Malware Analysis Report

2025-03-15 00:57

Sample ID 240626-nft4javenn
Target 11d1709b0283773db48c654533d3b83f_JaffaCakes118
SHA256 c850d262eb8ae27093e6bbf4a35b73d8037a4e376ea971ad116037e01f0091a5
Tags
defense_evasion evasion persistence trojan
score
10/10

Analysis Overview

score
10/10

SHA256

c850d262eb8ae27093e6bbf4a35b73d8037a4e376ea971ad116037e01f0091a5

Threat Level: Known bad

The file 11d1709b0283773db48c654533d3b83f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion evasion persistence trojan

Modifies WinLogon for persistence

UAC bypass

Adds policy Run key to start application

Disables RegEdit via registry modification

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Impair Defenses: Safe Mode Boot

Checks whether UAC is enabled

Looks up external IP address via web service

Adds Run key to start application

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

System policy modification

Suspicious use of AdjustPrivilegeToken

Analysis: static1

Detonation Overview

Reported

2024-06-26 11:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 11:20

Reported

2024-06-26 11:23

Platform

win7-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ruwy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eujyuidtfaucbfbeq.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ruwy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lewonecvkifqszyettha.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ruwy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqhywmjbpmistzxcqpc.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yejoaep = "neukhwsjwsnwwbycpn.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ruwy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lewonecvkifqszyettha.exe" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yejoaep = "yqhywmjbpmistzxcqpc.exe" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yejoaep = "aunggyxrhgeqtbbiyzoib.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ruwy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eujyuidtfaucbfbeq.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yejoaep = "aunggyxrhgeqtbbiyzoib.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ruwy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aunggyxrhgeqtbbiyzoib.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yejoaep = "yqhywmjbpmistzxcqpc.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ruwy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqhywmjbpmistzxcqpc.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yejoaep = "eujyuidtfaucbfbeq.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yejoaep = "xmaojwqfqkdkilgi.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yejoaep = "eujyuidtfaucbfbeq.exe" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ruwy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lewonecvkifqszyettha.exe" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yejoaep = "yqhywmjbpmistzxcqpc.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yejoaep = "eujyuidtfaucbfbeq.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ruwy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aunggyxrhgeqtbbiyzoib.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ruwy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xmaojwqfqkdkilgi.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqhywmjbpmistzxcqpc.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehku = "lewonecvkifqszyettha.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\emtaouhpt = "xmaojwqfqkdkilgi.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lewonecvkifqszyettha.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "aunggyxrhgeqtbbiyzoib.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehku = "eujyuidtfaucbfbeq.exe" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xgowlsgpui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eujyuidtfaucbfbeq.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lewonecvkifqszyettha.exe" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehku = "lewonecvkifqszyettha.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuagtykr = "aunggyxrhgeqtbbiyzoib.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehku = "xmaojwqfqkdkilgi.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehku = "xmaojwqfqkdkilgi.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eujyuidtfaucbfbeq.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aunggyxrhgeqtbbiyzoib.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sclukshrxma = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lewonecvkifqszyettha.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\emtaouhpt = "neukhwsjwsnwwbycpn.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\emtaouhpt = "yqhywmjbpmistzxcqpc.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sclukshrxma = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xmaojwqfqkdkilgi.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\emtaouhpt = "xmaojwqfqkdkilgi.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqhywmjbpmistzxcqpc.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuagtykr = "lewonecvkifqszyettha.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqhywmjbpmistzxcqpc.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehku = "aunggyxrhgeqtbbiyzoib.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neukhwsjwsnwwbycpn.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sclukshrxma = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neukhwsjwsnwwbycpn.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehku = "eujyuidtfaucbfbeq.exe" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehku = "yqhywmjbpmistzxcqpc.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sclukshrxma = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eujyuidtfaucbfbeq.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neukhwsjwsnwwbycpn.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "eujyuidtfaucbfbeq.exe ." C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "xmaojwqfqkdkilgi.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eujyuidtfaucbfbeq.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "aunggyxrhgeqtbbiyzoib.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xgowlsgpui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xmaojwqfqkdkilgi.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\emtaouhpt = "lewonecvkifqszyettha.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "eujyuidtfaucbfbeq.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehku = "eujyuidtfaucbfbeq.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eujyuidtfaucbfbeq.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "lewonecvkifqszyettha.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xgowlsgpui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqhywmjbpmistzxcqpc.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xgowlsgpui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eujyuidtfaucbfbeq.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuagtykr = "xmaojwqfqkdkilgi.exe" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "lewonecvkifqszyettha.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuagtykr = "yqhywmjbpmistzxcqpc.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "eujyuidtfaucbfbeq.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sclukshrxma = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqhywmjbpmistzxcqpc.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lewonecvkifqszyettha.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xgowlsgpui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neukhwsjwsnwwbycpn.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xgowlsgpui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aunggyxrhgeqtbbiyzoib.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aunggyxrhgeqtbbiyzoib.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eujyuidtfaucbfbeq.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xgowlsgpui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aunggyxrhgeqtbbiyzoib.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neukhwsjwsnwwbycpn.exe" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\emtaouhpt = "lewonecvkifqszyettha.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xgowlsgpui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lewonecvkifqszyettha.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xgowlsgpui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eujyuidtfaucbfbeq.exe ." C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuagtykr = "yqhywmjbpmistzxcqpc.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xgowlsgpui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xmaojwqfqkdkilgi.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\emtaouhpt = "neukhwsjwsnwwbycpn.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\emtaouhpt = "eujyuidtfaucbfbeq.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "neukhwsjwsnwwbycpn.exe ." C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sclukshrxma = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqhywmjbpmistzxcqpc.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuagtykr = "xmaojwqfqkdkilgi.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuagtykr = "neukhwsjwsnwwbycpn.exe" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.showmyipaddress.com N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\rmgabuupggfswfgofhxsmg.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File created C:\Windows\SysWOW64\lewonecvkifqszyettha.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\SysWOW64\aunggyxrhgeqtbbiyzoib.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\SysWOW64\eujyuidtfaucbfbeq.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File created C:\Windows\SysWOW64\eujyuidtfaucbfbeq.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File created C:\Windows\SysWOW64\lewonecvkifqszyettha.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\SysWOW64\aunggyxrhgeqtbbiyzoib.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\SysWOW64\lewonecvkifqszyettha.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\SysWOW64\yqhywmjbpmistzxcqpc.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\SysWOW64\lewonecvkifqszyettha.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\SysWOW64\aunggyxrhgeqtbbiyzoib.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\SysWOW64\xgowlsgpuivwolawbrvemujqensgtumj.uzp C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File created C:\Windows\SysWOW64\yqhywmjbpmistzxcqpc.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File created C:\Windows\SysWOW64\xmaojwqfqkdkilgi.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File created C:\Windows\SysWOW64\yqhywmjbpmistzxcqpc.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\SysWOW64\rmgabuupggfswfgofhxsmg.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File created C:\Windows\SysWOW64\eujyuidtfaucbfbeq.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File created C:\Windows\SysWOW64\aunggyxrhgeqtbbiyzoib.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File created C:\Windows\SysWOW64\caxuyuxvpsukrdhsmrkif.gcf C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\SysWOW64\neukhwsjwsnwwbycpn.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File created C:\Windows\SysWOW64\lewonecvkifqszyettha.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\SysWOW64\rmgabuupggfswfgofhxsmg.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File created C:\Windows\SysWOW64\neukhwsjwsnwwbycpn.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\SysWOW64\xmaojwqfqkdkilgi.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File created C:\Windows\SysWOW64\rmgabuupggfswfgofhxsmg.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\SysWOW64\rmgabuupggfswfgofhxsmg.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File created C:\Windows\SysWOW64\yqhywmjbpmistzxcqpc.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\SysWOW64\lewonecvkifqszyettha.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File created C:\Windows\SysWOW64\xmaojwqfqkdkilgi.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\SysWOW64\eujyuidtfaucbfbeq.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\SysWOW64\neukhwsjwsnwwbycpn.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\SysWOW64\caxuyuxvpsukrdhsmrkif.gcf C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\SysWOW64\xmaojwqfqkdkilgi.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\SysWOW64\neukhwsjwsnwwbycpn.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\SysWOW64\neukhwsjwsnwwbycpn.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\SysWOW64\eujyuidtfaucbfbeq.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\SysWOW64\lewonecvkifqszyettha.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File created C:\Windows\SysWOW64\aunggyxrhgeqtbbiyzoib.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\SysWOW64\eujyuidtfaucbfbeq.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File created C:\Windows\SysWOW64\neukhwsjwsnwwbycpn.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File created C:\Windows\SysWOW64\rmgabuupggfswfgofhxsmg.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File created C:\Windows\SysWOW64\neukhwsjwsnwwbycpn.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File created C:\Windows\SysWOW64\xgowlsgpuivwolawbrvemujqensgtumj.uzp C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File created C:\Windows\SysWOW64\eujyuidtfaucbfbeq.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File created C:\Windows\SysWOW64\aunggyxrhgeqtbbiyzoib.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\SysWOW64\rmgabuupggfswfgofhxsmg.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File created C:\Windows\SysWOW64\eujyuidtfaucbfbeq.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File created C:\Windows\SysWOW64\xmaojwqfqkdkilgi.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File created C:\Windows\SysWOW64\rmgabuupggfswfgofhxsmg.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\SysWOW64\yqhywmjbpmistzxcqpc.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File created C:\Windows\SysWOW64\aunggyxrhgeqtbbiyzoib.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File created C:\Windows\SysWOW64\yqhywmjbpmistzxcqpc.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File created C:\Windows\SysWOW64\neukhwsjwsnwwbycpn.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File created C:\Windows\SysWOW64\lewonecvkifqszyettha.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\SysWOW64\xmaojwqfqkdkilgi.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File created C:\Windows\SysWOW64\xmaojwqfqkdkilgi.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\SysWOW64\aunggyxrhgeqtbbiyzoib.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\SysWOW64\xmaojwqfqkdkilgi.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\SysWOW64\yqhywmjbpmistzxcqpc.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\SysWOW64\yqhywmjbpmistzxcqpc.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\caxuyuxvpsukrdhsmrkif.gcf C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File created C:\Program Files (x86)\caxuyuxvpsukrdhsmrkif.gcf C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Program Files (x86)\xgowlsgpuivwolawbrvemujqensgtumj.uzp C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File created C:\Program Files (x86)\xgowlsgpuivwolawbrvemujqensgtumj.uzp C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\yqhywmjbpmistzxcqpc.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\neukhwsjwsnwwbycpn.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File created C:\Windows\xgowlsgpuivwolawbrvemujqensgtumj.uzp C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\xmaojwqfqkdkilgi.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File created C:\Windows\yqhywmjbpmistzxcqpc.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\yqhywmjbpmistzxcqpc.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\aunggyxrhgeqtbbiyzoib.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File created C:\Windows\caxuyuxvpsukrdhsmrkif.gcf C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\lewonecvkifqszyettha.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\rmgabuupggfswfgofhxsmg.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\yqhywmjbpmistzxcqpc.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File created C:\Windows\neukhwsjwsnwwbycpn.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\lewonecvkifqszyettha.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\eujyuidtfaucbfbeq.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\lewonecvkifqszyettha.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\rmgabuupggfswfgofhxsmg.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\caxuyuxvpsukrdhsmrkif.gcf C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\rmgabuupggfswfgofhxsmg.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\xgowlsgpuivwolawbrvemujqensgtumj.uzp C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File created C:\Windows\eujyuidtfaucbfbeq.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\lewonecvkifqszyettha.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File created C:\Windows\lewonecvkifqszyettha.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File created C:\Windows\aunggyxrhgeqtbbiyzoib.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\eujyuidtfaucbfbeq.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\aunggyxrhgeqtbbiyzoib.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\neukhwsjwsnwwbycpn.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\eujyuidtfaucbfbeq.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\aunggyxrhgeqtbbiyzoib.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\xmaojwqfqkdkilgi.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\neukhwsjwsnwwbycpn.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\neukhwsjwsnwwbycpn.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\eujyuidtfaucbfbeq.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File created C:\Windows\xmaojwqfqkdkilgi.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File created C:\Windows\rmgabuupggfswfgofhxsmg.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\xmaojwqfqkdkilgi.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
File opened for modification C:\Windows\yqhywmjbpmistzxcqpc.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\aunggyxrhgeqtbbiyzoib.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\rmgabuupggfswfgofhxsmg.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
File opened for modification C:\Windows\xmaojwqfqkdkilgi.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2932 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe
PID 2932 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe
PID 2932 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe
PID 2932 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe
PID 2856 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe
PID 2856 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe
PID 2856 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe
PID 2856 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe
PID 2856 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe
PID 2856 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe
PID 2856 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe
PID 2856 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe C:\Users\Admin\AppData\Local\Temp\aehku.exe
PID 2932 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe
PID 2932 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe
PID 2932 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe
PID 2932 wrote to memory of 1848 N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\aehku.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe

"C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe" "c:\users\admin\appdata\local\temp\11d1709b0283773db48c654533d3b83f_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\aehku.exe

"C:\Users\Admin\AppData\Local\Temp\aehku.exe" "-c:\users\admin\appdata\local\temp\11d1709b0283773db48c654533d3b83f_jaffacakes118.exe"

C:\Users\Admin\AppData\Local\Temp\aehku.exe

"C:\Users\Admin\AppData\Local\Temp\aehku.exe" "-c:\users\admin\appdata\local\temp\11d1709b0283773db48c654533d3b83f_jaffacakes118.exe"

C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe

"C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe" "c:\users\admin\appdata\local\temp\11d1709b0283773db48c654533d3b83f_jaffacakes118.exe"

Network


Files

\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe

C:\Windows\SysWOW64\neukhwsjwsnwwbycpn.exe

\Users\Admin\AppData\Local\Temp\aehku.exe

C:\Windows\yqhywmjbpmistzxcqpc.exe

C:\Users\Admin\AppData\Local\caxuyuxvpsukrdhsmrkif.gcf

C:\Users\Admin\AppData\Local\xgowlsgpuivwolawbrvemujqensgtumj.uzp

C:\Program Files (x86)\caxuyuxvpsukrdhsmrkif.gcf

MD5 e1913aa49844ff74bdd2edeae8741d62
SHA1 e7735eea9d710dd4343f6769a0436605e417ef7d
SHA256 4a01a21a2192c1084e69bca3f68ca1c4960588a1b26e67f4a53f05b2b658620a
SHA512 31856ab4cd4c3864be377fc92ab524c7a04c58ed1e185429a564fa1839775c2020974a0114a73087288a529421517544edd21d386156a792738d042aeab512ca

C:\Users\Admin\AppData\Local\caxuyuxvpsukrdhsmrkif.gcf

MD5 d5fde4b4c804c855e06ef643d2edb098
SHA1 868e4654439cdc47803903beb5c7d81419efc3a1
SHA256 a84f87e887290c3ee5830b36a5e290c0c6724748d89d4e21c9aadabc4c59a3b0
SHA512 0f660c3f2a58c41bd39fe870cab9fb53b120c821176eca64229923b3f5f5e0d31a8e66a4add8243a3a607236140aa3e786cf9cf8c9323162c3bf57b6081f3518

C:\nuagtykr.bat

MD5 ce045705a75776a37cf4ce3ec5be9cf1
SHA1 c56d58094c583ec7280cad0d3d19e7d059f35a6c
SHA256 56032b76eeee6ace3221d07afbb9a1ff750bc04fb393ca3d9e1230d2578009a4
SHA512 a4e427bdeb6ad5b2baf79c9cef0e24c39d1ea35ef53ec9721cc988929e4c814ee5682c2eafccb4fe5de7d4e421cf4254c14bbad6f00ff5c6a9fce1ffbf33ec68

C:\Program Files (x86)\caxuyuxvpsukrdhsmrkif.gcf

MD5 fae42abc9acb11e95ef227ba7b766fb7
SHA1 8866a7a7995d0a7ce9f1e60e336adc37ec5bad38
SHA256 f4fc7568fd6bf9ae0ac97c39d4889e9395c34fce0cf38c178d15ea7bef88ccc2
SHA512 4579bca07aec143c97baa7b29a2917ead43557d83e4e7e4f15a5c50f22e1f4b4db6888d1b44c17ed39d16342171f8217d958bb9e712a4286a889e1a69a67d4e0

C:\Users\Admin\AppData\Local\caxuyuxvpsukrdhsmrkif.gcf

MD5 61a49d2de8ce02ba971996f5263e5944
SHA1 75c9516e4681975a869fade5a2f6d8f23eba5936
SHA256 724d2bb195a1e0f28c48d32e7cbad980b27b45daa45b1d598b5a37e894357a69
SHA512 2ba5d30033d21aff8312abfbd27f8d93d2c35dfcb171e0ef12cadd8cd24ffa19cee937e98d57aa3bcd0377f2182286aeead350aff2db6e029e7e811a26790883

C:\Users\Admin\AppData\Local\caxuyuxvpsukrdhsmrkif.gcf

MD5 19af597d0cd56156e9bd5670cba83842
SHA1 abc9da8a33963a7416bf3e2599ebc32b6376555f
SHA256 5e34b8bdf8692e4f2644cf3941de7bad3888dddd26759187472af0a9af950723
SHA512 2b4913793508081990994444012c6362f119c21241c2b7588e11ec58466c216886ff16107d8d1abf2c936ac28124a1d17e60c3b67c22dcb906b9d1d875ce82d6

C:\Users\Admin\AppData\Local\caxuyuxvpsukrdhsmrkif.gcf

MD5 448873b33ba488b4449bd551f2d9527c
SHA1 27db055620268adda1bcfca70a621bb183da26e7
SHA256 1ed6faa18354da638f1c810a33fc33037f52b7de84307926ce2f39e022b36e46
SHA512 89203a255d49a9ff7c7505cc8d3421c7a190bb07d9fdc40fad242a1e2ed34b64bf856c8f34903a66e646b2eba82ac71f37b4e7bb0862a4b4e804d9dd8bf041ea

C:\Users\Admin\AppData\Local\caxuyuxvpsukrdhsmrkif.gcf

MD5 edef2caeda916b6f6d82639cf03a384a
SHA1 1ba3d00549ccb1f43ef2be501d7b06e0015ae977
SHA256 ffe26fdf224af293f61de2b93fc7dcba975b1b46d3f4415e63e432291e186847
SHA512 d6c0c0e5b304b879e7f1cef7ec2d4c0b242f3463a7e03900abd14c78af8c587bd0333d7116910c103f3331be5ba89b2dcc97822898a3725b092006911e895ce2
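Two things this flat Files listing hides: C:\Windows\SysWOW64\neukhwsjwsnwwbycpn.exe carries the same MD5/SHA256 as the submitted sample (a self-copy under a random name, not a second payload), and C:\Users\Admin\AppData\Local\caxuyuxvpsukrdhsmrkif.gcf appears six times with six different hashes, so a hash blocklist built from that path alone is useless. The script below is an added example for this page, not sandbox output; it parses path + hash blocks of the shape used above, on a constructed subset of the listing (MD5 and SHA256 lines only), and reports self-copies, rewritten paths and the deduplicated SHA256 set.

```python
"""Group a sandbox "Files" listing by content (added example, not sandbox code)."""

HASH_LABELS = ("MD5", "SHA1", "SHA256", "SHA512")

# SHA256 of the submitted sample, taken from the report header.
SAMPLE_SHA256 = "c850d262eb8ae27093e6bbf4a35b73d8037a4e376ea971ad116037e01f0091a5"

# Constructed subset of the Files listing above (MD5 and SHA256 lines only).
FILES_LISTING = r"""
\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe
MD5 b58393335b3621bfb1fc631823248577
SHA256 6ea5753634bcae5b7fb519f8556eb8d09b0a7b547e3b0214e7141ce8e92302d9

C:\Windows\SysWOW64\neukhwsjwsnwwbycpn.exe
MD5 11d1709b0283773db48c654533d3b83f
SHA256 c850d262eb8ae27093e6bbf4a35b73d8037a4e376ea971ad116037e01f0091a5

\Users\Admin\AppData\Local\Temp\aehku.exe
MD5 3c21dc0dc2a49945388cb3c340526bb9
SHA256 612b3a368c3635c833e79d8aac85f33b65fc94b96289fa1644ac2460f0378e0a

C:\Users\Admin\AppData\Local\caxuyuxvpsukrdhsmrkif.gcf
MD5 4a670038a2be33b0a1134f2bf5057ae6
SHA256 738624b4cb1542f29cb2a72a31e855ac327c8f07bb719c70f98942e7da0bce04

C:\Program Files (x86)\caxuyuxvpsukrdhsmrkif.gcf
MD5 e1913aa49844ff74bdd2edeae8741d62
SHA256 4a01a21a2192c1084e69bca3f68ca1c4960588a1b26e67f4a53f05b2b658620a

C:\Users\Admin\AppData\Local\caxuyuxvpsukrdhsmrkif.gcf
MD5 d5fde4b4c804c855e06ef643d2edb098
SHA256 a84f87e887290c3ee5830b36a5e290c0c6724748d89d4e21c9aadabc4c59a3b0

C:\Program Files (x86)\caxuyuxvpsukrdhsmrkif.gcf
MD5 fae42abc9acb11e95ef227ba7b766fb7
SHA256 f4fc7568fd6bf9ae0ac97c39d4889e9395c34fce0cf38c178d15ea7bef88ccc2
"""


def parse_files_listing(text):
    """Return [{'path': ..., 'MD5': ..., 'SHA256': ...}, ...] in listing order.

    A line is a hash line when it starts with one of HASH_LABELS followed by a
    digest; every other non-empty line starts a new path entry.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        label, _, digest = line.partition(" ")
        if label in HASH_LABELS and digest:
            if not entries:
                raise ValueError(f"hash line before any path: {line}")
            entries[-1][label] = digest.lower()
        else:
            entries.append({"path": line})
    return entries


def self_copies(entries, sample_sha256):
    """Paths whose content is byte-identical to the submitted sample."""
    return [e["path"] for e in entries if e.get("SHA256") == sample_sha256.lower()]


def rewritten_paths(entries):
    """Paths written more than once with different content -> distinct SHA256s in order."""
    seen = {}
    for e in entries:
        hashes = seen.setdefault(e["path"], [])
        if e.get("SHA256") and e["SHA256"] not in hashes:
            hashes.append(e["SHA256"])
    return {path: hashes for path, hashes in seen.items() if len(hashes) > 1}


def unique_sha256(entries):
    """Deduplicated SHA256 set, the part of the listing worth putting on a blocklist."""
    return sorted({e["SHA256"] for e in entries if e.get("SHA256")})


if __name__ == "__main__":
    ents = parse_files_listing(FILES_LISTING)
    print("self-copies of the sample:", self_copies(ents, SAMPLE_SHA256))
    for path, hashes in rewritten_paths(ents).items():
        print(f"rewritten {len(hashes)}x: {path}")
    print(f"{len(unique_sha256(ents))} distinct SHA256 across {len(ents)} entries")
```

Run against the full listing, the .gcf and .uzp files are the ones whose content changes between writes; the four dropped .exe files each have one stable hash and are the candidates for a blocklist.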

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 11:20

Reported

2024-06-26 11:23

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "extkeavnzmsquwhtcvric.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ehnos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhaofyqfoybwxwentj.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "phcslgarcotqtuepxpka.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "ctncuohxhswsuudnulf.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "ctncuohxhswsuudnulf.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ehnos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhaofyqfoybwxwentj.exe" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ehnos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctncuohxhswsuudnulf.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ehnos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctncuohxhswsuudnulf.exe" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ehnos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctncuohxhswsuudnulf.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ehnos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixpcskbpxgiccahpu.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "phcslgarcotqtuepxpka.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ehnos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpgshyobiqrkjgmt.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ehnos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phcslgarcotqtuepxpka.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "ixpcskbpxgiccahpu.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ehnos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhaofyqfoybwxwentj.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "bpgshyobiqrkjgmt.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ehnos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phcslgarcotqtuepxpka.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "rhaofyqfoybwxwentj.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "extkeavnzmsquwhtcvric.exe" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "ixpcskbpxgiccahpu.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ehnos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\extkeavnzmsquwhtcvric.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "rhaofyqfoybwxwentj.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "bpgshyobiqrkjgmt.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "extkeavnzmsquwhtcvric.exe" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdqyjwiruyvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctncuohxhswsuudnulf.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "ixpcskbpxgiccahpu.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phcslgarcotqtuepxpka.exe ." C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjuajuelmo = "phcslgarcotqtuepxpka.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfryiufnpso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phcslgarcotqtuepxpka.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdqyjwiruyvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\extkeavnzmsquwhtcvric.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpgshyobiqrkjgmt.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjuajuelmo = "phcslgarcotqtuepxpka.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdqyjwiruyvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpgshyobiqrkjgmt.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptacho = "phcslgarcotqtuepxpka.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdqyjwiruyvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phcslgarcotqtuepxpka.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "bpgshyobiqrkjgmt.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipzemwfll = "ctncuohxhswsuudnulf.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "extkeavnzmsquwhtcvric.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfryiufnpso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixpcskbpxgiccahpu.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfryiufnpso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhaofyqfoybwxwentj.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipzemwfll = "rhaofyqfoybwxwentj.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptacho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phcslgarcotqtuepxpka.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipzemwfll = "extkeavnzmsquwhtcvric.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfryiufnpso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhaofyqfoybwxwentj.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjuajuelmo = "extkeavnzmsquwhtcvric.exe ." C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhaofyqfoybwxwentj.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdqyjwiruyvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhaofyqfoybwxwentj.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptacho = "phcslgarcotqtuepxpka.exe" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfryiufnpso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\extkeavnzmsquwhtcvric.exe ." C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "phcslgarcotqtuepxpka.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjuajuelmo = "extkeavnzmsquwhtcvric.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipzemwfll = "ctncuohxhswsuudnulf.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfryiufnpso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctncuohxhswsuudnulf.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdqyjwiruyvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phcslgarcotqtuepxpka.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptacho = "rhaofyqfoybwxwentj.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdqyjwiruyvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhaofyqfoybwxwentj.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipzemwfll = "phcslgarcotqtuepxpka.exe" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptacho = "phcslgarcotqtuepxpka.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptacho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctncuohxhswsuudnulf.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjuajuelmo = "bpgshyobiqrkjgmt.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptacho = "ixpcskbpxgiccahpu.exe" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptacho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\extkeavnzmsquwhtcvric.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjuajuelmo = "ctncuohxhswsuudnulf.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdqyjwiruyvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctncuohxhswsuudnulf.exe" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptacho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctncuohxhswsuudnulf.exe" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptacho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phcslgarcotqtuepxpka.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipzemwfll = "ixpcskbpxgiccahpu.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipzemwfll = "phcslgarcotqtuepxpka.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptacho = "bpgshyobiqrkjgmt.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdqyjwiruyvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\extkeavnzmsquwhtcvric.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipzemwfll = "ctncuohxhswsuudnulf.exe" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\extkeavnzmsquwhtcvric.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptacho = "rhaofyqfoybwxwentj.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipzemwfll = "extkeavnzmsquwhtcvric.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "ctncuohxhswsuudnulf.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjuajuelmo = "rhaofyqfoybwxwentj.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipzemwfll = "bpgshyobiqrkjgmt.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptacho = "ixpcskbpxgiccahpu.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhaofyqfoybwxwentj.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptacho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpgshyobiqrkjgmt.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfryiufnpso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixpcskbpxgiccahpu.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpgshyobiqrkjgmt.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfryiufnpso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpgshyobiqrkjgmt.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptacho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\extkeavnzmsquwhtcvric.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "extkeavnzmsquwhtcvric.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfryiufnpso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctncuohxhswsuudnulf.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctncuohxhswsuudnulf.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfryiufnpso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctncuohxhswsuudnulf.exe ." C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
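The registry tables from "Modifies WinLogon for persistence" down to "Checks whether UAC is enabled" are long because the sandbox logs every write, including repeats. Two points a reader should take from them: the four Policies\System values written to 0 together switch UAC off (EnableLUA=0 only takes effect after a reboot; ConsentPromptBehaviorAdmin=0 removes the admin prompt immediately), and the Winlogon Shell value written here is "Explorer.exe", the default shell, so that write on its own is not a shell hijack; the persistence that matters is the Run, RunOnce and Policies\Explorer\Run entries. The script below is an added example for this page, not sandbox code; it parses rows of the shape used in these tables on a constructed sample (one row per kind of write) and groups them under the report's own signature names with a note on what each value means. The ATT&CK technique IDs in the comments are the standard ones for these behaviours; the severity labels are the example's own.

```python
"""Triage registry rows from a sandbox report (added example, not sandbox code)."""
from collections import defaultdict

OPS = ("Set value (str)", "Set value (int)", "Key value queried",
       "Key deleted", "Key created")

# Meaning of each HKLM\...\Policies\System value when written as 0 (T1548.002).
UAC_VALUES = {
    "enablelua": "UAC disabled entirely (takes effect after reboot)",
    "consentpromptbehavioradmin": "admins elevate with no prompt",
    "consentpromptbehavioruser": "standard users' elevation auto-denied",
    "promptonsecuredesktop": "prompts no longer on the secure desktop",
}

# Constructed from rows in the tables above, one per kind of write.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "extkeavnzmsquwhtcvric.exe" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "ixpcskbpxgiccahpu.exe ." C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
"""


def parse_rows(text):
    """Parse '<op> <key>[ = "<value>"] <process> <target>' rows.

    Process and target are the last two whitespace-separated tokens, so
    keys containing spaces ("Windows NT", "Control Panel") parse correctly.
    """
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        rest, process, target = line.rsplit(None, 2)
        op = next((o for o in OPS if rest.startswith(o)), None)
        if op is None:
            raise ValueError(f"unknown operation: {line}")
        key, sep, value = rest[len(op):].strip().partition(' = "')
        # The report doubles backslashes inside quoted values; undo that.
        value = value.rstrip('"').replace("\\\\", "\\") if sep else None
        rows.append({"op": op, "key": key, "value": value,
                     "process": process.rsplit("\\", 1)[-1], "target": target})
    return rows


def classify(row):
    """Return (category, severity, note) for one parsed row."""
    k = row["key"].lower()
    name = k.rsplit("\\", 1)[-1]
    setting = row["op"].startswith("Set value")
    if k.endswith("\\winlogon\\shell") and setting:                 # T1547.004
        if (row["value"] or "").lower() == "explorer.exe":
            return ("Modifies WinLogon for persistence", "info",
                    "value is the default shell; not a hijack on its own")
        return ("Modifies WinLogon for persistence", "high",
                "non-default shell runs at every logon")
    if "\\policies\\system\\" in k and name in UAC_VALUES and setting:
        if row["value"] == "0":
            return "UAC bypass", "high", UAC_VALUES[name]
        return "UAC bypass", "info", f"{name} set to {row['value']}"
    if name == "disableregistrytools" and row["value"] == "1":      # T1112
        scope = "machine-wide" if k.startswith("\\registry\\machine") else "this user only"
        return "Disables RegEdit via registry modification", "medium", f"regedit blocked {scope}"
    if "\\policies\\explorer\\run" in k:                              # T1547.001
        return "Adds policy Run key to start application", "high", row["value"] or "key created"
    if "\\currentversion\\run\\" in k or "\\currentversion\\runonce\\" in k:
        return "Adds Run key to start application", "high", row["value"] or ""
    if "\\safeboot\\minimal\\" in k and row["op"] == "Key deleted":  # T1562.009
        return "Impair Defenses: Safe Mode Boot", "high", f"{name} will not start in Safe Mode"
    if row["op"] == "Key value queried" and name == "enablelua":
        return "Checks whether UAC is enabled", "info", "read only"
    return "uncategorised", "info", ""


def triage(text):
    """Group rows by category; each entry keeps severity, process, key, value, note."""
    groups = defaultdict(list)
    for row in parse_rows(text):
        category, severity, note = classify(row)
        groups[category].append({"severity": severity, "process": row["process"],
                                 "key": row["key"], "value": row["value"], "note": note})
    return dict(groups)


def severity_counts(text):
    counts = defaultdict(int)
    for entries in triage(text).values():
        for e in entries:
            counts[e["severity"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for category, entries in triage(SAMPLE_ROWS).items():
        print(category)
        for e in entries:
            print(f"  [{e['severity']}] {e['process']}: {e['key']} = {e['value']!r}  {e['note']}")
```

On a live host the same grouping is what a responder checks after cleanup: the four Policies\System values restored (EnableLUA=1, ConsentPromptBehaviorAdmin back to its default, PromptOnSecureDesktop=1), DisableRegistryTools removed from both hives, the Run, RunOnce and Policies\Explorer\Run values deleted, and the SafeBoot\Minimal entries the sample removed recreated before trusting a Safe Mode boot.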

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\phcslgarcotqtuepxpka.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File created C:\Windows\SysWOW64\vpmezwslymtsxamzjdasnk.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\SysWOW64\bjuajuelmojwpgghfnyenyipqsnatkkl.rci C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\SysWOW64\bpgshyobiqrkjgmt.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File created C:\Windows\SysWOW64\vpmezwslymtsxamzjdasnk.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\SysWOW64\bpgshyobiqrkjgmt.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File created C:\Windows\SysWOW64\ctncuohxhswsuudnulf.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\SysWOW64\vpmezwslymtsxamzjdasnk.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File created C:\Windows\SysWOW64\ctncuohxhswsuudnulf.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File created C:\Windows\SysWOW64\extkeavnzmsquwhtcvric.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File created C:\Windows\SysWOW64\vpmezwslymtsxamzjdasnk.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\SysWOW64\ixpcskbpxgiccahpu.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\SysWOW64\extkeavnzmsquwhtcvric.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File created C:\Windows\SysWOW64\bpgshyobiqrkjgmt.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\SysWOW64\ctncuohxhswsuudnulf.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\SysWOW64\extkeavnzmsquwhtcvric.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\SysWOW64\rhaofyqfoybwxwentj.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\SysWOW64\ctncuohxhswsuudnulf.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File created C:\Windows\SysWOW64\ctncuohxhswsuudnulf.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File created C:\Windows\SysWOW64\bpgshyobiqrkjgmt.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\SysWOW64\extkeavnzmsquwhtcvric.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File created C:\Windows\SysWOW64\gddywwvrhyiksyndqnnig.fbr C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File created C:\Windows\SysWOW64\ixpcskbpxgiccahpu.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\SysWOW64\bpgshyobiqrkjgmt.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\SysWOW64\vpmezwslymtsxamzjdasnk.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File created C:\Windows\SysWOW64\phcslgarcotqtuepxpka.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File created C:\Windows\SysWOW64\extkeavnzmsquwhtcvric.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\SysWOW64\ixpcskbpxgiccahpu.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File created C:\Windows\SysWOW64\rhaofyqfoybwxwentj.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\SysWOW64\vpmezwslymtsxamzjdasnk.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\SysWOW64\vpmezwslymtsxamzjdasnk.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\SysWOW64\phcslgarcotqtuepxpka.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File created C:\Windows\SysWOW64\extkeavnzmsquwhtcvric.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\SysWOW64\ctncuohxhswsuudnulf.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File created C:\Windows\SysWOW64\phcslgarcotqtuepxpka.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File created C:\Windows\SysWOW64\extkeavnzmsquwhtcvric.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\SysWOW64\gddywwvrhyiksyndqnnig.fbr C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\SysWOW64\bpgshyobiqrkjgmt.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File created C:\Windows\SysWOW64\bpgshyobiqrkjgmt.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File created C:\Windows\SysWOW64\phcslgarcotqtuepxpka.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\SysWOW64\phcslgarcotqtuepxpka.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File created C:\Windows\SysWOW64\ixpcskbpxgiccahpu.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File created C:\Windows\SysWOW64\rhaofyqfoybwxwentj.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File created C:\Windows\SysWOW64\vpmezwslymtsxamzjdasnk.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\SysWOW64\rhaofyqfoybwxwentj.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File created C:\Windows\SysWOW64\ctncuohxhswsuudnulf.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File created C:\Windows\SysWOW64\bpgshyobiqrkjgmt.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\SysWOW64\rhaofyqfoybwxwentj.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\SysWOW64\rhaofyqfoybwxwentj.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File created C:\Windows\SysWOW64\bjuajuelmojwpgghfnyenyipqsnatkkl.rci C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File created C:\Windows\SysWOW64\ixpcskbpxgiccahpu.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File created C:\Windows\SysWOW64\phcslgarcotqtuepxpka.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\SysWOW64\ixpcskbpxgiccahpu.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\SysWOW64\extkeavnzmsquwhtcvric.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\SysWOW64\ixpcskbpxgiccahpu.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File created C:\Windows\SysWOW64\ixpcskbpxgiccahpu.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\SysWOW64\phcslgarcotqtuepxpka.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\SysWOW64\ctncuohxhswsuudnulf.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File created C:\Windows\SysWOW64\rhaofyqfoybwxwentj.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File created C:\Windows\SysWOW64\rhaofyqfoybwxwentj.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\bjuajuelmojwpgghfnyenyipqsnatkkl.rci C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File created C:\Program Files (x86)\bjuajuelmojwpgghfnyenyipqsnatkkl.rci C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Program Files (x86)\gddywwvrhyiksyndqnnig.fbr C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File created C:\Program Files (x86)\gddywwvrhyiksyndqnnig.fbr C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rhaofyqfoybwxwentj.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File created C:\Windows\ctncuohxhswsuudnulf.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\ctncuohxhswsuudnulf.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File created C:\Windows\gddywwvrhyiksyndqnnig.fbr C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\vpmezwslymtsxamzjdasnk.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File created C:\Windows\vpmezwslymtsxamzjdasnk.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\extkeavnzmsquwhtcvric.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\bpgshyobiqrkjgmt.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\bjuajuelmojwpgghfnyenyipqsnatkkl.rci C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\rhaofyqfoybwxwentj.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\phcslgarcotqtuepxpka.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\ixpcskbpxgiccahpu.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\ctncuohxhswsuudnulf.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\phcslgarcotqtuepxpka.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\ctncuohxhswsuudnulf.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\bpgshyobiqrkjgmt.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\vpmezwslymtsxamzjdasnk.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\rhaofyqfoybwxwentj.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\vpmezwslymtsxamzjdasnk.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\gddywwvrhyiksyndqnnig.fbr C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\extkeavnzmsquwhtcvric.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File created C:\Windows\bpgshyobiqrkjgmt.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File created C:\Windows\phcslgarcotqtuepxpka.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\extkeavnzmsquwhtcvric.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File created C:\Windows\extkeavnzmsquwhtcvric.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\rhaofyqfoybwxwentj.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\bpgshyobiqrkjgmt.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\bpgshyobiqrkjgmt.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\ixpcskbpxgiccahpu.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\rhaofyqfoybwxwentj.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\vpmezwslymtsxamzjdasnk.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File created C:\Windows\ixpcskbpxgiccahpu.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\phcslgarcotqtuepxpka.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\ixpcskbpxgiccahpu.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\ctncuohxhswsuudnulf.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\phcslgarcotqtuepxpka.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File opened for modification C:\Windows\ixpcskbpxgiccahpu.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
File opened for modification C:\Windows\extkeavnzmsquwhtcvric.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
File created C:\Windows\bjuajuelmojwpgghfnyenyipqsnatkkl.rci C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 748 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe
PID 748 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe
PID 748 wrote to memory of 732 N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe
PID 732 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe
PID 732 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe
PID 732 wrote to memory of 1636 N/A C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe
PID 732 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe
PID 732 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe
PID 732 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe C:\Users\Admin\AppData\Local\Temp\ptacho.exe
PID 748 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe
PID 748 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe
PID 748 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\ptacho.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe

"C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe" "c:\users\admin\appdata\local\temp\11d1709b0283773db48c654533d3b83f_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\ptacho.exe

"C:\Users\Admin\AppData\Local\Temp\ptacho.exe" "-c:\users\admin\appdata\local\temp\11d1709b0283773db48c654533d3b83f_jaffacakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ptacho.exe

"C:\Users\Admin\AppData\Local\Temp\ptacho.exe" "-c:\users\admin\appdata\local\temp\11d1709b0283773db48c654533d3b83f_jaffacakes118.exe"

C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe

"C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe" "c:\users\admin\appdata\local\temp\11d1709b0283773db48c654533d3b83f_jaffacakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 175.155.67.172.in-addr.arpa udp
US 8.8.8.8:53 www.whatismyip.com udp
US 104.27.207.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 92.207.27.104.in-addr.arpa udp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.27.207.92:80 www.whatismyip.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 79.222.19.104.in-addr.arpa udp
US 104.27.207.92:80 www.whatismyip.com tcp
US 104.27.207.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.27.207.92:80 www.whatismyip.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.187.238:80 www.youtube.com tcp
BY 178.124.8.134:29951 tcp
US 8.8.8.8:53 mymqeo.info udp
US 8.8.8.8:53 tfomvifox.cc udp
US 8.8.8.8:53 korzjmnansnan.cc udp
US 8.8.8.8:53 isuslk.biz udp
US 8.8.8.8:53 qakayaiq.biz udp
US 8.8.8.8:53 dlradsn.org udp
US 162.249.65.162:80 dlradsn.org tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 238.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 zipagcn.cc udp
US 8.8.8.8:53 eyusaaiugkeq.biz udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 gcikqkuiwcymao.info udp
US 8.8.8.8:53 mstgnqfqbex.org udp
US 8.8.8.8:53 ggblkkdsholapet.org udp
US 8.8.8.8:53 ckopbcuiwcymao.net udp
US 8.8.8.8:53 ymazfyeoya.info udp
US 8.8.8.8:53 kckspkdsholapet.com udp
US 8.8.8.8:53 fajgnsn.com udp
US 8.8.8.8:53 umqrio.biz udp
US 8.8.8.8:53 eueymsuiwcymao.info udp
US 8.8.8.8:53 deagvafox.org udp
US 8.8.8.8:53 vfrvvcn.org udp
US 8.8.8.8:53 ygsink.info udp
US 8.8.8.8:53 agadss.biz udp
US 8.8.8.8:53 ivqvrodsholapet.com udp
US 8.8.8.8:53 ynrvwgfqbex.org udp
US 8.8.8.8:53 ciuzwaiq.net udp
US 8.8.8.8:53 uioezo.biz udp
US 8.8.8.8:53 ohwiomnansnan.org udp
US 8.8.8.8:53 ayhwaufqbex.org udp
US 8.8.8.8:53 qgasocuiwcymao.info udp
US 8.8.8.8:53 isspqkuiwcymao.biz udp
US 8.8.8.8:53 iiuhlwnansnan.cc udp
US 8.8.8.8:53 rxfmdwfox.org udp
US 8.8.8.8:53 esowayeoya.biz udp
US 8.8.8.8:53 swatnk.biz udp
US 8.8.8.8:53 czyhvkdsholapet.org udp
US 8.8.8.8:53 wofrnanansnan.com udp
US 8.8.8.8:53 wwwkqwiugkeq.info udp
US 8.8.8.8:53 yokivaiq.info udp
BY 178.124.8.134:29951 tcp
US 8.8.8.8:53 lksrusfox.org udp
US 8.8.8.8:53 kufamkdsholapet.cc udp
US 8.8.8.8:53 wskoageoya.net udp
US 8.8.8.8:53 ykkges.info udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 ubcmvadsholapet.org udp
US 8.8.8.8:53 nbjmgafox.org udp
US 8.8.8.8:53 ccquxqeoya.net udp
US 8.8.8.8:53 gisahqeoya.info udp
US 8.8.8.8:53 xsymfsfox.cc udp
US 8.8.8.8:53 synfeanansnan.com udp
US 8.8.8.8:53 ocusqyeoya.biz udp
US 8.8.8.8:53 dthuzifox.cc udp
US 8.8.8.8:53 qmgwwmiq.biz udp
US 8.8.8.8:53 qikukwiq.net udp
US 8.8.8.8:53 joqanifox.cc udp
US 8.8.8.8:53 mmxsxqfqbex.cc udp
US 8.8.8.8:53 ooqyhwiq.info udp
US 8.8.8.8:53 iekazkuiwcymao.info udp

Files

C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe

C:\Windows\SysWOW64\rhaofyqfoybwxwentj.exe

C:\Users\Admin\AppData\Local\Temp\ptacho.exe

C:\Users\Admin\AppData\Local\gddywwvrhyiksyndqnnig.fbr

C:\Users\Admin\AppData\Local\bjuajuelmojwpgghfnyenyipqsnatkkl.rci

C:\Program Files (x86)\gddywwvrhyiksyndqnnig.fbr

C:\Program Files (x86)\gddywwvrhyiksyndqnnig.fbr

MD5 734ce331210b40713394968e6dc4c93e
SHA1 5f17cc0e12729ed311ed54f0ab3b76d2ce3c63c7
SHA256 c17803f1bb82285ba2a94cbd9d138978528a2577f285241cbc8033d1437cff06
SHA512 8ff4fefb3ce6a4315672bb84948f4428c72026bbce88c7ce17eba00976e57616ba8d8ad00ea88d64ce041e779ec967b4a7aae453975d3f2413e2e9bfa9ce02c8

C:\Users\Admin\AppData\Local\gddywwvrhyiksyndqnnig.fbr

MD5 0d303dbc8eb4d2b04919ee5644c89505
SHA1 752b58c02afc0fd5f6eea544d445dade7d9dcf38
SHA256 6c4ab9bf25a58b406732ce758f8e1f160cdb90907b543c75cc4d04520418455b
SHA512 87319e0aa12c688a17a8ca384e5b64e0975af3bf11ae1a493123f8394980cdbad7df041ac1c4bec33d6dd42b4c06153ef0a78e0bd9964b4357eb25ba1a2798fb

C:\Users\Admin\AppData\Local\gddywwvrhyiksyndqnnig.fbr

MD5 11bb0ae60e75d1a45fecbe6689417d25
SHA1 2577ac29f0f4e599ac8707e6a48aac6548cc9b7a
SHA256 2a233b2e841b2d36dc61c2922e5bde93261fac4eec9988977c3076b7d2bb377c
SHA512 4f247715720cee667034161ad294b589f62570d434447ce37f2023398d53683e70cd53b0665e81eb114f3430e5087d9e7661ad838c7ccd1667121ecc369ca570

C:\Program Files (x86)\gddywwvrhyiksyndqnnig.fbr

MD5 115b8cf5d79efbedcab1cc58b5eb08c2
SHA1 4ab322bd9b41a59ae85f66e96fc802f4d0390806
SHA256 e3223efaaef2888bdadee996c613d571322ca03e19d6c4b47f621fdd51644ea9
SHA512 f8a7b6a3fd6d5b070d812294a6b5e997499e435f0e4ad2a1a6665c38c8c58497de5045cba3cf71be4cc57b434002671a369340c4a6ae7458790209ba80ea3f6d

C:\Program Files (x86)\gddywwvrhyiksyndqnnig.fbr

MD5 5cd04cb66b441a05b3e013ef9cc30e8e
SHA1 bd7e3f1d5c6cfd08c3a46b96933d415ad6b8477c
SHA256 9d9bc7a03a7cd6ef38e18946540328bb9ec81bd51c5a5fc703d90b54e6c746b1
SHA512 9bca44f962c62b41886888360d492e7d6b113e061e5882f44748d959da21eeb09ef9e17ec8215d67637aeaaed7a5e6888865e7d96cbce8179285375d86d0bdb9

C:\Program Files (x86)\gddywwvrhyiksyndqnnig.fbr

MD5 0c8728caf4a05598caabb348cf9cdf5b
SHA1 0fa1dddb1ce4f7afc340bb7df7a0ae660933806c
SHA256 59e0e8254b911d499aea45a682b8f12093a61bb6bd0db1c4fed35ffa318c24eb
SHA512 092082a3ffdd5a90de32dc36e7c0bfbe8f95acf3621b451ff92703307cc1730dc91e89c0856763441ad5685f99fcc1f90bfb27a15e7d128a0bcbd4a04a350c86
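Two things are worth pulling out of the list above before the hashes go into a blocklist: the executable dropped into C:\Windows\SysWOW64\ carries exactly the submitted sample's MD5/SHA1/SHA256/SHA512 (a self-copy, not a second-stage payload), and the same gddywwvrhyiksyndqnnig.fbr path appears several times with different digests, so any single hash for it is a weak indicator. The following is an added example, not part of the sandbox report, that parses the report's Files format (path line, blank line, four hash lines) into records, validates digest lengths, and flags both conditions. The embedded input is constructed from four of the entries above; the function names are my own.

```python
"""Parse a sandbox report's 'Files' block and flag self-copies and hash churn.

Input format (as on this page): a path line, an empty line, then
MD5/SHA1/SHA256/SHA512 lines, repeated per dropped file.
"""
import re
from collections import defaultdict

# SHA256 of the submitted sample, taken from the report header.
SAMPLE_SHA256 = "c850d262eb8ae27093e6bbf4a35b73d8037a4e376ea971ad116037e01f0091a5"

# Constructed sample input: four entries copied from the report's Files section.
FILES_BLOCK = r"""
C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe

MD5 b58393335b3621bfb1fc631823248577
SHA1 315ffce8bae73f153679650cb580659cae1df77a
SHA256 6ea5753634bcae5b7fb519f8556eb8d09b0a7b547e3b0214e7141ce8e92302d9
SHA512 456450a5dceb3f1cdbafb7d5f65766b1c5c0a3de04abaa2601b178b330dcfb217c4f362285055a5bb1daa88fa0dbdfb7810b05d073cc04ea540f7a4b5b9dc053

C:\Windows\SysWOW64\rhaofyqfoybwxwentj.exe

MD5 11d1709b0283773db48c654533d3b83f
SHA1 e82a0b7eaa8355619813ccd6f39b6d7d3258bf14
SHA256 c850d262eb8ae27093e6bbf4a35b73d8037a4e376ea971ad116037e01f0091a5
SHA512 ad946f0b6116965014f1cfd1278da83b81cce06a71d1ac4b567de6dc45b406705167eaba28537b52480bce63f247b55dd4cac9aa3fde8bd4ec11bd6558497a6a

C:\Users\Admin\AppData\Local\gddywwvrhyiksyndqnnig.fbr

MD5 b9b70be48a822c29530f5aa0336abe95
SHA1 6339238b4546613554fb3bf1a82f1476c3ae8b90
SHA256 31ed8227338c62790edefb49bd658420d4a402d2662978af498b3215a680d1bf
SHA512 38ec0183c5549bbd0b126f9f5e22f67087a8122e4463efe4717f90922db138d23a1ab390b5c17dbdf0a2355a395cd65330fadacd984c43ee931475ecde079bbc

C:\Users\Admin\AppData\Local\gddywwvrhyiksyndqnnig.fbr

MD5 0d303dbc8eb4d2b04919ee5644c89505
SHA1 752b58c02afc0fd5f6eea544d445dade7d9dcf38
SHA256 6c4ab9bf25a58b406732ce758f8e1f160cdb90907b543c75cc4d04520418455b
SHA512 87319e0aa12c688a17a8ca384e5b64e0975af3bf11ae1a493123f8394980cdbad7df041ac1c4bec33d6dd42b4c06153ef0a78e0bd9964b4357eb25ba1a2798fb
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_block(text):
    """Return a list of {'path': ..., 'MD5': ..., 'SHA1': ..., ...} in report order.

    Any line that is not a recognised hash line starts a new record, so a
    truncated or mis-copied digest is rejected instead of silently ingested.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m is None:
            current = {"path": line}
            records.append(current)
            continue
        if current is None:
            raise ValueError(f"hash line before any path: {line}")
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != HASH_LEN[algo]:
            raise ValueError(f"{algo} digest of wrong length for {current['path']}")
        current[algo] = digest
    return records


def self_copies(records, sample_sha256):
    """Dropped paths whose SHA256 equals the submitted sample (self-replication)."""
    return [r["path"] for r in records if r.get("SHA256") == sample_sha256.lower()]


def rewritten_paths(records):
    """Paths listed more than once, mapped to the number of distinct contents."""
    by_path = defaultdict(list)
    for r in records:
        by_path[r["path"]].append(r.get("SHA256"))
    return {p: len(set(h)) for p, h in by_path.items() if len(h) > 1}


def iocs(records):
    """Deduplicated SHA256 list suitable for a blocklist or hunt query."""
    return sorted({r["SHA256"] for r in records if "SHA256" in r})


if __name__ == "__main__":
    recs = parse_files_block(FILES_BLOCK)
    print("self-copies of the sample:", self_copies(recs, SAMPLE_SHA256))
    print("paths rewritten during detonation:", rewritten_paths(recs))
    print("unique SHA256 IOCs:", len(iocs(recs)))
```

Paths returned by rewritten_paths are the ones to hunt by location and behaviour (the Program Files (x86) and AppData writes) rather than by a single digest; the SHA256 values from iocs are stable indicators for the executables.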