Malware Analysis Report

2025-03-15 00:56

Sample ID: 240626-lt69xayepa
Target: 11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118
SHA256: c94affbe6570c331c05c4fc1d272d17086646b37a0cb76cc168b01540debe38b
Tags: defense_evasion evasion persistence trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: c94affbe6570c331c05c4fc1d272d17086646b37a0cb76cc168b01540debe38b
Threat Level: Known bad

The file 11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

Tags: defense_evasion evasion persistence trojan

UAC bypass

Modifies WinLogon for persistence

Disables RegEdit via registry modification

Adds policy Run key to start application

Impair Defenses: Safe Mode Boot

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Drops autorun.inf file

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-26 09:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-26 09:50
Reported: 2024-06-26 09:53
Platform: win7-20231129-en
Max time kernel: 149s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence
Tags: persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A

UAC bypass
Tags: evasion trojan

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A

Adds policy Run key to start application
Tags: persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\coxcobfrt = "ywrigfvthdhkvaaumxmkf.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\coxcobfrt = "wslawthdpjlmvywoena.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwnaupbvfxxwdeaqe.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywrigfvthdhkvaaumxmkf.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voeqjdohqhgekkfu.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywrigfvthdhkvaaumxmkf.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\coxcobfrt = "cwnaupbvfxxwdeaqe.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\coxcobfrt = "wslawthdpjlmvywoena.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\coxcobfrt = "wslawthdpjlmvywoena.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgaqnlaxkfikuyxqhrfc.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\coxcobfrt = "voeqjdohqhgekkfu.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\coxcobfrt = "lgymhdqlwpqqyaxodl.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\coxcobfrt = "cwnaupbvfxxwdeaqe.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\coxcobfrt = "ywrigfvthdhkvaaumxmkf.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgymhdqlwpqqyaxodl.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\coxcobfrt = "jgaqnlaxkfikuyxqhrfc.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voeqjdohqhgekkfu.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wslawthdpjlmvywoena.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wslawthdpjlmvywoena.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgymhdqlwpqqyaxodl.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\coxcobfrt = "ywrigfvthdhkvaaumxmkf.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgymhdqlwpqqyaxodl.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\jsyajt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwnaupbvfxxwdeaqe.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A

Disables RegEdit via registry modification
Tags: evasion

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A

Impair Defenses: Safe Mode Boot
Tags: defense_evasion

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A

Adds Run key to start application
Tags: persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncowlbixcpke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgymhdqlwpqqyaxodl.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncowlbixcpke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwnaupbvfxxwdeaqe.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "voeqjdohqhgekkfu.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncowlbixcpke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wslawthdpjlmvywoena.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qepwkzftxjd = "wslawthdpjlmvywoena.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wslawthdpjlmvywoena.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwnaupbvfxxwdeaqe.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qepwkzftxjd = "cwnaupbvfxxwdeaqe.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wslawthdpjlmvywoena.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qepwkzftxjd = "cwnaupbvfxxwdeaqe.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\visylzeruf = "voeqjdohqhgekkfu.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mcpyofndjxtor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wslawthdpjlmvywoena.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mcpyofndjxtor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voeqjdohqhgekkfu.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\visylzeruf = "cwnaupbvfxxwdeaqe.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\visylzeruf = "lgymhdqlwpqqyaxodl.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "voeqjdohqhgekkfu.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\visylzeruf = "cwnaupbvfxxwdeaqe.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qepwkzftxjd = "jgaqnlaxkfikuyxqhrfc.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "jgaqnlaxkfikuyxqhrfc.exe ." C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwnaupbvfxxwdeaqe.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwnaupbvfxxwdeaqe.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mcpyofndjxtor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgaqnlaxkfikuyxqhrfc.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgymhdqlwpqqyaxodl.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\visylzeruf = "lgymhdqlwpqqyaxodl.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voeqjdohqhgekkfu.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncowlbixcpke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wslawthdpjlmvywoena.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncowlbixcpke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgymhdqlwpqqyaxodl.exe ." C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "ywrigfvthdhkvaaumxmkf.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgaqnlaxkfikuyxqhrfc.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgaqnlaxkfikuyxqhrfc.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywrigfvthdhkvaaumxmkf.exe ." C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgaqnlaxkfikuyxqhrfc.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "wslawthdpjlmvywoena.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywrigfvthdhkvaaumxmkf.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\visylzeruf = "voeqjdohqhgekkfu.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "jgaqnlaxkfikuyxqhrfc.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qepwkzftxjd = "ywrigfvthdhkvaaumxmkf.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncowlbixcpke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voeqjdohqhgekkfu.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voeqjdohqhgekkfu.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "cwnaupbvfxxwdeaqe.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qepwkzftxjd = "ywrigfvthdhkvaaumxmkf.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywrigfvthdhkvaaumxmkf.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywrigfvthdhkvaaumxmkf.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "wslawthdpjlmvywoena.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncowlbixcpke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voeqjdohqhgekkfu.exe ." C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voeqjdohqhgekkfu.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwnaupbvfxxwdeaqe.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "wslawthdpjlmvywoena.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "cwnaupbvfxxwdeaqe.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "ywrigfvthdhkvaaumxmkf.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mcpyofndjxtor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwnaupbvfxxwdeaqe.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "jgaqnlaxkfikuyxqhrfc.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncowlbixcpke = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgymhdqlwpqqyaxodl.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgymhdqlwpqqyaxodl.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mcpyofndjxtor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgymhdqlwpqqyaxodl.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "jgaqnlaxkfikuyxqhrfc.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qepwkzftxjd = "voeqjdohqhgekkfu.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ywrigfvthdhkvaaumxmkf.exe ." C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\qepwkzftxjd = "jgaqnlaxkfikuyxqhrfc.exe ." C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lweitfit = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwnaupbvfxxwdeaqe.exe ." C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mcpyofndjxtor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lgymhdqlwpqqyaxodl.exe" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mcpyofndjxtor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cwnaupbvfxxwdeaqe.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mcpyofndjxtor = "C:\\Users\\Admin\\AppData\\Local\\Temp\\voeqjdohqhgekkfu.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\wgnqaln = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wslawthdpjlmvywoena.exe" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A

Checks whether UAC is enabled
Tags: evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyip.everdot.org N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\wslawthdpjlmvywoena.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\cwnaupbvfxxwdeaqe.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\SysWOW64\jgaqnlaxkfikuyxqhrfc.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\SysWOW64\ywrigfvthdhkvaaumxmkf.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\SysWOW64\voeqjdohqhgekkfu.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\cwnaupbvfxxwdeaqe.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\lgymhdqlwpqqyaxodl.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\pokcbbsrgdimyefatfvuqi.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\SysWOW64\iorqwdbhdhtexksuunkqtsyfd.fjv C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File created C:\Windows\SysWOW64\iorqwdbhdhtexksuunkqtsyfd.fjv C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\SysWOW64\ywrigfvthdhkvaaumxmkf.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\lgymhdqlwpqqyaxodl.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\SysWOW64\wslawthdpjlmvywoena.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\SysWOW64\lgymhdqlwpqqyaxodl.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\SysWOW64\lgymhdqlwpqqyaxodl.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\pokcbbsrgdimyefatfvuqi.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\wslawthdpjlmvywoena.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\ywrigfvthdhkvaaumxmkf.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\voeqjdohqhgekkfu.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\SysWOW64\pokcbbsrgdimyefatfvuqi.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\voeqjdohqhgekkfu.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\cwnaupbvfxxwdeaqe.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\SysWOW64\wslawthdpjlmvywoena.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\SysWOW64\pokcbbsrgdimyefatfvuqi.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\SysWOW64\jgaqnlaxkfikuyxqhrfc.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\ywrigfvthdhkvaaumxmkf.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\SysWOW64\voeqjdohqhgekkfu.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\SysWOW64\nesctlulsheaecvitxfwkuldmdkzwswunalp.ocm C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\SysWOW64\jgaqnlaxkfikuyxqhrfc.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File created C:\Windows\SysWOW64\nesctlulsheaecvitxfwkuldmdkzwswunalp.ocm C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\SysWOW64\cwnaupbvfxxwdeaqe.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\SysWOW64\jgaqnlaxkfikuyxqhrfc.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\iorqwdbhdhtexksuunkqtsyfd.fjv C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File created C:\Program Files (x86)\iorqwdbhdhtexksuunkqtsyfd.fjv C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Program Files (x86)\nesctlulsheaecvitxfwkuldmdkzwswunalp.ocm C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File created C:\Program Files (x86)\nesctlulsheaecvitxfwkuldmdkzwswunalp.ocm C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\pokcbbsrgdimyefatfvuqi.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\jgaqnlaxkfikuyxqhrfc.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\iorqwdbhdhtexksuunkqtsyfd.fjv C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\nesctlulsheaecvitxfwkuldmdkzwswunalp.ocm C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\lgymhdqlwpqqyaxodl.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\ywrigfvthdhkvaaumxmkf.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\cwnaupbvfxxwdeaqe.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\voeqjdohqhgekkfu.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\lgymhdqlwpqqyaxodl.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\pokcbbsrgdimyefatfvuqi.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File created C:\Windows\iorqwdbhdhtexksuunkqtsyfd.fjv C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\lgymhdqlwpqqyaxodl.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\wslawthdpjlmvywoena.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\ywrigfvthdhkvaaumxmkf.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\voeqjdohqhgekkfu.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\jgaqnlaxkfikuyxqhrfc.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File created C:\Windows\nesctlulsheaecvitxfwkuldmdkzwswunalp.ocm C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\cwnaupbvfxxwdeaqe.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\jgaqnlaxkfikuyxqhrfc.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\pokcbbsrgdimyefatfvuqi.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\wslawthdpjlmvywoena.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\pokcbbsrgdimyefatfvuqi.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\lgymhdqlwpqqyaxodl.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\ywrigfvthdhkvaaumxmkf.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\ywrigfvthdhkvaaumxmkf.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\voeqjdohqhgekkfu.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\jgaqnlaxkfikuyxqhrfc.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\voeqjdohqhgekkfu.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\wslawthdpjlmvywoena.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\cwnaupbvfxxwdeaqe.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
File opened for modification C:\Windows\cwnaupbvfxxwdeaqe.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
File opened for modification C:\Windows\wslawthdpjlmvywoena.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe
PID 2380 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe
PID 2380 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe
PID 2380 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe
PID 2372 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe
PID 2372 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe
PID 2372 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe
PID 2372 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe
PID 2372 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe
PID 2372 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe
PID 2372 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe
PID 2372 wrote to memory of 2468 N/A C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe C:\Users\Admin\AppData\Local\Temp\jsyajt.exe
PID 2380 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe
PID 2380 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe
PID 2380 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe
PID 2380 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\jsyajt.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe

"C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe" "c:\users\admin\appdata\local\temp\11936a465ab10ea08fcf71f74f34b2a5_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\jsyajt.exe

"C:\Users\Admin\AppData\Local\Temp\jsyajt.exe" "-C:\Users\Admin\AppData\Local\Temp\voeqjdohqhgekkfu.exe"

C:\Users\Admin\AppData\Local\Temp\jsyajt.exe

"C:\Users\Admin\AppData\Local\Temp\jsyajt.exe" "-C:\Users\Admin\AppData\Local\Temp\voeqjdohqhgekkfu.exe"

C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe

"C:\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe" "c:\users\admin\appdata\local\temp\11936a465ab10ea08fcf71f74f34b2a5_jaffacakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.showmyipaddress.com udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.whatismyip.com udp
US 104.27.206.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.wikipedia.org udp
NL 185.15.59.224:80 www.wikipedia.org tcp
US 8.8.8.8:53 www.baidu.com udp
HK 103.235.46.96:80 www.baidu.com tcp
LT 78.61.84.37:30728 tcp
US 8.8.8.8:53 vsdgddzap.org udp
US 162.249.65.164:80 vsdgddzap.org tcp
US 8.8.8.8:53 caawuiiksw.com udp
US 8.8.8.8:53 dfpimmls.net udp
LT 78.61.84.37:30728 tcp
US 8.8.8.8:53 kvhvli.net udp
US 8.8.8.8:53 kwhfqnnejec.info udp
US 34.211.97.45:80 kwhfqnnejec.info tcp
US 8.8.8.8:53 tfiwnvcaf.org udp
US 8.8.8.8:53 uuzqrv.net udp
US 8.8.8.8:53 pmvuoxax.net udp
US 8.8.8.8:53 tepyknfqpj.net udp
US 8.8.8.8:53 dxunadygn.org udp
US 8.8.8.8:53 eomqiyui.org udp
US 162.249.65.164:80 eomqiyui.org tcp
US 8.8.8.8:53 heylzdxbfmj.net udp
US 8.8.8.8:53 bstckcjwbmc.com udp
US 8.8.8.8:53 hazzthxrziyh.net udp
US 8.8.8.8:53 amnudcijncde.net udp
US 8.8.8.8:53 misipok.net udp
US 8.8.8.8:53 qqsummsaom.com udp
US 8.8.8.8:53 aafcic.info udp
US 8.8.8.8:53 iymeim.org udp
US 8.8.8.8:53 jawzfnq.org udp
US 162.249.65.164:80 jawzfnq.org tcp
US 8.8.8.8:53 hrowho.net udp
US 8.8.8.8:53 chfexbbdunrp.net udp
US 8.8.8.8:53 qaxyvsymzas.info udp
US 8.8.8.8:53 remlfmfdaz.net udp
US 8.8.8.8:53 awowcxnzde.net udp
US 8.8.8.8:53 ikzszjxmq.info udp
US 208.100.26.245:80 ikzszjxmq.info tcp
US 8.8.8.8:53 yavjrbwldmn.net udp
US 8.8.8.8:53 vueusddp.net udp
US 8.8.8.8:53 evbkdgdwpwt.net udp
US 8.8.8.8:53 hkzpou.net udp
US 8.8.8.8:53 nibgvqqbg.net udp
US 8.8.8.8:53 pobimdpjepjr.info udp
US 8.8.8.8:53 tgdtwkjaafc.com udp
US 8.8.8.8:53 sbkfzk.info udp
US 8.8.8.8:53 bmxmwor.org udp
US 8.8.8.8:53 kzjozwgi.info udp
US 8.8.8.8:53 typpguimjs.info udp
US 8.8.8.8:53 bfnkdfbtnuch.info udp
US 8.8.8.8:53 oqqkwoskyi.org udp
US 8.8.8.8:53 fuhhdoyf.net udp
US 8.8.8.8:53 pxncoedltqd.info udp
US 8.8.8.8:53 iwumquiwsu.org udp
US 8.8.8.8:53 ncusnlcx.info udp
US 8.8.8.8:53 yqwiwiqqge.com udp
US 8.8.8.8:53 hswepwt.com udp
US 8.8.8.8:53 emrahjygcgoo.net udp
US 8.8.8.8:53 rnalnehlxv.net udp
US 8.8.8.8:53 nwzrawvk.info udp
US 8.8.8.8:53 nzxugtv.org udp
US 8.8.8.8:53 cwggia.org udp
US 8.8.8.8:53 swtprdxgjyv.net udp
US 8.8.8.8:53 yvrnagjc.info udp
US 8.8.8.8:53 fzfetmzob.com udp
US 8.8.8.8:53 hfreyramirlz.info udp
US 8.8.8.8:53 vshgvc.info udp
US 8.8.8.8:53 mqwbjsnufuov.info udp
US 8.8.8.8:53 jydnupwk.net udp
US 8.8.8.8:53 nqwjrxqaev.net udp
US 8.8.8.8:53 ymhluaqf.net udp
US 8.8.8.8:53 suzoxigsd.info udp
US 8.8.8.8:53 hjpkaljirhqu.info udp
US 8.8.8.8:53 lzzqgigv.info udp

Files

\Users\Admin\AppData\Local\Temp\xqrmcmuvhab.exe

MD5 6b264e51cd15be9ac4db53885731d655
SHA1 caed76100baf0a781f2eb928e6f129677a2363bd
SHA256 ab1b60ed324e7e7882c1c17793ef3bc8c7a8f16598f088a0df4733759f9052d7
SHA512 117bb751bb153da2150d5c57a8181fdb663799cb3ec91b0fd5ca94ddbf7e880c831f9ffa4d8ce708e0897fd57de120b087805aa7b61f6f6c71a1d82ad28ed717

C:\Windows\SysWOW64\lgymhdqlwpqqyaxodl.exe

MD5 11936a465ab10ea08fcf71f74f34b2a5
SHA1 0c4c88dd3575f8eb6ef45b3aeed5fa92e5df1e36
SHA256 c94affbe6570c331c05c4fc1d272d17086646b37a0cb76cc168b01540debe38b
SHA512 cfd45b9cfd01045710a575f75bcda2b5ed1545f61c43f12fddaa3749a8f0fab79d4d09166165bd51d64429fa7951f071892050646dbba30cc47b5249fe2dbb7d

\Users\Admin\AppData\Local\Temp\jsyajt.exe

MD5 da91f581ff0dfd94b0909eb8a1b60e10
SHA1 33e2535fe9874925e8fddf612fd96396bd6fbb8f
SHA256 a4ff2d60ade5ac95a00167757266f96553675eba9a310e53c4dbcd0fb8fc86c9
SHA512 0f9dfb73c9a2077f51e282c4523c95e388b3ee37e65a854ccda4f41a4f834baa883b974acc2333a3252c69b7c1fb84d25e333ca569ead2070d1930f5fb5d41f5

C:\Users\Admin\AppData\Local\iorqwdbhdhtexksuunkqtsyfd.fjv

MD5 b1251e794fe5c576499d9fab92030002
SHA1 d638e873ee0c23e85cf417b014147e75557bddcd
SHA256 aef796689158bab92d84ad6032ee1c67d6fe39a4916459885da9968004fa5588
SHA512 be038c0622c310f966b0b6f122cd104e30f58948a989d30d5b44212e955e2d26a3e2f4f749465af859109c802ed6c705995163518ebe9a6687c147153a20c848

C:\Users\Admin\AppData\Local\nesctlulsheaecvitxfwkuldmdkzwswunalp.ocm

MD5 51878cbd76e815a4825e1691c0db0947
SHA1 690c735d80735325ca6c479edc6548820cf45571
SHA256 b0e7cde448121213024133dc2a81c83db2a92735520c233effa7ef4a1336aaa9
SHA512 e0cf487571449ee803556dc9602916a727e19869f8d8bad615b49a99ca8b46aa9a085fba52d7615e8418391fe27df3ae8696130d954ad01268eb28c805499964

C:\Program Files (x86)\iorqwdbhdhtexksuunkqtsyfd.fjv

MD5 1d0cdf74eb38f3f8064d5f9ae82ad6af
SHA1 68b256244c38441a31753bbe24061c35c3d2c4a0
SHA256 61cffa57a165893cf2651c59ad2a6ef63e744ae710a36ddd401038cb87e903cb
SHA512 f7aeec661b9ab4e153c520d194e81cf27f01e01aab53bcc704dd8a03fa920b206aeba3d71df6523b5ad3e7e2a996fc9cb86f8fccd9fad2798fc6a77623942bef

C:\Users\Admin\AppData\Local\iorqwdbhdhtexksuunkqtsyfd.fjv

MD5 5682b4cb776a4bda90c4e573fb4cad68
SHA1 c0d5faebdf4fcf8e39d9decfb4c0ea4c1ed6ddd3
SHA256 f70e2b4a2fd1d3d5d8603bf44b5e2294920d2fc4f5ab9266702c53c8c7f2e605
SHA512 ddc5203519593f73e4bdcc759150008f75e8ee2871d40eaab7d5b779f6d81a54ac63ab904a80b3d2387ec79b09298af4b875e378037ef053b5de0ab784a72941

C:\visylzeruf.bat

MD5 f3b225d1c41cb13d83abd881029ee9e5
SHA1 6edb94940d32508491f2878039051a8c09ae2433
SHA256 49778c98fd0c9e864a9257be57de64e560d1f75f2d4d6117fdc1b3a31b4c9cc0
SHA512 8b8be77053a56ffb5bf657e4151c88d1d94976231fdcf4e25337930a2dffc17d1503524d1d999040e556fcca8654abad8c93712ed92bfed023dee419117299fd

C:\Users\Admin\AppData\Local\iorqwdbhdhtexksuunkqtsyfd.fjv

MD5 38e64c79eae884670f966246911c78aa
SHA1 771637f7706e567da85dc570564c0dd1b61c8912
SHA256 463c04754e3420a782c0fcd214133c04a6a1c7d39eeb918d1f6efe5171b025d8
SHA512 c47fc922d8d9ee3a357c0ec1bd15e6dd59c5ae2d7317b67a9f5ca1c58f19c1432f3a61bb793d8466e43026f6343d3727ae253a9dbdf5acd4721f7bc2d684e074

C:\Users\Admin\AppData\Local\iorqwdbhdhtexksuunkqtsyfd.fjv

MD5 c0a67dd58aff92095f0be18c1e82ff80
SHA1 85272e445a96d8fa226d50d9a108b71e9889d6d4
SHA256 bac6e356bb199cdc47fa61f251217bfbf912e19acc8e70ab8aa83404d6c34ed9
SHA512 d7975df4e4db107bb76753de5f7ba18620fcc9c5fdb721bee9e76a742b82b55c4f09b336cd187c1fe7cf1b94fb5326f7482368be373868c38442c548b631982e

C:\Users\Admin\AppData\Local\iorqwdbhdhtexksuunkqtsyfd.fjv

MD5 5bb272c6ff81c6b32c46e02dfaacd4a8
SHA1 10d0610fb768d5454e6502d6ab4d2237244c0f92
SHA256 06bb7bebe9a149e4e3cc939583c8a9f09d8de171a808f0189793f07a1f7acb0a
SHA512 ff9694929a1c8e5b35fa0931e68adb2457c5d9e32ddb150f772971ed585a982d94785dd85e443d1fd7efe5d154d0438f02ef0b7bf2559c8987f23825ad7052c7

C:\Program Files (x86)\iorqwdbhdhtexksuunkqtsyfd.fjv

MD5 e20a8d6f0042a95706bc1da2edf2166b
SHA1 ecb409819f4dc18f094244f8d01373833c4636a7
SHA256 133a31a747bf6a581dd182400106f080b43c44e19661672c14b63ce7fa1fb50c
SHA512 bbbdc31ec452588f8c74f85818e56efa8724c27edd54232e76ddd3d6f0fd33d485ffed9acc58f7637a2c3eca7ee7a33b4eada297110d830b64d42798facbebe8

C:\Users\Admin\AppData\Local\iorqwdbhdhtexksuunkqtsyfd.fjv

MD5 7cc638c39f8241f9542929d7064428a8
SHA1 6b5a60e117601b03214d13dad81e598932908d4e
SHA256 2311245bb8940fd146c3af536f89a0593dbcb1039f636a5fe2b880b973f19b85
SHA512 709690e1b9ab727b50d0e8f858ca92e00814bcf20c7f40545bfb10ec8cc91ebd0918484f2561b81454a4834a8bc115c88a768a723477b8c5bf1dd22b9740c33f

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 09:50

Reported

2024-06-26 09:53

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpmeutjatdafcfzkqma.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "odbullcuozxdbfamtqfd.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtsmefxqlxwdchdqywmlf.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpmeutjatdafcfzkqma.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "bpmeutjatdafcfzkqma.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdzqfdsiajfjfhakpk.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "qdzqfdsiajfjfhakpk.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odbullcuozxdbfamtqfd.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\alfuhdqeubvxrriq.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "dtsmefxqlxwdchdqywmlf.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htoespdsjrmpkldmq.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "odbullcuozxdbfamtqfd.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "dtsmefxqlxwdchdqywmlf.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "htoespdsjrmpkldmq.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpmeutjatdafcfzkqma.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "htoespdsjrmpkldmq.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odbullcuozxdbfamtqfd.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "qdzqfdsiajfjfhakpk.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "odbullcuozxdbfamtqfd.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "alfuhdqeubvxrriq.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\alfuhdqeubvxrriq.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpmeutjatdafcfzkqma.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htoespdsjrmpkldmq.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "bpmeutjatdafcfzkqma.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qtfmrfkq = "dtsmefxqlxwdchdqywmlf.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ddmqs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtsmefxqlxwdchdqywmlf.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aftcjzgoyz = "htoespdsjrmpkldmq.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opzeht = "qdzqfdsiajfjfhakpk.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\alfuhdqeubvxrriq.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aftcjzgoyz = "htoespdsjrmpkldmq.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opzeht = "alfuhdqeubvxrriq.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szpajbkugjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odbullcuozxdbfamtqfd.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpmeutjatdafcfzkqma.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szpajbkugjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtsmefxqlxwdchdqywmlf.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aftcjzgoyz = "alfuhdqeubvxrriq.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htoespdsjrmpkldmq.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opzeht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtsmefxqlxwdchdqywmlf.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aftcjzgoyz = "htoespdsjrmpkldmq.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlygmbhox = "odbullcuozxdbfamtqfd.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aftcjzgoyz = "odbullcuozxdbfamtqfd.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opzeht = "odbullcuozxdbfamtqfd.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opzeht = "bpmeutjatdafcfzkqma.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlygmbhox = "htoespdsjrmpkldmq.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlygmbhox = "dtsmefxqlxwdchdqywmlf.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szpajbkugjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpmeutjatdafcfzkqma.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opzeht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htoespdsjrmpkldmq.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opzeht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htoespdsjrmpkldmq.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "alfuhdqeubvxrriq.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlygmbhox = "dtsmefxqlxwdchdqywmlf.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "alfuhdqeubvxrriq.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "odbullcuozxdbfamtqfd.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbqaizhqbds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdzqfdsiajfjfhakpk.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "htoespdsjrmpkldmq.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlygmbhox = "bpmeutjatdafcfzkqma.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbqaizhqbds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdzqfdsiajfjfhakpk.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlygmbhox = "bpmeutjatdafcfzkqma.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aftcjzgoyz = "bpmeutjatdafcfzkqma.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbqaizhqbds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\alfuhdqeubvxrriq.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szpajbkugjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\alfuhdqeubvxrriq.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opzeht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\alfuhdqeubvxrriq.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opzeht = "dtsmefxqlxwdchdqywmlf.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opzeht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odbullcuozxdbfamtqfd.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "htoespdsjrmpkldmq.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlygmbhox = "odbullcuozxdbfamtqfd.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aftcjzgoyz = "dtsmefxqlxwdchdqywmlf.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbqaizhqbds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\alfuhdqeubvxrriq.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opzeht = "htoespdsjrmpkldmq.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aftcjzgoyz = "dtsmefxqlxwdchdqywmlf.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbqaizhqbds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtsmefxqlxwdchdqywmlf.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opzeht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtsmefxqlxwdchdqywmlf.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opzeht = "dtsmefxqlxwdchdqywmlf.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opzeht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdzqfdsiajfjfhakpk.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szpajbkugjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtsmefxqlxwdchdqywmlf.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vbqaizhqbds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htoespdsjrmpkldmq.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odbullcuozxdbfamtqfd.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtsmefxqlxwdchdqywmlf.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szpajbkugjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odbullcuozxdbfamtqfd.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "odbullcuozxdbfamtqfd.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dtsmefxqlxwdchdqywmlf.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "qdzqfdsiajfjfhakpk.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\szpajbkugjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\htoespdsjrmpkldmq.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\opzeht = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdzqfdsiajfjfhakpk.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlygmbhox = "alfuhdqeubvxrriq.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdzqfdsiajfjfhakpk.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\aftcjzgoyz = "htoespdsjrmpkldmq.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opzeht = "qdzqfdsiajfjfhakpk.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\odbullcuozxdbfamtqfd.exe ." C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\opzeht = "htoespdsjrmpkldmq.exe" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hlygmbhox = "odbullcuozxdbfamtqfd.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bdouylp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qdzqfdsiajfjfhakpk.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyip.everdot.org N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\odbullcuozxdbfamtqfd.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File created C:\Windows\SysWOW64\sbtgrlwiwbttljyefwfxkvpamafxxpncijaj.ozt C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\SysWOW64\dtsmefxqlxwdchdqywmlf.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\alfuhdqeubvxrriq.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\SysWOW64\dtsmefxqlxwdchdqywmlf.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\SysWOW64\ullgzbuokxxffliwfevvqj.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\SysWOW64\qdzqfdsiajfjfhakpk.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\SysWOW64\alfuhdqeubvxrriq.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\SysWOW64\htoespdsjrmpkldmq.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\SysWOW64\sbtgrlwiwbttljyefwfxkvpamafxxpncijaj.ozt C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\SysWOW64\htoespdsjrmpkldmq.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\alfuhdqeubvxrriq.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\bpmeutjatdafcfzkqma.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\dtsmefxqlxwdchdqywmlf.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\ullgzbuokxxffliwfevvqj.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\odbullcuozxdbfamtqfd.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\SysWOW64\ullgzbuokxxffliwfevvqj.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\SysWOW64\odbullcuozxdbfamtqfd.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\SysWOW64\qdzqfdsiajfjfhakpk.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\SysWOW64\odbullcuozxdbfamtqfd.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\qdzqfdsiajfjfhakpk.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\ullgzbuokxxffliwfevvqj.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\dtsmefxqlxwdchdqywmlf.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\SysWOW64\bpmeutjatdafcfzkqma.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\htoespdsjrmpkldmq.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\htoespdsjrmpkldmq.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\SysWOW64\bpmeutjatdafcfzkqma.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File created C:\Windows\SysWOW64\nlsuuddehbixervqgmkrttccd.ahw C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\SysWOW64\qdzqfdsiajfjfhakpk.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\bpmeutjatdafcfzkqma.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\SysWOW64\nlsuuddehbixervqgmkrttccd.ahw C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\SysWOW64\alfuhdqeubvxrriq.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\nlsuuddehbixervqgmkrttccd.ahw C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File created C:\Program Files (x86)\nlsuuddehbixervqgmkrttccd.ahw C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Program Files (x86)\sbtgrlwiwbttljyefwfxkvpamafxxpncijaj.ozt C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File created C:\Program Files (x86)\sbtgrlwiwbttljyefwfxkvpamafxxpncijaj.ozt C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\bpmeutjatdafcfzkqma.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File created C:\Windows\sbtgrlwiwbttljyefwfxkvpamafxxpncijaj.ozt C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\bpmeutjatdafcfzkqma.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\nlsuuddehbixervqgmkrttccd.ahw C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\sbtgrlwiwbttljyefwfxkvpamafxxpncijaj.ozt C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\htoespdsjrmpkldmq.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\htoespdsjrmpkldmq.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\dtsmefxqlxwdchdqywmlf.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\alfuhdqeubvxrriq.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\odbullcuozxdbfamtqfd.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\alfuhdqeubvxrriq.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\bpmeutjatdafcfzkqma.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\qdzqfdsiajfjfhakpk.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\odbullcuozxdbfamtqfd.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\odbullcuozxdbfamtqfd.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\alfuhdqeubvxrriq.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\ullgzbuokxxffliwfevvqj.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\dtsmefxqlxwdchdqywmlf.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\ullgzbuokxxffliwfevvqj.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\alfuhdqeubvxrriq.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\ullgzbuokxxffliwfevvqj.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\bpmeutjatdafcfzkqma.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\dtsmefxqlxwdchdqywmlf.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File created C:\Windows\nlsuuddehbixervqgmkrttccd.ahw C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\htoespdsjrmpkldmq.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\htoespdsjrmpkldmq.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\qdzqfdsiajfjfhakpk.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\dtsmefxqlxwdchdqywmlf.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\ullgzbuokxxffliwfevvqj.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\qdzqfdsiajfjfhakpk.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
File opened for modification C:\Windows\qdzqfdsiajfjfhakpk.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\odbullcuozxdbfamtqfd.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4612 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 4612 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 4612 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 1288 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe
PID 1288 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe
PID 1288 wrote to memory of 5104 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe
PID 1288 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe
PID 1288 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe
PID 1288 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\ddmqs.exe
PID 4612 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 4612 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 4612 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
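
The table above records the same handful of policy values being written over and over by both droppers. What matters for triage is the final state of each value and whether that state actually weakens anything: EnableLUA = 0, ConsentPromptBehaviorAdmin = 0 and PromptOnSecureDesktop = 0 do, while FilterAdministratorToken = 0 and ValidateAdminCodeSignatures = 0 merely restate the Windows defaults. The Python script below is an added example, not part of this report or of the sandbox's tooling. It parses rows in the shape of the table, collapses them to the last value written per registry value, and compares the result against the Windows defaults. The baseline values and their meanings are the author's summary of the documented UAC policy semantics, and the sample rows are a constructed subset of the table.

```python
"""Reduce a sandbox "System policy modification" table to its effect on UAC.

Added example for this report; not part of the original analysis or of the
sandbox's tooling. Baseline defaults and meanings below are the author's
summary of documented UAC policy semantics.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of rows in the same shape as the table above.
SAMPLE_ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\ddmqs.exe N/A
"""

SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) '
    r'(?P<key>\\REGISTRY\\\S+)\\(?P<name>[^\\\s]+) = "(?P<value>[^"]*)" '
    r'(?P<process>\S+) (?P<target>\S+)$'
)

# name -> (Windows default, predicate "this value weakens the control", meaning).
# All under Policies\System except NoDriveTypeAutoRun, which is under Policies\Explorer.
POLICY_BASELINE = {
    "EnableLUA": (1, lambda v: v == 0,
                  "UAC / Admin Approval Mode off (effective after reboot)"),
    "ConsentPromptBehaviorAdmin": (5, lambda v: v == 0,
                  "administrators elevate with no prompt at all"),
    "PromptOnSecureDesktop": (1, lambda v: v == 0,
                  "elevation prompts drawn on the user desktop, where they can be spoofed"),
    "EnableSecureUIAPaths": (1, lambda v: v == 0,
                  "UIAccess programs allowed from outside secure locations"),
    "EnableInstallerDetection": (1, lambda v: v == 0,
                  "installer heuristics no longer force an elevation prompt"),
    "EnableVirtualization": (1, lambda v: v == 0,
                  "file/registry virtualization for legacy apps disabled"),
    "DisableRegistryTools": (0, lambda v: v != 0,
                  "regedit blocked for interactive users"),
    "NoDriveTypeAutoRun": (0x91, lambda v: (v & 0x91) != 0x91,
                  "AutoRun re-enabled on drive types the 0x91 default disables"),
    # Defaults are already 0 here; writing 0 changes nothing.
    "FilterAdministratorToken": (0, lambda v: False,
                  "Admin Approval Mode for the built-in Administrator (off by default)"),
    "ValidateAdminCodeSignatures": (0, lambda v: False,
                  "Authenticode check on elevating binaries (off by default)"),
    # 0 means standard-user elevation requests are denied outright: unusual, not weaker.
    "ConsentPromptBehaviorUser": (3, lambda v: False,
                  "standard-user elevation behaviour"),
}


def parse_rows(text):
    """Return (process, key, name, value) for each 'Set value' row; other rows are ignored."""
    rows = []
    for line in text.splitlines():
        m = SET_VALUE_RE.match(line.strip())
        if not m:
            continue
        raw = m.group("value")
        value = int(raw, 0) if m.group("type") == "int" else raw
        rows.append((m.group("process"), m.group("key"), m.group("name"), value))
    return rows


def final_state(rows):
    """Last value written per value name, plus the image names that wrote it.
    Value names are unique across the two policy keys in this report, so the
    name alone is a sufficient index here."""
    state, writers = {}, defaultdict(set)
    for process, _key, name, value in rows:
        state[name] = value
        writers[name].add(process.rsplit("\\", 1)[-1])
    return state, writers


def assess(state, writers):
    """List the writes that leave the host weaker than Windows defaults."""
    findings = []
    for name, value in state.items():
        if name not in POLICY_BASELINE:
            findings.append({"name": name, "value": value, "written_by": sorted(writers[name]),
                             "meaning": "not in baseline; review manually"})
            continue
        default, weakens, meaning = POLICY_BASELINE[name]
        if weakens(value):
            findings.append({"name": name, "value": value, "default": default,
                             "written_by": sorted(writers[name]), "meaning": meaning})
    return findings


def uac_disabled(state):
    """True when elevation no longer involves the user: UAC off, or admins auto-elevate."""
    return state.get("EnableLUA") == 0 or state.get("ConsentPromptBehaviorAdmin") == 0


if __name__ == "__main__":
    st, wr = final_state(parse_rows(SAMPLE_ROWS))
    for f in assess(st, wr):
        print(f'{f["name"]} = {f["value"]} ({", ".join(f["written_by"])}): {f["meaning"]}')
    print("UAC effectively disabled:", uac_disabled(st))
```

To run it over the whole table, paste the rows into SAMPLE_ROWS or read them from a file. Note that EnableLUA = 0 only takes effect after a reboot, which is what the persistence signatures listed in the summary (WinLogon, Run keys) are there to survive.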

Processes

Nesting follows the parent/child relationships in the WriteProcessMemory rows above: the submitted sample (PID 4612) starts ixujeqtrshe.exe twice (PIDs 1288 and 4692), and the first instance (PID 1288) starts ddmqs.exe twice (PIDs 5104 and 2632). Each entry is the image path followed by its command line.

C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\11936a465ab10ea08fcf71f74f34b2a5_JaffaCakes118.exe"

  C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
    "C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\11936a465ab10ea08fcf71f74f34b2a5_jaffacakes118.exe*"

    C:\Users\Admin\AppData\Local\Temp\ddmqs.exe
      "C:\Users\Admin\AppData\Local\Temp\ddmqs.exe" "-C:\Users\Admin\AppData\Local\Temp\alfuhdqeubvxrriq.exe"

    C:\Users\Admin\AppData\Local\Temp\ddmqs.exe
      "C:\Users\Admin\AppData\Local\Temp\ddmqs.exe" "-C:\Users\Admin\AppData\Local\Temp\alfuhdqeubvxrriq.exe"

  C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
    "C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\11936a465ab10ea08fcf71f74f34b2a5_jaffacakes118.exe"

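The Network table that follows lists several hundred DNS lookups against 8.8.8.8 for short pseudo-random names under .com, .net, .org and .info. Only a handful are followed by a TCP connection, many of those to the same host (162.249.65.164:80), alongside lookups of public external-IP services and one connection straight to 78.61.84.37:30728 with no preceding DNS query. The Python script below is an added example, not part of this report or of the sandbox's tooling. It parses rows in the table's shape, separates what was looked up from what was actually reached, and reports the names left dangling, the servers shared by several names, the external-IP services and the direct-to-IP connections. Reading the dead names as DGA output is this example's interpretation, not a statement the report makes; the sample rows are a constructed subset of the table.

```python
"""Triage a sandbox Network table for names that were looked up but never reached.

Added example for this report; not part of the original analysis or of the
sandbox's tooling. Reading the long run of pseudo-random names as DGA output
is this example's interpretation of the table, not a statement the report makes.
"""
import re
from collections import Counter

# Constructed sample: rows in the same shape as the Network table
# ("COUNTRY IP:PORT [DOMAIN] PROTO"), copied from a few of its entries.
SAMPLE_NETWORK = """\
US 8.8.8.8:53 www.whatismyip.com udp
US 104.27.206.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 92.206.27.104.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
LT 78.61.84.37:30728 tcp
US 8.8.8.8:53 vsdgddzap.org udp
US 162.249.65.164:80 vsdgddzap.org tcp
US 8.8.8.8:53 yopwjwjsqop.net udp
US 8.8.8.8:53 hftkbek.info udp
US 8.8.8.8:53 dfpimmls.net udp
US 8.8.8.8:53 eomqiyui.org udp
US 162.249.65.164:80 eomqiyui.org tcp
US 8.8.8.8:53 kwhfqnnejec.info udp
US 34.211.97.45:80 kwhfqnnejec.info tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?: (?P<domain>\S+))? (?P<proto>udp|tcp)$"
)

# Substrings of public "what is my IP" hostnames, used to separate the
# external-IP lookup the report flags from the rest of the resolution activity.
IP_CHECK_HINTS = ("whatismyip", "showmyipaddress")


def parse_network(text):
    """Return one dict per row; domain is None for connections made straight to an IP."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def triage(rows):
    """Split lookups from the connections that followed them and summarise the gap."""
    looked_up, reached, direct_ip, ip_checks = set(), set(), set(), set()
    names_per_server = {}
    for r in rows:
        name = r["domain"]
        if name is None:                    # TCP straight to an IP, no DNS first
            direct_ip.add(f'{r["ip"]}:{r["port"]}')
            continue
        if name.endswith(".in-addr.arpa"):  # sandbox reverse lookups, not malware-chosen names
            continue
        if r["proto"] == "udp" and r["port"] == "53":
            looked_up.add(name)
        else:
            reached.add(name)
            names_per_server.setdefault(r["ip"], set()).add(name)
        if any(h in name for h in IP_CHECK_HINTS):
            ip_checks.add(name)
    dead = looked_up - reached
    return {
        "unique_names": len(looked_up),
        "reached": reached,
        "dead_names": dead,
        "dead_ratio": len(dead) / len(looked_up) if looked_up else 0.0,
        "dead_by_tld": Counter(n.rsplit(".", 1)[-1] for n in dead),
        # one server answering for several unrelated names: a single C2 or a sinkhole
        "shared_hosts": {ip: ns for ip, ns in names_per_server.items() if len(ns) > 1},
        "ip_check_services": ip_checks,
        "direct_ip": direct_ip,
    }


if __name__ == "__main__":
    s = triage(parse_network(SAMPLE_NETWORK))
    print(f'{s["unique_names"]} names looked up, {len(s["reached"])} reached, '
          f'{len(s["dead_names"])} dead ({s["dead_ratio"]:.0%})')
    print("dead names by TLD:", dict(s["dead_by_tld"]))
    print("servers shared by several names:", s["shared_hosts"])
    print("external-IP services:", sorted(s["ip_check_services"]))
    print("direct-to-IP connections:", sorted(s["direct_ip"]))
```

On the full table the dead ratio approaches 1 and the shared-host entry for 162.249.65.164 collects most of the .org names that did connect; both are the figures worth carrying into a detection rule, since the individual names change from run to run.
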
Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 56.74.21.104.in-addr.arpa udp
US 8.8.8.8:53 www.whatismyip.com udp
US 104.27.206.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 92.206.27.104.in-addr.arpa udp
US 104.27.206.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 79.223.19.104.in-addr.arpa udp
US 104.27.206.92:80 www.whatismyip.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:80 www.google.com tcp
LT 78.61.84.37:30728 tcp
US 8.8.8.8:53 vsdgddzap.org udp
US 162.249.65.164:80 vsdgddzap.org tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 yopwjwjsqop.net udp
US 8.8.8.8:53 hftkbek.info udp
US 8.8.8.8:53 dfpimmls.net udp
US 8.8.8.8:53 fbzdiwnuua.net udp
US 8.8.8.8:53 iumwcmsowooq.org udp
US 8.8.8.8:53 kwhfqnnejec.info udp
US 34.211.97.45:80 kwhfqnnejec.info tcp
US 8.8.8.8:53 gkucss.org udp
US 8.8.8.8:53 dxunadygn.org udp
US 8.8.8.8:53 eomqiyui.org udp
US 162.249.65.164:80 eomqiyui.org tcp
US 8.8.8.8:53 45.97.211.34.in-addr.arpa udp
LT 78.61.84.37:30728 tcp
US 8.8.8.8:53 mkbwfgfja.info udp
US 8.8.8.8:53 xpuofamvn.net udp
US 8.8.8.8:53 ujoljttsxq.info udp
US 8.8.8.8:53 zjknnj.net udp
US 8.8.8.8:53 htbbrj.info udp
US 8.8.8.8:53 hazzthxrziyh.net udp
US 8.8.8.8:53 wwqauiqygw.com udp
US 8.8.8.8:53 dqbxzw.info udp
US 8.8.8.8:53 strfwkb.info udp
US 8.8.8.8:53 jawzfnq.org udp
US 162.249.65.164:80 jawzfnq.org tcp
US 8.8.8.8:53 ceoawsgi.org udp
US 8.8.8.8:53 myywyq.com udp
US 8.8.8.8:53 omrovha.info udp
US 8.8.8.8:53 zszkaeh.info udp
US 8.8.8.8:53 ikzszjxmq.info udp
US 208.100.26.245:80 ikzszjxmq.info tcp
US 8.8.8.8:53 esjbhdu.info udp
US 8.8.8.8:53 rcooyyufog.info udp
US 8.8.8.8:53 wdnjotcjyy.net udp
US 8.8.8.8:53 nibgvqqbg.net udp
US 8.8.8.8:53 eoagosgwciko.org udp
US 8.8.8.8:53 cmjgovzct.net udp
US 8.8.8.8:53 bfnkdfbtnuch.info udp
US 8.8.8.8:53 kwckumqq.org udp
US 8.8.8.8:53 jyhaqklvpb.info udp
US 8.8.8.8:53 hswepwt.com udp
US 8.8.8.8:53 wavkxwurx.net udp
US 8.8.8.8:53 kifwpkacq.info udp
US 8.8.8.8:53 yvrnagjc.info udp
US 8.8.8.8:53 sizwlrukex.net udp
US 8.8.8.8:53 tvdcmuwq.net udp
US 8.8.8.8:53 gyewka.com udp
US 8.8.8.8:53 qepigszxy.net udp
US 8.8.8.8:53 vshgvc.info udp
US 8.8.8.8:53 mqwbjsnufuov.info udp
US 8.8.8.8:53 jydnupwk.net udp
US 8.8.8.8:53 wuyiscocum.com udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 bkbqosd.org udp
US 8.8.8.8:53 zvyxohnch.com udp
US 8.8.8.8:53 fmypvadav.info udp
US 8.8.8.8:53 zifajtgr.net udp
US 8.8.8.8:53 lzzqgigv.info udp
US 8.8.8.8:53 oyukffd.info udp
US 8.8.8.8:53 jhksssu.org udp
US 8.8.8.8:53 iyfakc.net udp
US 8.8.8.8:53 ostdxxh.info udp
US 8.8.8.8:53 amlkhohh.net udp
US 8.8.8.8:53 rxssbjxwvnbx.info udp
US 8.8.8.8:53 nonzhqr.com udp
US 8.8.8.8:53 omeacmcwkems.org udp
US 8.8.8.8:53 aicyyswwcyiq.org udp
US 8.8.8.8:53 cgeqrpjejzug.info udp
US 8.8.8.8:53 auestap.net udp
US 8.8.8.8:53 jlbwik.net udp
US 8.8.8.8:53 vlaoyd.info udp
US 8.8.8.8:53 wyrczwwyzdv.net udp
US 8.8.8.8:53 oocgwu.org udp
US 162.249.65.164:80 oocgwu.org tcp
US 8.8.8.8:53 hcdpyfzoqwwj.info udp
US 8.8.8.8:53 vivuws.net udp
US 8.8.8.8:53 tlfszgkgsxbs.net udp
US 8.8.8.8:53 mebzfgl.net udp
US 8.8.8.8:53 jhtyxqmnrih.net udp
US 8.8.8.8:53 pdsfrq.info udp
US 8.8.8.8:53 hgbvyitomdx.info udp
US 8.8.8.8:53 oersrezixj.net udp
US 8.8.8.8:53 gagklyptpuua.info udp
US 8.8.8.8:53 ztuuvewk.info udp
US 8.8.8.8:53 mujluotetkp.info udp
US 8.8.8.8:53 rfbyvmf.com udp
US 8.8.8.8:53 zxqghaacdvx.com udp
US 8.8.8.8:53 fqdidqzrtyv.net udp
US 8.8.8.8:53 yeousecg.org udp
US 8.8.8.8:53 ebjwpxjaca.net udp
US 8.8.8.8:53 tanuxkhcugs.net udp
US 8.8.8.8:53 nimaejfoe.info udp
US 8.8.8.8:53 thkaqwgt.info udp
US 8.8.8.8:53 twvyrobjhur.org udp
US 162.249.65.164:80 twvyrobjhur.org tcp
US 8.8.8.8:53 vsrdzzosvzub.net udp
US 8.8.8.8:53 mcpmrapul.net udp
US 8.8.8.8:53 xcxhgqscep.info udp
US 8.8.8.8:53 haocagfwlld.com udp
US 8.8.8.8:53 gxyqupivkgsr.net udp
US 8.8.8.8:53 nomvmt.net udp
US 8.8.8.8:53 keegqaoiyg.org udp
US 8.8.8.8:53 bmggjybdrea.net udp
US 8.8.8.8:53 uslcaoh.net udp
US 8.8.8.8:53 lfbejmcydav.info udp
US 8.8.8.8:53 afsjeira.net udp
US 8.8.8.8:53 uggascemos.org udp
US 162.249.65.164:80 uggascemos.org tcp
US 8.8.8.8:53 pfnndcwyocr.com udp
US 8.8.8.8:53 szpcvlgxv.info udp
US 8.8.8.8:53 rjzdzooua.net udp
US 8.8.8.8:53 xpcwxu.net udp
US 8.8.8.8:53 qahdxtmcddb.info udp
US 8.8.8.8:53 yoscaaumysio.com udp
US 8.8.8.8:53 azwzvzkuvl.net udp
US 8.8.8.8:53 ngxsnhkfka.info udp
US 8.8.8.8:53 vfvwfiqbooq.com udp
US 8.8.8.8:53 anepmshg.net udp
US 8.8.8.8:53 ugoouggq.org udp
US 8.8.8.8:53 dskgsmo.org udp
US 8.8.8.8:53 vjaaiwiohhnt.info udp
US 8.8.8.8:53 qjlnzzsgsq.net udp
US 8.8.8.8:53 xkdmpzg.info udp
US 8.8.8.8:53 grtgwgl.net udp
US 8.8.8.8:53 xuvsjinhp.com udp
US 8.8.8.8:53 hsolelxe.net udp
US 8.8.8.8:53 olxlpiruul.info udp
US 8.8.8.8:53 pynigjtrbmf.net udp
US 8.8.8.8:53 cucqeu.com udp
US 8.8.8.8:53 kqzbjonbtr.net udp
US 8.8.8.8:53 txjuhr.net udp
US 8.8.8.8:53 xbtmaylz.info udp
US 8.8.8.8:53 oqkemiiy.org udp
US 8.8.8.8:53 scyssywk.org udp
US 162.249.65.164:80 scyssywk.org tcp
US 8.8.8.8:53 haeexpfreyp.info udp
US 8.8.8.8:53 hupytxy.net udp
US 8.8.8.8:53 bsacdxti.net udp
US 8.8.8.8:53 aqawuk.com udp
US 8.8.8.8:53 dwxvyylfkkp.net udp
US 8.8.8.8:53 vprfnajvrf.info udp
US 8.8.8.8:53 qakucoqu.com udp
US 8.8.8.8:53 dngfnjmhzh.info udp
US 8.8.8.8:53 okpxvyphpp.net udp
US 8.8.8.8:53 lvpicxnk.info udp
US 8.8.8.8:53 xbwcwctiyhl.com udp
US 8.8.8.8:53 tkkzngjoasi.net udp
US 8.8.8.8:53 kzregcstp.info udp
US 8.8.8.8:53 byyiiguqlnd.net udp
US 8.8.8.8:53 bdzocmjyrye.info udp
US 8.8.8.8:53 lofaxof.info udp
US 8.8.8.8:53 jmjlock.info udp
US 8.8.8.8:53 twldsvwufp.info udp
US 8.8.8.8:53 kwgcyk.com udp
US 8.8.8.8:53 zcrnroheh.com udp
US 8.8.8.8:53 shapix.info udp
US 8.8.8.8:53 sfbeagrmb.info udp
US 8.8.8.8:53 tayddxqraiej.net udp
US 8.8.8.8:53 pjmxbtcf.info udp
US 8.8.8.8:53 gocqeyegs.net udp
US 8.8.8.8:53 sbquvspvnr.info udp
US 8.8.8.8:53 jvdysfpwqkz.net udp
US 8.8.8.8:53 keiwuwkawe.info udp
US 8.8.8.8:53 qixsqzcvbdq.info udp
US 8.8.8.8:53 zswpbpbmna.net udp
US 8.8.8.8:53 fwurxqqtpr.info udp
US 8.8.8.8:53 wuecqyoy.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 nicmpwzhnvm.org udp
US 8.8.8.8:53 uugmca.org udp
US 8.8.8.8:53 kygkameq.org udp
US 8.8.8.8:53 udhmlbuqpa.info udp
US 8.8.8.8:53 hnnpywhixxp.org udp
US 8.8.8.8:53 efochgzyukl.net udp
US 8.8.8.8:53 uwmockmqwq.com udp
US 8.8.8.8:53 qgyawesesksq.com udp
US 8.8.8.8:53 zyhazsa.net udp
US 8.8.8.8:53 ypyuoitqoa.info udp
US 8.8.8.8:53 fsuhsbzkpmzv.info udp
US 8.8.8.8:53 pvubsi.info udp
US 8.8.8.8:53 ukkybsbyb.info udp
US 8.8.8.8:53 jkudqejzfc.net udp
US 8.8.8.8:53 dnvwgput.net udp
US 8.8.8.8:53 kesgkqiioc.org udp
US 8.8.8.8:53 meeergp.info udp
US 8.8.8.8:53 zmaquu.net udp
US 8.8.8.8:53 jyztkwv.org udp
US 8.8.8.8:53 swthasg.net udp
US 8.8.8.8:53 blmhxkqb.info udp
US 8.8.8.8:53 lzpczfbmgn.net udp
US 8.8.8.8:53 bqnqljllbyn.com udp
US 8.8.8.8:53 vqsocch.net udp
US 8.8.8.8:53 lmgotrmgblb.com udp
US 8.8.8.8:53 hffvbvek.net udp
US 8.8.8.8:53 wuihibpv.net udp
US 8.8.8.8:53 puwkehhqio.net udp
US 8.8.8.8:53 eavoyojisjw.net udp
US 8.8.8.8:53 rnportgex.net udp
US 8.8.8.8:53 fqjrxepl.net udp
US 8.8.8.8:53 akridp.info udp
US 8.8.8.8:53 csmemqacms.com udp
US 8.8.8.8:53 kxylvf.net udp
US 8.8.8.8:53 jcfavurdlf.info udp
US 8.8.8.8:53 gaptfe.info udp
US 8.8.8.8:53 qeuceamsss.com udp
US 8.8.8.8:53 cnbkqiiyzke.info udp
US 8.8.8.8:53 isqgmwkogkss.com udp
US 8.8.8.8:53 zhbjld.net udp
US 8.8.8.8:53 vwirgcdspgh.org udp
US 8.8.8.8:53 mqiqmeoawq.org udp
US 8.8.8.8:53 nnkapwjgdgw.com udp
US 8.8.8.8:53 dsryrhamwnz.info udp
US 8.8.8.8:53 wqvgtb.info udp
US 8.8.8.8:53 psbgycgfes.info udp
US 8.8.8.8:53 bwkkvuoo.net udp
US 8.8.8.8:53 acdmuqqgd.net udp
US 8.8.8.8:53 qtcwlyz.info udp
US 8.8.8.8:53 cjrsdgmijgn.net udp
US 8.8.8.8:53 egtyronwtqd.info udp
US 8.8.8.8:53 tglikq.net udp
US 8.8.8.8:53 zczmzftka.info udp
US 8.8.8.8:53 joryogszyppf.info udp
US 8.8.8.8:53 uwzexhzsz.net udp
US 8.8.8.8:53 tsjlatxlzhn.info udp
US 8.8.8.8:53 mfapyy.info udp
US 8.8.8.8:53 ukrbvtdgtugm.net udp
US 8.8.8.8:53 zjgeniywftt.net udp
US 8.8.8.8:53 shvehdrsc.net udp
US 8.8.8.8:53 cpdwvgkwoad.info udp
US 8.8.8.8:53 qrjmoqdkde.info udp
US 8.8.8.8:53 nbpunrsm.info udp
US 8.8.8.8:53 byobubtzgk.net udp
US 8.8.8.8:53 xodpyddbjg.info udp
US 8.8.8.8:53 jcxcwolq.info udp
US 8.8.8.8:53 ddvkbsdu.net udp
US 8.8.8.8:53 bprudwm.com udp
US 8.8.8.8:53 fuaorehxf.info udp
US 8.8.8.8:53 wouocakiscqa.com udp
US 8.8.8.8:53 bshorya.net udp
US 8.8.8.8:53 bjuqtm.net udp
US 8.8.8.8:53 qjqztor.info udp
US 8.8.8.8:53 keztjb.info udp
US 8.8.8.8:53 pmkdbuhgsup.com udp
US 8.8.8.8:53 cseysyssqo.org udp
US 8.8.8.8:53 wobxezdp.info udp
US 8.8.8.8:53 vzzivev.org udp
US 8.8.8.8:53 auowmaggsumq.org udp
US 162.249.65.164:80 auowmaggsumq.org tcp
US 8.8.8.8:53 rwrmpvr.com udp
US 8.8.8.8:53 dkbabspbzpdg.net udp
US 8.8.8.8:53 ungana.net udp
DE 62.112.59.77:80 ungana.net tcp
US 8.8.8.8:53 lxgefpwsjgy.com udp
US 8.8.8.8:53 nqjfwuadxx.net udp
US 8.8.8.8:53 paleecbdv.com udp
US 8.8.8.8:53 weqgqycgiyky.com udp
US 8.8.8.8:53 keimwm.com udp
US 8.8.8.8:53 ajiawbfs.info udp
US 8.8.8.8:53 dovpnbswrh.info udp
US 8.8.8.8:53 swvytsb.net udp
US 8.8.8.8:53 bugypshttqn.net udp
US 8.8.8.8:53 mwbhbki.info udp
US 8.8.8.8:53 infnnzeqdsit.info udp
US 8.8.8.8:53 xudpna.net udp
US 8.8.8.8:53 cmwwhix.net udp
US 8.8.8.8:53 omfqblqlnzzt.net udp
US 8.8.8.8:53 fogvtnlnwy.net udp
US 8.8.8.8:53 awmaykwuioge.com udp
US 8.8.8.8:53 tzpixn.info udp
US 8.8.8.8:53 pszykgsj.info udp
US 8.8.8.8:53 vwwmxlvmw.com udp
US 8.8.8.8:53 vizmvajllndv.net udp
US 8.8.8.8:53 77.59.112.62.in-addr.arpa udp
US 8.8.8.8:53 bamvpccavoz.info udp
US 8.8.8.8:53 zgemqixxf.org udp
US 8.8.8.8:53 kiixvivcp.net udp
US 8.8.8.8:53 vghjjgwkqpn.net udp
US 8.8.8.8:53 kfekbulrl.info udp
US 8.8.8.8:53 uqzzbcefq.net udp
US 8.8.8.8:53 yvlsfvpux.info udp
US 8.8.8.8:53 vpjcrsjmhbl.info udp
US 8.8.8.8:53 eyxedngwdajd.info udp
US 8.8.8.8:53 mhdwxbfyhu.info udp
US 8.8.8.8:53 oqyegm.org udp
US 162.249.65.164:80 oqyegm.org tcp
US 8.8.8.8:53 jynafia.com udp
US 8.8.8.8:53 zjakyyvztlyu.net udp
US 8.8.8.8:53 uyltmxbazbji.info udp
US 8.8.8.8:53 xwkcvw.info udp
US 8.8.8.8:53 pgrqcwu.org udp
US 8.8.8.8:53 weceuysoak.com udp
US 8.8.8.8:53 fgnmhy.net udp
US 8.8.8.8:53 sqsemeseqgkm.com udp
US 8.8.8.8:53 osuqasmwkega.com udp
US 8.8.8.8:53 wiimye.com udp
US 8.8.8.8:53 iemeeysgyg.org udp
US 8.8.8.8:53 dyrrlkpgb.net udp
US 8.8.8.8:53 uobozkn.info udp
US 8.8.8.8:53 rgzffwvu.info udp
US 8.8.8.8:53 jqaixfwuxei.org udp
US 8.8.8.8:53 cmaqegqw.com udp
US 8.8.8.8:53 knxhpexwgoka.info udp
US 8.8.8.8:53 tczokis.net udp
US 8.8.8.8:53 iufodh.net udp
US 8.8.8.8:53 xpwihsr.com udp
US 8.8.8.8:53 fjrdep.net udp
US 8.8.8.8:53 pjhrlaeshqj.com udp
US 8.8.8.8:53 abzwylazcw.info udp
US 8.8.8.8:53 jqrlhuvhswm.com udp
US 8.8.8.8:53 rihfigppyj.info udp
US 8.8.8.8:53 yklvdhpblu.net udp
US 8.8.8.8:53 pdpqbwij.net udp
US 8.8.8.8:53 zuhezynyk.info udp
US 8.8.8.8:53 drhdjqvr.info udp
US 8.8.8.8:53 obkaxsd.net udp
US 8.8.8.8:53 heptjyfeg.info udp
US 8.8.8.8:53 cyqows.org udp
US 8.8.8.8:53 jzqggjl.net udp
US 8.8.8.8:53 ebfnuehzhb.info udp
US 8.8.8.8:53 dmiiag.info udp
US 8.8.8.8:53 cemsogke.com udp
US 8.8.8.8:53 nwojjx.info udp
US 8.8.8.8:53 lwldae.net udp
US 8.8.8.8:53 aavovqk.net udp
US 8.8.8.8:53 fapmez.net udp
US 8.8.8.8:53 mhezzutwv.info udp
US 8.8.8.8:53 voydyxpr.info udp
US 8.8.8.8:53 wnrehy.info udp
US 8.8.8.8:53 dwvohi.info udp
US 8.8.8.8:53 guccmmuy.org udp
US 8.8.8.8:53 vwvmdfauvldk.net udp
US 8.8.8.8:53 cxktaijx.net udp
US 8.8.8.8:53 iorsfssgb.net udp
US 8.8.8.8:53 gkwuccsw.com udp
US 8.8.8.8:53 qobxbbykcvai.net udp
US 8.8.8.8:53 cfbgfclmu.info udp
US 8.8.8.8:53 nvtmjs.info udp
US 8.8.8.8:53 xwgzfhwt.info udp
US 8.8.8.8:53 tjhabtt.info udp
US 8.8.8.8:53 qjuogr.info udp
US 8.8.8.8:53 ciximql.info udp
US 8.8.8.8:53 pfveuyfezshg.info udp
US 8.8.8.8:53 yryuexaqzpyx.net udp
US 8.8.8.8:53 gydcehncpl.net udp
US 8.8.8.8:53 sidhbbpefhr.net udp
US 8.8.8.8:53 valkehh.info udp
US 8.8.8.8:53 rnfuhqousmp.net udp
US 8.8.8.8:53 zedbvwf.info udp
US 8.8.8.8:53 eelbdcuyxer.net udp
US 8.8.8.8:53 qqqcoscyie.com udp
US 8.8.8.8:53 pmpgkv.info udp
US 8.8.8.8:53 wlhgfyh.net udp
US 8.8.8.8:53 dpzepnwnudlt.net udp
US 8.8.8.8:53 qpnsccbcj.info udp
US 8.8.8.8:53 dcpgvybk.info udp
US 8.8.8.8:53 zklkpufwfdtw.net udp
US 8.8.8.8:53 vvpnjauj.net udp
US 8.8.8.8:53 mrbeye.net udp
US 8.8.8.8:53 foozlggmrek.net udp
US 8.8.8.8:53 dudplt.net udp
US 8.8.8.8:53 tqmwzylxxmp.net udp
US 8.8.8.8:53 pnkyhif.com udp
US 8.8.8.8:53 equeey.com udp
US 8.8.8.8:53 aimowt.net udp
US 8.8.8.8:53 xsdbuapyb.net udp
US 8.8.8.8:53 cjleudnxfzvs.info udp
US 8.8.8.8:53 ieoohldyg.net udp
US 8.8.8.8:53 sbnwmhdd.info udp
US 8.8.8.8:53 dgnidon.net udp
US 8.8.8.8:53 vtxapohaj.net udp
US 8.8.8.8:53 xvbgtqtzdv.net udp
US 8.8.8.8:53 fkpikjzbvsr.org udp
US 8.8.8.8:53 qkiiaiaayeae.com udp
US 8.8.8.8:53 vesyuca.net udp
US 8.8.8.8:53 efifbywu.info udp
US 8.8.8.8:53 denudgtylel.net udp
US 8.8.8.8:53 rjzdyij.info udp
US 8.8.8.8:53 fbfiqvdrlk.info udp
US 8.8.8.8:53 hvothij.info udp
US 8.8.8.8:53 gsismgyk.com udp
US 8.8.8.8:53 jlkxbpfz.info udp
US 8.8.8.8:53 gmkmsgca.org udp
US 8.8.8.8:53 gkllimd.info udp
US 8.8.8.8:53 igaqcawsyqke.org udp
US 8.8.8.8:53 ecyyfmw.info udp
US 8.8.8.8:53 yaoqpybov.net udp
US 8.8.8.8:53 jswzrtvvyj.info udp
US 8.8.8.8:53 qbsxek.net udp
US 8.8.8.8:53 yqfctmjhsewj.net udp
US 8.8.8.8:53 kefujkm.net udp
US 8.8.8.8:53 ewdsgoxclsr.info udp
US 8.8.8.8:53 ksqrtq.info udp
US 8.8.8.8:53 qkncfekcx.info udp
US 8.8.8.8:53 becorbdubzgx.net udp
US 8.8.8.8:53 tpjvqqzaiu.info udp
US 8.8.8.8:53 wvnxwtgs.info udp
US 8.8.8.8:53 cdyifm.info udp
US 8.8.8.8:53 wgaacavqxhs.info udp
US 8.8.8.8:53 wuiokm.com udp
US 8.8.8.8:53 csfprf.net udp
US 8.8.8.8:53 ygciyyqy.org udp
US 8.8.8.8:53 hujnckw.info udp
US 8.8.8.8:53 lkutjcgidkx.com udp
US 8.8.8.8:53 yvcbvi.info udp
US 8.8.8.8:53 cwqoigaq.com udp
US 8.8.8.8:53 ziiwdb.info udp
US 8.8.8.8:53 oqbqgup.info udp
US 8.8.8.8:53 qbkmkfhqr.net udp
US 8.8.8.8:53 zlalikjqeyhk.net udp
US 8.8.8.8:53 ptedzwuatk.net udp
US 8.8.8.8:53 gihptc.net udp
US 8.8.8.8:53 yqsulei.info udp
US 8.8.8.8:53 comesqew.com udp
US 8.8.8.8:53 dpwthhxfnpje.info udp
US 8.8.8.8:53 gsrltzuscnrl.info udp
US 8.8.8.8:53 chvcji.info udp
US 8.8.8.8:53 kwcgdid.net udp
US 8.8.8.8:53 nixmnfqj.net udp
US 8.8.8.8:53 gwumgkswsk.com udp
US 8.8.8.8:53 amvqtsul.info udp
US 8.8.8.8:53 hbalfcbztj.info udp
US 8.8.8.8:53 tlwwcgs.com udp
US 8.8.8.8:53 wochlgtwb.net udp
US 8.8.8.8:53 ptlljz.net udp
US 8.8.8.8:53 wlndnwzm.info udp
US 8.8.8.8:53 rfzotxjaawn.net udp
US 8.8.8.8:53 kuzvghumlz.net udp
US 8.8.8.8:53 zwxewzlyrqh.com udp
US 8.8.8.8:53 dsjthaghpsak.net udp
US 8.8.8.8:53 zfbxcddidf.net udp
US 8.8.8.8:53 wrrpqs.net udp
US 8.8.8.8:53 dkbsifnlvo.info udp
US 8.8.8.8:53 phycnp.net udp
US 8.8.8.8:53 ugogewmggkuk.com udp
US 8.8.8.8:53 pclhwb.info udp
US 8.8.8.8:53 bttqrqrpxsjv.info udp
US 8.8.8.8:53 xoppvmtmcbc.info udp
US 8.8.8.8:53 ommkcakc.com udp
US 8.8.8.8:53 pwojuhnlt.info udp
US 8.8.8.8:53 tfldcopk.net udp
US 8.8.8.8:53 vxjoacz.info udp
US 8.8.8.8:53 mpyrpmlkae.info udp
US 8.8.8.8:53 cprqrw.net udp
US 8.8.8.8:53 syqcoscyie.com udp
US 8.8.8.8:53 mogwiuukouyg.org udp
US 8.8.8.8:53 qorowgdmwfi.net udp
US 8.8.8.8:53 yeqawqiugsac.com udp
US 8.8.8.8:53 puejji.net udp
US 8.8.8.8:53 gzjbtizoy.info udp
US 8.8.8.8:53 zgdiwajcz.com udp
US 8.8.8.8:53 uvlvqxyijddu.net udp
US 8.8.8.8:53 qwigcgykyo.com udp
US 8.8.8.8:53 vnrmkzrrvt.info udp
US 8.8.8.8:53 igqigyeciwmw.org udp
US 8.8.8.8:53 wdxhaicsckn.info udp
US 8.8.8.8:53 oykhicfqdc.info udp
US 8.8.8.8:53 yfphkpjtxyli.net udp
US 8.8.8.8:53 kogkmgecau.com udp
US 8.8.8.8:53 vzkoodir.info udp
US 8.8.8.8:53 kwdajidsji.info udp
US 8.8.8.8:53 gdvtlpap.info udp
US 8.8.8.8:53 xrbklm.info udp
US 8.8.8.8:53 iquqavrwirax.info udp
US 8.8.8.8:53 hfymbfl.net udp
US 8.8.8.8:53 bglmvzxcpb.net udp
US 8.8.8.8:53 bojzyehr.net udp
US 8.8.8.8:53 suicwlhzdsrh.net udp
US 8.8.8.8:53 vodmgtbcfit.com udp
US 8.8.8.8:53 eifkzysshz.info udp
US 8.8.8.8:53 gqsqgqkiqw.com udp
US 8.8.8.8:53 keidxwtnvv.info udp
US 8.8.8.8:53 nujjjhwmtcyu.info udp
US 8.8.8.8:53 yuuicqaiuooe.com udp
US 8.8.8.8:53 dqioyndkhu.info udp
US 8.8.8.8:53 qaequchbn.net udp
US 8.8.8.8:53 acssvafkp.net udp
US 8.8.8.8:53 osfirsowmqo.info udp
US 8.8.8.8:53 ndryacdqngl.com udp
US 8.8.8.8:53 pvqlykfq.net udp
US 8.8.8.8:53 dkqkpsvkv.info udp
US 8.8.8.8:53 ljatfd.info udp
US 8.8.8.8:53 jtuivovy.net udp
US 8.8.8.8:53 tjbtxgjtrvrq.info udp
US 8.8.8.8:53 gojhxrh.net udp
US 8.8.8.8:53 jvcuyszjq.com udp
US 8.8.8.8:53 sbbjgdnglkj.info udp
US 8.8.8.8:53 prvddfje.net udp
US 8.8.8.8:53 vommdavlld.net udp
US 8.8.8.8:53 unraxur.net udp
US 8.8.8.8:53 vmihlahazqo.net udp
US 8.8.8.8:53 soieeseiakec.org udp
US 8.8.8.8:53 cwxoncxmla.info udp
US 8.8.8.8:53 cofqgl.info udp
US 8.8.8.8:53 ggwskm.com udp
US 8.8.8.8:53 cyssnpfuybi.info udp
US 8.8.8.8:53 wcvjfgcaq.net udp
US 8.8.8.8:53 gaokak.com udp
US 8.8.8.8:53 scyoosmmkqig.org udp
US 8.8.8.8:53 rvblherphhvh.net udp
US 8.8.8.8:53 nplhqnjotl.net udp
US 8.8.8.8:53 jvnkuin.com udp
US 8.8.8.8:53 msdbpysk.net udp
US 8.8.8.8:53 lupjdsr.com udp
US 8.8.8.8:53 nsfkeafrtjn.info udp
US 8.8.8.8:53 tjpahurkauv.com udp
US 8.8.8.8:53 woqiao.org udp
US 8.8.8.8:53 gmxxmqvmnmu.net udp
US 8.8.8.8:53 ssephjrodqy.net udp
US 8.8.8.8:53 mentnwt.info udp
US 8.8.8.8:53 fjtstfilxuj.com udp
US 8.8.8.8:53 jvvyycbvlsy.com udp
US 8.8.8.8:53 jtpdhst.org udp
US 162.249.65.164:80 jtpdhst.org tcp
US 8.8.8.8:53 rkblbkrigk.net udp
US 8.8.8.8:53 ggstbdnkvi.net udp
US 8.8.8.8:53 sasuvyfl.info udp
US 8.8.8.8:53 ksgwcinysgh.info udp
US 8.8.8.8:53 awawsoagsiie.com udp
US 8.8.8.8:53 bfvbpfllrewl.net udp
US 8.8.8.8:53 buapnrrvvx.net udp
US 8.8.8.8:53 rdhzis.info udp
US 8.8.8.8:53 tbrpvoic.net udp
US 8.8.8.8:53 sopqktlnz.net udp
US 8.8.8.8:53 mmncloetjqv.info udp
US 8.8.8.8:53 nibkcon.net udp
US 8.8.8.8:53 yvvwtcdubbd.net udp
US 8.8.8.8:53 lwxsgio.org udp
US 8.8.8.8:53 giocgc.com udp
US 8.8.8.8:53 kasuiyek.com udp
US 8.8.8.8:53 dnfvhgv.com udp
US 8.8.8.8:53 swyqygegyk.org udp
US 8.8.8.8:53 nsdyrsw.org udp
US 8.8.8.8:53 rqsmlao.net udp
US 8.8.8.8:53 rojwsqumfvt.com udp
US 8.8.8.8:53 dsjoajgdum.info udp
US 8.8.8.8:53 yyjeloy.net udp
US 8.8.8.8:53 trnsxilznx.net udp
US 8.8.8.8:53 wecoue.com udp
US 8.8.8.8:53 mmcoua.org udp
US 8.8.8.8:53 yppmyvzdzqj.info udp
US 8.8.8.8:53 waklzqsihov.net udp
US 8.8.8.8:53 yaiwwqauqmom.com udp
US 8.8.8.8:53 lorulegqpzp.net udp
US 8.8.8.8:53 dkzbrjzih.info udp
US 8.8.8.8:53 kwurft.net udp
US 8.8.8.8:53 srclaozvnv.info udp
US 8.8.8.8:53 ekemoa.org udp
US 8.8.8.8:53 bqqzycvrov.info udp
US 8.8.8.8:53 alzrvxtksauv.info udp
US 8.8.8.8:53 nhhstvlaerb.org udp
US 8.8.8.8:53 ilotakteky.net udp
US 8.8.8.8:53 yikojgcqb.info udp
US 8.8.8.8:53 zunqpclrhgr.com udp
US 8.8.8.8:53 iwaeykhsn.info udp
US 8.8.8.8:53 guzwcnhbfss.net udp
US 8.8.8.8:53 oypcvtham.net udp
US 8.8.8.8:53 jftgvslddj.net udp
US 8.8.8.8:53 mbpwcqlboe.info udp
US 8.8.8.8:53 triafu.net udp
US 8.8.8.8:53 hmvcozfilo.info udp
US 8.8.8.8:53 yqqwuqqo.com udp
US 8.8.8.8:53 qrrizh.net udp
US 8.8.8.8:53 nvkegmombev.info udp

Files

C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe

C:\Windows\SysWOW64\qdzqfdsiajfjfhakpk.exe

C:\Users\Admin\AppData\Local\Temp\ddmqs.exe

C:\Users\Admin\AppData\Local\nlsuuddehbixervqgmkrttccd.ahw

C:\Users\Admin\AppData\Local\sbtgrlwiwbttljyefwfxkvpamafxxpncijaj.ozt

C:\Program Files (x86)\nlsuuddehbixervqgmkrttccd.ahw

C:\Program Files (x86)\nlsuuddehbixervqgmkrttccd.ahw

C:\hlygmbhox.bat

C:\Program Files (x86)\nlsuuddehbixervqgmkrttccd.ahw

C:\Users\Admin\AppData\Local\nlsuuddehbixervqgmkrttccd.ahw

C:\Program Files (x86)\nlsuuddehbixervqgmkrttccd.ahw

C:\Program Files (x86)\nlsuuddehbixervqgmkrttccd.ahw

C:\Program Files (x86)\nlsuuddehbixervqgmkrttccd.ahw
