Analysis Overview
SHA256: c94affbe6570c331c05c4fc1d272d17086646b37a0cb76cc168b01540debe38b
Threat Level: Known bad
The file 11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies WinLogon for persistence
Disables RegEdit via registry modification
Adds policy Run key to start application
Impair Defenses: Safe Mode Boot
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Looks up external IP address via web service
Checks whether UAC is enabled
Adds Run key to start application
Drops file in System32 directory
Drops autorun.inf file
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-26 09:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-26 09:50
Reported: 2024-06-26 09:53
Platform: win7-20231129-en
Max time kernel: 149s
Max time network: 150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\coxcobfrt = "ywrigfvthdhkvaaumxmkf.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\coxcobfrt = "wslawthdpjlmvywoena.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwnaupbvfxxwdeaqe.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywrigfvthdhkvaaumxmkf.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voeqjdohqhgekkfu.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywrigfvthdhkvaaumxmkf.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\coxcobfrt = "cwnaupbvfxxwdeaqe.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\coxcobfrt = "wslawthdpjlmvywoena.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\coxcobfrt = "wslawthdpjlmvywoena.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgaqnlaxkfikuyxqhrfc.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\coxcobfrt = "voeqjdohqhgekkfu.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\coxcobfrt = "lgymhdqlwpqqyaxodl.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\coxcobfrt = "cwnaupbvfxxwdeaqe.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\coxcobfrt = "ywrigfvthdhkvaaumxmkf.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgymhdqlwpqqyaxodl.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\coxcobfrt = "jgaqnlaxkfikuyxqhrfc.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voeqjdohqhgekkfu.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wslawthdpjlmvywoena.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wslawthdpjlmvywoena.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgymhdqlwpqqyaxodl.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\coxcobfrt = "ywrigfvthdhkvaaumxmkf.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgymhdqlwpqqyaxodl.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwnaupbvfxxwdeaqe.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncowlbixcpke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgymhdqlwpqqyaxodl.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncowlbixcpke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwnaupbvfxxwdeaqe.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "voeqjdohqhgekkfu.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncowlbixcpke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wslawthdpjlmvywoena.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qepwkzftxjd = "wslawthdpjlmvywoena.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wslawthdpjlmvywoena.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwnaupbvfxxwdeaqe.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qepwkzftxjd = "cwnaupbvfxxwdeaqe.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wslawthdpjlmvywoena.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qepwkzftxjd = "cwnaupbvfxxwdeaqe.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\visylzeruf = "voeqjdohqhgekkfu.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mcpyofndjxtor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wslawthdpjlmvywoena.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mcpyofndjxtor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voeqjdohqhgekkfu.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\visylzeruf = "cwnaupbvfxxwdeaqe.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\visylzeruf = "lgymhdqlwpqqyaxodl.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "voeqjdohqhgekkfu.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\visylzeruf = "cwnaupbvfxxwdeaqe.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qepwkzftxjd = "jgaqnlaxkfikuyxqhrfc.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "jgaqnlaxkfikuyxqhrfc.exe ." | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwnaupbvfxxwdeaqe.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwnaupbvfxxwdeaqe.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mcpyofndjxtor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgaqnlaxkfikuyxqhrfc.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgymhdqlwpqqyaxodl.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\visylzeruf = "lgymhdqlwpqqyaxodl.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voeqjdohqhgekkfu.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncowlbixcpke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wslawthdpjlmvywoena.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncowlbixcpke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgymhdqlwpqqyaxodl.exe ." | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "ywrigfvthdhkvaaumxmkf.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgaqnlaxkfikuyxqhrfc.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgaqnlaxkfikuyxqhrfc.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywrigfvthdhkvaaumxmkf.exe ." | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgaqnlaxkfikuyxqhrfc.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "wslawthdpjlmvywoena.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywrigfvthdhkvaaumxmkf.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\visylzeruf = "voeqjdohqhgekkfu.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "jgaqnlaxkfikuyxqhrfc.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qepwkzftxjd = "ywrigfvthdhkvaaumxmkf.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncowlbixcpke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voeqjdohqhgekkfu.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voeqjdohqhgekkfu.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "cwnaupbvfxxwdeaqe.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qepwkzftxjd = "ywrigfvthdhkvaaumxmkf.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywrigfvthdhkvaaumxmkf.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywrigfvthdhkvaaumxmkf.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "wslawthdpjlmvywoena.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncowlbixcpke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voeqjdohqhgekkfu.exe ." | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voeqjdohqhgekkfu.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwnaupbvfxxwdeaqe.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "wslawthdpjlmvywoena.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "cwnaupbvfxxwdeaqe.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "ywrigfvthdhkvaaumxmkf.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mcpyofndjxtor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwnaupbvfxxwdeaqe.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "jgaqnlaxkfikuyxqhrfc.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncowlbixcpke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgymhdqlwpqqyaxodl.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgymhdqlwpqqyaxodl.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mcpyofndjxtor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgymhdqlwpqqyaxodl.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "jgaqnlaxkfikuyxqhrfc.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qepwkzftxjd = "voeqjdohqhgekkfu.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywrigfvthdhkvaaumxmkf.exe ." | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qepwkzftxjd = "jgaqnlaxkfikuyxqhrfc.exe ." | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwnaupbvfxxwdeaqe.exe ." | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mcpyofndjxtor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgymhdqlwpqqyaxodl.exe" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mcpyofndjxtor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwnaupbvfxxwdeaqe.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mcpyofndjxtor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voeqjdohqhgekkfu.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wslawthdpjlmvywoena.exe" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\wslawthdpjlmvywoena.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cwnaupbvfxxwdeaqe.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jgaqnlaxkfikuyxqhrfc.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ywrigfvthdhkvaaumxmkf.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\voeqjdohqhgekkfu.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cwnaupbvfxxwdeaqe.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lgymhdqlwpqqyaxodl.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pokcbbsrgdimyefatfvuqi.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\iorqwdbhdhtexksuunkqtsyfd.fjv | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File created | C:\Windows\SysWOW64\iorqwdbhdhtexksuunkqtsyfd.fjv | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ywrigfvthdhkvaaumxmkf.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lgymhdqlwpqqyaxodl.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wslawthdpjlmvywoena.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lgymhdqlwpqqyaxodl.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lgymhdqlwpqqyaxodl.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pokcbbsrgdimyefatfvuqi.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wslawthdpjlmvywoena.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ywrigfvthdhkvaaumxmkf.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\voeqjdohqhgekkfu.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pokcbbsrgdimyefatfvuqi.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\voeqjdohqhgekkfu.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cwnaupbvfxxwdeaqe.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wslawthdpjlmvywoena.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pokcbbsrgdimyefatfvuqi.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jgaqnlaxkfikuyxqhrfc.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ywrigfvthdhkvaaumxmkf.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\voeqjdohqhgekkfu.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nesctlulsheaecvitxfwkuldmdkzwswunalp.ocm | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jgaqnlaxkfikuyxqhrfc.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File created | C:\Windows\SysWOW64\nesctlulsheaecvitxfwkuldmdkzwswunalp.ocm | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cwnaupbvfxxwdeaqe.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jgaqnlaxkfikuyxqhrfc.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\iorqwdbhdhtexksuunkqtsyfd.fjv | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File created | C:\Program Files (x86)\iorqwdbhdhtexksuunkqtsyfd.fjv | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Program Files (x86)\nesctlulsheaecvitxfwkuldmdkzwswunalp.ocm | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File created | C:\Program Files (x86)\nesctlulsheaecvitxfwkuldmdkzwswunalp.ocm | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\pokcbbsrgdimyefatfvuqi.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\jgaqnlaxkfikuyxqhrfc.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\iorqwdbhdhtexksuunkqtsyfd.fjv | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\nesctlulsheaecvitxfwkuldmdkzwswunalp.ocm | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\lgymhdqlwpqqyaxodl.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\ywrigfvthdhkvaaumxmkf.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\cwnaupbvfxxwdeaqe.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\voeqjdohqhgekkfu.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\lgymhdqlwpqqyaxodl.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\pokcbbsrgdimyefatfvuqi.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File created | C:\Windows\iorqwdbhdhtexksuunkqtsyfd.fjv | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\lgymhdqlwpqqyaxodl.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\wslawthdpjlmvywoena.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\ywrigfvthdhkvaaumxmkf.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\voeqjdohqhgekkfu.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\jgaqnlaxkfikuyxqhrfc.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File created | C:\Windows\nesctlulsheaecvitxfwkuldmdkzwswunalp.ocm | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\cwnaupbvfxxwdeaqe.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\jgaqnlaxkfikuyxqhrfc.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\pokcbbsrgdimyefatfvuqi.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\wslawthdpjlmvywoena.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\pokcbbsrgdimyefatfvuqi.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\lgymhdqlwpqqyaxodl.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\ywrigfvthdhkvaaumxmkf.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\ywrigfvthdhkvaaumxmkf.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\voeqjdohqhgekkfu.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\jgaqnlaxkfikuyxqhrfc.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\voeqjdohqhgekkfu.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\wslawthdpjlmvywoena.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\cwnaupbvfxxwdeaqe.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| File opened for modification | C:\Windows\cwnaupbvfxxwdeaqe.exe | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| File opened for modification | C:\Windows\wslawthdpjlmvywoena.exe | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\jsyajt.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe
"C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe" "c:\users\admin\appdata\local\temp\11936a465ab10ea08fcf71f74f34b2a5_jaffacakes118.exe*"
C:\Users\Admin\AppData\Local\Temp\jsyajt.exe
"C:\Users\Admin\AppData\Local\Temp\jsyajt.exe" "-C:\Users\Admin\AppData\Local\Temp\voeqjdohqhgekkfu.exe"
C:\Users\Admin\AppData\Local\Temp\jsyajt.exe
"C:\Users\Admin\AppData\Local\Temp\jsyajt.exe" "-C:\Users\Admin\AppData\Local\Temp\voeqjdohqhgekkfu.exe"
C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe
"C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe" "c:\users\admin\appdata\local\temp\11936a465ab10ea08fcf71f74f34b2a5_jaffacakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.wikipedia.org | udp |
| NL | 185.15.59.224:80 | www.wikipedia.org | tcp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| HK | 103.235.46.96:80 | www.baidu.com | tcp |
| LT | 78.61.84.37:30728 | | tcp |
| US | 8.8.8.8:53 | vsdgddzap.org | udp |
| US | 162.249.65.164:80 | vsdgddzap.org | tcp |
| US | 8.8.8.8:53 | caawuiiksw.com | udp |
| US | 8.8.8.8:53 | dfpimmls.net | udp |
| LT | 78.61.84.37:30728 | | tcp |
| US | 8.8.8.8:53 | kvhvli.net | udp |
| US | 8.8.8.8:53 | kwhfqnnejec.info | udp |
| US | 34.211.97.45:80 | kwhfqnnejec.info | tcp |
| US | 8.8.8.8:53 | tfiwnvcaf.org | udp |
| US | 8.8.8.8:53 | uuzqrv.net | udp |
| US | 8.8.8.8:53 | pmvuoxax.net | udp |
| US | 8.8.8.8:53 | tepyknfqpj.net | udp |
| US | 8.8.8.8:53 | dxunadygn.org | udp |
| US | 8.8.8.8:53 | eomqiyui.org | udp |
| US | 162.249.65.164:80 | eomqiyui.org | tcp |
| US | 8.8.8.8:53 | heylzdxbfmj.net | udp |
| US | 8.8.8.8:53 | bstckcjwbmc.com | udp |
| US | 8.8.8.8:53 | hazzthxrziyh.net | udp |
| US | 8.8.8.8:53 | amnudcijncde.net | udp |
| US | 8.8.8.8:53 | misipok.net | udp |
| US | 8.8.8.8:53 | qqsummsaom.com | udp |
| US | 8.8.8.8:53 | aafcic.info | udp |
| US | 8.8.8.8:53 | iymeim.org | udp |
| US | 8.8.8.8:53 | jawzfnq.org | udp |
| US | 162.249.65.164:80 | jawzfnq.org | tcp |
| US | 8.8.8.8:53 | hrowho.net | udp |
| US | 8.8.8.8:53 | chfexbbdunrp.net | udp |
| US | 8.8.8.8:53 | qaxyvsymzas.info | udp |
| US | 8.8.8.8:53 | remlfmfdaz.net | udp |
| US | 8.8.8.8:53 | awowcxnzde.net | udp |
| US | 8.8.8.8:53 | ikzszjxmq.info | udp |
| US | 208.100.26.245:80 | ikzszjxmq.info | tcp |
| US | 8.8.8.8:53 | yavjrbwldmn.net | udp |
| US | 8.8.8.8:53 | vueusddp.net | udp |
| US | 8.8.8.8:53 | evbkdgdwpwt.net | udp |
| US | 8.8.8.8:53 | hkzpou.net | udp |
| US | 8.8.8.8:53 | nibgvqqbg.net | udp |
| US | 8.8.8.8:53 | pobimdpjepjr.info | udp |
| US | 8.8.8.8:53 | tgdtwkjaafc.com | udp |
| US | 8.8.8.8:53 | sbkfzk.info | udp |
| US | 8.8.8.8:53 | bmxmwor.org | udp |
| US | 8.8.8.8:53 | kzjozwgi.info | udp |
| US | 8.8.8.8:53 | typpguimjs.info | udp |
| US | 8.8.8.8:53 | bfnkdfbtnuch.info | udp |
| US | 8.8.8.8:53 | oqqkwoskyi.org | udp |
| US | 8.8.8.8:53 | fuhhdoyf.net | udp |
| US | 8.8.8.8:53 | pxncoedltqd.info | udp |
| US | 8.8.8.8:53 | iwumquiwsu.org | udp |
| US | 8.8.8.8:53 | ncusnlcx.info | udp |
| US | 8.8.8.8:53 | yqwiwiqqge.com | udp |
| US | 8.8.8.8:53 | hswepwt.com | udp |
| US | 8.8.8.8:53 | emrahjygcgoo.net | udp |
| US | 8.8.8.8:53 | rnalnehlxv.net | udp |
| US | 8.8.8.8:53 | nwzrawvk.info | udp |
| US | 8.8.8.8:53 | nzxugtv.org | udp |
| US | 8.8.8.8:53 | cwggia.org | udp |
| US | 8.8.8.8:53 | swtprdxgjyv.net | udp |
| US | 8.8.8.8:53 | yvrnagjc.info | udp |
| US | 8.8.8.8:53 | fzfetmzob.com | udp |
| US | 8.8.8.8:53 | hfreyramirlz.info | udp |
| US | 8.8.8.8:53 | vshgvc.info | udp |
| US | 8.8.8.8:53 | mqwbjsnufuov.info | udp |
| US | 8.8.8.8:53 | jydnupwk.net | udp |
| US | 8.8.8.8:53 | nqwjrxqaev.net | udp |
| US | 8.8.8.8:53 | ymhluaqf.net | udp |
| US | 8.8.8.8:53 | suzoxigsd.info | udp |
| US | 8.8.8.8:53 | hjpkaljirhqu.info | udp |
| US | 8.8.8.8:53 | lzzqgigv.info | udp |
Files
\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe
| MD5 | 6b264e51cd15be9ac4db53885731d655 |
| SHA1 | caed76100baf0a781f2eb928e6f129677a2363bd |
| SHA256 | ab1b60ed324e7e7882c1c17793ef3bc8c7a8f16598f088a0df4733759f9052d7 |
| SHA512 | 117bb751bb153da2150d5c57a8181fdb663799cb3ec91b0fd5ca94ddbf7e880c831f9ffa4d8ce708e0897fd57de120b087805aa7b61f6f6c71a1d82ad28ed717 |
C:\Windows\SysWOW64\lgymhdqlwpqqyaxodl.exe
| MD5 | 11936a465ab10ea08fcf71f74f34b2a5 |
| SHA1 | 0c4c88dd3575f8eb6ef45b3aeed5fa92e5df1e36 |
| SHA256 | c94affbe6570c331c05c4fc1d272d17086646b37a0cb76cc168b01540debe38b |
| SHA512 | cfd45b9cfd01045710a575f75bcda2b5ed1545f61c43f12fddaa3749a8f0fab79d4d09166165bd51d64429fa7951f071892050646dbba30cc47b5249fe2dbb7d |
\Users\Admin\AppData\Local\Temp\jsyajt.exe
| MD5 | da91f581ff0dfd94b0909eb8a1b60e10 |
| SHA1 | 33e2535fe9874925e8fddf612fd96396bd6fbb8f |
| SHA256 | a4ff2d60ade5ac95a00167757266f96553675eba9a310e53c4dbcd0fb8fc86c9 |
| SHA512 | 0f9dfb73c9a2077f51e282c4523c95e388b3ee37e65a854ccda4f41a4f834baa883b974acc2333a3252c69b7c1fb84d25e333ca569ead2070d1930f5fb5d41f5 |
C:\Users\Admin\AppData\Local\iorqwdbhdhtexksuunkqtsyfd.fjv
| MD5 | b1251e794fe5c576499d9fab92030002 |
| SHA1 | d638e873ee0c23e85cf417b014147e75557bddcd |
| SHA256 | aef796689158bab92d84ad6032ee1c67d6fe39a4916459885da9968004fa5588 |
| SHA512 | be038c0622c310f966b0b6f122cd104e30f58948a989d30d5b44212e955e2d26a3e2f4f749465af859109c802ed6c705995163518ebe9a6687c147153a20c848 |
C:\Users\Admin\AppData\Local\nesctlulsheaecvitxfwkuldmdkzwswunalp.ocm
| MD5 | 51878cbd76e815a4825e1691c0db0947 |
| SHA1 | 690c735d80735325ca6c479edc6548820cf45571 |
| SHA256 | b0e7cde448121213024133dc2a81c83db2a92735520c233effa7ef4a1336aaa9 |
| SHA512 | e0cf487571449ee803556dc9602916a727e19869f8d8bad615b49a99ca8b46aa9a085fba52d7615e8418391fe27df3ae8696130d954ad01268eb28c805499964 |
C:\Program Files (x86)\iorqwdbhdhtexksuunkqtsyfd.fjv
| MD5 | 1d0cdf74eb38f3f8064d5f9ae82ad6af |
| SHA1 | 68b256244c38441a31753bbe24061c35c3d2c4a0 |
| SHA256 | 61cffa57a165893cf2651c59ad2a6ef63e744ae710a36ddd401038cb87e903cb |
| SHA512 | f7aeec661b9ab4e153c520d194e81cf27f01e01aab53bcc704dd8a03fa920b206aeba3d71df6523b5ad3e7e2a996fc9cb86f8fccd9fad2798fc6a77623942bef |
C:\Users\Admin\AppData\Local\iorqwdbhdhtexksuunkqtsyfd.fjv
| MD5 | 5682b4cb776a4bda90c4e573fb4cad68 |
| SHA1 | c0d5faebdf4fcf8e39d9decfb4c0ea4c1ed6ddd3 |
| SHA256 | f70e2b4a2fd1d3d5d8603bf44b5e2294920d2fc4f5ab9266702c53c8c7f2e605 |
| SHA512 | ddc5203519593f73e4bdcc759150008f75e8ee2871d40eaab7d5b779f6d81a54ac63ab904a80b3d2387ec79b09298af4b875e378037ef053b5de0ab784a72941 |
C:\visylzeruf.bat
| MD5 | f3b225d1c41cb13d83abd881029ee9e5 |
| SHA1 | 6edb94940d32508491f2878039051a8c09ae2433 |
| SHA256 | 49778c98fd0c9e864a9257be57de64e560d1f75f2d4d6117fdc1b3a31b4c9cc0 |
| SHA512 | 8b8be77053a56ffb5bf657e4151c88d1d94976231fdcf4e25337930a2dffc17d1503524d1d999040e556fcca8654abad8c93712ed92bfed023dee419117299fd |
C:\Users\Admin\AppData\Local\iorqwdbhdhtexksuunkqtsyfd.fjv
| MD5 | 38e64c79eae884670f966246911c78aa |
| SHA1 | 771637f7706e567da85dc570564c0dd1b61c8912 |
| SHA256 | 463c04754e3420a782c0fcd214133c04a6a1c7d39eeb918d1f6efe5171b025d8 |
| SHA512 | c47fc922d8d9ee3a357c0ec1bd15e6dd59c5ae2d7317b67a9f5ca1c58f19c1432f3a61bb793d8466e43026f6343d3727ae253a9dbdf5acd4721f7bc2d684e074 |
C:\Users\Admin\AppData\Local\iorqwdbhdhtexksuunkqtsyfd.fjv
| MD5 | c0a67dd58aff92095f0be18c1e82ff80 |
| SHA1 | 85272e445a96d8fa226d50d9a108b71e9889d6d4 |
| SHA256 | bac6e356bb199cdc47fa61f251217bfbf912e19acc8e70ab8aa83404d6c34ed9 |
| SHA512 | d7975df4e4db107bb76753de5f7ba18620fcc9c5fdb721bee9e76a742b82b55c4f09b336cd187c1fe7cf1b94fb5326f7482368be373868c38442c548b631982e |
C:\Users\Admin\AppData\Local\iorqwdbhdhtexksuunkqtsyfd.fjv
| MD5 | 5bb272c6ff81c6b32c46e02dfaacd4a8 |
| SHA1 | 10d0610fb768d5454e6502d6ab4d2237244c0f92 |
| SHA256 | 06bb7bebe9a149e4e3cc939583c8a9f09d8de171a808f0189793f07a1f7acb0a |
| SHA512 | ff9694929a1c8e5b35fa0931e68adb2457c5d9e32ddb150f772971ed585a982d94785dd85e443d1fd7efe5d154d0438f02ef0b7bf2559c8987f23825ad7052c7 |
C:\Program Files (x86)\iorqwdbhdhtexksuunkqtsyfd.fjv
| MD5 | e20a8d6f0042a95706bc1da2edf2166b |
| SHA1 | ecb409819f4dc18f094244f8d01373833c4636a7 |
| SHA256 | 133a31a747bf6a581dd182400106f080b43c44e19661672c14b63ce7fa1fb50c |
| SHA512 | bbbdc31ec452588f8c74f85818e56efa8724c27edd54232e76ddd3d6f0fd33d485ffed9acc58f7637a2c3eca7ee7a33b4eada297110d830b64d42798facbebe8 |
C:\Users\Admin\AppData\Local\iorqwdbhdhtexksuunkqtsyfd.fjv
| MD5 | 7cc638c39f8241f9542929d7064428a8 |
| SHA1 | 6b5a60e117601b03214d13dad81e598932908d4e |
| SHA256 | 2311245bb8940fd146c3af536f89a0593dbcb1039f636a5fe2b880b973f19b85 |
| SHA512 | 709690e1b9ab727b50d0e8f858ca92e00814bcf20c7f40545bfb10ec8cc91ebd0918484f2561b81454a4834a8bc115c88a768a723477b8c5bf1dd22b9740c33f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 09:50
Reported
2024-06-26 09:53
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpmeutjatdafcfzkqma.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "odbullcuozxdbfamtqfd.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtsmefxqlxwdchdqywmlf.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpmeutjatdafcfzkqma.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "bpmeutjatdafcfzkqma.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdzqfdsiajfjfhakpk.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "qdzqfdsiajfjfhakpk.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odbullcuozxdbfamtqfd.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\alfuhdqeubvxrriq.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "dtsmefxqlxwdchdqywmlf.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htoespdsjrmpkldmq.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "odbullcuozxdbfamtqfd.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "dtsmefxqlxwdchdqywmlf.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "htoespdsjrmpkldmq.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpmeutjatdafcfzkqma.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "htoespdsjrmpkldmq.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odbullcuozxdbfamtqfd.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "qdzqfdsiajfjfhakpk.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "odbullcuozxdbfamtqfd.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "alfuhdqeubvxrriq.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\alfuhdqeubvxrriq.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpmeutjatdafcfzkqma.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htoespdsjrmpkldmq.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "bpmeutjatdafcfzkqma.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "dtsmefxqlxwdchdqywmlf.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtsmefxqlxwdchdqywmlf.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aftcjzgoyz = "htoespdsjrmpkldmq.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opzeht = "qdzqfdsiajfjfhakpk.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\alfuhdqeubvxrriq.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aftcjzgoyz = "htoespdsjrmpkldmq.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opzeht = "alfuhdqeubvxrriq.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szpajbkugjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odbullcuozxdbfamtqfd.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpmeutjatdafcfzkqma.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szpajbkugjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtsmefxqlxwdchdqywmlf.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aftcjzgoyz = "alfuhdqeubvxrriq.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htoespdsjrmpkldmq.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opzeht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtsmefxqlxwdchdqywmlf.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aftcjzgoyz = "htoespdsjrmpkldmq.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlygmbhox = "odbullcuozxdbfamtqfd.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aftcjzgoyz = "odbullcuozxdbfamtqfd.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opzeht = "odbullcuozxdbfamtqfd.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opzeht = "bpmeutjatdafcfzkqma.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlygmbhox = "htoespdsjrmpkldmq.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlygmbhox = "dtsmefxqlxwdchdqywmlf.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szpajbkugjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpmeutjatdafcfzkqma.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opzeht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htoespdsjrmpkldmq.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opzeht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htoespdsjrmpkldmq.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "alfuhdqeubvxrriq.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlygmbhox = "dtsmefxqlxwdchdqywmlf.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "alfuhdqeubvxrriq.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "odbullcuozxdbfamtqfd.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbqaizhqbds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdzqfdsiajfjfhakpk.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "htoespdsjrmpkldmq.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlygmbhox = "bpmeutjatdafcfzkqma.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbqaizhqbds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdzqfdsiajfjfhakpk.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlygmbhox = "bpmeutjatdafcfzkqma.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aftcjzgoyz = "bpmeutjatdafcfzkqma.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbqaizhqbds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\alfuhdqeubvxrriq.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szpajbkugjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\alfuhdqeubvxrriq.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opzeht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\alfuhdqeubvxrriq.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opzeht = "dtsmefxqlxwdchdqywmlf.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opzeht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odbullcuozxdbfamtqfd.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "htoespdsjrmpkldmq.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlygmbhox = "odbullcuozxdbfamtqfd.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aftcjzgoyz = "dtsmefxqlxwdchdqywmlf.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbqaizhqbds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\alfuhdqeubvxrriq.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opzeht = "htoespdsjrmpkldmq.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aftcjzgoyz = "dtsmefxqlxwdchdqywmlf.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbqaizhqbds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtsmefxqlxwdchdqywmlf.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opzeht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtsmefxqlxwdchdqywmlf.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opzeht = "dtsmefxqlxwdchdqywmlf.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opzeht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdzqfdsiajfjfhakpk.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szpajbkugjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtsmefxqlxwdchdqywmlf.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbqaizhqbds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htoespdsjrmpkldmq.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odbullcuozxdbfamtqfd.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtsmefxqlxwdchdqywmlf.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szpajbkugjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odbullcuozxdbfamtqfd.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "odbullcuozxdbfamtqfd.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtsmefxqlxwdchdqywmlf.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "qdzqfdsiajfjfhakpk.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szpajbkugjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htoespdsjrmpkldmq.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opzeht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdzqfdsiajfjfhakpk.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlygmbhox = "alfuhdqeubvxrriq.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdzqfdsiajfjfhakpk.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aftcjzgoyz = "htoespdsjrmpkldmq.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opzeht = "qdzqfdsiajfjfhakpk.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odbullcuozxdbfamtqfd.exe ." | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opzeht = "htoespdsjrmpkldmq.exe" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlygmbhox = "odbullcuozxdbfamtqfd.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdzqfdsiajfjfhakpk.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\odbullcuozxdbfamtqfd.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\SysWOW64\sbtgrlwiwbttljyefwfxkvpamafxxpncijaj.ozt | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dtsmefxqlxwdchdqywmlf.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\alfuhdqeubvxrriq.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dtsmefxqlxwdchdqywmlf.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ullgzbuokxxffliwfevvqj.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\qdzqfdsiajfjfhakpk.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\alfuhdqeubvxrriq.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\htoespdsjrmpkldmq.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sbtgrlwiwbttljyefwfxkvpamafxxpncijaj.ozt | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\htoespdsjrmpkldmq.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\alfuhdqeubvxrriq.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bpmeutjatdafcfzkqma.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dtsmefxqlxwdchdqywmlf.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ullgzbuokxxffliwfevvqj.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\odbullcuozxdbfamtqfd.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ullgzbuokxxffliwfevvqj.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\odbullcuozxdbfamtqfd.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\qdzqfdsiajfjfhakpk.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\odbullcuozxdbfamtqfd.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\qdzqfdsiajfjfhakpk.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ullgzbuokxxffliwfevvqj.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dtsmefxqlxwdchdqywmlf.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bpmeutjatdafcfzkqma.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\htoespdsjrmpkldmq.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\htoespdsjrmpkldmq.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bpmeutjatdafcfzkqma.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File created | C:\Windows\SysWOW64\nlsuuddehbixervqgmkrttccd.ahw | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\qdzqfdsiajfjfhakpk.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bpmeutjatdafcfzkqma.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nlsuuddehbixervqgmkrttccd.ahw | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\alfuhdqeubvxrriq.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\nlsuuddehbixervqgmkrttccd.ahw | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File created | C:\Program Files (x86)\nlsuuddehbixervqgmkrttccd.ahw | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Program Files (x86)\sbtgrlwiwbttljyefwfxkvpamafxxpncijaj.ozt | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File created | C:\Program Files (x86)\sbtgrlwiwbttljyefwfxkvpamafxxpncijaj.ozt | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\bpmeutjatdafcfzkqma.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File created | C:\Windows\sbtgrlwiwbttljyefwfxkvpamafxxpncijaj.ozt | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\bpmeutjatdafcfzkqma.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\nlsuuddehbixervqgmkrttccd.ahw | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\sbtgrlwiwbttljyefwfxkvpamafxxpncijaj.ozt | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\htoespdsjrmpkldmq.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\htoespdsjrmpkldmq.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\dtsmefxqlxwdchdqywmlf.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\alfuhdqeubvxrriq.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\odbullcuozxdbfamtqfd.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\alfuhdqeubvxrriq.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\bpmeutjatdafcfzkqma.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\qdzqfdsiajfjfhakpk.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\odbullcuozxdbfamtqfd.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\odbullcuozxdbfamtqfd.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\alfuhdqeubvxrriq.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\ullgzbuokxxffliwfevvqj.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\dtsmefxqlxwdchdqywmlf.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\ullgzbuokxxffliwfevvqj.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\alfuhdqeubvxrriq.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\ullgzbuokxxffliwfevvqj.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\bpmeutjatdafcfzkqma.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\dtsmefxqlxwdchdqywmlf.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File created | C:\Windows\nlsuuddehbixervqgmkrttccd.ahw | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\htoespdsjrmpkldmq.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\htoespdsjrmpkldmq.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\qdzqfdsiajfjfhakpk.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\dtsmefxqlxwdchdqywmlf.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\ullgzbuokxxffliwfevvqj.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\qdzqfdsiajfjfhakpk.exe | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| File opened for modification | C:\Windows\qdzqfdsiajfjfhakpk.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\odbullcuozxdbfamtqfd.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ddmqs.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
"C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\11936a465ab10ea08fcf71f74f34b2a5_jaffacakes118.exe*"
C:\Users\Admin\AppData\Local\Temp\ddmqs.exe
"C:\Users\Admin\AppData\Local\Temp\ddmqs.exe" "-C:\Users\Admin\AppData\Local\Temp\alfuhdqeubvxrriq.exe"
C:\Users\Admin\AppData\Local\Temp\ddmqs.exe
"C:\Users\Admin\AppData\Local\Temp\ddmqs.exe" "-C:\Users\Admin\AppData\Local\Temp\alfuhdqeubvxrriq.exe"
C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
"C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\11936a465ab10ea08fcf71f74f34b2a5_jaffacakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | amukeg.org | udp |
| US | 8.8.8.8:53 | drmwxmhcx.org | udp |
| US | 8.8.8.8:53 | aqhyxevud.net | udp |
| US | 8.8.8.8:53 | jvmkdb.info | udp |
| US | 8.8.8.8:53 | jzkymuyrf.com | udp |
| US | 8.8.8.8:53 | skwceaukegec.com | udp |
| US | 8.8.8.8:53 | kowgeoem.org | udp |
| US | 8.8.8.8:53 | dqhedamixfd.info | udp |
| US | 8.8.8.8:53 | kyqugqywge.com | udp |
| US | 8.8.8.8:53 | sgsgeeihs.net | udp |
| US | 8.8.8.8:53 | vrvxxqjgz.info | udp |
| US | 8.8.8.8:53 | yrqgfnxxrkzi.net | udp |
| US | 8.8.8.8:53 | ajuqdlbo.info | udp |
| US | 8.8.8.8:53 | ovfvabbwro.info | udp |
| US | 8.8.8.8:53 | votagsuunp.info | udp |
| US | 8.8.8.8:53 | cxyauzvr.net | udp |
| US | 8.8.8.8:53 | okuqjlnucx.info | udp |
| US | 8.8.8.8:53 | caaaigqkmiae.org | udp |
| US | 162.249.65.164:80 | caaaigqkmiae.org | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wyjido.info | udp |
| US | 8.8.8.8:53 | ygtsmap.net | udp |
| US | 8.8.8.8:53 | jhtoyqf.net | udp |
| US | 8.8.8.8:53 | fbjiwtlwlgq.org | udp |
| US | 8.8.8.8:53 | epsuzfuhatia.net | udp |
| US | 8.8.8.8:53 | qsrybepsv.info | udp |
| US | 8.8.8.8:53 | weyrtj.net | udp |
| US | 8.8.8.8:53 | usrvlcjef.net | udp |
| US | 8.8.8.8:53 | gwpcbpgymb.net | udp |
| US | 8.8.8.8:53 | ecmywcyo.org | udp |
| US | 8.8.8.8:53 | xzxgqmdh.net | udp |
| US | 8.8.8.8:53 | kzxjhgaeni.net | udp |
| US | 8.8.8.8:53 | vyfaznqp.info | udp |
| US | 8.8.8.8:53 | uwjarov.net | udp |
| US | 8.8.8.8:53 | csigmi.com | udp |
| US | 8.8.8.8:53 | qqbbwepsf.net | udp |
| US | 8.8.8.8:53 | jfzciyx.org | udp |
| US | 162.249.65.164:80 | jfzciyx.org | tcp |
| US | 8.8.8.8:53 | ssqqzncxzuo.info | udp |
| US | 8.8.8.8:53 | nmnkazttyj.net | udp |
| US | 8.8.8.8:53 | xcfcga.net | udp |
| US | 8.8.8.8:53 | uyblvit.info | udp |
| US | 8.8.8.8:53 | daqexaxil.net | udp |
| US | 8.8.8.8:53 | sidlvctfcd.net | udp |
| US | 8.8.8.8:53 | sweeic.org | udp |
| US | 8.8.8.8:53 | dymnbvckho.net | udp |
| US | 8.8.8.8:53 | pcrqltw.info | udp |
| US | 8.8.8.8:53 | htiutzkuvs.net | udp |
| US | 8.8.8.8:53 | cxhpao.info | udp |
| US | 8.8.8.8:53 | ikuwmoou.com | udp |
| US | 8.8.8.8:53 | giwkao.net | udp |
| US | 8.8.8.8:53 | ehwoqrboiogy.net | udp |
| US | 8.8.8.8:53 | iqwhgkiihfci.net | udp |
| US | 8.8.8.8:53 | rnlysjcu.net | udp |
| US | 8.8.8.8:53 | pwacxydvhei.com | udp |
| US | 8.8.8.8:53 | kjpftc.info | udp |
| US | 8.8.8.8:53 | dqvfhasib.info | udp |
| US | 8.8.8.8:53 | uckswqosuc.org | udp |
| US | 8.8.8.8:53 | yiicek.com | udp |
| US | 8.8.8.8:53 | usmecwqwes.com | udp |
| US | 8.8.8.8:53 | yqnknyjgf.net | udp |
| US | 8.8.8.8:53 | tirnpwmcwmd.org | udp |
| US | 8.8.8.8:53 | kydrlkroe.net | udp |
| US | 8.8.8.8:53 | asnapiuotwf.net | udp |
| US | 8.8.8.8:53 | pchvvfrm.net | udp |
| US | 8.8.8.8:53 | nozntxujcjgz.info | udp |
| US | 8.8.8.8:53 | wudmhqgva.info | udp |
| US | 8.8.8.8:53 | vubkfchdjeh.org | udp |
| US | 8.8.8.8:53 | kuikiwiw.org | udp |
| US | 8.8.8.8:53 | xfvqmg.info | udp |
| US | 8.8.8.8:53 | resbrspqdecl.info | udp |
| US | 8.8.8.8:53 | lsmfymawpqur.net | udp |
| US | 8.8.8.8:53 | pgliatwntj.net | udp |
| US | 8.8.8.8:53 | imeaoccykw.com | udp |
| US | 8.8.8.8:53 | bdjouyjaeeb.net | udp |
| US | 8.8.8.8:53 | xecdqjdrtuxp.net | udp |
| US | 8.8.8.8:53 | zmtkywp.org | udp |
| US | 162.249.65.164:80 | zmtkywp.org | tcp |
| US | 8.8.8.8:53 | emgmcwgo.com | udp |
| US | 8.8.8.8:53 | hozqvimincu.net | udp |
| US | 8.8.8.8:53 | kxofwkbctosv.info | udp |
| US | 8.8.8.8:53 | eplieonsd.net | udp |
| US | 8.8.8.8:53 | nttgwkcnho.net | udp |
| US | 8.8.8.8:53 | eouumo.org | udp |
| US | 8.8.8.8:53 | ubdvzyaw.net | udp |
| US | 8.8.8.8:53 | umvihil.net | udp |
| US | 8.8.8.8:53 | rrkmwnrm.net | udp |
| US | 8.8.8.8:53 | igdirkj.net | udp |
| US | 8.8.8.8:53 | dzpmjawy.net | udp |
| US | 8.8.8.8:53 | qjxuvp.net | udp |
| US | 8.8.8.8:53 | iwwoua.org | udp |
| US | 8.8.8.8:53 | lerobrcyat.net | udp |
| US | 8.8.8.8:53 | xgslfgf.info | udp |
| US | 8.8.8.8:53 | xzwgkgn.com | udp |
| US | 8.8.8.8:53 | lyzsnxbjbwlp.net | udp |
| US | 8.8.8.8:53 | asmakousyc.com | udp |
| US | 8.8.8.8:53 | yceqcskoeg.org | udp |
| US | 162.249.65.164:80 | yceqcskoeg.org | tcp |
| US | 8.8.8.8:53 | bvqkrktejqp.org | udp |
| US | 8.8.8.8:53 | jonmvhv.net | udp |
| US | 8.8.8.8:53 | ceaamaoesw.org | udp |
| US | 8.8.8.8:53 | fbaztkzunhlj.net | udp |
| US | 8.8.8.8:53 | daeslut.com | udp |
| US | 8.8.8.8:53 | oplefgvifadh.info | udp |
| US | 8.8.8.8:53 | rwvmggr.net | udp |
| US | 8.8.8.8:53 | cgwgaguesg.org | udp |
| US | 162.249.65.164:80 | cgwgaguesg.org | tcp |
| US | 8.8.8.8:53 | gmfztqpbx.net | udp |
| US | 8.8.8.8:53 | lmevxsvny.info | udp |
| US | 8.8.8.8:53 | fnbcxrpye.info | udp |
| US | 8.8.8.8:53 | tacvvkocr.com | udp |
| US | 8.8.8.8:53 | ektewszbh.info | udp |
| US | 8.8.8.8:53 | nrbcqffl.info | udp |
| US | 8.8.8.8:53 | kuzwyqren.net | udp |
| US | 8.8.8.8:53 | qkogdsn.net | udp |
| US | 8.8.8.8:53 | dkmhwrtcf.info | udp |
| US | 8.8.8.8:53 | uoqgyicmoeem.com | udp |
| US | 8.8.8.8:53 | julxerwaocda.net | udp |
| US | 8.8.8.8:53 | mohwhul.info | udp |
| US | 8.8.8.8:53 | dkvpkzxkx.net | udp |
| US | 8.8.8.8:53 | nvffdqxrvsw.com | udp |
| US | 8.8.8.8:53 | nkybtwpgzoi.info | udp |
| US | 8.8.8.8:53 | clivok.info | udp |
| US | 8.8.8.8:53 | mwrpbud.net | udp |
| US | 8.8.8.8:53 | ywqgsu.org | udp |
| US | 8.8.8.8:53 | nyjkgjppmmbg.info | udp |
| US | 8.8.8.8:53 | gwmeafacbwrh.info | udp |
| US | 8.8.8.8:53 | wosywmyqoe.com | udp |
| US | 8.8.8.8:53 | ijkjfqvkwpn.net | udp |
| US | 8.8.8.8:53 | zgvkedwoyy.net | udp |
| US | 8.8.8.8:53 | qkdqch.net | udp |
| US | 8.8.8.8:53 | zkgygiou.info | udp |
| US | 8.8.8.8:53 | fwpycoihj.com | udp |
| US | 8.8.8.8:53 | jiuacev.com | udp |
| US | 8.8.8.8:53 | bvhpfy.info | udp |
| US | 8.8.8.8:53 | hdwubtwe.info | udp |
| US | 8.8.8.8:53 | eaisokwcuc.com | udp |
| US | 8.8.8.8:53 | gzhynesg.info | udp |
| US | 8.8.8.8:53 | xjhemu.info | udp |
| US | 8.8.8.8:53 | fpfalqjzmzpx.info | udp |
| US | 8.8.8.8:53 | zztdzeju.info | udp |
| US | 8.8.8.8:53 | lblxlwomf.net | udp |
| US | 8.8.8.8:53 | tupgihtn.info | udp |
| US | 8.8.8.8:53 | fnfiremjh.com | udp |
| US | 8.8.8.8:53 | yaammaya.com | udp |
| US | 8.8.8.8:53 | hqtptex.info | udp |
| US | 8.8.8.8:53 | qeifcghkp.net | udp |
| US | 8.8.8.8:53 | ekamqi.org | udp |
| US | 162.249.65.164:80 | ekamqi.org | tcp |
| US | 8.8.8.8:53 | iubmab.info | udp |
| US | 8.8.8.8:53 | kotdpcvug.net | udp |
| US | 8.8.8.8:53 | mwjmyuhxiuhw.net | udp |
| US | 8.8.8.8:53 | zjnnisjzumd.net | udp |
| US | 8.8.8.8:53 | cvwpfiesyd.info | udp |
| US | 8.8.8.8:53 | wmdgzor.info | udp |
| US | 8.8.8.8:53 | zqkuhflmp.com | udp |
| US | 8.8.8.8:53 | zdbwlcrw.net | udp |
| US | 8.8.8.8:53 | qyywgqiauwcc.org | udp |
| US | 8.8.8.8:53 | xopgozy.com | udp |
| US | 8.8.8.8:53 | vaxyfjcgmsd.net | udp |
| US | 8.8.8.8:53 | ownfpcvxhj.info | udp |
| US | 8.8.8.8:53 | mprsoz.net | udp |
| US | 8.8.8.8:53 | rtbzbtvimhvm.info | udp |
| US | 8.8.8.8:53 | tnckauukrs.net | udp |
| US | 8.8.8.8:53 | hyafbvpm.net | udp |
| US | 8.8.8.8:53 | rmfptvkpnmaj.info | udp |
| US | 8.8.8.8:53 | fyodnnektx.info | udp |
| US | 8.8.8.8:53 | yqocscgqq.info | udp |
| US | 8.8.8.8:53 | uwcsweakowqk.org | udp |
| US | 8.8.8.8:53 | egwcmoiuguye.org | udp |
| US | 8.8.8.8:53 | oylmvun.net | udp |
| US | 8.8.8.8:53 | nuqrzqrr.info | udp |
| US | 8.8.8.8:53 | eqcsskwyyiug.org | udp |
| US | 162.249.65.164:80 | eqcsskwyyiug.org | tcp |
| US | 8.8.8.8:53 | uyvqhzjypkv.net | udp |
| US | 8.8.8.8:53 | kwrdfcn.info | udp |
| US | 8.8.8.8:53 | pgchlxgc.net | udp |
| US | 8.8.8.8:53 | jsnojd.net | udp |
| US | 8.8.8.8:53 | eweuaigycy.org | udp |
| US | 162.249.65.164:80 | eweuaigycy.org | tcp |
| US | 8.8.8.8:53 | nizucgjddq.net | udp |
| US | 8.8.8.8:53 | rcsyvxxdvvxv.info | udp |
| US | 8.8.8.8:53 | wirugkhuf.net | udp |
| US | 8.8.8.8:53 | ishstyjyxiz.net | udp |
| US | 8.8.8.8:53 | ksycecmwkkmu.com | udp |
| US | 8.8.8.8:53 | ewamtbtiy.info | udp |
| US | 8.8.8.8:53 | xasyayq.net | udp |
| US | 8.8.8.8:53 | ckqqaueogk.com | udp |
| US | 8.8.8.8:53 | owcmwkggcc.org | udp |
| US | 8.8.8.8:53 | rgrdpwvmpxbc.net | udp |
| US | 8.8.8.8:53 | lhpfwwpq.info | udp |
| US | 8.8.8.8:53 | xipicosem.com | udp |
| US | 8.8.8.8:53 | ewaeouugwaig.org | udp |
| US | 8.8.8.8:53 | xozdwzew.net | udp |
| US | 8.8.8.8:53 | gzzhsqoo.info | udp |
| US | 8.8.8.8:53 | sstpocwyrkb.info | udp |
| US | 8.8.8.8:53 | qudcwcvobcp.info | udp |
| US | 8.8.8.8:53 | xdjykqfwj.net | udp |
| US | 8.8.8.8:53 | euvbfsbmjfez.net | udp |
| US | 8.8.8.8:53 | epjzhicydgq.net | udp |
| US | 8.8.8.8:53 | wrbltynwfcg.net | udp |
| US | 8.8.8.8:53 | rdrsxai.info | udp |
| US | 8.8.8.8:53 | ijnrupwgmw.info | udp |
| US | 8.8.8.8:53 | todegidiiqb.info | udp |
| US | 8.8.8.8:53 | fnqsmcftroxg.info | udp |
| US | 8.8.8.8:53 | bazljq.net | udp |
| US | 8.8.8.8:53 | krvfwznyra.net | udp |
| US | 8.8.8.8:53 | wzxqqsksmhht.net | udp |
| US | 8.8.8.8:53 | fosrfmktf.info | udp |
| US | 8.8.8.8:53 | zqzlwtsib.info | udp |
| US | 8.8.8.8:53 | hqhepkjva.net | udp |
| US | 8.8.8.8:53 | erzyipbzld.info | udp |
| US | 8.8.8.8:53 | kcguuuas.com | udp |
| US | 8.8.8.8:53 | utdopipdxc.info | udp |
| US | 8.8.8.8:53 | ectihsr.info | udp |
| US | 8.8.8.8:53 | wyuiqkv.net | udp |
| US | 8.8.8.8:53 | jnhotjhsp.info | udp |
| US | 8.8.8.8:53 | anfcgboo.info | udp |
| US | 8.8.8.8:53 | ycaunmdur.net | udp |
| US | 8.8.8.8:53 | mjvwpl.net | udp |
| US | 8.8.8.8:53 | jwlmww.info | udp |
| US | 8.8.8.8:53 | crqbtqj.info | udp |
| US | 8.8.8.8:53 | louqjfr.info | udp |
| US | 8.8.8.8:53 | hppqtx.info | udp |
| US | 8.8.8.8:53 | qyiwrcy.info | udp |
| US | 8.8.8.8:53 | astalutajej.info | udp |
| US | 8.8.8.8:53 | puqjbobk.net | udp |
| US | 8.8.8.8:53 | damqftj.com | udp |
| US | 8.8.8.8:53 | nizybszil.info | udp |
| US | 8.8.8.8:53 | otjneshvxgn.info | udp |
| US | 8.8.8.8:53 | wemiqw.org | udp |
| US | 8.8.8.8:53 | eiaqzoncakn.net | udp |
| US | 8.8.8.8:53 | ykhkvljit.info | udp |
| US | 8.8.8.8:53 | tesznu.info | udp |
| US | 8.8.8.8:53 | neotjkse.info | udp |
| US | 8.8.8.8:53 | romrtblupu.net | udp |
| US | 8.8.8.8:53 | uwaekcyseggi.org | udp |
| US | 8.8.8.8:53 | gkfyhjh.info | udp |
| US | 8.8.8.8:53 | leolzd.info | udp |
| US | 8.8.8.8:53 | ukdltgkqjoxu.net | udp |
| US | 8.8.8.8:53 | ieprwgvxkx.net | udp |
| US | 8.8.8.8:53 | qwyztb.info | udp |
| US | 8.8.8.8:53 | ywjcdwrljdzy.info | udp |
| US | 8.8.8.8:53 | nefwulmsyx.net | udp |
| US | 8.8.8.8:53 | vekatucoeac.com | udp |
| US | 8.8.8.8:53 | lrbqxqikxvb.info | udp |
| US | 8.8.8.8:53 | rycmkqswqjq.info | udp |
| US | 8.8.8.8:53 | uohyimrkg.net | udp |
| US | 8.8.8.8:53 | znpsldu.org | udp |
| US | 162.249.65.164:80 | znpsldu.org | tcp |
| US | 8.8.8.8:53 | gyzufdenqsnh.net | udp |
| US | 8.8.8.8:53 | incdxol.net | udp |
| US | 8.8.8.8:53 | pawyif.info | udp |
| US | 8.8.8.8:53 | aovxmktl.info | udp |
| US | 8.8.8.8:53 | jcgvkkgsngge.net | udp |
| US | 8.8.8.8:53 | tanoeecmzn.info | udp |
| US | 8.8.8.8:53 | nkrzvcyyty.info | udp |
| US | 8.8.8.8:53 | dsqiryl.net | udp |
| US | 8.8.8.8:53 | bfmavgevut.net | udp |
| US | 8.8.8.8:53 | loogvzecd.com | udp |
| US | 8.8.8.8:53 | djdjhidqmwh.com | udp |
| US | 8.8.8.8:53 | womqsomwiuwu.org | udp |
| US | 8.8.8.8:53 | lbdnfn.net | udp |
| US | 8.8.8.8:53 | cbpmrwpsc.info | udp |
| US | 8.8.8.8:53 | kufyxxtijq.net | udp |
| US | 8.8.8.8:53 | asrxpsf.info | udp |
| US | 8.8.8.8:53 | miswccdu.net | udp |
| US | 8.8.8.8:53 | nisgdqrqtoo.com | udp |
| US | 8.8.8.8:53 | lmqgpqpivo.info | udp |
| US | 8.8.8.8:53 | tnqkazvppy.info | udp |
| US | 8.8.8.8:53 | uckymuoq.com | udp |
| US | 8.8.8.8:53 | pmiqqgs.org | udp |
| US | 8.8.8.8:53 | veoqwcpwnuh.org | udp |
| US | 8.8.8.8:53 | kmuogs.com | udp |
| US | 8.8.8.8:53 | aczyvkf.info | udp |
| US | 8.8.8.8:53 | vutqzcnht.org | udp |
| US | 8.8.8.8:53 | dkditsf.org | udp |
| US | 8.8.8.8:53 | qsuznipox.net | udp |
| US | 8.8.8.8:53 | nzddyrzegz.net | udp |
| US | 8.8.8.8:53 | aotovfsijge.info | udp |
| US | 8.8.8.8:53 | kmkgsypnlw.net | udp |
| US | 8.8.8.8:53 | tkksbxkoub.info | udp |
| US | 8.8.8.8:53 | cugcmy.org | udp |
| US | 162.249.65.164:80 | cugcmy.org | tcp |
| US | 8.8.8.8:53 | abhmvt.net | udp |
| US | 8.8.8.8:53 | szzbdsdup.net | udp |
| US | 8.8.8.8:53 | ufseryl.net | udp |
| US | 8.8.8.8:53 | kqrhhigmwu.net | udp |
| US | 8.8.8.8:53 | rivbnc.info | udp |
| US | 8.8.8.8:53 | uijktvyyjbr.net | udp |
| US | 8.8.8.8:53 | zelshmrjztq.org | udp |
| US | 8.8.8.8:53 | teuatocapp.info | udp |
| US | 8.8.8.8:53 | peeyqdfdv.info | udp |
| US | 8.8.8.8:53 | zawufqzwz.net | udp |
| US | 8.8.8.8:53 | rqxvbjiw.net | udp |
| US | 8.8.8.8:53 | nktwrnrqh.info | udp |
| US | 8.8.8.8:53 | inxepid.net | udp |
| US | 8.8.8.8:53 | raiobwskm.info | udp |
| US | 8.8.8.8:53 | wkqfjur.info | udp |
| US | 8.8.8.8:53 | flmlbmahpnjb.net | udp |
| US | 8.8.8.8:53 | jovoxkg.org | udp |
| US | 8.8.8.8:53 | lysassfobzx.net | udp |
| US | 8.8.8.8:53 | dceqbix.net | udp |
| US | 8.8.8.8:53 | nhuaav.net | udp |
| US | 8.8.8.8:53 | xsdupfknuc.net | udp |
| US | 8.8.8.8:53 | oanywlgak.net | udp |
| US | 8.8.8.8:53 | aueidzxm.net | udp |
| US | 8.8.8.8:53 | fjnozbjwi.org | udp |
| US | 8.8.8.8:53 | xbdyxk.info | udp |
| US | 8.8.8.8:53 | yawysiawqy.com | udp |
| US | 8.8.8.8:53 | vkhjhgagd.org | udp |
| US | 8.8.8.8:53 | wxkqlivqzob.info | udp |
| US | 8.8.8.8:53 | roldfkgp.net | udp |
| US | 8.8.8.8:53 | cwdeffi.info | udp |
| US | 8.8.8.8:53 | vklrrkpgb.info | udp |
| US | 8.8.8.8:53 | ktqhzfum.net | udp |
| US | 8.8.8.8:53 | bdzwhfiyemap.info | udp |
| US | 8.8.8.8:53 | vqqykhawjuwv.info | udp |
| US | 8.8.8.8:53 | menmpcpew.net | udp |
| US | 8.8.8.8:53 | gshqxwi.info | udp |
| US | 8.8.8.8:53 | sacbpw.info | udp |
| US | 8.8.8.8:53 | cwxmfkhpudxc.info | udp |
| US | 8.8.8.8:53 | admyee.info | udp |
| US | 8.8.8.8:53 | qsrhpkyqfq.net | udp |
| US | 8.8.8.8:53 | javmcaomrw.info | udp |
| US | 8.8.8.8:53 | fepynwvhfcy.info | udp |
| US | 8.8.8.8:53 | pedyxcrohat.org | udp |
| DE | 85.214.228.140:80 | pedyxcrohat.org | tcp |
| US | 8.8.8.8:53 | hkigtaasb.com | udp |
| US | 8.8.8.8:53 | nlhdhusjxyrj.info | udp |
| US | 8.8.8.8:53 | emuuqqqa.com | udp |
| US | 8.8.8.8:53 | geiehohtveh.net | udp |
| US | 8.8.8.8:53 | gyokiycm.com | udp |
| US | 8.8.8.8:53 | lcqojurkpsl.info | udp |
| US | 8.8.8.8:53 | bozcuxdkeuv.com | udp |
| US | 8.8.8.8:53 | mcbqdgrajsk.info | udp |
| US | 8.8.8.8:53 | vlhmlajqqwb.net | udp |
| US | 8.8.8.8:53 | fyjyyaxrto.info | udp |
| US | 8.8.8.8:53 | feyhndndk.com | udp |
| US | 8.8.8.8:53 | sifgpql.net | udp |
| US | 8.8.8.8:53 | potupbtqjy.net | udp |
| US | 8.8.8.8:53 | lutyrz.info | udp |
| US | 8.8.8.8:53 | deygjyhyxkw.com | udp |
| US | 8.8.8.8:53 | nmmhxit.com | udp |
| US | 8.8.8.8:53 | olplyo.net | udp |
| US | 8.8.8.8:53 | mggkesig.com | udp |
| US | 8.8.8.8:53 | uemkamsqow.org | udp |
| US | 8.8.8.8:53 | tujamdpg.info | udp |
| US | 8.8.8.8:53 | dslmoth.org | udp |
| US | 8.8.8.8:53 | kvjrtf.net | udp |
| US | 8.8.8.8:53 | vvwyysuir.net | udp |
| US | 8.8.8.8:53 | tipmbyvqn.net | udp |
| US | 8.8.8.8:53 | ffzzhcdggx.net | udp |
| US | 8.8.8.8:53 | mkzshdrhh.info | udp |
| US | 8.8.8.8:53 | nmxelvnqckb.com | udp |
| US | 8.8.8.8:53 | 140.228.214.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jeozwmdscvr.info | udp |
| US | 8.8.8.8:53 | vgiklhfpgl.net | udp |
| US | 8.8.8.8:53 | pkpkqulxxup.info | udp |
| US | 8.8.8.8:53 | rrpfczxrlrde.net | udp |
| US | 8.8.8.8:53 | megwbze.info | udp |
| US | 8.8.8.8:53 | acdwjiv.net | udp |
| US | 8.8.8.8:53 | nqqcmtvdrat.net | udp |
| US | 8.8.8.8:53 | qqmugsmios.com | udp |
| US | 8.8.8.8:53 | albmeolor.info | udp |
| US | 8.8.8.8:53 | bfviveu.com | udp |
| US | 8.8.8.8:53 | anfelyjorzjt.net | udp |
| US | 8.8.8.8:53 | csaosk.org | udp |
| US | 8.8.8.8:53 | ejdaitmphunw.net | udp |
| US | 8.8.8.8:53 | fwcgyavpj.info | udp |
| US | 8.8.8.8:53 | quugayumwyiw.com | udp |
| US | 8.8.8.8:53 | yvyxhjvlbkzg.info | udp |
| US | 8.8.8.8:53 | vqwgriddx.net | udp |
| US | 8.8.8.8:53 | fmrssfsyt.com | udp |
| US | 8.8.8.8:53 | tzzmpypupj.info | udp |
| US | 8.8.8.8:53 | eikmsppmjz.net | udp |
| US | 8.8.8.8:53 | isdmpotju.net | udp |
| US | 8.8.8.8:53 | ogweky.com | udp |
| US | 8.8.8.8:53 | ncdmrcpkn.info | udp |
| US | 8.8.8.8:53 | rpsifxhwuw.info | udp |
| US | 8.8.8.8:53 | bolnsnhzu.net | udp |
| US | 8.8.8.8:53 | mupmejzte.info | udp |
| US | 8.8.8.8:53 | hrouugxjd.info | udp |
| US | 8.8.8.8:53 | awukyuqcccgc.org | udp |
| US | 8.8.8.8:53 | auqaasc.net | udp |
| US | 8.8.8.8:53 | nywjdatjjd.info | udp |
| US | 8.8.8.8:53 | hwhstmmyxyf.info | udp |
| US | 8.8.8.8:53 | vkvepunyzyn.net | udp |
| US | 8.8.8.8:53 | qiofjv.info | udp |
| US | 8.8.8.8:53 | ldzizscm.info | udp |
| US | 8.8.8.8:53 | dudqhanok.net | udp |
| US | 8.8.8.8:53 | lctmxcjohxl.info | udp |
| US | 8.8.8.8:53 | vftisywmnsn.org | udp |
| US | 8.8.8.8:53 | tgbezcime.net | udp |
| US | 162.249.65.164:80 | cugcmy.org | tcp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | caawuiiksw.com | udp |
| US | 8.8.8.8:53 | fnuvje.net | udp |
| US | 8.8.8.8:53 | scgwkioykc.org | udp |
| US | 8.8.8.8:53 | nscdhdux.net | udp |
| US | 34.211.97.45:80 | kwhfqnnejec.info | tcp |
| US | 8.8.8.8:53 | mkwiwy.com | udp |
| US | 8.8.8.8:53 | znjvajxz.net | udp |
| US | 8.8.8.8:53 | igtlcezwn.info | udp |
| US | 8.8.8.8:53 | uwekyc.org | udp |
| US | 8.8.8.8:53 | yaepjtgv.info | udp |
| US | 8.8.8.8:53 | bkiukmk.net | udp |
| US | 162.249.65.164:80 | cugcmy.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
| MD5 | b7d881d5c0258783b86990956db21c4e |
| SHA1 | 669b5a6ee6ccb481e38cdfdaa2373aba2bcecfe5 |
| SHA256 | c8bbf69eca31b1066977c1a727ca6cd32bb56ab503625182bfbe502d9fba004d |
| SHA512 | 5f79b1c845504cae1f52d722384ad55fbc2e45c270d5fb8d22d0a04bba8518cb5b22ae76c8c09e1578f7ba6543edbd32b6ef600169279e9f95d0b675ddd98c09 |
C:\Windows\SysWOW64\qdzqfdsiajfjfhakpk.exe
| MD5 | 11936a465ab10ea08fcf71f74f34b2a5 |
| SHA1 | 0c4c88dd3575f8eb6ef45b3aeed5fa92e5df1e36 |
| SHA256 | c94affbe6570c331c05c4fc1d272d17086646b37a0cb76cc168b01540debe38b |
| SHA512 | cfd45b9cfd01045710a575f75bcda2b5ed1545f61c43f12fddaa3749a8f0fab79d4d09166165bd51d64429fa7951f071892050646dbba30cc47b5249fe2dbb7d |
C:\Users\Admin\AppData\Local\Temp\ddmqs.exe
| MD5 | 5c117f33ce66b60f039e501dbea9218e |
| SHA1 | f4cf52b8524dfefe10c25185c2b62aae08d73bee |
| SHA256 | 9056915ee604c4932da811d8cddb1dd291a647c1fed62a36081cf91819438cf1 |
| SHA512 | d55c8bdde3ec7bc3da29226fd23060bee1c143023c7b6302d9e1cbb8bc06ecd47c289e57008252608401213bd59501eedd9bfba1be3bc23fc8de013ff992bfee |
C:\Users\Admin\AppData\Local\nlsuuddehbixervqgmkrttccd.ahw
| MD5 | d480ea070f0fd31fb27ee613429941b0 |
| SHA1 | dd9100dadee7996fe4c53ab4b51351155e8bbbf7 |
| SHA256 | 84a69c6ecafb38c5727cfd080251d10af5600d3ce7a57b5cf7e400a072138f3f |
| SHA512 | f4186e36d5ba486acf148c0bec91fd51badb1d265e7c73811aac7e865ce5f361e99d773a43e1815753ab91a35b478b82ade711cedb90bcb0df5b1b830681ddbe |
C:\Users\Admin\AppData\Local\sbtgrlwiwbttljyefwfxkvpamafxxpncijaj.ozt
| MD5 | 59e416d8ddf2027ff0769aa8ac671e28 |
| SHA1 | 13079f92a56dc9fca4530ee316804c37c3750d4d |
| SHA256 | 6a323c0ce36b88f8552248096c092fe141ff81d6207c45db5c9f61d357cba303 |
| SHA512 | 60870005045887e202d6a26cdc448ca988c3daff445149847125f94bd7bb8db711d07839647e721d127c7456260d30703fac4b17c0c3ed6c2effa5b47247e885 |
C:\Program Files (x86)\nlsuuddehbixervqgmkrttccd.ahw
| MD5 | 9265ffec6aac5fb408c65fec145326c9 |
| SHA1 | 5ab388333c2e75329221116c69b2ca127794d3b0 |
| SHA256 | a80384cbc3d2f1e275ac13dcb0ce3962f8b0780e48c0015333a0ce53c09fd899 |
| SHA512 | 061253f3daf3f89d1f92a9fe4cb30f4740aa08a74c757f3a44ac430c95abbf49adb2283b5f1131cff5cf78e2dee198099eaa76dc159853c23e7bcb19368914f8 |
C:\Program Files (x86)\nlsuuddehbixervqgmkrttccd.ahw
| MD5 | 1bb6d5efedb9c105bc5384380524888e |
| SHA1 | 48ca533f5e5c1d0615b0767c7292b66be5da8bdc |
| SHA256 | be0fa690d1fff616ea3971b1bd0b2b5d85dda8508c989a150ae96b4a560285fa |
| SHA512 | 7cdd698e9710716a81e192bb5596fed328d6d0b8d87297ac8791c465d399d9db210d4dac0a1a9d48c3cf6e6e0b8f242878a77e8a9831ccefb13ae2f42357c144 |
C:\hlygmbhox.bat
| MD5 | 93b0729b16938215c9ff2fdb4fe02d93 |
| SHA1 | 9c02ec08eb76c7ef7bc2231b36c6c957dc4456b1 |
| SHA256 | b6580508efcc287adcdea5d66f7c0b9d054bc8d8c54936f4caf8c4437aced5ef |
| SHA512 | db475575ae91b20809350927942478444565b013d81b89d58640c98a86851c59467c42703054dae8717515d9529db52be6dd18d3ffc17b96e44e4de79503d69d |
C:\Program Files (x86)\nlsuuddehbixervqgmkrttccd.ahw
| MD5 | 269f252bb4f65079078218acdb32c755 |
| SHA1 | 700db7ac550cb673cdd7c3cbaa4bdf206d40b55a |
| SHA256 | 9c15476a6eb1b167f5dbdfbd7dc5d34cef578a18dd3b996b462f7e737ee93d82 |
| SHA512 | 4e7db453110c995860a22651a4f798a3e5f351affcfe6f4754481d4e9400e5e1e57dfd12b4aba0d8cb9ef3d2de68fed49bc8ea51cd1cbf0be783bee1b5cd1589 |
C:\Users\Admin\AppData\Local\nlsuuddehbixervqgmkrttccd.ahw
| MD5 | 3d071c6d64e755acebc9ff07770fc251 |
| SHA1 | f7d7d21b5e0cafc619af48ad02d77e980e4274f3 |
| SHA256 | 1b7ea628616eeced30c423dceefd78dfe3c21eaf8dc0ec98e7d6afd8ff4d811f |
| SHA512 | 23f8de3a58d6b035c3fba239253b0de73d81780c168d52f15994c22b32db025b1131d7f023104e1f0048e95d39cb85d7e3292128a9ecf79e099a0f17f1e4d849 |
C:\Program Files (x86)\nlsuuddehbixervqgmkrttccd.ahw
| MD5 | 55cdf6565c85540d61ca26d4cd73941d |
| SHA1 | 55599443dc8d96e9b03ea2568a21a52598280d1b |
| SHA256 | 790524775b14526cdcc08c3f3a249bc7aadac4836a043068228ebeec71a764ca |
| SHA512 | bad352514e9393bbeb082821e1e0b8f7409d55d472f053c8ffa3e30b6b60566e7b0374b96ffb4b53f6ce6413a432c1c98ffafb24b8c8c9b093d11956f8feaa48 |
C:\Program Files (x86)\nlsuuddehbixervqgmkrttccd.ahw
| MD5 | 32a9f03b87402343c2a5b846f3095728 |
| SHA1 | 2977a42957fc82a642ef785ce0b4452ab9c8eafa |
| SHA256 | b74ffb4235e05468fc9bd9621940b3a437969947f46a447c0207781ed932aef9 |
| SHA512 | 303287ea28d7386b75a33dd717cff728e2d12072daf20aefe794dfad35b16d1a7e1a463a62075660e34a531a53fbafce64ecfc53ddc504f69654c91c154d0ba6 |
C:\Program Files (x86)\nlsuuddehbixervqgmkrttccd.ahw
| MD5 | 40560ecb30b8ad7299725b7ee94a42a3 |
| SHA1 | feb746695aec1dbb23af29e797d8a5546e96ed29 |
| SHA256 | cd7ca00d706b36df129c8700bc0d2a0ef99bea6436769c6a8c043af027fa468c |
| SHA512 | cc862118feb207390355a51af0c546eb418c379a3424b38881718dfebb2fdb98b8728fe728e6b3d2ff51ff0ba65e5b569a2eb773d6b68ecbcd3b62dd99d08b9b |