udp
US 8.8.8.8:53 osiewamga.net udp
US 8.8.8.8:53 zrtplqi.com udp
US 8.8.8.8:53 ukdltgkqjoxu.net udp
US 8.8.8.8:53 ziiyyew.org udp
US 8.8.8.8:53 qcmuuaqiai.org udp
US 8.8.8.8:53 maqeccwiom.org udp
US 8.8.8.8:53 vucoearorcy.info udp
US 8.8.8.8:53 jidptmrndrn.info udp
US 8.8.8.8:53 nefwulmsyx.net udp
US 8.8.8.8:53 affwbqu.net udp
US 8.8.8.8:53 hicfognk.info udp
US 8.8.8.8:53 wsgsgm.com udp
US 8.8.8.8:53 lrbqxqikxvb.info udp
US 8.8.8.8:53 mwlexaj.net udp
US 8.8.8.8:53 znpsldu.org udp
US 162.249.65.164:80 znpsldu.org tcp
RU 46.37.129.166:26325 tcp
US 8.8.8.8:53 qyodlmg.net udp
US 8.8.8.8:53 icoakisgyg.org udp
US 8.8.8.8:53 eqhwcizabib.net udp
US 8.8.8.8:53 dcdfdozwwc.net udp
US 8.8.8.8:53 nkrzvcyyty.info udp
US 8.8.8.8:53 siqhvcvrvngy.net udp
US 8.8.8.8:53 uqiugokgom.org udp
US 8.8.8.8:53 lsewgqsyg.org udp
US 8.8.8.8:53 xihyzezephg.info udp
US 8.8.8.8:53 uzdmbbfhkzjd.net udp
US 8.8.8.8:53 djdjhidqmwh.com udp
US 8.8.8.8:53 xarzyoda.info udp
US 8.8.8.8:53 eikyyyyeoi.com udp
US 8.8.8.8:53 utjggzpczq.info udp
US 8.8.8.8:53 tefnufrk.info udp
US 8.8.8.8:53 dwtabhreevj.org udp
US 8.8.8.8:53 injrpzticu.net udp
US 8.8.8.8:53 eacukk.org udp
US 8.8.8.8:53 uckymuoq.com udp
US 8.8.8.8:53 dpviehriw.info udp
US 8.8.8.8:53 vodbpsvs.info udp
US 8.8.8.8:53 norggwya.info udp
US 8.8.8.8:53 kmkgsypnlw.net udp
US 8.8.8.8:53 nqexaq.info udp
US 8.8.8.8:53 oklpbvpo.net udp
US 8.8.8.8:53 cugcmy.org udp
US 162.249.65.164:80 cugcmy.org tcp
EG 197.162.28.167:25828 tcp
US 8.8.8.8:53 lgkqfveeb.org udp
US 8.8.8.8:53 ongvodx.net udp
US 8.8.8.8:53 uckiuymg.com udp
US 8.8.8.8:53 ufseryl.net udp
US 8.8.8.8:53 kqrhhigmwu.net udp
US 8.8.8.8:53 memgieqoag.com udp
US 8.8.8.8:53 cocyqe.org udp
US 8.8.8.8:53 zwuoogtp.info udp
US 8.8.8.8:53 ptzqoattdkh.info udp
US 8.8.8.8:53 zawufqzwz.net udp
US 8.8.8.8:53 zchcjinclr.info udp
US 8.8.8.8:53 pipgjuqkz.com udp
US 8.8.8.8:53 gzrzmn.net udp
US 8.8.8.8:53 qtfkfsl.net udp
US 8.8.8.8:53 kxzvljbe.info udp
US 8.8.8.8:53 raiobwskm.info udp
US 8.8.8.8:53 bubljjwptt.info udp
US 8.8.8.8:53 hsrugzzjifdv.info udp
US 8.8.8.8:53 lysassfobzx.net udp
US 8.8.8.8:53 qaiogccwyoku.org udp
US 8.8.8.8:53 rpngwjrf.net udp
US 8.8.8.8:53 usogcg.org udp
US 8.8.8.8:53 fooeemnpvf.net udp
US 8.8.8.8:53 xbdyxk.info udp
US 8.8.8.8:53 wogqyl.net udp
US 8.8.8.8:53 odzgbvgd.net udp
US 8.8.8.8:53 weqioeqmayww.org udp
US 8.8.8.8:53 zmyqegryd.com udp
US 8.8.8.8:53 tpirofta.info udp
US 8.8.8.8:53 vklrrkpgb.info udp
US 8.8.8.8:53 aczwxvbote.net udp
US 8.8.8.8:53 awdyvmrwluy.net udp
US 8.8.8.8:53 gshqxwi.info udp
US 8.8.8.8:53 pczqsioovn.info udp
US 8.8.8.8:53 kcvdqev.info udp
DE 85.214.228.140:80 pedyxcrohat.org tcp
US 8.8.8.8:53 wzokqiypnkmr.info udp
US 8.8.8.8:53 xpdiwoqs.info udp
US 8.8.8.8:53 pzbgualauqp.org udp
US 8.8.8.8:53 jtlvjszdqia.info udp
US 8.8.8.8:53 wylodmenp.net udp
US 8.8.8.8:53 keumgq.com udp
US 8.8.8.8:53 geiehohtveh.net udp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 wlapddissyxr.net udp
US 8.8.8.8:53 zgukpoc.org udp
US 8.8.8.8:53 gyokiycm.com udp
US 8.8.8.8:53 xbfxvwvlvq.info udp
US 8.8.8.8:53 oyyiqyqm.com udp
US 8.8.8.8:53 ukwmsa.org udp
US 8.8.8.8:53 cangzuv.net udp
US 8.8.8.8:53 cokskmswqiqg.com udp
US 8.8.8.8:53 ebpmvoxyvfj.info udp
US 8.8.8.8:53 sifgpql.net udp
US 8.8.8.8:53 potupbtqjy.net udp
US 8.8.8.8:53 nptfyjjhae.net udp
US 8.8.8.8:53 nmmhxit.com udp
US 8.8.8.8:53 mggkesig.com udp
US 8.8.8.8:53 hjwuhjhg.info udp
US 8.8.8.8:53 ringoqpsset.org udp
US 8.8.8.8:53 owkqqy.org udp
US 8.8.8.8:53 wiksugiosc.com udp
US 8.8.8.8:53 tskzxkeqas.net udp
US 8.8.8.8:53 dslmoth.org udp
US 8.8.8.8:53 kvjrtf.net udp
US 8.8.8.8:53 iioawywisa.com udp
US 8.8.8.8:53 aswgpmnr.net udp
US 8.8.8.8:53 jwbgfgeql.org udp
US 8.8.8.8:53 rtfpamlbvu.info udp
US 8.8.8.8:53 uifbsulfv.info udp
US 8.8.8.8:53 mkzshdrhh.info udp
US 8.8.8.8:53 tiyqhc.info udp
US 8.8.8.8:53 xyzxbgdpb.net udp
US 8.8.8.8:53 dvljzezzxntz.net udp
US 8.8.8.8:53 tfkwzknelaz.info udp
US 8.8.8.8:53 naeynqwvle.info udp
US 8.8.8.8:53 pkpkqulxxup.info udp
US 8.8.8.8:53 lkuqisha.net udp
US 8.8.8.8:53 ylynkijh.info udp
US 8.8.8.8:53 hctgxcnontt.net udp
US 8.8.8.8:53 kukiqyyyss.com udp
US 8.8.8.8:53 rackqdzkp.com udp
US 8.8.8.8:53 dmafasjgifst.net udp
US 8.8.8.8:53 fvpjbnnznmbz.info udp
US 8.8.8.8:53 ulotynxl.info udp
US 8.8.8.8:53 sihbmwbahgp.info udp
US 8.8.8.8:53 pvjjpl.net udp
US 8.8.8.8:53 ejdaitmphunw.net udp
US 8.8.8.8:53 ckcqwmaq.org udp
US 8.8.8.8:53 cohckyuoagf.net udp
US 8.8.8.8:53 yvyxhjvlbkzg.info udp
US 8.8.8.8:53 vjaymeuwniv.info udp
US 8.8.8.8:53 tpuynuf.info udp
US 8.8.8.8:53 ncdmrcpkn.info udp
RU 78.85.88.148:19772 tcp
US 8.8.8.8:53 lvdgxwh.net udp
US 8.8.8.8:53 xwkrbtcq.info udp
US 8.8.8.8:53 emgphaip.info udp
US 8.8.8.8:53 hptwsjlsdvf.com udp
US 8.8.8.8:53 hrouugxjd.info udp
US 8.8.8.8:53 icwmcwsquaos.com udp
US 8.8.8.8:53 obiyznmidc.net udp
US 8.8.8.8:53 jfovixls.info udp
US 8.8.8.8:53 qiofjv.info udp
US 8.8.8.8:53 fxyaavbh.info udp
US 8.8.8.8:53 paxfesz.net udp
US 8.8.8.8:53 tentfybfvrts.net udp
US 8.8.8.8:53 vcrvurd.net udp
US 8.8.8.8:53 ubmktezas.net udp
US 8.8.8.8:53 auivab.net udp
US 8.8.8.8:53 tgbezcime.net udp
US 162.249.65.164:80 cugcmy.org tcp
US 8.8.8.8:53 rdzobezkwwd.org udp
US 8.8.8.8:53 iogcyekuiqko.com udp
US 8.8.8.8:53 vyjwfc.info udp
US 8.8.8.8:53 kvhvli.net udp
US 34.211.97.45:80 kwhfqnnejec.info tcp
US 8.8.8.8:53 nuvifgdamtn.com udp
US 8.8.8.8:53 tepyknfqpj.net udp
US 8.8.8.8:53 usrknajptoc.info udp
US 8.8.8.8:53 sdfcrpvhajbk.net udp
US 8.8.8.8:53 zeypzyfwd.net udp
US 8.8.8.8:53 bkiukmk.net udp
US 162.249.65.164:80 cugcmy.org tcp
LV 194.19.247.150:19465 tcp
US 8.8.8.8:53 mkbwfgfja.info udp
US 8.8.8.8:53 mwcceg.org udp
US 8.8.8.8:53 hazzthxrziyh.net udp
US 8.8.8.8:53 iupvlwofnqs.info udp
US 162.249.65.164:80 cugcmy.org tcp
US 8.8.8.8:53 ddepjzmilwnm.info udp
US 8.8.8.8:53 xqxuokp.info udp
US 8.8.8.8:53 avtkhyrmpe.info udp
BG 46.47.122.190:36359 tcp
US 8.8.8.8:53 tbljgbiadn.info udp
US 8.8.8.8:53 amcelww.info udp
US 8.8.8.8:53 joqukgtsi.com udp
US 8.8.8.8:53 payknnfwd.org udp
US 8.8.8.8:53 dglapaaeb.info udp
US 8.8.8.8:53 myywyq.com udp
US 8.8.8.8:53 iijeavl.info udp
US 208.100.26.245:80 ikzszjxmq.info tcp
US 8.8.8.8:53 tmbwtoxxnog.com udp
US 8.8.8.8:53 qwntlbq.net udp
US 8.8.8.8:53 mwvmbgpnnsh.info udp
US 8.8.8.8:53 pvjwxgrwtrio.info udp
US 8.8.8.8:53 scmqeyswwqog.org udp
US 8.8.8.8:53 tjldthng.info udp
US 8.8.8.8:53 cebcoetuudr.net udp
US 8.8.8.8:53 jlxwjrscdo.net udp
US 8.8.8.8:53 qqfyswldd.info udp
US 8.8.8.8:53 fyluhgqubz.net udp
US 8.8.8.8:53 hswepwt.com udp
US 8.8.8.8:53 plyqwryarhgd.info udp
US 8.8.8.8:53 wifqxwxsl.net udp
US 8.8.8.8:53 zqfsuyn.org udp
US 8.8.8.8:53 gzukviikx.net udp
US 8.8.8.8:53 giioymcimwmg.com udp
US 8.8.8.8:53 axdlde.info udp
US 8.8.8.8:53 jklowhgu.info udp
US 8.8.8.8:53 yvrnagjc.info udp
US 8.8.8.8:53 rbbitee.net udp
US 8.8.8.8:53 ouymmggyecsa.org udp
US 8.8.8.8:53 esrqlplelqt.net udp
US 8.8.8.8:53 fzfetmzob.com udp
US 8.8.8.8:53 rukiivnqi.org udp
US 8.8.8.8:53 jydnupwk.net udp
US 8.8.8.8:53 vmqiyotgcmj.info udp
US 8.8.8.8:53 frxwvzgkecgt.net udp
US 8.8.8.8:53 kbcmkiqa.net udp

Files

C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe

C:\Windows\SysWOW64\kbwlgusiyqbxbxzsch.exe

C:\Users\Admin\AppData\Local\Temp\inwzik.exe

C:\Users\Admin\AppData\Local\hjppvudefielahuytjjlrrxwf.hkg

C:\Users\Admin\AppData\Local\mzqbscwiuiphhzxmsteritkuoamahzzrpekl.jal

C:\Program Files (x86)\hjppvudefielahuytjjlrrxwf.hkg

C:\Program Files (x86)\hjppvudefielahuytjjlrrxwf.hkg

C:\Program Files (x86)\hjppvudefielahuytjjlrrxwf.hkg

C:\Program Files (x86)\hjppvudefielahuytjjlrrxwf.hkg

C:\Program Files (x86)\hjppvudefielahuytjjlrrxwf.hkg

C:\Program Files (x86)\hjppvudefielahuytjjlrrxwf.hkg
