Analysis Overview
SHA256
c850d262eb8ae27093e6bbf4a35b73d8037a4e376ea971ad116037e01f0091a5
Threat Level: Known bad
The file 11d1709b0283773db48c654533d3b83f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UAC bypass
Adds policy Run key to start application
Disables RegEdit via registry modification
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Impair Defenses: Safe Mode Boot
Checks whether UAC is enabled
Looks up external IP address via web service
Adds Run key to start application
Drops autorun.inf file
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
System policy modification
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 11:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 11:20
Reported
2024-06-26 11:23
Platform
win7-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ruwy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eujyuidtfaucbfbeq.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ruwy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lewonecvkifqszyettha.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ruwy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqhywmjbpmistzxcqpc.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yejoaep = "neukhwsjwsnwwbycpn.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ruwy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lewonecvkifqszyettha.exe" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yejoaep = "yqhywmjbpmistzxcqpc.exe" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yejoaep = "aunggyxrhgeqtbbiyzoib.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ruwy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eujyuidtfaucbfbeq.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yejoaep = "aunggyxrhgeqtbbiyzoib.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ruwy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aunggyxrhgeqtbbiyzoib.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yejoaep = "yqhywmjbpmistzxcqpc.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ruwy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqhywmjbpmistzxcqpc.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yejoaep = "eujyuidtfaucbfbeq.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yejoaep = "xmaojwqfqkdkilgi.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yejoaep = "eujyuidtfaucbfbeq.exe" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ruwy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lewonecvkifqszyettha.exe" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yejoaep = "yqhywmjbpmistzxcqpc.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yejoaep = "eujyuidtfaucbfbeq.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ruwy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aunggyxrhgeqtbbiyzoib.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ruwy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xmaojwqfqkdkilgi.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
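The three signatures above (UAC bypass, Disables RegEdit via registry modification, Impair Defenses: Safe Mode Boot) are all plain registry tampering by the two dropped executables. Two caveats for triage: the "UAC bypass" rows are writes to HKLM policy values, which only succeed from an already-elevated process, so they disable UAC rather than bypass it (EnableLUA=0 takes effect at the next reboot), and the SafeBoot deletions stop Windows Defender, the User Profile Service and the Power service from being started in Safe Mode. The script below is an added example, not part of the sandbox report: it takes the logged operations (copied from the tables above, with one duplicate kept to show de-duplication), maps the kernel-style `\REGISTRY\MACHINE` / `\REGISTRY\USER\<SID>` paths onto the hive names reg.exe uses, compares each value against the Windows 7 default (the sandbox platform), and emits the reg.exe command that restores it. The defaults table and the `(Default)="Service"` value assumed for the deleted SafeBoot service entries are assumptions to verify against a clean host of the same build.

```python
"""Triage of the defence-impairing registry writes logged in the behavioral1 run
(UAC policy values, DisableRegistryTools, SafeBoot\Minimal deletions).
Added example, not part of the sandbox report."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Operations copied from the signature tables above: (operation, raw path, value).
# The report repeats identical writes per process; one duplicate is kept here to
# show that triage() collapses it.
OBSERVED: List[Tuple[str, str, Optional[str]]] = [
    ("set", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "0"),
    ("set", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin", "0"),
    ("set", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser", "0"),
    ("set", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop", "0"),
    ("set", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "1"),
    ("set", r"\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", "1"),
    ("delete", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend", None),
    ("delete", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc", None),
    ("delete", r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power", None),
    ("set", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "0"),
]

# Windows 7 defaults (the sandbox platform) for the DWORD values the sample changed.
# Assumed baseline: verify against a clean host of the same build.
EXPECTED = {
    "EnableLUA": 1,
    "ConsentPromptBehaviorAdmin": 5,   # prompt for consent for non-Windows binaries
    "ConsentPromptBehaviorUser": 3,    # prompt for credentials on the secure desktop
    "PromptOnSecureDesktop": 1,
    "DisableRegistryTools": 0,         # absent or 0: regedit.exe allowed
}

_SID_PATH = re.compile(r"^\\REGISTRY\\USER\\(S-1-5-21-[\d-]+)(\\.*)$", re.IGNORECASE)


def normalize_path(raw: str) -> str:
    """Map the kernel-style path the sandbox logs onto the hive names reg.exe uses."""
    m = _SID_PATH.match(raw)
    if m:
        path = "HKU\\" + m.group(1) + m.group(2)
    elif raw.upper().startswith("\\REGISTRY\\MACHINE\\"):
        path = "HKLM\\" + raw[len("\\REGISTRY\\MACHINE\\"):]
    else:
        raise ValueError(f"unexpected hive in {raw!r}")
    # ControlSet001 was the live set in this run; CurrentControlSet is the stable alias.
    path = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", path, flags=re.IGNORECASE)
    # A 32-bit process writing HKLM\SOFTWARE lands under Wow6432Node; drop it so both
    # views compare equal (is_wow64_view() records which one the sample actually hit).
    return path.replace("\\Wow6432Node", "")


def is_wow64_view(raw: str) -> bool:
    return "\\wow6432node\\" in raw.lower()


@dataclass(frozen=True)
class Finding:
    path: str            # normalized key path (value name included for "set")
    operation: str       # "set" or "delete"
    observed: Optional[str]
    expected: str
    remediation: str     # reg.exe command that restores the default


def assess(op: str, raw: str, value: Optional[str]) -> Finding:
    path = normalize_path(raw)
    if op == "set":
        key, _, name = path.rpartition("\\")
        if name not in EXPECTED:
            raise ValueError(f"no baseline for value {name!r}")
        exp = EXPECTED[name]
        # HKU\<SID> is only reachable while that user's hive is loaded.
        fix = f'reg add "{key}" /v {name} /t REG_DWORD /d {exp} /f'
        return Finding(path, op, value, str(exp), fix)
    if op == "delete":
        # SafeBoot\Minimal\<service> keys carry (Default)="Service" (assumed for these
        # three entries); recreating the key lets the service start in Safe Mode again.
        fix = f'reg add "{path}" /ve /t REG_SZ /d Service /f'
        return Finding(path, op, None, "(Default)=Service", fix)
    raise ValueError(f"unknown operation {op!r}")


def triage(observed: List[Tuple[str, str, Optional[str]]]) -> List[Finding]:
    """One Finding per distinct (path, operation); repeated writes are collapsed."""
    seen = set()
    findings: List[Finding] = []
    for op, raw, value in observed:
        f = assess(op, raw, value)
        if (f.path, f.operation) in seen:
            continue
        seen.add((f.path, f.operation))
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(OBSERVED):
        print(f"{f.operation:6} {f.path}")
        print(f"       observed={f.observed!r} expected={f.expected}")
        print(f"       {f.remediation}")
```

The output is a remediation checklist rather than something to run blindly: because the dropped executables re-apply these values while they run, the processes and their Run entries have to be removed first, and EnableLUA only takes effect at the next reboot.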
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqhywmjbpmistzxcqpc.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehku = "lewonecvkifqszyettha.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\emtaouhpt = "xmaojwqfqkdkilgi.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lewonecvkifqszyettha.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "aunggyxrhgeqtbbiyzoib.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehku = "eujyuidtfaucbfbeq.exe" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xgowlsgpui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eujyuidtfaucbfbeq.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lewonecvkifqszyettha.exe" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehku = "lewonecvkifqszyettha.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuagtykr = "aunggyxrhgeqtbbiyzoib.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehku = "xmaojwqfqkdkilgi.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehku = "xmaojwqfqkdkilgi.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eujyuidtfaucbfbeq.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aunggyxrhgeqtbbiyzoib.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sclukshrxma = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lewonecvkifqszyettha.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\emtaouhpt = "neukhwsjwsnwwbycpn.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\emtaouhpt = "yqhywmjbpmistzxcqpc.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sclukshrxma = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xmaojwqfqkdkilgi.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\emtaouhpt = "xmaojwqfqkdkilgi.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqhywmjbpmistzxcqpc.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuagtykr = "lewonecvkifqszyettha.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqhywmjbpmistzxcqpc.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehku = "aunggyxrhgeqtbbiyzoib.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neukhwsjwsnwwbycpn.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sclukshrxma = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neukhwsjwsnwwbycpn.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehku = "eujyuidtfaucbfbeq.exe" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehku = "yqhywmjbpmistzxcqpc.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sclukshrxma = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eujyuidtfaucbfbeq.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neukhwsjwsnwwbycpn.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "eujyuidtfaucbfbeq.exe ." | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "xmaojwqfqkdkilgi.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eujyuidtfaucbfbeq.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "aunggyxrhgeqtbbiyzoib.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xgowlsgpui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xmaojwqfqkdkilgi.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\emtaouhpt = "lewonecvkifqszyettha.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "eujyuidtfaucbfbeq.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehku = "eujyuidtfaucbfbeq.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eujyuidtfaucbfbeq.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "lewonecvkifqszyettha.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xgowlsgpui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqhywmjbpmistzxcqpc.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xgowlsgpui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eujyuidtfaucbfbeq.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuagtykr = "xmaojwqfqkdkilgi.exe" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "lewonecvkifqszyettha.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuagtykr = "yqhywmjbpmistzxcqpc.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "eujyuidtfaucbfbeq.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sclukshrxma = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqhywmjbpmistzxcqpc.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lewonecvkifqszyettha.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xgowlsgpui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neukhwsjwsnwwbycpn.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xgowlsgpui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aunggyxrhgeqtbbiyzoib.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aunggyxrhgeqtbbiyzoib.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eujyuidtfaucbfbeq.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xgowlsgpui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aunggyxrhgeqtbbiyzoib.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\aehku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\neukhwsjwsnwwbycpn.exe" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\emtaouhpt = "lewonecvkifqszyettha.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xgowlsgpui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lewonecvkifqszyettha.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xgowlsgpui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eujyuidtfaucbfbeq.exe ." | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuagtykr = "yqhywmjbpmistzxcqpc.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xgowlsgpui = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xmaojwqfqkdkilgi.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\emtaouhpt = "neukhwsjwsnwwbycpn.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\emtaouhpt = "eujyuidtfaucbfbeq.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm = "neukhwsjwsnwwbycpn.exe ." | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sclukshrxma = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqhywmjbpmistzxcqpc.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuagtykr = "xmaojwqfqkdkilgi.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuagtykr = "neukhwsjwsnwwbycpn.exe" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
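Three details in the autostart tables above (Modifies WinLogon for persistence, Adds policy Run key to start application, Adds Run key to start application) matter for clean-up. First, the Winlogon\Shell value written is "Explorer.exe", the stock default, and it lands under Wow6432Node, the 32-bit view, which the native 64-bit winlogon.exe does not read; the write is logged, but the shell is not hijacked. Second, every RunOnce value carries a trailing " ." argument, so the image name has to be split from the command line before it can be matched against the dropped files. Third, many entries are bare filenames with no path; at logon these are resolved through the search path, and the sample drops same-named copies under the Windows directories (see "Drops file in System32 directory" below), so deleting the Temp copy alone is not enough. The script below is an added example, not part of the sandbox report: it takes a representative subset of the rows above (the report prints values JSON-escaped as "C:\\Users\\..."; plain backslashes are used here), splits image from arguments, classifies each location and view, and lists the distinct dropped binaries the autostart entries point at. The verdict strings are this example's own wording.

```python
"""Triage of the autostart entries the sample wrote (Winlogon\Shell, Run, RunOnce,
Policies\Explorer\Run). Added example, not part of the sandbox report."""
from dataclasses import dataclass
from typing import List, Tuple

# Representative rows copied from the tables above as (raw path, value).
OBSERVED_RUN_ENTRIES: List[Tuple[str, str]] = [
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell", "Explorer.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ruwy", r"C:\Users\Admin\AppData\Local\Temp\eujyuidtfaucbfbeq.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yejoaep", "neukhwsjwsnwwbycpn.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aehku", "lewonecvkifqszyettha.exe"),
    (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm", "aunggyxrhgeqtbbiyzoib.exe ."),
    (r"\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\emtaouhpt", "xmaojwqfqkdkilgi.exe ."),
    (r"\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\nuagtykr", "yqhywmjbpmistzxcqpc.exe"),
    (r"\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lquyjm", r"C:\Users\Admin\AppData\Local\Temp\yqhywmjbpmistzxcqpc.exe ."),
]

_USER_PREFIX = "\\REGISTRY\\USER\\"


def hive_of(raw: str) -> str:
    """'\\REGISTRY\\MACHINE\\...' -> 'HKLM'; '\\REGISTRY\\USER\\<sid>\\...' -> 'HKU\\<sid>'."""
    if raw.upper().startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM"
    if raw.upper().startswith(_USER_PREFIX):
        return "HKU\\" + raw[len(_USER_PREFIX):].split("\\", 1)[0]
    raise ValueError(f"unexpected hive in {raw!r}")


def classify_location(raw: str) -> str:
    low = raw.lower()
    if "\\winlogon\\shell" in low:
        return "Winlogon\\Shell"
    if "\\policies\\explorer\\run\\" in low:
        return "Policies\\Explorer\\Run"
    if "\\currentversion\\runonce\\" in low:
        return "RunOnce"
    if "\\currentversion\\run\\" in low:
        return "Run"
    raise ValueError(f"not an autostart location: {raw!r}")


def parse_run_value(value: str) -> Tuple[str, str]:
    """Split an autostart command line into (image, arguments).

    A quoted image is taken verbatim; otherwise the image is the first token, which
    is how the sample's ' .' dummy argument separates from the filename. Unquoted
    paths containing spaces are ambiguous on Windows too and are not handled here.
    """
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end], value[end + 1:].strip()
    image, _, args = value.partition(" ")
    return image, args.strip()


@dataclass(frozen=True)
class PersistenceEntry:
    hive: str
    wow64_view: bool      # written under Wow6432Node (32-bit registry view)
    location: str
    name: str             # value name
    image: str
    args: str
    absolute: bool        # image given as a drive-letter path
    verdict: str


def assess_entry(raw: str, value: str) -> PersistenceEntry:
    location = classify_location(raw)
    name = raw.rsplit("\\", 1)[1]
    image, args = parse_run_value(value)
    absolute = len(image) > 2 and image[1] == ":" and image[2] == "\\"
    wow64 = "\\wow6432node\\" in raw.lower()
    if location == "Winlogon\\Shell":
        if image.lower() == "explorer.exe" and not args:
            verdict = "default shell value rewritten; no hijack"
        else:
            verdict = "shell replaced; restore to explorer.exe"
        if wow64:
            verdict += " (32-bit view; native winlogon.exe reads the non-Wow6432Node key)"
    elif absolute:
        verdict = "autostart of dropped file; remove value and file"
        if "\\appdata\\local\\temp\\" in image.lower():
            verdict = "runs from user Temp; " + verdict
    else:
        verdict = ("bare filename; resolved through the search path at logon, so locate "
                   "the same-named copies dropped under the Windows directories as well")
    return PersistenceEntry(hive_of(raw), wow64, location, name, image, args, absolute, verdict)


def triage_persistence(entries: List[Tuple[str, str]]) -> List[PersistenceEntry]:
    return [assess_entry(raw, value) for raw, value in entries]


def referenced_images(entries: List[Tuple[str, str]]) -> List[str]:
    """Distinct image basenames the autostart entries point at (default shell excluded)."""
    names = set()
    for e in triage_persistence(entries):
        if e.location == "Winlogon\\Shell" and e.verdict.startswith("default"):
            continue
        names.add(e.image.rsplit("\\", 1)[-1].lower())
    return sorted(names)


if __name__ == "__main__":
    for e in triage_persistence(OBSERVED_RUN_ENTRIES):
        view = "Wow6432Node" if e.wow64_view else "native"
        print(f"{e.hive} {e.location} [{view}] {e.name} -> {e.image} {e.args!r}: {e.verdict}")
    print("dropped binaries referenced:", ", ".join(referenced_images(OBSERVED_RUN_ENTRIES)))
```

The basename list is the pivot for the rest of the clean-up: each name should be searched for under the user's Temp directory and under the Windows directories where the drop tables place copies, and the registry values removed only after the running processes have been stopped, since the two droppers keep rewriting them.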
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\rmgabuupggfswfgofhxsmg.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File created | C:\Windows\SysWOW64\lewonecvkifqszyettha.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aunggyxrhgeqtbbiyzoib.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eujyuidtfaucbfbeq.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File created | C:\Windows\SysWOW64\eujyuidtfaucbfbeq.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File created | C:\Windows\SysWOW64\lewonecvkifqszyettha.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aunggyxrhgeqtbbiyzoib.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lewonecvkifqszyettha.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yqhywmjbpmistzxcqpc.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lewonecvkifqszyettha.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aunggyxrhgeqtbbiyzoib.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xgowlsgpuivwolawbrvemujqensgtumj.uzp | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Windows\SysWOW64\yqhywmjbpmistzxcqpc.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Windows\SysWOW64\xmaojwqfqkdkilgi.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File created | C:\Windows\SysWOW64\yqhywmjbpmistzxcqpc.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rmgabuupggfswfgofhxsmg.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Windows\SysWOW64\eujyuidtfaucbfbeq.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Windows\SysWOW64\aunggyxrhgeqtbbiyzoib.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Windows\SysWOW64\caxuyuxvpsukrdhsmrkif.gcf | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\neukhwsjwsnwwbycpn.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Windows\SysWOW64\lewonecvkifqszyettha.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rmgabuupggfswfgofhxsmg.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File created | C:\Windows\SysWOW64\neukhwsjwsnwwbycpn.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xmaojwqfqkdkilgi.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Windows\SysWOW64\rmgabuupggfswfgofhxsmg.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rmgabuupggfswfgofhxsmg.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Windows\SysWOW64\yqhywmjbpmistzxcqpc.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lewonecvkifqszyettha.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File created | C:\Windows\SysWOW64\xmaojwqfqkdkilgi.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eujyuidtfaucbfbeq.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\neukhwsjwsnwwbycpn.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\caxuyuxvpsukrdhsmrkif.gcf | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xmaojwqfqkdkilgi.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\neukhwsjwsnwwbycpn.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\neukhwsjwsnwwbycpn.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eujyuidtfaucbfbeq.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lewonecvkifqszyettha.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Windows\SysWOW64\aunggyxrhgeqtbbiyzoib.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eujyuidtfaucbfbeq.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File created | C:\Windows\SysWOW64\neukhwsjwsnwwbycpn.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File created | C:\Windows\SysWOW64\rmgabuupggfswfgofhxsmg.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Windows\SysWOW64\neukhwsjwsnwwbycpn.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Windows\SysWOW64\xgowlsgpuivwolawbrvemujqensgtumj.uzp | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Windows\SysWOW64\eujyuidtfaucbfbeq.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Windows\SysWOW64\aunggyxrhgeqtbbiyzoib.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rmgabuupggfswfgofhxsmg.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File created | C:\Windows\SysWOW64\eujyuidtfaucbfbeq.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File created | C:\Windows\SysWOW64\xmaojwqfqkdkilgi.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File created | C:\Windows\SysWOW64\rmgabuupggfswfgofhxsmg.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yqhywmjbpmistzxcqpc.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Windows\SysWOW64\aunggyxrhgeqtbbiyzoib.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File created | C:\Windows\SysWOW64\yqhywmjbpmistzxcqpc.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File created | C:\Windows\SysWOW64\neukhwsjwsnwwbycpn.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File created | C:\Windows\SysWOW64\lewonecvkifqszyettha.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xmaojwqfqkdkilgi.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Windows\SysWOW64\xmaojwqfqkdkilgi.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aunggyxrhgeqtbbiyzoib.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xmaojwqfqkdkilgi.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yqhywmjbpmistzxcqpc.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yqhywmjbpmistzxcqpc.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\caxuyuxvpsukrdhsmrkif.gcf | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Program Files (x86)\caxuyuxvpsukrdhsmrkif.gcf | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Program Files (x86)\xgowlsgpuivwolawbrvemujqensgtumj.uzp | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Program Files (x86)\xgowlsgpuivwolawbrvemujqensgtumj.uzp | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\yqhywmjbpmistzxcqpc.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\neukhwsjwsnwwbycpn.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Windows\xgowlsgpuivwolawbrvemujqensgtumj.uzp | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\xmaojwqfqkdkilgi.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File created | C:\Windows\yqhywmjbpmistzxcqpc.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\yqhywmjbpmistzxcqpc.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\aunggyxrhgeqtbbiyzoib.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Windows\caxuyuxvpsukrdhsmrkif.gcf | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\lewonecvkifqszyettha.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\rmgabuupggfswfgofhxsmg.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\yqhywmjbpmistzxcqpc.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File created | C:\Windows\neukhwsjwsnwwbycpn.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\lewonecvkifqszyettha.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\eujyuidtfaucbfbeq.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\lewonecvkifqszyettha.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\rmgabuupggfswfgofhxsmg.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\caxuyuxvpsukrdhsmrkif.gcf | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\rmgabuupggfswfgofhxsmg.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\xgowlsgpuivwolawbrvemujqensgtumj.uzp | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Windows\eujyuidtfaucbfbeq.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\lewonecvkifqszyettha.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File created | C:\Windows\lewonecvkifqszyettha.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File created | C:\Windows\aunggyxrhgeqtbbiyzoib.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\eujyuidtfaucbfbeq.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\aunggyxrhgeqtbbiyzoib.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\neukhwsjwsnwwbycpn.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\eujyuidtfaucbfbeq.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\aunggyxrhgeqtbbiyzoib.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\xmaojwqfqkdkilgi.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\neukhwsjwsnwwbycpn.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\neukhwsjwsnwwbycpn.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\eujyuidtfaucbfbeq.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File created | C:\Windows\xmaojwqfqkdkilgi.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File created | C:\Windows\rmgabuupggfswfgofhxsmg.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\xmaojwqfqkdkilgi.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\yqhywmjbpmistzxcqpc.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\aunggyxrhgeqtbbiyzoib.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\rmgabuupggfswfgofhxsmg.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\xmaojwqfqkdkilgi.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
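Read per path rather than per row, the three "Drops file" tables above show a simpler pattern: every basename is written to more than one system directory (C:\Windows\SysWOW64 and C:\Windows for the executables, plus C:\Program Files (x86) for the .gcf and .uzp files), and most of the executables are written by both droppers, uwpndagxegz.exe and aehku.exe. The script below is an added example, not the sandbox's own code: it collapses rows in this table format into a per-basename view and emits the full path list an analyst would sweep for on other hosts. The rows in it are a constructed excerpt of the tables above.

```python
"""Collapse the "Drops file in ..." tables into a per-basename view.

Added example for this report, not the sandbox's own code. The rows below
are a constructed excerpt of the tables above."""
import re
from collections import defaultdict
from typing import NamedTuple


class Drop(NamedTuple):
    dirs: set     # directories the basename was written to
    writers: set  # basenames of the processes that wrote it
    ops: set      # "File created" / "File opened for modification"


# Table columns: | Description | Indicator | Process | Target |
ROW_RE = re.compile(r"^\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|")


def drop_map(rows: str) -> dict[str, Drop]:
    """Group every file row by the dropped file's basename."""
    out: dict[str, Drop] = defaultdict(lambda: Drop(set(), set(), set()))
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or not m[1].startswith("File"):
            continue  # header line or a non-file signature row
        op, path, writer = m.groups()
        directory, _, base = path.rpartition("\\")
        d = out[base]
        d.dirs.add(directory)
        d.writers.add(writer.rpartition("\\")[2])
        d.ops.add(op)
    return dict(out)


def multi_location(dm: dict[str, Drop]) -> dict[str, list[str]]:
    """Basenames dropped into more than one directory (redundant copies)."""
    return {b: sorted(d.dirs) for b, d in dm.items() if len(d.dirs) > 1}


def sweep_paths(dm: dict[str, Drop]) -> list[str]:
    """Every full path observed, for hunting the same drop set on other hosts."""
    return sorted(f"{directory}\\{b}" for b, d in dm.items() for directory in d.dirs)


# Constructed excerpt of the report's "Drops file" tables.
DROP_ROWS = r"""
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\yqhywmjbpmistzxcqpc.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Windows\SysWOW64\xmaojwqfqkdkilgi.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xmaojwqfqkdkilgi.exe | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Windows\SysWOW64\caxuyuxvpsukrdhsmrkif.gcf | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Program Files (x86)\caxuyuxvpsukrdhsmrkif.gcf | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File created | C:\Windows\yqhywmjbpmistzxcqpc.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File created | C:\Windows\caxuyuxvpsukrdhsmrkif.gcf | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| File opened for modification | C:\Windows\xmaojwqfqkdkilgi.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| File created | C:\Windows\xmaojwqfqkdkilgi.exe | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
"""

if __name__ == "__main__":
    dm = drop_map(DROP_ROWS)
    for base, d in dm.items():
        print(f"{base}: dirs={sorted(d.dirs)} writers={sorted(d.writers)} ops={sorted(d.ops)}")
    print("multi-location:", multi_location(dm))
    print("sweep list:", sweep_paths(dm))
```

The sweep list is deliberately built from directory plus basename rather than from the raw Indicator column, so the same rows collapse even when the report repeats an event several times.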
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
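The policy writes above are easier to judge against the value each one replaces: EnableLUA, ConsentPromptBehaviorAdmin/User, PromptOnSecureDesktop, EnableInstallerDetection, EnableSecureUIAPaths and EnableVirtualization are lowered from their defaults, DisableRegistryTools is raised, ValidateAdminCodeSignatures and FilterAdministratorToken are written with a value that is already the default, and NoDriveTypeAutoRun is a bitmask rather than a flag. The script below is an added example, not the sandbox's or the sample's code. It parses rows in this table's format and compares every "Set value" write with assumed Windows 7/10 client defaults (the DEFAULTS table and the 0x91 AutoRun mask are assumptions, not values taken from this report); it also handles the Winlogon Shell rows of the behavioral2 run, whose "Explorer.exe" write equals the default shell. The sample rows are a constructed excerpt of this report.

```python
"""Audit the "Set value" rows of a sandbox registry table against the
defaults the written data replaces.

Added example written for this report; it is not the sandbox's own code.
DEFAULTS and AUTORUN_DEFAULT are assumed Windows 7/10 client defaults, and
SAMPLE is a constructed excerpt of the tables on this page."""
import re
from typing import NamedTuple


class Finding(NamedTuple):
    name: str      # value name, e.g. EnableLUA
    observed: str  # data the sample wrote
    verdict: str   # effect relative to the default
    process: str   # writer, as shown in the Process column


# Table columns: | Description | Indicator | Process | Target |
ROW_RE = re.compile(r"^\|\s*(?P<op>[^|]*?)\s*\|\s*(?P<ind>[^|]*?)\s*\|\s*(?P<proc>[^|]*?)\s*\|")
# Indicator form: \REGISTRY\MACHINE\...\Policies\System\EnableLUA = "0"
IND_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\=]+?)\s*=\s*"(?P<value>[^"]*)"$')

# name -> (assumed default, meaning of a value that differs from it).
# Values whose default is already 0 are listed so a write of "0" is
# reported as a no-op instead of a weakening.
DEFAULTS = {
    "EnableLUA":                   (1, "UAC switched off (effective after reboot)"),
    "ConsentPromptBehaviorAdmin":  (5, "administrators elevate with no prompt"),
    "ConsentPromptBehaviorUser":   (3, "standard-user elevation silently denied"),
    "PromptOnSecureDesktop":       (1, "UAC prompt moved off the secure desktop"),
    "EnableInstallerDetection":    (1, "installers no longer trigger elevation"),
    "EnableSecureUIAPaths":        (1, "UIAccess programs allowed from any path"),
    "EnableVirtualization":        (1, "file/registry virtualisation disabled"),
    "ValidateAdminCodeSignatures": (0, "non-default; hardens rather than weakens"),
    "FilterAdministratorToken":    (0, "non-default; hardens rather than weakens"),
    "DisableRegistryTools":        (0, "regedit blocked for every user"),
}
# NoDriveTypeAutoRun is a bitmask of drive types on which AutoRun is
# suppressed (assumed default 0x91); clearing a bit re-enables AutoRun there.
AUTORUN_DEFAULT = 0x91
DRIVE_BITS = {0x01: "unknown", 0x02: "no root dir", 0x04: "removable",
              0x08: "fixed", 0x10: "network", 0x20: "CD-ROM",
              0x40: "RAM disk", 0x80: "unlisted types"}


def _verdict(name: str, value: str) -> str:
    if name.lower() == "shell":
        if value.lower() == "explorer.exe":
            return "rewritten with the default shell; no functional change"
        return f"logon shell replaced by {value}"
    if name == "NoDriveTypeAutoRun":
        cleared = AUTORUN_DEFAULT & ~int(value, 0)
        kinds = [label for bit, label in DRIVE_BITS.items() if cleared & bit]
        return ("AutoRun re-enabled for: " + ", ".join(kinds)) if kinds else "AutoRun mask not weakened"
    if name not in DEFAULTS:
        return "not in baseline; review manually"
    default, effect = DEFAULTS[name]
    if int(value, 0) == default:
        return "equals the default; no effective change"
    return effect


def audit(rows: str) -> list[Finding]:
    """One Finding per distinct (value, data, writer), in first-seen order."""
    seen: dict[tuple, Finding] = {}
    for line in rows.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or not m["op"].startswith("Set value"):
            continue  # "Key created" rows carry no data to judge
        ind = IND_RE.match(m["ind"])
        if not ind:
            continue
        verdict = _verdict(ind["name"], ind["value"])
        if "\\appdata\\local\\temp\\" in m["proc"].lower():
            verdict += " [writer runs from %TEMP%]"
        key = (ind["name"], ind["value"], m["proc"])
        seen.setdefault(key, Finding(ind["name"], ind["value"], verdict, m["proc"]))
    return list(seen.values())


# Constructed excerpt: policy rows from behavioral1, one Winlogon row from behavioral2.
SAMPLE = r"""
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\aehku.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
"""

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.name:28} = {f.observed:<14} {f.verdict}   <- {f.process}")
```

The no-op cases matter for triage: a write that leaves a value unchanged has no effect on the host, but a process running from %TEMP% touching HKLM policy keys at all is still a strong signal, which is why the writer location is reported on every finding rather than only on the weakening ones.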
Processes
C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe
"C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe" "c:\users\admin\appdata\local\temp\11d1709b0283773db48c654533d3b83f_jaffacakes118.exe*"
C:\Users\Admin\AppData\Local\Temp\aehku.exe
"C:\Users\Admin\AppData\Local\Temp\aehku.exe" "-c:\users\admin\appdata\local\temp\11d1709b0283773db48c654533d3b83f_jaffacakes118.exe"
C:\Users\Admin\AppData\Local\Temp\aehku.exe
"C:\Users\Admin\AppData\Local\Temp\aehku.exe" "-c:\users\admin\appdata\local\temp\11d1709b0283773db48c654533d3b83f_jaffacakes118.exe"
C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe
"C:\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe" "c:\users\admin\appdata\local\temp\11d1709b0283773db48c654533d3b83f_jaffacakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| BY | 178.124.8.134:29951 | | tcp |
| US | 8.8.8.8:53 | mymqeo.info | udp |
| US | 8.8.8.8:53 | tfomvifox.cc | udp |
| US | 8.8.8.8:53 | korzjmnansnan.cc | udp |
| US | 8.8.8.8:53 | isuslk.biz | udp |
| BY | 178.124.8.134:29951 | | tcp |
| US | 8.8.8.8:53 | qakayaiq.biz | udp |
| US | 8.8.8.8:53 | dlradsn.org | udp |
| US | 162.249.65.162:80 | dlradsn.org | tcp |
| US | 8.8.8.8:53 | zipagcn.cc | udp |
| US | 8.8.8.8:53 | eyusaaiugkeq.biz | udp |
| US | 8.8.8.8:53 | gcikqkuiwcymao.info | udp |
| US | 8.8.8.8:53 | mstgnqfqbex.org | udp |
| US | 8.8.8.8:53 | ggblkkdsholapet.org | udp |
| US | 8.8.8.8:53 | ckopbcuiwcymao.net | udp |
| US | 8.8.8.8:53 | ymazfyeoya.info | udp |
| US | 8.8.8.8:53 | kckspkdsholapet.com | udp |
| US | 8.8.8.8:53 | fajgnsn.com | udp |
| US | 8.8.8.8:53 | umqrio.biz | udp |
| US | 8.8.8.8:53 | eueymsuiwcymao.info | udp |
| US | 8.8.8.8:53 | deagvafox.org | udp |
| US | 8.8.8.8:53 | vfrvvcn.org | udp |
| US | 8.8.8.8:53 | ygsink.info | udp |
| US | 8.8.8.8:53 | agadss.biz | udp |
| US | 8.8.8.8:53 | ivqvrodsholapet.com | udp |
| US | 8.8.8.8:53 | ynrvwgfqbex.org | udp |
| US | 8.8.8.8:53 | ciuzwaiq.net | udp |
| US | 8.8.8.8:53 | uioezo.biz | udp |
| US | 8.8.8.8:53 | ohwiomnansnan.org | udp |
| US | 8.8.8.8:53 | ayhwaufqbex.org | udp |
| US | 8.8.8.8:53 | qgasocuiwcymao.info | udp |
| US | 8.8.8.8:53 | isspqkuiwcymao.biz | udp |
| US | 8.8.8.8:53 | iiuhlwnansnan.cc | udp |
| US | 8.8.8.8:53 | rxfmdwfox.org | udp |
| US | 8.8.8.8:53 | esowayeoya.biz | udp |
| US | 8.8.8.8:53 | swatnk.biz | udp |
| US | 8.8.8.8:53 | czyhvkdsholapet.org | udp |
| US | 8.8.8.8:53 | wofrnanansnan.com | udp |
| US | 8.8.8.8:53 | wwwkqwiugkeq.info | udp |
| US | 8.8.8.8:53 | yokivaiq.info | udp |
| US | 8.8.8.8:53 | lksrusfox.org | udp |
| US | 8.8.8.8:53 | kufamkdsholapet.cc | udp |
| US | 8.8.8.8:53 | wskoageoya.net | udp |
| US | 8.8.8.8:53 | ykkges.info | udp |
| US | 8.8.8.8:53 | ubcmvadsholapet.org | udp |
| US | 8.8.8.8:53 | nbjmgafox.org | udp |
| US | 8.8.8.8:53 | ccquxqeoya.net | udp |
| US | 8.8.8.8:53 | gisahqeoya.info | udp |
| US | 8.8.8.8:53 | xsymfsfox.cc | udp |
| US | 8.8.8.8:53 | synfeanansnan.com | udp |
| US | 8.8.8.8:53 | ocusqyeoya.biz | udp |
| US | 8.8.8.8:53 | sguxwcuiwcymao.biz | udp |
| US | 8.8.8.8:53 | dnfjlkn.com | udp |
| US | 8.8.8.8:53 | dthuzifox.cc | udp |
| US | 8.8.8.8:53 | qmgwwmiq.biz | udp |
| US | 8.8.8.8:53 | qikukwiq.net | udp |
| US | 8.8.8.8:53 | joqanifox.cc | udp |
| US | 8.8.8.8:53 | mmxsxqfqbex.cc | udp |
| US | 8.8.8.8:53 | ooqyhwiq.info | udp |
| US | 8.8.8.8:53 | iekazkuiwcymao.info | udp |
| US | 8.8.8.8:53 | bpyxjwfox.org | udp |
| US | 8.8.8.8:53 | umdhukdsholapet.cc | udp |
| US | 8.8.8.8:53 | uukgzaiq.biz | udp |
| US | 8.8.8.8:53 | uqcwwkuiwcymao.net | udp |
| US | 8.8.8.8:53 | zeponcn.com | udp |
| US | 8.8.8.8:53 | iyhyfqfqbex.org | udp |
| US | 8.8.8.8:53 | kmonya.net | udp |
| US | 8.8.8.8:53 | wymwsguiwcymao.net | udp |
| US | 8.8.8.8:53 | oagirkdsholapet.com | udp |
| US | 8.8.8.8:53 | lvlobkn.com | udp |
| US | 8.8.8.8:53 | ugsymeiq.net | udp |
| US | 8.8.8.8:53 | mmmiiueoya.info | udp |
| US | 8.8.8.8:53 | fckafafox.org | udp |
| US | 8.8.8.8:53 | ppdyrwfox.cc | udp |
| US | 8.8.8.8:53 | qcgqsgeoya.biz | udp |
| US | 8.8.8.8:53 | cemisaiugkeq.net | udp |
| US | 8.8.8.8:53 | bncurifox.org | udp |
| US | 8.8.8.8:53 | gcrivwnansnan.com | udp |
| US | 8.8.8.8:53 | oisqasiugkeq.info | udp |
| US | 8.8.8.8:53 | maqjaqeoya.biz | udp |
| US | 8.8.8.8:53 | qkobvsdsholapet.com | udp |
| US | 8.8.8.8:53 | cfjmjadsholapet.com | udp |
| US | 8.8.8.8:53 | cogbysiugkeq.biz | udp |
| US | 8.8.8.8:53 | sucksk.net | udp |
| US | 8.8.8.8:53 | llichwfox.org | udp |
| US | 8.8.8.8:53 | corjkwnansnan.org | udp |
| US | 8.8.8.8:53 | qmqeymiq.info | udp |
| US | 8.8.8.8:53 | wymjkaiugkeq.info | udp |
| US | 8.8.8.8:53 | ynqtvwnansnan.com | udp |
| US | 8.8.8.8:53 | vkjrosfox.com | udp |
| US | 8.8.8.8:53 | mawrpcuiwcymao.net | udp |
| US | 8.8.8.8:53 | aoooma.biz | udp |
| US | 8.8.8.8:53 | brtyzcn.org | udp |
| US | 8.8.8.8:53 | dbnyiafox.com | udp |
| US | 8.8.8.8:53 | yyiosk.net | udp |
| US | 8.8.8.8:53 | ciabcgeoya.info | udp |
| US | 8.8.8.8:53 | apmejodsholapet.com | udp |
| US | 8.8.8.8:53 | yxvccgfqbex.org | udp |
| US | 8.8.8.8:53 | qaeqiueoya.biz | udp |
| US | 8.8.8.8:53 | cwgsacuiwcymao.biz | udp |
| US | 8.8.8.8:53 | gxaztwnansnan.org | udp |
| US | 8.8.8.8:53 | qwlghodsholapet.org | udp |
| US | 8.8.8.8:53 | syemxyeoya.net | udp |
| US | 8.8.8.8:53 | ejzyxufqbex.org | udp |
| US | 8.8.8.8:53 | xedzmcn.cc | udp |
| US | 8.8.8.8:53 | ooeufo.net | udp |
| US | 8.8.8.8:53 | suipigeoya.biz | udp |
| US | 8.8.8.8:53 | cxmdqkdsholapet.com | udp |
| US | 8.8.8.8:53 | srpymufqbex.cc | udp |
| US | 8.8.8.8:53 | qsaovsiugkeq.info | udp |
| US | 8.8.8.8:53 | wgaokiiugkeq.info | udp |
| US | 8.8.8.8:53 | owdorufqbex.org | udp |
| US | 8.8.8.8:53 | uvpkrodsholapet.org | udp |
| US | 8.8.8.8:53 | aquaisiugkeq.net | udp |
| US | 8.8.8.8:53 | giqjsguiwcymao.info | udp |
| US | 8.8.8.8:53 | rlhytcn.cc | udp |
| US | 8.8.8.8:53 | zajmwsn.org | udp |
| US | 8.8.8.8:53 | acqghgeoya.biz | udp |
| US | 8.8.8.8:53 | uqwuck.biz | udp |
| US | 8.8.8.8:53 | sqjuvqfqbex.com | udp |
| US | 8.8.8.8:53 | owzezqfqbex.com | udp |
| US | 8.8.8.8:53 | waioxcuiwcymao.net | udp |
| US | 8.8.8.8:53 | meskia.biz | udp |
| US | 8.8.8.8:53 | alwkvwnansnan.com | udp |
| US | 8.8.8.8:53 | ekfqhkdsholapet.com | udp |
| US | 8.8.8.8:53 | gyejqguiwcymao.biz | udp |
| US | 8.8.8.8:53 | wyywyqeoya.net | udp |
| US | 8.8.8.8:53 | rdrwlkn.cc | udp |
| US | 8.8.8.8:53 | vybkxifox.org | udp |
| US | 8.8.8.8:53 | igsvswiugkeq.info | udp |
| US | 8.8.8.8:53 | scssga.info | udp |
| US | 8.8.8.8:53 | qukgqmnansnan.org | udp |
| US | 8.8.8.8:53 | wfxqsmnansnan.com | udp |
| US | 8.8.8.8:53 | uyieteiq.net | udp |
| US | 8.8.8.8:53 | mseoyk.net | udp |
| US | 8.8.8.8:53 | loiqlafox.org | udp |
| US | 8.8.8.8:53 | ipbgfufqbex.cc | udp |
| US | 8.8.8.8:53 | mymqnwiq.net | udp |
| US | 8.8.8.8:53 | iaoano.biz | udp |
| US | 8.8.8.8:53 | xfjijgn.org | udp |
| US | 8.8.8.8:53 | vspfdafox.com | udp |
| US | 8.8.8.8:53 | kwuqhk.info | udp |
| US | 8.8.8.8:53 | wssizueoya.net | udp |
| US | 8.8.8.8:53 | spmjewnansnan.cc | udp |
| US | 8.8.8.8:53 | pulwlifox.com | udp |
| US | 8.8.8.8:53 | emicys.biz | udp |
| US | 8.8.8.8:53 | mmwikwiq.net | udp |
| US | 8.8.8.8:53 | ioqmfsdsholapet.cc | udp |
| US | 8.8.8.8:53 | sbdwpenansnan.com | udp |
| US | 8.8.8.8:53 | yokaos.info | udp |
| US | 8.8.8.8:53 | osobjiiugkeq.info | udp |
| US | 8.8.8.8:53 | chjjgqfqbex.com | udp |
| US | 8.8.8.8:53 | wuhthanansnan.cc | udp |
| US | 8.8.8.8:53 | kckzkueoya.net | udp |
| US | 8.8.8.8:53 | aeeeuaiq.info | udp |
| US | 8.8.8.8:53 | epeeuanansnan.cc | udp |
| US | 8.8.8.8:53 | emdctqfqbex.org | udp |
| US | 8.8.8.8:53 | eywsgo.info | udp |
| US | 8.8.8.8:53 | acwdqkuiwcymao.net | udp |
| US | 8.8.8.8:53 | mhdevufqbex.com | udp |
| US | 8.8.8.8:53 | divsdkn.org | udp |
| US | 8.8.8.8:53 | cmeigsuiwcymao.biz | udp |
| US | 8.8.8.8:53 | yaabuueoya.net | udp |
| US | 8.8.8.8:53 | ldjpbcn.org | udp |
| US | 8.8.8.8:53 | gnnpbqfqbex.cc | udp |
| US | 8.8.8.8:53 | qseecaiugkeq.info | udp |
| US | 8.8.8.8:53 | iuqxtyeoya.info | udp |
| US | 8.8.8.8:53 | fxguasfox.cc | udp |
| US | 8.8.8.8:53 | wkrzlgfqbex.org | udp |
| US | 8.8.8.8:53 | mmqtqwiugkeq.net | udp |
| US | 8.8.8.8:53 | wmkdhs.net | udp |
| US | 8.8.8.8:53 | vahpqcn.com | udp |
| US | 8.8.8.8:53 | uurmdyfqbex.org | udp |
| US | 8.8.8.8:53 | kccamwiq.net | udp |
| US | 8.8.8.8:53 | sqigrmiq.net | udp |
| US | 8.8.8.8:53 | ypkibmnansnan.org | udp |
| US | 8.8.8.8:53 | uxbibodsholapet.com | udp |
| US | 8.8.8.8:53 | emgwmsiugkeq.info | udp |
| US | 8.8.8.8:53 | ackbia.biz | udp |
| US | 8.8.8.8:53 | lwohpwfox.cc | udp |
| US | 8.8.8.8:53 | krjgewnansnan.cc | udp |
| US | 8.8.8.8:53 | wsocyguiwcymao.info | udp |
| US | 8.8.8.8:53 | qyesak.net | udp |
| US | 8.8.8.8:53 | qgryvufqbex.org | udp |
| US | 8.8.8.8:53 | krxihodsholapet.org | udp |
| US | 8.8.8.8:53 | coegcguiwcymao.info | udp |
| US | 8.8.8.8:53 | qsoiia.net | udp |
| US | 8.8.8.8:53 | qlnxyqfqbex.org | udp |
| US | 8.8.8.8:53 | mrtmzufqbex.com | udp |
| US | 8.8.8.8:53 | sgiwpk.info | udp |
| US | 8.8.8.8:53 | igoebaiq.biz | udp |
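Most of the network table is DNS. After the public "what is my IP" lookups and a direct TCP connection to 178.124.8.134:29951 with no preceding name lookup, the sample queries a long list of names that share a handful of trailing tokens (fox, eoya, fqbex, dsholapet, nansnan, uiwcymao, iugkeq and others) in front of a small set of TLDs, and only dlradsn.org is followed by a TCP connection. The report records queries but no DNS answers, so the script below, an added example and not the sandbox's own tooling, treats "looked up but never connected to" as the closest available proxy for NXDOMAIN and clusters the queried names by the longest trailing token that several of them share. The "myip" substring test for IP-lookup services is a heuristic, and the rows are a constructed excerpt of the table above.

```python
"""Separate IP-discovery traffic, direct-to-IP connections and DGA-style
lookups in a sandbox network table.

Added example for this report, not the sandbox's own code. The rows in
NETWORK_SAMPLE are a constructed excerpt of the table above."""
import re
from collections import Counter, defaultdict
from typing import NamedTuple


class Flow(NamedTuple):
    country: str
    ip: str
    port: int
    domain: str  # empty for direct-to-IP connections
    proto: str


# Table columns: | Country | Destination | Domain | Proto |
ROW_RE = re.compile(r"^\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|$")


def parse(table: str) -> list[Flow]:
    flows = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m[1] == "Country":
            continue  # blank or header line
        country, dest, domain, proto = m.groups()
        ip, _, port = dest.rpartition(":")
        flows.append(Flow(country, ip, int(port), domain.lower(), proto.lower()))
    return flows


def summarize(flows: list[Flow]) -> dict:
    looked_up = {f.domain for f in flows if f.proto == "udp" and f.port == 53 and f.domain}
    connected = {f.domain for f in flows if f.proto == "tcp" and f.domain}
    return {
        "looked_up": sorted(looked_up),
        "connected": sorted(connected),
        # no DNS answers in the report: "queried, never connected to" stands in for NXDOMAIN
        "unanswered": sorted(looked_up - connected),
        # heuristic: public "what is my IP" services used for external IP discovery
        "ip_services": sorted(d for d in looked_up if "myip" in d),
        "direct_ip": sorted({f"{f.ip}:{f.port}" for f in flows if f.proto == "tcp" and not f.domain}),
    }


def generator_tokens(domains, min_len: int = 3, min_count: int = 3) -> dict[str, list[str]]:
    """Group domains by the longest trailing token of their second-level
    label that at least `min_count` of them share (the DGA's fixed suffixes)."""
    sld = {d: d.split(".")[-2] for d in domains if d.count(".") >= 1}
    counts = Counter(s[-n:] for s in sld.values() for n in range(min_len, len(s) + 1))
    clusters: dict[str, list[str]] = defaultdict(list)
    for d, s in sld.items():
        shared = [s[-n:] for n in range(min_len, len(s) + 1) if counts[s[-n:]] >= min_count]
        if shared:
            clusters[max(shared, key=len)].append(d)
    return {tok: sorted(ds) for tok, ds in clusters.items()}


NETWORK_SAMPLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| BY | 178.124.8.134:29951 | | tcp |
| US | 8.8.8.8:53 | mymqeo.info | udp |
| US | 8.8.8.8:53 | tfomvifox.cc | udp |
| US | 8.8.8.8:53 | korzjmnansnan.cc | udp |
| US | 8.8.8.8:53 | dlradsn.org | udp |
| US | 162.249.65.162:80 | dlradsn.org | tcp |
| US | 8.8.8.8:53 | deagvafox.org | udp |
| US | 8.8.8.8:53 | rxfmdwfox.org | udp |
| US | 8.8.8.8:53 | ggblkkdsholapet.org | udp |
| US | 8.8.8.8:53 | kckspkdsholapet.com | udp |
| US | 8.8.8.8:53 | ivqvrodsholapet.com | udp |
| US | 8.8.8.8:53 | mstgnqfqbex.org | udp |
| US | 8.8.8.8:53 | ynrvwgfqbex.org | udp |
| US | 8.8.8.8:53 | ayhwaufqbex.org | udp |
| US | 8.8.8.8:53 | ohwiomnansnan.org | udp |
| US | 8.8.8.8:53 | iiuhlwnansnan.cc | udp |
"""

if __name__ == "__main__":
    s = summarize(parse(NETWORK_SAMPLE))
    for k, v in s.items():
        print(f"{k:12} ({len(v)}): {v}")
    print("suffix clusters:", generator_tokens(s["looked_up"]))
```

On the full table the lookup-to-connection ratio is far more lopsided than in this excerpt, which is the signal a DNS-based detection would key on; the suffix clusters are what an analyst would feed into a regex for the DGA family rather than blocking individual names.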
Files
\Users\Admin\AppData\Local\Temp\uwpndagxegz.exe
| MD5 | b58393335b3621bfb1fc631823248577 |
| SHA1 | 315ffce8bae73f153679650cb580659cae1df77a |
| SHA256 | 6ea5753634bcae5b7fb519f8556eb8d09b0a7b547e3b0214e7141ce8e92302d9 |
| SHA512 | 456450a5dceb3f1cdbafb7d5f65766b1c5c0a3de04abaa2601b178b330dcfb217c4f362285055a5bb1daa88fa0dbdfb7810b05d073cc04ea540f7a4b5b9dc053 |
C:\Windows\SysWOW64\neukhwsjwsnwwbycpn.exe
| MD5 | 11d1709b0283773db48c654533d3b83f |
| SHA1 | e82a0b7eaa8355619813ccd6f39b6d7d3258bf14 |
| SHA256 | c850d262eb8ae27093e6bbf4a35b73d8037a4e376ea971ad116037e01f0091a5 |
| SHA512 | ad946f0b6116965014f1cfd1278da83b81cce06a71d1ac4b567de6dc45b406705167eaba28537b52480bce63f247b55dd4cac9aa3fde8bd4ec11bd6558497a6a |
\Users\Admin\AppData\Local\Temp\aehku.exe
| MD5 | 3c21dc0dc2a49945388cb3c340526bb9 |
| SHA1 | 21618db58f0615b6c0001d1302bf6dd5d5ffd823 |
| SHA256 | 612b3a368c3635c833e79d8aac85f33b65fc94b96289fa1644ac2460f0378e0a |
| SHA512 | 42530cb90fc7605eac7174d1cfc390dc42def64836dd22bc911548ea1406c01157a52db9a9761ed5512ea88575f4f2d1beae8e35b14e3b83b4881e27b34f1a9e |
C:\Windows\yqhywmjbpmistzxcqpc.exe
| MD5 | 86e39488c87185d1ef8afdae0abbc2a7 |
| SHA1 | d0eaded33111411f378134f2edb615cac1690843 |
| SHA256 | 85f778cd925e2ac0ed00f7cf7483d5690a57e4fde8d4bd5b0c0ae230a4dd3140 |
| SHA512 | 4c921cb7e5f159d1d198f8e043cbd85c107d0450c5d76e1cec18ff9ca407f68fd8e57a0f4404a193a0dce6da542fc66b889e2cf8f1865d5c30324bb5449adff6 |
C:\Users\Admin\AppData\Local\caxuyuxvpsukrdhsmrkif.gcf
| MD5 | 4a670038a2be33b0a1134f2bf5057ae6 |
| SHA1 | 63a8f168ad6e240141719bf64a8319c93b49fbcd |
| SHA256 | 738624b4cb1542f29cb2a72a31e855ac327c8f07bb719c70f98942e7da0bce04 |
| SHA512 | 375bf118d84d3a90ad06104e1a691c6ffb4f3a7b43cf589462c18a3dedf40563252bcf3f8b56d936cd4c2a5235fc1062b1318a21783a19763ecf810ffa64fba5 |
C:\Users\Admin\AppData\Local\xgowlsgpuivwolawbrvemujqensgtumj.uzp
| MD5 | 56a31c852bf304d34a0fddcee46f998c |
| SHA1 | d4a328436d386e5fbfca17cee41e871e377f79fc |
| SHA256 | 1d918a675bc7e7c905a60afc75980dfc92743a17f5a95e21880263e6ce4f6641 |
| SHA512 | 2abb334f3289787c610929421ccd684ac90ae5c203768f363ee8433e09adecd614f4f20e3c9932fc22d7aa6cb3fdf6b80a0dbf363a405208e9ed9c757ce7bd81 |
C:\Program Files (x86)\caxuyuxvpsukrdhsmrkif.gcf
| MD5 | e1913aa49844ff74bdd2edeae8741d62 |
| SHA1 | e7735eea9d710dd4343f6769a0436605e417ef7d |
| SHA256 | 4a01a21a2192c1084e69bca3f68ca1c4960588a1b26e67f4a53f05b2b658620a |
| SHA512 | 31856ab4cd4c3864be377fc92ab524c7a04c58ed1e185429a564fa1839775c2020974a0114a73087288a529421517544edd21d386156a792738d042aeab512ca |
C:\Users\Admin\AppData\Local\caxuyuxvpsukrdhsmrkif.gcf
| MD5 | d5fde4b4c804c855e06ef643d2edb098 |
| SHA1 | 868e4654439cdc47803903beb5c7d81419efc3a1 |
| SHA256 | a84f87e887290c3ee5830b36a5e290c0c6724748d89d4e21c9aadabc4c59a3b0 |
| SHA512 | 0f660c3f2a58c41bd39fe870cab9fb53b120c821176eca64229923b3f5f5e0d31a8e66a4add8243a3a607236140aa3e786cf9cf8c9323162c3bf57b6081f3518 |
C:\nuagtykr.bat
| MD5 | ce045705a75776a37cf4ce3ec5be9cf1 |
| SHA1 | c56d58094c583ec7280cad0d3d19e7d059f35a6c |
| SHA256 | 56032b76eeee6ace3221d07afbb9a1ff750bc04fb393ca3d9e1230d2578009a4 |
| SHA512 | a4e427bdeb6ad5b2baf79c9cef0e24c39d1ea35ef53ec9721cc988929e4c814ee5682c2eafccb4fe5de7d4e421cf4254c14bbad6f00ff5c6a9fce1ffbf33ec68 |
C:\Program Files (x86)\caxuyuxvpsukrdhsmrkif.gcf
| MD5 | fae42abc9acb11e95ef227ba7b766fb7 |
| SHA1 | 8866a7a7995d0a7ce9f1e60e336adc37ec5bad38 |
| SHA256 | f4fc7568fd6bf9ae0ac97c39d4889e9395c34fce0cf38c178d15ea7bef88ccc2 |
| SHA512 | 4579bca07aec143c97baa7b29a2917ead43557d83e4e7e4f15a5c50f22e1f4b4db6888d1b44c17ed39d16342171f8217d958bb9e712a4286a889e1a69a67d4e0 |
C:\Users\Admin\AppData\Local\caxuyuxvpsukrdhsmrkif.gcf
| MD5 | 61a49d2de8ce02ba971996f5263e5944 |
| SHA1 | 75c9516e4681975a869fade5a2f6d8f23eba5936 |
| SHA256 | 724d2bb195a1e0f28c48d32e7cbad980b27b45daa45b1d598b5a37e894357a69 |
| SHA512 | 2ba5d30033d21aff8312abfbd27f8d93d2c35dfcb171e0ef12cadd8cd24ffa19cee937e98d57aa3bcd0377f2182286aeead350aff2db6e029e7e811a26790883 |
C:\Users\Admin\AppData\Local\caxuyuxvpsukrdhsmrkif.gcf
| MD5 | 19af597d0cd56156e9bd5670cba83842 |
| SHA1 | abc9da8a33963a7416bf3e2599ebc32b6376555f |
| SHA256 | 5e34b8bdf8692e4f2644cf3941de7bad3888dddd26759187472af0a9af950723 |
| SHA512 | 2b4913793508081990994444012c6362f119c21241c2b7588e11ec58466c216886ff16107d8d1abf2c936ac28124a1d17e60c3b67c22dcb906b9d1d875ce82d6 |
C:\Users\Admin\AppData\Local\caxuyuxvpsukrdhsmrkif.gcf
| MD5 | 448873b33ba488b4449bd551f2d9527c |
| SHA1 | 27db055620268adda1bcfca70a621bb183da26e7 |
| SHA256 | 1ed6faa18354da638f1c810a33fc33037f52b7de84307926ce2f39e022b36e46 |
| SHA512 | 89203a255d49a9ff7c7505cc8d3421c7a190bb07d9fdc40fad242a1e2ed34b64bf856c8f34903a66e646b2eba82ac71f37b4e7bb0862a4b4e804d9dd8bf041ea |
C:\Users\Admin\AppData\Local\caxuyuxvpsukrdhsmrkif.gcf
| MD5 | edef2caeda916b6f6d82639cf03a384a |
| SHA1 | 1ba3d00549ccb1f43ef2be501d7b06e0015ae977 |
| SHA256 | ffe26fdf224af293f61de2b93fc7dcba975b1b46d3f4415e63e432291e186847 |
| SHA512 | d6c0c0e5b304b879e7f1cef7ec2d4c0b242f3463a7e03900abd14c78af8c587bd0333d7116910c103f3331be5ba89b2dcc97822898a3725b092006911e895ce2 |
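The listing above records `C:\Users\Admin\AppData\Local\caxuyuxvpsukrdhsmrkif.gcf` several times, each time with a different MD5/SHA1/SHA256/SHA512 set: the sample keeps rewriting that file with new content, so any one of those digests identifies a single run rather than the file, and a hash blocklist built from it will never match the next victim. The example below is added here and is not part of the sandbox output. It parses a dropped-file listing in this report's format (a bare path line followed by `| MD5 | ... |` rows), checks each digest for the expected length and hex alphabet, and splits the result into hashes that are stable per path and paths that should be matched by name or location instead. The first five file blocks in the sample are copied from the rows above; the sixth block, `C:\constructed\truncated.bin` with the digest `deadbeef`, is constructed only to show the validator rejecting a malformed hash. The function names are this example's own.

```python
"""Parse a dropped-file listing in this report's format, validate the digests,
and separate stable file-hash indicators from paths whose content changes
between writes. Added example, not sandbox output."""
import re
from collections import defaultdict

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([^|]*?)\s*\|$")

# Five blocks copied from the listing above; the last block is constructed
# (a made-up path with a deliberately truncated SHA256) to exercise validate().
SAMPLE_LISTING = r"""
C:\Users\Admin\AppData\Local\caxuyuxvpsukrdhsmrkif.gcf
| MD5 | d5fde4b4c804c855e06ef643d2edb098 |
| SHA1 | 868e4654439cdc47803903beb5c7d81419efc3a1 |
| SHA256 | a84f87e887290c3ee5830b36a5e290c0c6724748d89d4e21c9aadabc4c59a3b0 |
| SHA512 | 0f660c3f2a58c41bd39fe870cab9fb53b120c821176eca64229923b3f5f5e0d31a8e66a4add8243a3a607236140aa3e786cf9cf8c9323162c3bf57b6081f3518 |
C:\nuagtykr.bat
| MD5 | ce045705a75776a37cf4ce3ec5be9cf1 |
| SHA1 | c56d58094c583ec7280cad0d3d19e7d059f35a6c |
| SHA256 | 56032b76eeee6ace3221d07afbb9a1ff750bc04fb393ca3d9e1230d2578009a4 |
| SHA512 | a4e427bdeb6ad5b2baf79c9cef0e24c39d1ea35ef53ec9721cc988929e4c814ee5682c2eafccb4fe5de7d4e421cf4254c14bbad6f00ff5c6a9fce1ffbf33ec68 |
C:\Program Files (x86)\caxuyuxvpsukrdhsmrkif.gcf
| MD5 | fae42abc9acb11e95ef227ba7b766fb7 |
| SHA1 | 8866a7a7995d0a7ce9f1e60e336adc37ec5bad38 |
| SHA256 | f4fc7568fd6bf9ae0ac97c39d4889e9395c34fce0cf38c178d15ea7bef88ccc2 |
| SHA512 | 4579bca07aec143c97baa7b29a2917ead43557d83e4e7e4f15a5c50f22e1f4b4db6888d1b44c17ed39d16342171f8217d958bb9e712a4286a889e1a69a67d4e0 |
C:\Users\Admin\AppData\Local\caxuyuxvpsukrdhsmrkif.gcf
| MD5 | 61a49d2de8ce02ba971996f5263e5944 |
| SHA1 | 75c9516e4681975a869fade5a2f6d8f23eba5936 |
| SHA256 | 724d2bb195a1e0f28c48d32e7cbad980b27b45daa45b1d598b5a37e894357a69 |
| SHA512 | 2ba5d30033d21aff8312abfbd27f8d93d2c35dfcb171e0ef12cadd8cd24ffa19cee937e98d57aa3bcd0377f2182286aeead350aff2db6e029e7e811a26790883 |
C:\Users\Admin\AppData\Local\caxuyuxvpsukrdhsmrkif.gcf
| MD5 | 19af597d0cd56156e9bd5670cba83842 |
| SHA1 | abc9da8a33963a7416bf3e2599ebc32b6376555f |
| SHA256 | 5e34b8bdf8692e4f2644cf3941de7bad3888dddd26759187472af0a9af950723 |
| SHA512 | 2b4913793508081990994444012c6362f119c21241c2b7588e11ec58466c216886ff16107d8d1abf2c936ac28124a1d17e60c3b67c22dcb906b9d1d875ce82d6 |
C:\constructed\truncated.bin
| SHA256 | deadbeef |
"""


def parse_listing(text):
    """One dict per file block: {'path': ..., 'MD5': ..., 'SHA1': ..., ...}."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2).lower()
        elif not line.startswith("|"):          # a bare path starts a new block
            current = {"path": line}
            entries.append(current)
    return entries


def validate(entry):
    """Digest fields that are missing, the wrong length, or not lowercase hex."""
    problems = []
    for algo, length in DIGEST_LEN.items():
        digest = entry.get(algo, "")
        if len(digest) != length or not re.fullmatch(r"[0-9a-f]+", digest):
            problems.append(f"{entry['path']}: bad {algo} ({len(digest)} hex chars, want {length})")
    return problems


def hashes_by_path(entries, algo="SHA256"):
    """Distinct digests seen per path, ignoring entries that fail validation."""
    seen = defaultdict(set)
    for e in entries:
        if not validate(e):
            seen[e["path"]].add(e[algo])
    return dict(seen)


def choose_indicators(entries, algo="SHA256"):
    """Return (stable: path -> its single digest, unstable: path -> distinct digest count)."""
    by_path = hashes_by_path(entries, algo)
    stable = {p: next(iter(h)) for p, h in by_path.items() if len(h) == 1}
    unstable = {p: len(h) for p, h in by_path.items() if len(h) > 1}
    return stable, unstable


if __name__ == "__main__":
    entries = parse_listing(SAMPLE_LISTING)
    for e in entries:
        for problem in validate(e):
            print("REJECT", problem)
    stable, unstable = choose_indicators(entries)
    for path, digest in stable.items():
        print("hash IOC", digest, path)
    for path, n in unstable.items():
        print("name IOC", f"{n} different hashes seen, match on path:", path)
```

A path that turns up with one digest in a single run is still only provisionally stable; the check above tells you which hashes are certainly useless, not which are certainly good.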
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 11:20
Reported
2024-06-26 11:23
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "extkeavnzmsquwhtcvric.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ehnos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhaofyqfoybwxwentj.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "phcslgarcotqtuepxpka.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "ctncuohxhswsuudnulf.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "ctncuohxhswsuudnulf.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ehnos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhaofyqfoybwxwentj.exe" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ehnos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctncuohxhswsuudnulf.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ehnos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctncuohxhswsuudnulf.exe" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ehnos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctncuohxhswsuudnulf.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ehnos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixpcskbpxgiccahpu.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "phcslgarcotqtuepxpka.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ehnos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpgshyobiqrkjgmt.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ehnos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phcslgarcotqtuepxpka.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "ixpcskbpxgiccahpu.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ehnos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhaofyqfoybwxwentj.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "bpgshyobiqrkjgmt.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ehnos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phcslgarcotqtuepxpka.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "rhaofyqfoybwxwentj.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "extkeavnzmsquwhtcvric.exe" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "ixpcskbpxgiccahpu.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ehnos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\extkeavnzmsquwhtcvric.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "rhaofyqfoybwxwentj.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "bpgshyobiqrkjgmt.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "extkeavnzmsquwhtcvric.exe" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdqyjwiruyvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctncuohxhswsuudnulf.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "ixpcskbpxgiccahpu.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phcslgarcotqtuepxpka.exe ." | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjuajuelmo = "phcslgarcotqtuepxpka.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfryiufnpso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phcslgarcotqtuepxpka.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdqyjwiruyvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\extkeavnzmsquwhtcvric.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpgshyobiqrkjgmt.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjuajuelmo = "phcslgarcotqtuepxpka.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdqyjwiruyvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpgshyobiqrkjgmt.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptacho = "phcslgarcotqtuepxpka.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdqyjwiruyvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phcslgarcotqtuepxpka.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "bpgshyobiqrkjgmt.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipzemwfll = "ctncuohxhswsuudnulf.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "extkeavnzmsquwhtcvric.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfryiufnpso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixpcskbpxgiccahpu.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfryiufnpso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhaofyqfoybwxwentj.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipzemwfll = "rhaofyqfoybwxwentj.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptacho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phcslgarcotqtuepxpka.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipzemwfll = "extkeavnzmsquwhtcvric.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfryiufnpso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhaofyqfoybwxwentj.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjuajuelmo = "extkeavnzmsquwhtcvric.exe ." | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhaofyqfoybwxwentj.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdqyjwiruyvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhaofyqfoybwxwentj.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptacho = "phcslgarcotqtuepxpka.exe" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfryiufnpso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\extkeavnzmsquwhtcvric.exe ." | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "phcslgarcotqtuepxpka.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjuajuelmo = "extkeavnzmsquwhtcvric.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipzemwfll = "ctncuohxhswsuudnulf.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfryiufnpso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctncuohxhswsuudnulf.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdqyjwiruyvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phcslgarcotqtuepxpka.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptacho = "rhaofyqfoybwxwentj.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdqyjwiruyvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhaofyqfoybwxwentj.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipzemwfll = "phcslgarcotqtuepxpka.exe" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptacho = "phcslgarcotqtuepxpka.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptacho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctncuohxhswsuudnulf.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjuajuelmo = "bpgshyobiqrkjgmt.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptacho = "ixpcskbpxgiccahpu.exe" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptacho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\extkeavnzmsquwhtcvric.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjuajuelmo = "ctncuohxhswsuudnulf.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdqyjwiruyvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctncuohxhswsuudnulf.exe" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptacho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctncuohxhswsuudnulf.exe" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptacho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phcslgarcotqtuepxpka.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipzemwfll = "ixpcskbpxgiccahpu.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipzemwfll = "phcslgarcotqtuepxpka.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptacho = "bpgshyobiqrkjgmt.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\tdqyjwiruyvk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\extkeavnzmsquwhtcvric.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipzemwfll = "ctncuohxhswsuudnulf.exe" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\extkeavnzmsquwhtcvric.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptacho = "rhaofyqfoybwxwentj.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipzemwfll = "extkeavnzmsquwhtcvric.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "ctncuohxhswsuudnulf.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\bjuajuelmo = "rhaofyqfoybwxwentj.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipzemwfll = "bpgshyobiqrkjgmt.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ptacho = "ixpcskbpxgiccahpu.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rhaofyqfoybwxwentj.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptacho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpgshyobiqrkjgmt.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfryiufnpso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ixpcskbpxgiccahpu.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpgshyobiqrkjgmt.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfryiufnpso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bpgshyobiqrkjgmt.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ptacho = "C:\\Users\\Admin\\AppData\\Local\\Temp\\extkeavnzmsquwhtcvric.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "extkeavnzmsquwhtcvric.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfryiufnpso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctncuohxhswsuudnulf.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\chpsygn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctncuohxhswsuudnulf.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfryiufnpso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ctncuohxhswsuudnulf.exe ." | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
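Two things about the registry tables above are worth checking rather than reading off the signature names. First, every "Modifies WinLogon for persistence" row writes the default value `Explorer.exe`, and because the writer is a 32-bit process the write landed under `WOW6432Node`; the 64-bit winlogon.exe reads the native `Winlogon` key, so those rows do not by themselves change the logon shell. The `Policies\System` and `Policies\Explorer\Run` rows, by contrast, carry no `WOW6432Node` component, so the UAC values, `DisableRegistryTools` and the policy Run entries took effect as recorded. Second, the Run, RunOnce and policy Run values name executables (`ctncuohxhswsuudnulf.exe`, `extkeavnzmsquwhtcvric.exe`, `phcslgarcotqtuepxpka.exe` and so on) that also appear in the "Drops file in System32 directory" table, which is the join an analyst actually needs. The example below is added here and is not part of the sandbox output: it parses rows in this report's `| action | indicator | process | target |` layout, buckets them into the behaviours the tables above name (UAC weakening, UAC check, RegEdit disabled, Winlogon Shell, policy Run, Run/RunOnce, SafeBoot key deletion), flags the Winlogon caveat, and maps each autostart target to the dropped file of the same name. The sample rows are a subset copied from the behavioral2 tables; the bucket names and function names are this example's own.

```python
"""Classify sandbox registry and file events in this report's row format and
map each autostart entry to the dropped file it points at. Added example; the
rows below are a constructed subset copied from the behavioral2 tables."""
import re
from collections import defaultdict

SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\rxgkrain = "extkeavnzmsquwhtcvric.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfryiufnpso = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phcslgarcotqtuepxpka.exe ." | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ipzemwfll = "ctncuohxhswsuudnulf.exe" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File created | C:\Windows\SysWOW64\ctncuohxhswsuudnulf.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File created | C:\Windows\SysWOW64\extkeavnzmsquwhtcvric.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File created | C:\Windows\SysWOW64\phcslgarcotqtuepxpka.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
"""

ROW_RE = re.compile(r"^\|\s*(?P<action>[^|]+?)\s*\|\s*(?P<indicator>[^|]+?)\s*\|\s*(?P<process>[^|]+?)\s*\|")
IND_RE = re.compile(r'^(?P<path>.*?)(?: = "(?P<value>.*)")?$')
UAC_VALUES = {"EnableLUA", "ConsentPromptBehaviorAdmin",
              "ConsentPromptBehaviorUser", "PromptOnSecureDesktop"}


def parse_rows(text):
    """Turn report rows into event dicts; skips blank lines and the header row."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m["action"] == "Description":
            continue
        ind = IND_RE.match(m["indicator"])
        value = ind["value"]
        if value is not None:
            # the report doubles backslashes inside quoted values and appends " ."
            value = re.sub(r"\s+\.$", "", value.replace("\\\\", "\\"))
        events.append({"action": m["action"], "path": ind["path"], "value": value,
                       "process": m["process"],
                       "wow64": "\\wow6432node\\" in ind["path"].lower()})
    return events


def classify(events):
    """Bucket events into the behaviours the report's signature tables describe."""
    hits = defaultdict(list)
    for ev in events:
        a, p, v = ev["action"], ev["path"], ev["value"]
        name = p.rsplit("\\", 1)[-1]
        is_set = a.startswith("Set value")
        if "\\Policies\\System\\" in p and name in UAC_VALUES:
            if is_set and v == "0":
                hits["uac_weakened"].append(ev)        # "UAC bypass" rows
            elif a == "Key value queried":
                hits["uac_queried"].append(ev)         # "Checks whether UAC is enabled"
        elif name == "DisableRegistryTools" and is_set and v == "1":
            hits["regedit_disabled"].append(ev)
        elif is_set and p.endswith("\\Winlogon\\Shell"):
            hits["winlogon_shell"].append(ev)
        elif is_set and "\\Policies\\Explorer\\Run\\" in p:
            hits["policy_run"].append(ev)
        elif is_set and re.search(r"\\CurrentVersion\\Run(Once)?\\", p):
            hits["run_key"].append(ev)
        elif a == "Key deleted" and "\\Control\\SafeBoot\\" in p:
            hits["safeboot_key_deleted"].append(ev)
    return dict(hits)


def shell_write_is_effective(ev):
    """A Winlogon\\Shell write only changes the logon shell if it reaches the
    native (non-WOW6432Node) key and sets something other than the default."""
    return not ev["wow64"] and (ev["value"] or "").lower() != "explorer.exe"


def autostart_targets(hits):
    """Executable basenames referenced by Run, RunOnce and policy Run values."""
    return {ev["value"].rsplit("\\", 1)[-1].lower()
            for key in ("policy_run", "run_key") for ev in hits.get(key, [])}


def dropped_files(events):
    return {ev["path"] for ev in events if ev["action"] == "File created"}


def resolve_targets(hits, dropped):
    """Map each autostart target to the dropped files that share its basename."""
    by_name = defaultdict(list)
    for p in dropped:
        by_name[p.rsplit("\\", 1)[-1].lower()].append(p)
    return {t: sorted(by_name.get(t, [])) for t in autostart_targets(hits)}


if __name__ == "__main__":
    events = parse_rows(SAMPLE_ROWS)
    hits = classify(events)
    for bucket, evs in hits.items():
        print(f"{bucket:22s} {len(evs)} event(s)")
    for ev in hits.get("winlogon_shell", []):
        print("Winlogon\\Shell effective:", shell_write_is_effective(ev), "value:", ev["value"])
    for target, paths in resolve_targets(hits, dropped_files(events)).items():
        print("autostart ->", target, "dropped at", paths or "(not in this subset)")
```

Run against the full tables rather than this subset, `resolve_targets` also surfaces Run values that name a bare file (`phcslgarcotqtuepxpka.exe` with no directory), which is resolved at logon from the working directory or PATH rather than from a fixed path, so the corresponding SysWOW64 copy is the one to remove.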
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\phcslgarcotqtuepxpka.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File created | C:\Windows\SysWOW64\vpmezwslymtsxamzjdasnk.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bjuajuelmojwpgghfnyenyipqsnatkkl.rci | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bpgshyobiqrkjgmt.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File created | C:\Windows\SysWOW64\vpmezwslymtsxamzjdasnk.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bpgshyobiqrkjgmt.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File created | C:\Windows\SysWOW64\ctncuohxhswsuudnulf.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vpmezwslymtsxamzjdasnk.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File created | C:\Windows\SysWOW64\ctncuohxhswsuudnulf.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File created | C:\Windows\SysWOW64\extkeavnzmsquwhtcvric.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File created | C:\Windows\SysWOW64\vpmezwslymtsxamzjdasnk.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ixpcskbpxgiccahpu.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\extkeavnzmsquwhtcvric.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File created | C:\Windows\SysWOW64\bpgshyobiqrkjgmt.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ctncuohxhswsuudnulf.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\extkeavnzmsquwhtcvric.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rhaofyqfoybwxwentj.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ctncuohxhswsuudnulf.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File created | C:\Windows\SysWOW64\ctncuohxhswsuudnulf.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File created | C:\Windows\SysWOW64\bpgshyobiqrkjgmt.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\extkeavnzmsquwhtcvric.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File created | C:\Windows\SysWOW64\gddywwvrhyiksyndqnnig.fbr | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File created | C:\Windows\SysWOW64\ixpcskbpxgiccahpu.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bpgshyobiqrkjgmt.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vpmezwslymtsxamzjdasnk.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File created | C:\Windows\SysWOW64\phcslgarcotqtuepxpka.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File created | C:\Windows\SysWOW64\extkeavnzmsquwhtcvric.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ixpcskbpxgiccahpu.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File created | C:\Windows\SysWOW64\rhaofyqfoybwxwentj.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vpmezwslymtsxamzjdasnk.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vpmezwslymtsxamzjdasnk.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\phcslgarcotqtuepxpka.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File created | C:\Windows\SysWOW64\extkeavnzmsquwhtcvric.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ctncuohxhswsuudnulf.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File created | C:\Windows\SysWOW64\phcslgarcotqtuepxpka.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File created | C:\Windows\SysWOW64\extkeavnzmsquwhtcvric.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gddywwvrhyiksyndqnnig.fbr | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bpgshyobiqrkjgmt.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File created | C:\Windows\SysWOW64\bpgshyobiqrkjgmt.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File created | C:\Windows\SysWOW64\phcslgarcotqtuepxpka.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\phcslgarcotqtuepxpka.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File created | C:\Windows\SysWOW64\ixpcskbpxgiccahpu.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File created | C:\Windows\SysWOW64\rhaofyqfoybwxwentj.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File created | C:\Windows\SysWOW64\vpmezwslymtsxamzjdasnk.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rhaofyqfoybwxwentj.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File created | C:\Windows\SysWOW64\ctncuohxhswsuudnulf.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File created | C:\Windows\SysWOW64\bpgshyobiqrkjgmt.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rhaofyqfoybwxwentj.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rhaofyqfoybwxwentj.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File created | C:\Windows\SysWOW64\bjuajuelmojwpgghfnyenyipqsnatkkl.rci | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File created | C:\Windows\SysWOW64\ixpcskbpxgiccahpu.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File created | C:\Windows\SysWOW64\phcslgarcotqtuepxpka.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ixpcskbpxgiccahpu.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\extkeavnzmsquwhtcvric.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ixpcskbpxgiccahpu.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File created | C:\Windows\SysWOW64\ixpcskbpxgiccahpu.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\phcslgarcotqtuepxpka.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ctncuohxhswsuudnulf.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File created | C:\Windows\SysWOW64\rhaofyqfoybwxwentj.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File created | C:\Windows\SysWOW64\rhaofyqfoybwxwentj.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\bjuajuelmojwpgghfnyenyipqsnatkkl.rci | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File created | C:\Program Files (x86)\bjuajuelmojwpgghfnyenyipqsnatkkl.rci | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Program Files (x86)\gddywwvrhyiksyndqnnig.fbr | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File created | C:\Program Files (x86)\gddywwvrhyiksyndqnnig.fbr | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rhaofyqfoybwxwentj.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File created | C:\Windows\ctncuohxhswsuudnulf.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\ctncuohxhswsuudnulf.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File created | C:\Windows\gddywwvrhyiksyndqnnig.fbr | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\vpmezwslymtsxamzjdasnk.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File created | C:\Windows\vpmezwslymtsxamzjdasnk.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\extkeavnzmsquwhtcvric.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\bpgshyobiqrkjgmt.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\bjuajuelmojwpgghfnyenyipqsnatkkl.rci | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\rhaofyqfoybwxwentj.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\phcslgarcotqtuepxpka.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\ixpcskbpxgiccahpu.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\ctncuohxhswsuudnulf.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\phcslgarcotqtuepxpka.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\ctncuohxhswsuudnulf.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\bpgshyobiqrkjgmt.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\vpmezwslymtsxamzjdasnk.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\rhaofyqfoybwxwentj.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\vpmezwslymtsxamzjdasnk.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\gddywwvrhyiksyndqnnig.fbr | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\extkeavnzmsquwhtcvric.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File created | C:\Windows\bpgshyobiqrkjgmt.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File created | C:\Windows\phcslgarcotqtuepxpka.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\extkeavnzmsquwhtcvric.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File created | C:\Windows\extkeavnzmsquwhtcvric.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\rhaofyqfoybwxwentj.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\bpgshyobiqrkjgmt.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\bpgshyobiqrkjgmt.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\ixpcskbpxgiccahpu.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\rhaofyqfoybwxwentj.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\vpmezwslymtsxamzjdasnk.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File created | C:\Windows\ixpcskbpxgiccahpu.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\phcslgarcotqtuepxpka.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\ixpcskbpxgiccahpu.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\ctncuohxhswsuudnulf.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\phcslgarcotqtuepxpka.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File opened for modification | C:\Windows\ixpcskbpxgiccahpu.exe | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| File opened for modification | C:\Windows\extkeavnzmsquwhtcvric.exe | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| File created | C:\Windows\bjuajuelmojwpgghfnyenyipqsnatkkl.rci | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\ptacho.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\11d1709b0283773db48c654533d3b83f_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe
"C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe" "c:\users\admin\appdata\local\temp\11d1709b0283773db48c654533d3b83f_jaffacakes118.exe*"
C:\Users\Admin\AppData\Local\Temp\ptacho.exe
"C:\Users\Admin\AppData\Local\Temp\ptacho.exe" "-c:\users\admin\appdata\local\temp\11d1709b0283773db48c654533d3b83f_jaffacakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ptacho.exe
"C:\Users\Admin\AppData\Local\Temp\ptacho.exe" "-c:\users\admin\appdata\local\temp\11d1709b0283773db48c654533d3b83f_jaffacakes118.exe"
C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe
"C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe" "c:\users\admin\appdata\local\temp\11d1709b0283773db48c654533d3b83f_jaffacakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | 175.155.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | 92.207.27.104.in-addr.arpa | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | 79.222.19.104.in-addr.arpa | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 142.250.187.238:80 | www.youtube.com | tcp |
| BY | 178.124.8.134:29951 | | tcp |
| US | 8.8.8.8:53 | mymqeo.info | udp |
| US | 8.8.8.8:53 | tfomvifox.cc | udp |
| US | 8.8.8.8:53 | korzjmnansnan.cc | udp |
| US | 8.8.8.8:53 | isuslk.biz | udp |
| US | 8.8.8.8:53 | qakayaiq.biz | udp |
| US | 8.8.8.8:53 | dlradsn.org | udp |
| US | 162.249.65.162:80 | dlradsn.org | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | zipagcn.cc | udp |
| US | 8.8.8.8:53 | eyusaaiugkeq.biz | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gcikqkuiwcymao.info | udp |
| US | 8.8.8.8:53 | mstgnqfqbex.org | udp |
| US | 8.8.8.8:53 | ggblkkdsholapet.org | udp |
| US | 8.8.8.8:53 | ckopbcuiwcymao.net | udp |
| US | 8.8.8.8:53 | ymazfyeoya.info | udp |
| US | 8.8.8.8:53 | kckspkdsholapet.com | udp |
| US | 8.8.8.8:53 | fajgnsn.com | udp |
| US | 8.8.8.8:53 | umqrio.biz | udp |
| US | 8.8.8.8:53 | eueymsuiwcymao.info | udp |
| US | 8.8.8.8:53 | deagvafox.org | udp |
| US | 8.8.8.8:53 | vfrvvcn.org | udp |
| US | 8.8.8.8:53 | ygsink.info | udp |
| US | 8.8.8.8:53 | agadss.biz | udp |
| US | 8.8.8.8:53 | ivqvrodsholapet.com | udp |
| US | 8.8.8.8:53 | ynrvwgfqbex.org | udp |
| US | 8.8.8.8:53 | ciuzwaiq.net | udp |
| US | 8.8.8.8:53 | uioezo.biz | udp |
| US | 8.8.8.8:53 | ohwiomnansnan.org | udp |
| US | 8.8.8.8:53 | ayhwaufqbex.org | udp |
| US | 8.8.8.8:53 | qgasocuiwcymao.info | udp |
| US | 8.8.8.8:53 | isspqkuiwcymao.biz | udp |
| US | 8.8.8.8:53 | iiuhlwnansnan.cc | udp |
| US | 8.8.8.8:53 | rxfmdwfox.org | udp |
| US | 8.8.8.8:53 | esowayeoya.biz | udp |
| US | 8.8.8.8:53 | swatnk.biz | udp |
| US | 8.8.8.8:53 | czyhvkdsholapet.org | udp |
| US | 8.8.8.8:53 | wofrnanansnan.com | udp |
| US | 8.8.8.8:53 | wwwkqwiugkeq.info | udp |
| US | 8.8.8.8:53 | yokivaiq.info | udp |
| BY | 178.124.8.134:29951 | | tcp |
| US | 8.8.8.8:53 | lksrusfox.org | udp |
| US | 8.8.8.8:53 | kufamkdsholapet.cc | udp |
| US | 8.8.8.8:53 | wskoageoya.net | udp |
| US | 8.8.8.8:53 | ykkges.info | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ubcmvadsholapet.org | udp |
| US | 8.8.8.8:53 | nbjmgafox.org | udp |
| US | 8.8.8.8:53 | ccquxqeoya.net | udp |
| US | 8.8.8.8:53 | gisahqeoya.info | udp |
| US | 8.8.8.8:53 | xsymfsfox.cc | udp |
| US | 8.8.8.8:53 | synfeanansnan.com | udp |
| US | 8.8.8.8:53 | ocusqyeoya.biz | udp |
| US | 8.8.8.8:53 | dthuzifox.cc | udp |
| US | 8.8.8.8:53 | qmgwwmiq.biz | udp |
| US | 8.8.8.8:53 | qikukwiq.net | udp |
| US | 8.8.8.8:53 | joqanifox.cc | udp |
| US | 8.8.8.8:53 | mmxsxqfqbex.cc | udp |
| US | 8.8.8.8:53 | ooqyhwiq.info | udp |
| US | 8.8.8.8:53 | iekazkuiwcymao.info | udp |
| US | 8.8.8.8:53 | bpyxjwfox.org | udp |
| US | 8.8.8.8:53 | umdhukdsholapet.cc | udp |
| US | 8.8.8.8:53 | uukgzaiq.biz | udp |
| US | 8.8.8.8:53 | uqcwwkuiwcymao.net | udp |
| US | 8.8.8.8:53 | zeponcn.com | udp |
| US | 8.8.8.8:53 | iyhyfqfqbex.org | udp |
| US | 8.8.8.8:53 | kmonya.net | udp |
| US | 8.8.8.8:53 | wymwsguiwcymao.net | udp |
| US | 8.8.8.8:53 | oagirkdsholapet.com | udp |
| US | 8.8.8.8:53 | lvlobkn.com | udp |
| US | 8.8.8.8:53 | ugsymeiq.net | udp |
| US | 8.8.8.8:53 | mmmiiueoya.info | udp |
| US | 8.8.8.8:53 | fckafafox.org | udp |
| US | 8.8.8.8:53 | ppdyrwfox.cc | udp |
| US | 8.8.8.8:53 | qcgqsgeoya.biz | udp |
| US | 8.8.8.8:53 | cemisaiugkeq.net | udp |
| US | 8.8.8.8:53 | bncurifox.org | udp |
| US | 8.8.8.8:53 | gcrivwnansnan.com | udp |
| US | 8.8.8.8:53 | oisqasiugkeq.info | udp |
| US | 8.8.8.8:53 | maqjaqeoya.biz | udp |
| US | 8.8.8.8:53 | qkobvsdsholapet.com | udp |
| US | 8.8.8.8:53 | cfjmjadsholapet.com | udp |
| US | 8.8.8.8:53 | cogbysiugkeq.biz | udp |
| US | 8.8.8.8:53 | sucksk.net | udp |
| US | 8.8.8.8:53 | llichwfox.org | udp |
| US | 8.8.8.8:53 | corjkwnansnan.org | udp |
| US | 8.8.8.8:53 | qmqeymiq.info | udp |
| US | 8.8.8.8:53 | wymjkaiugkeq.info | udp |
| US | 8.8.8.8:53 | ynqtvwnansnan.com | udp |
| US | 8.8.8.8:53 | vkjrosfox.com | udp |
| US | 8.8.8.8:53 | mawrpcuiwcymao.net | udp |
| US | 8.8.8.8:53 | aoooma.biz | udp |
| US | 8.8.8.8:53 | brtyzcn.org | udp |
| US | 8.8.8.8:53 | dbnyiafox.com | udp |
| US | 8.8.8.8:53 | yyiosk.net | udp |
| US | 8.8.8.8:53 | ciabcgeoya.info | udp |
| US | 8.8.8.8:53 | apmejodsholapet.com | udp |
| US | 8.8.8.8:53 | yxvccgfqbex.org | udp |
| US | 8.8.8.8:53 | qaeqiueoya.biz | udp |
| US | 8.8.8.8:53 | cwgsacuiwcymao.biz | udp |
| US | 8.8.8.8:53 | gxaztwnansnan.org | udp |
| US | 8.8.8.8:53 | qwlghodsholapet.org | udp |
| US | 8.8.8.8:53 | syemxyeoya.net | udp |
| US | 8.8.8.8:53 | aqoxoeiq.net | udp |
| US | 8.8.8.8:53 | ejzyxufqbex.org | udp |
| US | 8.8.8.8:53 | xedzmcn.cc | udp |
| US | 8.8.8.8:53 | ooeufo.net | udp |
| US | 8.8.8.8:53 | suipigeoya.biz | udp |
| US | 8.8.8.8:53 | cxmdqkdsholapet.com | udp |
| US | 8.8.8.8:53 | srpymufqbex.cc | udp |
| US | 8.8.8.8:53 | qsaovsiugkeq.info | udp |
| US | 8.8.8.8:53 | wgaokiiugkeq.info | udp |
| US | 8.8.8.8:53 | owdorufqbex.org | udp |
| US | 8.8.8.8:53 | uvpkrodsholapet.org | udp |
| US | 8.8.8.8:53 | aquaisiugkeq.net | udp |
| US | 8.8.8.8:53 | giqjsguiwcymao.info | udp |
| US | 8.8.8.8:53 | rlhytcn.cc | udp |
| US | 8.8.8.8:53 | zajmwsn.org | udp |
| US | 8.8.8.8:53 | acqghgeoya.biz | udp |
| US | 8.8.8.8:53 | uqwuck.biz | udp |
| US | 8.8.8.8:53 | sqjuvqfqbex.com | udp |
| US | 8.8.8.8:53 | owzezqfqbex.com | udp |
| US | 8.8.8.8:53 | waioxcuiwcymao.net | udp |
| US | 8.8.8.8:53 | meskia.biz | udp |
| US | 8.8.8.8:53 | alwkvwnansnan.com | udp |
| US | 8.8.8.8:53 | ekfqhkdsholapet.com | udp |
| US | 8.8.8.8:53 | gyejqguiwcymao.biz | udp |
| US | 8.8.8.8:53 | wyywyqeoya.net | udp |
| US | 8.8.8.8:53 | rdrwlkn.cc | udp |
| US | 8.8.8.8:53 | vybkxifox.org | udp |
| US | 8.8.8.8:53 | igsvswiugkeq.info | udp |
| US | 8.8.8.8:53 | scssga.info | udp |
| US | 8.8.8.8:53 | qukgqmnansnan.org | udp |
| US | 8.8.8.8:53 | wfxqsmnansnan.com | udp |
| US | 8.8.8.8:53 | uyieteiq.net | udp |
| US | 8.8.8.8:53 | mseoyk.net | udp |
| US | 8.8.8.8:53 | loiqlafox.org | udp |
| US | 8.8.8.8:53 | ipbgfufqbex.cc | udp |
| US | 8.8.8.8:53 | mymqnwiq.net | udp |
| US | 8.8.8.8:53 | iaoano.biz | udp |
| US | 8.8.8.8:53 | xfjijgn.org | udp |
| US | 8.8.8.8:53 | vspfdafox.com | udp |
| US | 8.8.8.8:53 | kwuqhk.info | udp |
| US | 8.8.8.8:53 | wssizueoya.net | udp |
| US | 8.8.8.8:53 | spmjewnansnan.cc | udp |
| US | 8.8.8.8:53 | pulwlifox.com | udp |
| US | 8.8.8.8:53 | emicys.biz | udp |
| US | 8.8.8.8:53 | mmwikwiq.net | udp |
| US | 8.8.8.8:53 | ioqmfsdsholapet.cc | udp |
| US | 8.8.8.8:53 | sbdwpenansnan.com | udp |
| US | 8.8.8.8:53 | yokaos.info | udp |
| US | 8.8.8.8:53 | osobjiiugkeq.info | udp |
| US | 8.8.8.8:53 | chjjgqfqbex.com | udp |
| US | 8.8.8.8:53 | wuhthanansnan.cc | udp |
| US | 8.8.8.8:53 | kckzkueoya.net | udp |
| US | 8.8.8.8:53 | aeeeuaiq.info | udp |
| US | 8.8.8.8:53 | epeeuanansnan.cc | udp |
| US | 8.8.8.8:53 | emdctqfqbex.org | udp |
| US | 8.8.8.8:53 | eywsgo.info | udp |
| US | 8.8.8.8:53 | acwdqkuiwcymao.net | udp |
| US | 8.8.8.8:53 | mhdevufqbex.com | udp |
| US | 8.8.8.8:53 | divsdkn.org | udp |
| US | 8.8.8.8:53 | cmeigsuiwcymao.biz | udp |
| US | 8.8.8.8:53 | yaabuueoya.net | udp |
| US | 8.8.8.8:53 | ldjpbcn.org | udp |
| US | 8.8.8.8:53 | gnnpbqfqbex.cc | udp |
| US | 8.8.8.8:53 | qseecaiugkeq.info | udp |
| US | 8.8.8.8:53 | iuqxtyeoya.info | udp |
| US | 8.8.8.8:53 | fxguasfox.cc | udp |
| US | 8.8.8.8:53 | wkrzlgfqbex.org | udp |
| US | 8.8.8.8:53 | mmqtqwiugkeq.net | udp |
| US | 8.8.8.8:53 | wmkdhs.net | udp |
| US | 8.8.8.8:53 | vahpqcn.com | udp |
| US | 8.8.8.8:53 | uurmdyfqbex.org | udp |
| US | 8.8.8.8:53 | kccamwiq.net | udp |
| US | 8.8.8.8:53 | sqigrmiq.net | udp |
| US | 8.8.8.8:53 | ypkibmnansnan.org | udp |
| US | 8.8.8.8:53 | uxbibodsholapet.com | udp |
| US | 8.8.8.8:53 | emgwmsiugkeq.info | udp |
| US | 8.8.8.8:53 | ackbia.biz | udp |
| US | 8.8.8.8:53 | lwohpwfox.cc | udp |
| US | 8.8.8.8:53 | krjgewnansnan.cc | udp |
| US | 8.8.8.8:53 | wsocyguiwcymao.info | udp |
| US | 8.8.8.8:53 | qyesak.net | udp |
| US | 8.8.8.8:53 | qgryvufqbex.org | udp |
| US | 8.8.8.8:53 | krxihodsholapet.org | udp |
| US | 8.8.8.8:53 | coegcguiwcymao.info | udp |
| US | 8.8.8.8:53 | qsoiia.net | udp |
| US | 8.8.8.8:53 | qlnxyqfqbex.org | udp |
| US | 8.8.8.8:53 | mrtmzufqbex.com | udp |
| US | 8.8.8.8:53 | igoebaiq.biz | udp |
| US | 8.8.8.8:53 | bgusvsfox.org | udp |
| US | 8.8.8.8:53 | vvxlzkn.org | udp |
| US | 8.8.8.8:53 | iqcvia.info | udp |
| US | 8.8.8.8:53 | samqsk.net | udp |
| US | 8.8.8.8:53 | gqckhmnansnan.cc | udp |
| US | 8.8.8.8:53 | dwdyrgn.cc | udp |
| US | 8.8.8.8:53 | cioguwiq.net | udp |
| US | 8.8.8.8:53 | iwuoyaiq.net | udp |
| US | 8.8.8.8:53 | oumofadsholapet.org | udp |
| US | 8.8.8.8:53 | xmrutifox.org | udp |
| US | 8.8.8.8:53 | wwiossiugkeq.biz | udp |
| US | 8.8.8.8:53 | auaela.info | udp |
| US | 8.8.8.8:53 | avhixufqbex.cc | udp |
| US | 8.8.8.8:53 | cuisbueoya.biz | udp |
| US | 8.8.8.8:53 | oemxjs.net | udp |
| US | 8.8.8.8:53 | skanymnansnan.com | udp |
| US | 8.8.8.8:53 | yaruuenansnan.com | udp |
| US | 8.8.8.8:53 | qqgpgwiq.biz | udp |
| US | 8.8.8.8:53 | uyuouaiugkeq.biz | udp |
| US | 8.8.8.8:53 | luzkdsn.com | udp |
| US | 8.8.8.8:53 | srhrjadsholapet.com | udp |
| US | 8.8.8.8:53 | wiacxueoya.net | udp |
| US | 8.8.8.8:53 | immzqmiq.biz | udp |
| US | 8.8.8.8:53 | gnbbnenansnan.com | udp |
| US | 8.8.8.8:53 | yseaesiugkeq.biz | udp |
| US | 8.8.8.8:53 | ysckmcuiwcymao.info | udp |
| US | 8.8.8.8:53 | lnnepkn.org | udp |
| US | 8.8.8.8:53 | uhfkomnansnan.cc | udp |
| US | 8.8.8.8:53 | wgguvwiq.net | udp |
| US | 8.8.8.8:53 | kigfwaiq.info | udp |
| US | 8.8.8.8:53 | vduuvsfox.com | udp |
| US | 8.8.8.8:53 | zilqmwfox.cc | udp |
| US | 8.8.8.8:53 | qomemmiq.biz | udp |
| US | 8.8.8.8:53 | ywkzieiq.info | udp |
| US | 8.8.8.8:53 | miaxradsholapet.com | udp |
| US | 8.8.8.8:53 | mdxllodsholapet.org | udp |
| US | 8.8.8.8:53 | qauziguiwcymao.biz | udp |
| US | 8.8.8.8:53 | sisnaaiq.info | udp |
| US | 8.8.8.8:53 | owvrlyfqbex.com | udp |
| US | 8.8.8.8:53 | hhfkqafox.com | udp |
| US | 8.8.8.8:53 | ccmddsuiwcymao.info | udp |
| US | 8.8.8.8:53 | eyuhsgeoya.info | udp |
| US | 8.8.8.8:53 | onifrenansnan.com | udp |
| US | 8.8.8.8:53 | ibjszanansnan.cc | udp |
| US | 8.8.8.8:53 | sewwjgeoya.biz | udp |
| US | 8.8.8.8:53 | mkasraiugkeq.info | udp |
| US | 8.8.8.8:53 | qdwyeanansnan.org | udp |
| US | 8.8.8.8:53 | wttlpodsholapet.org | udp |
| US | 8.8.8.8:53 | cmukpueoya.info | udp |
| US | 8.8.8.8:53 | ggcrco.biz | udp |
| US | 8.8.8.8:53 | qbmiukdsholapet.org | udp |
| US | 8.8.8.8:53 | ikzwzadsholapet.org | udp |
| US | 8.8.8.8:53 | qsoagsiugkeq.info | udp |
| US | 8.8.8.8:53 | wqwqdmiq.biz | udp |
| US | 8.8.8.8:53 | vrsejafox.org | udp |
| US | 8.8.8.8:53 | rbruuwfox.cc | udp |
| US | 8.8.8.8:53 | uqcgoyeoya.net | udp |
| US | 8.8.8.8:53 | eymxuwiq.biz | udp |
| US | 8.8.8.8:53 | cgzjnqfqbex.com | udp |
| US | 8.8.8.8:53 | wvfsyodsholapet.org | udp |
| US | 8.8.8.8:53 | umcbuueoya.biz | udp |
| US | 8.8.8.8:53 | eeiykwiugkeq.info | udp |
| US | 8.8.8.8:53 | anuujmnansnan.cc | udp |
| US | 8.8.8.8:53 | ustxrsdsholapet.com | udp |
| US | 8.8.8.8:53 | mwamsaiq.biz | udp |
| US | 8.8.8.8:53 | auyqhcuiwcymao.net | udp |
| US | 8.8.8.8:53 | psmcrafox.com | udp |
| US | 8.8.8.8:53 | fuxylcn.org | udp |
| US | 8.8.8.8:53 | ummyyk.biz | udp |
| US | 8.8.8.8:53 | wgiyfguiwcymao.info | udp |
| US | 8.8.8.8:53 | bznopsn.cc | udp |
| US | 8.8.8.8:53 | xyrmtafox.cc | udp |
| US | 8.8.8.8:53 | kwiueeiq.net | udp |
| US | 8.8.8.8:53 | gcmmxk.net | udp |
| US | 8.8.8.8:53 | ituqnmnansnan.com | udp |
| US | 8.8.8.8:53 | mjjdhanansnan.cc | udp |
| US | 8.8.8.8:53 | wcqjasuiwcymao.biz | udp |
| US | 8.8.8.8:53 | iksmjs.biz | udp |
| US | 8.8.8.8:53 | vkqkgifox.com | udp |
| US | 8.8.8.8:53 | xcbifafox.org | udp |
| US | 8.8.8.8:53 | suaeggeoya.info | udp |
| US | 8.8.8.8:53 | ucwshguiwcymao.info | udp |
| US | 8.8.8.8:53 | bzdyzcn.com | udp |
| US | 8.8.8.8:53 | dzlslafox.org | udp |
| US | 8.8.8.8:53 | smsygiiugkeq.biz | udp |
| US | 8.8.8.8:53 | mouuyguiwcymao.info | udp |
| US | 8.8.8.8:53 | xjffbgn.org | udp |
| US | 8.8.8.8:53 | hofmhifox.com | udp |
| US | 8.8.8.8:53 | iqqqkueoya.biz | udp |
| US | 8.8.8.8:53 | qgeoqueoya.biz | udp |
| US | 8.8.8.8:53 | obnstufqbex.cc | udp |
| US | 8.8.8.8:53 | mzbkrgfqbex.cc | udp |
| US | 8.8.8.8:53 | qecqoaiq.info | udp |
| US | 8.8.8.8:53 | qkuwus.net | udp |
| US | 8.8.8.8:53 | gzyqcanansnan.com | udp |
| US | 8.8.8.8:53 | yunmdkdsholapet.cc | udp |
| US | 8.8.8.8:53 | gsueaa.net | udp |
| US | 8.8.8.8:53 | aokysaiq.info | udp |
| US | 8.8.8.8:53 | haddlsn.cc | udp |
| US | 8.8.8.8:53 | ahzykanansnan.com | udp |
| US | 8.8.8.8:53 | kgeylk.net | udp |
| US | 8.8.8.8:53 | kyamwiiugkeq.biz | udp |
| US | 8.8.8.8:53 | kdrwtgfqbex.org | udp |
| US | 8.8.8.8:53 | qhzcuodsholapet.cc | udp |
| US | 8.8.8.8:53 | cyqceiiugkeq.biz | udp |
| US | 8.8.8.8:53 | aogxyyeoya.info | udp |
| US | 8.8.8.8:53 | ycespwnansnan.org | udp |
| US | 8.8.8.8:53 | qmdwwwnansnan.com | udp |
| US | 8.8.8.8:53 | wmcocueoya.biz | udp |
| US | 8.8.8.8:53 | sgmswsuiwcymao.info | udp |
| US | 8.8.8.8:53 | buuexifox.org | udp |
| US | 8.8.8.8:53 | xybxdwfox.com | udp |
| US | 8.8.8.8:53 | uoiousuiwcymao.net | udp |
| US | 8.8.8.8:53 | ywazeeiq.net | udp |
| US | 8.8.8.8:53 | pkpcqcn.org | udp |
| US | 8.8.8.8:53 | qinmjgfqbex.com | udp |
| US | 8.8.8.8:53 | gcokls.info | udp |
| US | 8.8.8.8:53 | cusmbeiq.net | udp |
| US | 8.8.8.8:53 | kfeiwodsholapet.com | udp |
| US | 8.8.8.8:53 | lxtezafox.cc | udp |
| US | 8.8.8.8:53 | wqgqmcuiwcymao.info | udp |
| US | 8.8.8.8:53 | yceewcuiwcymao.net | udp |
| US | 8.8.8.8:53 | fhurfifox.org | udp |
| US | 8.8.8.8:53 | ytxnbwnansnan.org | udp |
| US | 8.8.8.8:53 | gyyyyueoya.info | udp |
| US | 8.8.8.8:53 | kygmyo.biz | udp |
| US | 8.8.8.8:53 | bhdyjcn.org | udp |
| US | 8.8.8.8:53 | iftlfwnansnan.org | udp |
| US | 8.8.8.8:53 | omilys.info | udp |
| US | 8.8.8.8:53 | sgaixo.biz | udp |
| US | 8.8.8.8:53 | ilyepodsholapet.cc | udp |
| US | 8.8.8.8:53 | esnsvwnansnan.org | udp |
| US | 8.8.8.8:53 | mikyaa.info | udp |
| US | 8.8.8.8:53 | uusunguiwcymao.net | udp |
| US | 8.8.8.8:53 | kseukadsholapet.org | udp |
| US | 8.8.8.8:53 | smreqgfqbex.cc | udp |
| US | 8.8.8.8:53 | seqyeyeoya.net | udp |
| US | 8.8.8.8:53 | gcgkxwiq.biz | udp |
| US | 8.8.8.8:53 | gxcutenansnan.cc | udp |
| US | 8.8.8.8:53 | bbjfrsfox.org | udp |
| US | 8.8.8.8:53 | qmcnxiiugkeq.biz | udp |
| US | 8.8.8.8:53 | kmkffmiq.biz | udp |
| US | 8.8.8.8:53 | bcjvhcn.com | udp |
| US | 8.8.8.8:53 | hsbmggn.org | udp |
| US | 8.8.8.8:53 | kqwapqeoya.info | udp |
| US | 8.8.8.8:53 | ssugjsuiwcymao.biz | udp |
| US | 8.8.8.8:53 | ieuafodsholapet.org | udp |
| US | 8.8.8.8:53 | othrpsdsholapet.cc | udp |
| US | 8.8.8.8:53 | mqsqvmiq.net | udp |
| US | 8.8.8.8:53 | kwknca.biz | udp |
| US | 8.8.8.8:53 | jbnoxgn.org | udp |
| US | 8.8.8.8:53 | wepmhqfqbex.cc | udp |
| US | 8.8.8.8:53 | gocnniiugkeq.biz | udp |
| US | 8.8.8.8:53 | oqiyoqeoya.biz | udp |
| US | 8.8.8.8:53 | kpfgngfqbex.cc | udp |
| US | 8.8.8.8:53 | zshqrgn.com | udp |
| US | 8.8.8.8:53 | waeqtyeoya.info | udp |
| US | 8.8.8.8:53 | msynqaiq.info | udp |
| US | 8.8.8.8:53 | vxufowfox.cc | udp |
| US | 8.8.8.8:53 | ecbqeqfqbex.org | udp |
| US | 8.8.8.8:53 | ammgoeiq.net | udp |
| US | 8.8.8.8:53 | mgqiqsiugkeq.net | udp |
| US | 8.8.8.8:53 | gnoztsdsholapet.org | udp |
| US | 8.8.8.8:53 | iwdwnmnansnan.org | udp |
| US | 8.8.8.8:53 | yeccawiugkeq.biz | udp |
| US | 8.8.8.8:53 | qwgmeaiq.info | udp |
| US | 8.8.8.8:53 | yenfbgfqbex.org | udp |
| US | 8.8.8.8:53 | jellksn.cc | udp |
| US | 8.8.8.8:53 | ygeneqeoya.net | udp |
| US | 8.8.8.8:53 | imctpkuiwcymao.biz | udp |
| US | 8.8.8.8:53 | lcikrafox.cc | udp |
| US | 8.8.8.8:53 | qmjsqanansnan.org | udp |
| US | 8.8.8.8:53 | smuixueoya.net | udp |
| US | 8.8.8.8:53 | imymucuiwcymao.biz | udp |
| US | 8.8.8.8:53 | jdhywkn.org | udp |
| US | 8.8.8.8:53 | dbxqlwfox.cc | udp |
| US | 8.8.8.8:53 | uowsgaiugkeq.biz | udp |
| US | 8.8.8.8:53 | koecoaiq.net | udp |
| US | 8.8.8.8:53 | wyjthyfqbex.org | udp |
| US | 8.8.8.8:53 | dnxuzkn.com | udp |
| US | 8.8.8.8:53 | gigrasiugkeq.biz | udp |
| US | 8.8.8.8:53 | qqgorsuiwcymao.info | udp |
| US | 8.8.8.8:53 | slfymyfqbex.cc | udp |
| US | 8.8.8.8:53 | suyuygeoya.net | udp |
| US | 8.8.8.8:53 | eemizgeoya.net | udp |
| US | 8.8.8.8:53 | bjpilcn.org | udp |
| US | 8.8.8.8:53 | nfftmcn.org | udp |
| US | 8.8.8.8:53 | magwuaiq.info | udp |
| US | 8.8.8.8:53 | suemqwiugkeq.biz | udp |
| US | 8.8.8.8:53 | gcjwngfqbex.org | udp |
| US | 8.8.8.8:53 | vojczgn.com | udp |
| US | 8.8.8.8:53 | kisujgeoya.biz | udp |
| US | 8.8.8.8:53 | gkmyryeoya.info | udp |
| US | 8.8.8.8:53 | kthmiqfqbex.org | udp |
| US | 8.8.8.8:53 | mevyxadsholapet.com | udp |
| US | 8.8.8.8:53 | uewaqs.net | udp |
| US | 8.8.8.8:53 | uokqhodsholapet.cc | udp |
| US | 8.8.8.8:53 | xsxoasn.org | udp |
| US | 8.8.8.8:53 | ywgica.net | udp |
| US | 8.8.8.8:53 | umgcpaiq.net | udp |
| US | 8.8.8.8:53 | anbkvyfqbex.com | udp |
| US | 8.8.8.8:53 | jqjluifox.cc | udp |
| US | 8.8.8.8:53 | ooihyaiq.biz | udp |
| US | 8.8.8.8:53 | aosyhaiugkeq.info | udp |
| US | 8.8.8.8:53 | yadnsufqbex.org | udp |
| US | 8.8.8.8:53 | hkveycn.cc | udp |
| US | 8.8.8.8:53 | uecbgs.biz | udp |
| US | 8.8.8.8:53 | iuockyeoya.biz | udp |
| US | 8.8.8.8:53 | xzdiekn.com | udp |
| US | 8.8.8.8:53 | yvnvuwnansnan.cc | udp |
| US | 8.8.8.8:53 | gmigjwiugkeq.biz | udp |
| US | 8.8.8.8:53 | oowwxwiugkeq.net | udp |
| US | 8.8.8.8:53 | sstdtqfqbex.cc | udp |
| US | 8.8.8.8:53 | iwprvodsholapet.com | udp |
| US | 8.8.8.8:53 | icyvcaiugkeq.biz | udp |
| US | 8.8.8.8:53 | wuowgeiq.biz | udp |
| US | 8.8.8.8:53 | aucersdsholapet.org | udp |
| US | 8.8.8.8:53 | axxursdsholapet.com | udp |
| US | 8.8.8.8:53 | swkmqyeoya.biz | udp |
| US | 8.8.8.8:53 | waohaeiq.net | udp |
| US | 8.8.8.8:53 | vukzeifox.org | udp |
| US | 8.8.8.8:53 | rzjifgn.org | udp |
| US | 8.8.8.8:53 | agmqnkuiwcymao.info | udp |
| US | 8.8.8.8:53 | mesfcwiugkeq.biz | udp |
| US | 8.8.8.8:53 | crvchufqbex.org | udp |
| US | 8.8.8.8:53 | wvzckufqbex.cc | udp |
| US | 8.8.8.8:53 | koqjlaiugkeq.net | udp |
| US | 8.8.8.8:53 | ekkddyeoya.info | udp |
| US | 8.8.8.8:53 | bqpqzgn.cc | udp |
| US | 8.8.8.8:53 | skhaxsdsholapet.com | udp |
| US | 8.8.8.8:53 | magfqyeoya.info | udp |
| US | 8.8.8.8:53 | jegjfwfox.com | udp |
| US | 8.8.8.8:53 | iitwoadsholapet.org | udp |
| US | 8.8.8.8:53 | ikcokiiugkeq.info | udp |
| US | 8.8.8.8:53 | guuyjs.biz | udp |
| US | 8.8.8.8:53 | zoayaifox.com | udp |
| US | 8.8.8.8:53 | dmbymifox.org | udp |
| US | 8.8.8.8:53 | gwosyaiugkeq.net | udp |
| US | 8.8.8.8:53 | gqaileiq.biz | udp |
| US | 8.8.8.8:53 | zbgmgafox.com | udp |
| US | 8.8.8.8:53 | crdkagfqbex.cc | udp |
| US | 8.8.8.8:53 | ciymwmiq.net | udp |
| US | 8.8.8.8:53 | wieaeo.info | udp |
| US | 8.8.8.8:53 | quiydsdsholapet.cc | udp |
| US | 8.8.8.8:53 | emigvyeoya.info | udp |
| US | 8.8.8.8:53 | mumvpueoya.biz | udp |
| US | 8.8.8.8:53 | reqjwwfox.com | udp |
| US | 8.8.8.8:53 | ezfnqqfqbex.org | udp |
| US | 8.8.8.8:53 | qakvzaiugkeq.net | udp |
| US | 8.8.8.8:53 | eoggisuiwcymao.net | udp |
| US | 8.8.8.8:53 | ohaqlsdsholapet.com | udp |
| US | 8.8.8.8:53 | idtflenansnan.com | udp |
| US | 8.8.8.8:53 | omykao.info | udp |
| US | 8.8.8.8:53 | umwogaiugkeq.biz | udp |
| US | 8.8.8.8:53 | cekulodsholapet.cc | udp |
| US | 8.8.8.8:53 | vlzkzgn.com | udp |
| US | 8.8.8.8:53 | syasoaiq.net | udp |
| US | 8.8.8.8:53 | askicgeoya.biz | udp |
| US | 8.8.8.8:53 | spognkdsholapet.com | udp |
| US | 8.8.8.8:53 | jvjiugn.com | udp |
| US | 8.8.8.8:53 | ukcqgsiugkeq.net | udp |
| US | 8.8.8.8:53 | hydiosn.org | udp |
| US | 8.8.8.8:53 | jbnccgn.cc | udp |
| US | 8.8.8.8:53 | kyuoaeiq.info | udp |
| US | 8.8.8.8:53 | qyymjodsholapet.cc | udp |
| US | 8.8.8.8:53 | hlpitcn.cc | udp |
| US | 8.8.8.8:53 | uyynlwiugkeq.info | udp |
| US | 8.8.8.8:53 | keyues.biz | udp |
| US | 8.8.8.8:53 | iplcqufqbex.org | udp |
| US | 8.8.8.8:53 | wpfdnenansnan.com | udp |
| US | 8.8.8.8:53 | umseiaiugkeq.net | udp |
| US | 8.8.8.8:53 | mosogiiugkeq.net | udp |
| US | 8.8.8.8:53 | qkvlhyfqbex.com | udp |
| US | 8.8.8.8:53 | uqhnzkdsholapet.cc | udp |
| US | 8.8.8.8:53 | yqstysiugkeq.info | udp |
| US | 8.8.8.8:53 | oyuoraiugkeq.biz | udp |
| US | 8.8.8.8:53 | tmoypifox.org | udp |
| US | 8.8.8.8:53 | kahctenansnan.cc | udp |
| US | 8.8.8.8:53 | yymasgeoya.info | udp |
| US | 8.8.8.8:53 | egieogeoya.biz | udp |
| US | 8.8.8.8:53 | zcostafox.com | udp |
| US | 8.8.8.8:53 | jvbofgn.com | udp |
| US | 8.8.8.8:53 | eyksms.info | udp |
| US | 8.8.8.8:53 | iokmds.info | udp |
| US | 8.8.8.8:53 | amyenwnansnan.org | udp |
| US | 8.8.8.8:53 | ygbtlwnansnan.org | udp |
| US | 8.8.8.8:53 | maqlksuiwcymao.net | udp |
| US | 8.8.8.8:53 | yqibgwiq.net | udp |
| US | 8.8.8.8:53 | jajixcn.com | udp |
| US | 8.8.8.8:53 | wvzkpanansnan.cc | udp |
| US | 8.8.8.8:53 | okeismiq.biz | udp |
| US | 8.8.8.8:53 | cscsccuiwcymao.info | udp |
| US | 8.8.8.8:53 | yyogtadsholapet.com | udp |
| US | 8.8.8.8:53 | wrdadsdsholapet.org | udp |
| US | 8.8.8.8:53 | qsceeaiugkeq.info | udp |
| US | 8.8.8.8:53 | kiqsliiugkeq.net | udp |
| US | 8.8.8.8:53 | pkyutwfox.cc | udp |
| US | 8.8.8.8:53 | qrppekdsholapet.org | udp |
| US | 8.8.8.8:53 | kuuoryeoya.net | udp |
| US | 8.8.8.8:53 | imyvcs.net | udp |
| US | 8.8.8.8:53 | exuaqadsholapet.cc | udp |
| US | 8.8.8.8:53 | milybenansnan.cc | udp |
| US | 8.8.8.8:53 | uugnsqeoya.net | udp |
| US | 8.8.8.8:53 | qcwmoaiq.net | udp |
| US | 8.8.8.8:53 | ixiytenansnan.com | udp |
| US | 8.8.8.8:53 | ctheeenansnan.com | udp |
| US | 8.8.8.8:53 | usaqosiugkeq.net | udp |
| US | 8.8.8.8:53 | gcqcceiq.info | udp |
| US | 8.8.8.8:53 | pqvghcn.org | udp |
| US | 8.8.8.8:53 | ezrusadsholapet.org | udp |
| US | 8.8.8.8:53 | oaypfiiugkeq.info | udp |
| US | 8.8.8.8:53 | wugqgeiq.net | udp |
| US | 8.8.8.8:53 | ojgyvadsholapet.org | udp |
| US | 8.8.8.8:53 | rvxxbwfox.org | udp |
| US | 8.8.8.8:53 | yqsifkuiwcymao.biz | udp |
| US | 8.8.8.8:53 | ayechs.net | udp |
| US | 8.8.8.8:53 | ofskdadsholapet.com | udp |
| US | 8.8.8.8:53 | catgfufqbex.cc | udp |
| US | 8.8.8.8:53 | gyeowk.info | udp |
| US | 8.8.8.8:53 | iukowqeoya.net | udp |
| US | 8.8.8.8:53 | aefkxyfqbex.com | udp |
| US | 8.8.8.8:53 | zyzgrcn.org | udp |
| US | 8.8.8.8:53 | yewmqsiugkeq.net | udp |
| US | 8.8.8.8:53 | uogomk.biz | udp |
| US | 8.8.8.8:53 | cebgxgfqbex.com | udp |
| US | 8.8.8.8:53 | gelqzanansnan.org | udp |
| US | 8.8.8.8:53 | kiapso.biz | udp |
| US | 8.8.8.8:53 | sgmgsyeoya.info | udp |
| US | 8.8.8.8:53 | qhbxvqfqbex.cc | udp |
| US | 8.8.8.8:53 | kvpcjkdsholapet.com | udp |
| US | 8.8.8.8:53 | kqgjss.info | udp |
| US | 8.8.8.8:53 | eeyeywiugkeq.info | udp |
| US | 8.8.8.8:53 | arogxenansnan.org | udp |
| US | 8.8.8.8:53 | crxkyqfqbex.cc | udp |
| US | 8.8.8.8:53 | isgkbqeoya.biz | udp |
| US | 8.8.8.8:53 | acudmkuiwcymao.net | udp |
| US | 8.8.8.8:53 | wxwffkdsholapet.org | udp |
| US | 8.8.8.8:53 | zwpczcn.com | udp |
| US | 8.8.8.8:53 | wiczfguiwcymao.info | udp |
| US | 8.8.8.8:53 | qmyaekuiwcymao.info | udp |
| US | 8.8.8.8:53 | lhlyfgn.org | udp |
| US | 8.8.8.8:53 | vxbulcn.org | udp |
| US | 8.8.8.8:53 | cgiwxmiq.biz | udp |
| US | 8.8.8.8:53 | eoscuueoya.net | udp |
| US | 8.8.8.8:53 | djjkpkn.com | udp |
| US | 8.8.8.8:53 | ckqqvsiugkeq.info | udp |
| US | 8.8.8.8:53 | uwmrieiq.net | udp |
| US | 8.8.8.8:53 | bgryrcn.com | udp |
| US | 8.8.8.8:53 | brjrpkn.cc | udp |
| US | 8.8.8.8:53 | aykuueiq.info | udp |
| US | 8.8.8.8:53 | aaswasuiwcymao.net | udp |
| US | 8.8.8.8:53 | iawxrwnansnan.com | udp |
| US | 8.8.8.8:53 | bcnrpafox.com | udp |
| US | 8.8.8.8:53 | mocwqcuiwcymao.info | udp |
| US | 8.8.8.8:53 | wuwmiadsholapet.cc | udp |
| US | 8.8.8.8:53 | tgtilwfox.com | udp |
| US | 8.8.8.8:53 | yeqehs.info | udp |
| US | 8.8.8.8:53 | cayoiwiugkeq.biz | udp |
| US | 8.8.8.8:53 | vlxchgn.org | udp |
| US | 8.8.8.8:53 | iqtwvadsholapet.org | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wmcesiiugkeq.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | caawamiq.biz | udp |
| US | 8.8.8.8:53 | dqnvskn.cc | udp |
| US | 8.8.8.8:53 | nxtaygn.cc | udp |
| US | 8.8.8.8:53 | maqnjqeoya.net | udp |
| US | 8.8.8.8:53 | sgmiimiq.biz | udp |
| US | 8.8.8.8:53 | yxbudqfqbex.org | udp |
| US | 8.8.8.8:53 | lftmngn.cc | udp |
| US | 8.8.8.8:53 | moogfk.net | udp |
| US | 8.8.8.8:53 | mmebgiiugkeq.biz | udp |
| US | 8.8.8.8:53 | jfmlbifox.cc | udp |
| US | 8.8.8.8:53 | mwhxdodsholapet.org | udp |
| US | 8.8.8.8:53 | uqeheaiugkeq.biz | udp |
| US | 8.8.8.8:53 | gywsws.net | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wfsqtwnansnan.org | udp |
| US | 8.8.8.8:53 | cvxvhufqbex.org | udp |
| US | 8.8.8.8:53 | eugtgaiq.biz | udp |
| US | 8.8.8.8:53 | qossaueoya.biz | udp |
| US | 8.8.8.8:53 | cxrejwnansnan.cc | udp |
| US | 8.8.8.8:53 | ciowdiiugkeq.biz | udp |
| US | 8.8.8.8:53 | ekmwwk.biz | udp |
| US | 8.8.8.8:53 | xsvuckn.com | udp |
| US | 8.8.8.8:53 | yrvgjufqbex.org | udp |
| US | 8.8.8.8:53 | caiedgeoya.info | udp |
| US | 8.8.8.8:53 | iooiwa.info | udp |
| US | 8.8.8.8:53 | xiryzkn.cc | udp |
| US | 8.8.8.8:53 | mwtjmenansnan.cc | udp |
| US | 8.8.8.8:53 | mykbms.net | udp |
| US | 8.8.8.8:53 | oeopseiq.net | udp |
| US | 8.8.8.8:53 | jvlzrkn.cc | udp |
| US | 8.8.8.8:53 | kljiaqfqbex.cc | udp |
| US | 8.8.8.8:53 | myukkwiugkeq.info | udp |
| US | 8.8.8.8:53 | wccioa.net | udp |
| US | 8.8.8.8:53 | kdlwdyfqbex.org | udp |
| US | 8.8.8.8:53 | qfpptanansnan.cc | udp |
| US | 8.8.8.8:53 | casyncuiwcymao.info | udp |
| US | 8.8.8.8:53 | qwofqqeoya.biz | udp |
| US | 8.8.8.8:53 | ktienmnansnan.cc | udp |
| US | 8.8.8.8:53 | wgjetanansnan.cc | udp |
| US | 8.8.8.8:53 | wegcsqeoya.info | udp |
| US | 8.8.8.8:53 | wutwxgfqbex.cc | udp |
| US | 8.8.8.8:53 | wgfkjanansnan.cc | udp |
| US | 8.8.8.8:53 | asuwvueoya.info | udp |
| US | 8.8.8.8:53 | mcojfgeoya.biz | udp |
| US | 8.8.8.8:53 | qidsfqfqbex.com | udp |
| US | 8.8.8.8:53 | xopuxafox.org | udp |
| US | 8.8.8.8:53 | emuyko.biz | udp |
| US | 8.8.8.8:53 | wkyhas.net | udp |
| US | 8.8.8.8:53 | pkwjuafox.cc | udp |
| US | 8.8.8.8:53 | elzmkodsholapet.org | udp |
| US | 8.8.8.8:53 | ummchsiugkeq.info | udp |
| US | 8.8.8.8:53 | sskgwyeoya.net | udp |
| US | 8.8.8.8:53 | deknaifox.org | udp |
| US | 8.8.8.8:53 | uidoeyfqbex.cc | udp |
| US | 8.8.8.8:53 | iisbqgeoya.info | udp |
| US | 8.8.8.8:53 | geyymwiugkeq.biz | udp |
| US | 8.8.8.8:53 | spsdcenansnan.cc | udp |
| US | 8.8.8.8:53 | qdzuxanansnan.cc | udp |
| US | 8.8.8.8:53 | goscfqeoya.info | udp |
| US | 8.8.8.8:53 | wookuwiq.info | udp |
| US | 8.8.8.8:53 | hwpufgn.cc | udp |
| US | 8.8.8.8:53 | grhcgqfqbex.cc | udp |
| US | 8.8.8.8:53 | ekycya.net | udp |
| US | 8.8.8.8:53 | qgyioo.biz | udp |
| US | 8.8.8.8:53 | hudkvkn.com | udp |
| US | 8.8.8.8:53 | mwpqjgfqbex.com | udp |
| US | 8.8.8.8:53 | mmesemiq.info | udp |
| US | 8.8.8.8:53 | wyiecwiq.net | udp |
| US | 8.8.8.8:53 | kmheegfqbex.org | udp |
| US | 8.8.8.8:53 | agkudkuiwcymao.info | udp |
| US | 8.8.8.8:53 | kekylmiq.biz | udp |
| US | 8.8.8.8:53 | ouwyzodsholapet.cc | udp |
| US | 8.8.8.8:53 | ltbudafox.com | udp |
| US | 8.8.8.8:53 | ciolusiugkeq.info | udp |
| US | 8.8.8.8:53 | wcieomiq.biz | udp |
| US | 8.8.8.8:53 | hlbcmgn.cc | udp |
| US | 8.8.8.8:53 | denmywfox.cc | udp |
| US | 8.8.8.8:53 | guefgwiugkeq.net | udp |
| US | 8.8.8.8:53 | momwha.info | udp |
| US | 8.8.8.8:53 | qmwmumnansnan.cc | udp |
| US | 8.8.8.8:53 | snxuhgfqbex.cc | udp |
| US | 8.8.8.8:53 | esmmbkuiwcymao.biz | udp |
| US | 8.8.8.8:53 | ywocqa.info | udp |
| US | 8.8.8.8:53 | hinypcn.com | udp |
| US | 8.8.8.8:53 | cuhglyfqbex.cc | udp |
| US | 8.8.8.8:53 | wokeqiiugkeq.net | udp |
| US | 8.8.8.8:53 | jchwngn.cc | udp |
| US | 8.8.8.8:53 | rxflwcn.org | udp |
| US | 8.8.8.8:53 | uomjxkuiwcymao.info | udp |
| US | 8.8.8.8:53 | yckzwcuiwcymao.biz | udp |
| US | 8.8.8.8:53 | gyluhufqbex.org | udp |
| US | 8.8.8.8:53 | jndgxcn.com | udp |
| US | 8.8.8.8:53 | koiczkuiwcymao.info | udp |
| US | 8.8.8.8:53 | tnvszcn.cc | udp |
| US | 8.8.8.8:53 | wovvzkdsholapet.com | udp |
| US | 8.8.8.8:53 | gsuidsiugkeq.biz | udp |
| US | 8.8.8.8:53 | iiafomiq.info | udp |
| US | 8.8.8.8:53 | csuqnodsholapet.cc | udp |
| US | 8.8.8.8:53 | wijrdufqbex.cc | udp |
| US | 8.8.8.8:53 | swemaiiugkeq.biz | udp |
| US | 8.8.8.8:53 | gmqcksuiwcymao.biz | udp |
| US | 8.8.8.8:53 | pkhscsn.com | udp |
| US | 8.8.8.8:53 | oehugkdsholapet.cc | udp |
| US | 8.8.8.8:53 | esosxcuiwcymao.net | udp |
| US | 8.8.8.8:53 | cwqxaeiq.info | udp |
| US | 8.8.8.8:53 | whbfkufqbex.com | udp |
| US | 8.8.8.8:53 | lkrkpcn.com | udp |
| US | 8.8.8.8:53 | gogmesuiwcymao.info | udp |
| US | 8.8.8.8:53 | gcscliiugkeq.biz | udp |
| US | 8.8.8.8:53 | mtmkvkdsholapet.com | udp |
| US | 8.8.8.8:53 | gepgxsdsholapet.cc | udp |
| US | 8.8.8.8:53 | iqqhqqeoya.info | udp |
| US | 8.8.8.8:53 | gewufguiwcymao.net | udp |
| US | 8.8.8.8:53 | cgygnadsholapet.com | udp |
| US | 8.8.8.8:53 | zqnbfwfox.org | udp |
| US | 8.8.8.8:53 | wugvekuiwcymao.biz | udp |
| US | 8.8.8.8:53 | eyiewyeoya.info | udp |
| US | 8.8.8.8:53 | untorgfqbex.org | udp |
| US | 8.8.8.8:53 | oapqrqfqbex.cc | udp |
| US | 8.8.8.8:53 | yskuss.biz | udp |
| US | 8.8.8.8:53 | sqyiaaiugkeq.net | udp |
| US | 8.8.8.8:53 | edxmfqfqbex.org | udp |
| US | 8.8.8.8:53 | qvbmxodsholapet.cc | udp |
| US | 8.8.8.8:53 | ywkeoueoya.info | udp |
| US | 8.8.8.8:53 | yhcobodsholapet.com | udp |
| US | 8.8.8.8:53 | zgjubsn.com | udp |
| US | 8.8.8.8:53 | qwuntiiugkeq.info | udp |
| US | 8.8.8.8:53 | ecquoueoya.biz | udp |
| US | 8.8.8.8:53 | qhoeqmnansnan.cc | udp |
| US | 8.8.8.8:53 | aaxefanansnan.cc | udp |
| US | 8.8.8.8:53 | sqcwos.biz | udp |
| US | 8.8.8.8:53 | kymrgwiq.net | udp |
| US | 8.8.8.8:53 | pwestsfox.org | udp |
| US | 8.8.8.8:53 | gajkjwnansnan.com | udp |
| US | 8.8.8.8:53 | mmaxwqeoya.info | udp |
| US | 8.8.8.8:53 | yasupiiugkeq.net | udp |
| US | 8.8.8.8:53 | uqgkoodsholapet.org | udp |
| US | 8.8.8.8:53 | rsxszcn.cc | udp |
| US | 8.8.8.8:53 | asqqlcuiwcymao.net | udp |
| US | 8.8.8.8:53 | mowwqaiq.info | udp |
| US | 8.8.8.8:53 | wnomzadsholapet.cc | udp |
| US | 8.8.8.8:53 | bmhwjafox.com | udp |
| US | 8.8.8.8:53 | eeqivcuiwcymao.info | udp |
| US | 8.8.8.8:53 | iccshaiq.biz | udp |
| US | 8.8.8.8:53 | ljnexkn.com | udp |
| US | 8.8.8.8:53 | gvhwpsdsholapet.com | udp |
| US | 8.8.8.8:53 | qqmsgyeoya.net | udp |
| US | 8.8.8.8:53 | qyguza.net | udp |
| US | 8.8.8.8:53 | wjzuyqfqbex.org | udp |
| US | 8.8.8.8:53 | vwzvvsfox.com | udp |
| US | 8.8.8.8:53 | csydsaiq.info | udp |
| US | 8.8.8.8:53 | kqecimiq.net | udp |
| US | 8.8.8.8:53 | imtrayfqbex.cc | udp |
| US | 8.8.8.8:53 | hwtydgn.cc | udp |
| US | 8.8.8.8:53 | ieednsuiwcymao.net | udp |
| US | 8.8.8.8:53 | qoomewiq.info | udp |
| US | 8.8.8.8:53 | wwgspodsholapet.org | udp |
| US | 8.8.8.8:53 | qptclanansnan.org | udp |
| US | 8.8.8.8:53 | mmskygeoya.info | udp |
| US | 8.8.8.8:53 | kkmcns.info | udp |
| US | 8.8.8.8:53 | prnsvsn.org | udp |
| US | 8.8.8.8:53 | mibjcenansnan.com | udp |
| US | 8.8.8.8:53 | miwdgkuiwcymao.net | udp |
| US | 8.8.8.8:53 | kqkmgsiugkeq.info | udp |
| US | 8.8.8.8:53 | kwrepgfqbex.com | udp |
| US | 8.8.8.8:53 | wvlydodsholapet.org | udp |
| US | 8.8.8.8:53 | wicubqeoya.net | udp |
| US | 8.8.8.8:53 | saifymiq.biz | udp |
| US | 8.8.8.8:53 | rhptqgn.org | udp |
| US | 8.8.8.8:53 | bipqusn.com | udp |
| US | 8.8.8.8:53 | ycmoraiugkeq.biz | udp |
| US | 8.8.8.8:53 | kiatcs.net | udp |
| US | 8.8.8.8:53 | rasanwfox.com | udp |
| US | 8.8.8.8:53 | jdzukwfox.com | udp |
| US | 8.8.8.8:53 | wecsmk.biz | udp |
| US | 8.8.8.8:53 | wymsqcuiwcymao.info | udp |
| US | 8.8.8.8:53 | yxhtzgfqbex.cc | udp |
| US | 8.8.8.8:53 | merknsdsholapet.cc | udp |
| US | 8.8.8.8:53 | sgyxmyeoya.biz | udp |
| US | 8.8.8.8:53 | aksfgiiugkeq.biz | udp |
| US | 8.8.8.8:53 | abiymmnansnan.org | udp |
| US | 8.8.8.8:53 | cupytwnansnan.org | udp |
| US | 8.8.8.8:53 | qiwidkuiwcymao.net | udp |
| US | 8.8.8.8:53 | ieiqosuiwcymao.net | udp |
| US | 8.8.8.8:53 | flyieafox.com | udp |
| US | 8.8.8.8:53 | jrhbnwfox.com | udp |
| US | 8.8.8.8:53 | eoiyzguiwcymao.net | udp |
| US | 8.8.8.8:53 | suwioa.net | udp |
| US | 8.8.8.8:53 | gjphzyfqbex.cc | udp |
| US | 8.8.8.8:53 | ygxommnansnan.cc | udp |
| US | 8.8.8.8:53 | qkmkeo.net | udp |
| US | 8.8.8.8:53 | iuiqaiiugkeq.net | udp |
| US | 8.8.8.8:53 | xtqmvafox.cc | udp |
| US | 8.8.8.8:53 | eozulanansnan.org | udp |
| US | 8.8.8.8:53 | oeaejo.net | udp |
| US | 8.8.8.8:53 | ggghksiugkeq.info | udp |
| US | 8.8.8.8:53 | nnmcmafox.com | udp |
| US | 8.8.8.8:53 | ilxnhenansnan.cc | udp |
| US | 8.8.8.8:53 | womcco.info | udp |
| US | 8.8.8.8:53 | kssmvwnansnan.org | udp |
| US | 8.8.8.8:53 | zjdkbifox.cc | udp |
| US | 8.8.8.8:53 | gwyujiiugkeq.info | udp |
| US | 8.8.8.8:53 | ciqeakuiwcymao.info | udp |
| US | 8.8.8.8:53 | iiwobadsholapet.org | udp |
| US | 8.8.8.8:53 | fmzmbsn.org | udp |
| US | 8.8.8.8:53 | kkaqqkuiwcymao.net | udp |
| US | 8.8.8.8:53 | symiageoya.info | udp |
| US | 8.8.8.8:53 | ywxqtgfqbex.org | udp |
| US | 8.8.8.8:53 | evzwfanansnan.com | udp |
| US | 8.8.8.8:53 | sagkaa.biz | udp |
| US | 8.8.8.8:53 | omuwcsuiwcymao.info | udp |
| US | 8.8.8.8:53 | kkuwjadsholapet.org | udp |
| US | 8.8.8.8:53 | wldlpenansnan.cc | udp |
| US | 8.8.8.8:53 | ecyrwmiq.biz | udp |
| US | 8.8.8.8:53 | suyuyo.biz | udp |
| US | 8.8.8.8:53 | mgaxpkuiwcymao.net | udp |
| US | 8.8.8.8:53 | wyoodwiugkeq.net | udp |
| US | 8.8.8.8:53 | ohailenansnan.org | udp |
| US | 8.8.8.8:53 | sptnzyfqbex.org | udp |
| US | 8.8.8.8:53 | acceliiugkeq.net | udp |
| US | 8.8.8.8:53 | muigfaiq.info | udp |
| US | 8.8.8.8:53 | kmaytadsholapet.org | udp |
| US | 8.8.8.8:53 | rcnxtafox.com | udp |
| US | 8.8.8.8:53 | kakmngeoya.biz | udp |
| US | 8.8.8.8:53 | hgcemafox.org | udp |
| US | 8.8.8.8:53 | nsdilwfox.cc | udp |
| US | 8.8.8.8:53 | suguoyeoya.biz | udp |
| US | 8.8.8.8:53 | mgijcyeoya.biz | udp |
| US | 8.8.8.8:53 | mmjmygfqbex.cc | udp |
| US | 8.8.8.8:53 | grdksanansnan.org | udp |
| US | 8.8.8.8:53 | quyeps.info | udp |
| US | 8.8.8.8:53 | eagjdk.info | udp |
| US | 8.8.8.8:53 | mwqkbmnansnan.com | udp |
| US | 8.8.8.8:53 | qcvwpenansnan.org | udp |
| US | 8.8.8.8:53 | omenowiugkeq.biz | udp |
| US | 8.8.8.8:53 | kqwkkiiugkeq.info | udp |
| US | 8.8.8.8:53 | jpqoqafox.com | udp |
| US | 8.8.8.8:53 | ksxutufqbex.cc | udp |
| US | 8.8.8.8:53 | komiksiugkeq.biz | udp |
| US | 8.8.8.8:53 | alvljufqbex.com | udp |
| US | 8.8.8.8:53 | rjxwfkn.org | udp |
| US | 8.8.8.8:53 | mqsuxguiwcymao.biz | udp |
| US | 8.8.8.8:53 | wawqwmiq.biz | udp |
| US | 8.8.8.8:53 | rdkkkifox.org | udp |
| US | 8.8.8.8:53 | gyskesuiwcymao.net | udp |
| US | 8.8.8.8:53 | qkguoyeoya.biz | udp |
| US | 8.8.8.8:53 | xinwpcn.org | udp |
| US | 8.8.8.8:53 | aozcyadsholapet.cc | udp |
| US | 8.8.8.8:53 | meauoguiwcymao.info | udp |
| US | 8.8.8.8:53 | wnqwgenansnan.com | udp |
| US | 8.8.8.8:53 | irbgzodsholapet.com | udp |
| US | 8.8.8.8:53 | ysqcvkuiwcymao.net | udp |
| US | 8.8.8.8:53 | kqweccuiwcymao.net | udp |
| US | 8.8.8.8:53 | pnholkn.org | udp |
| US | 8.8.8.8:53 | kadyianansnan.org | udp |
| US | 8.8.8.8:53 | aygbcaiq.biz | udp |
| US | 8.8.8.8:53 | qucozeiq.biz | udp |
| US | 8.8.8.8:53 | sgekvmnansnan.org | udp |
| US | 8.8.8.8:53 | rqnqnwfox.org | udp |
| US | 8.8.8.8:53 | uquwueiq.biz | udp |
| US | 8.8.8.8:53 | cmwuacuiwcymao.biz | udp |
| US | 8.8.8.8:53 | kiwcdsdsholapet.cc | udp |
| US | 8.8.8.8:53 | zxjaxkn.cc | udp |
| US | 8.8.8.8:53 | woakfeiq.biz | udp |
| US | 8.8.8.8:53 | zexahgn.cc | udp |
| US | 8.8.8.8:53 | axvqxufqbex.cc | udp |
| US | 8.8.8.8:53 | gquuzkuiwcymao.info | udp |
| US | 8.8.8.8:53 | aaiuwqeoya.net | udp |
| US | 8.8.8.8:53 | pghqjkn.cc | udp |
| US | 8.8.8.8:53 | uzvqlwnansnan.cc | udp |
| US | 8.8.8.8:53 | ykucaa.biz | udp |
| US | 8.8.8.8:53 | qcssiiiugkeq.biz | udp |
| US | 8.8.8.8:53 | aqgatkdsholapet.com | udp |
| US | 8.8.8.8:53 | gcbudqfqbex.org | udp |
| US | 8.8.8.8:53 | kyaqjqeoya.info | udp |
| US | 8.8.8.8:53 | ojjadufqbex.com | udp |
| US | 8.8.8.8:53 | lnbalkn.cc | udp |
| US | 8.8.8.8:53 | qamusaiq.net | udp |
| US | 8.8.8.8:53 | iqifpwiq.info | udp |
| US | 8.8.8.8:53 | pnlqxcn.org | udp |
| US | 8.8.8.8:53 | kyxapgfqbex.com | udp |
| US | 8.8.8.8:53 | qwypusiugkeq.net | udp |
| US | 8.8.8.8:53 | umywasiugkeq.net | udp |
| US | 8.8.8.8:53 | ahkucsdsholapet.org | udp |
| US | 8.8.8.8:53 | ynvyrenansnan.com | udp |
| US | 8.8.8.8:53 | gaoumyeoya.info | udp |
| US | 8.8.8.8:53 | qgeygo.biz | udp |
| US | 8.8.8.8:53 | unyxzwnansnan.cc | udp |
| US | 8.8.8.8:53 | lzdkmgn.com | udp |
| US | 8.8.8.8:53 | ygeergeoya.info | udp |
| US | 8.8.8.8:53 | geisjwiugkeq.net | udp |
| US | 8.8.8.8:53 | rxmprsfox.cc | udp |
| US | 8.8.8.8:53 | emzbngfqbex.com | udp |
| US | 8.8.8.8:53 | sqalbaiq.biz | udp |
| US | 8.8.8.8:53 | amauqaiq.info | udp |
| US | 8.8.8.8:53 | geubesdsholapet.cc | udp |
| US | 8.8.8.8:53 | bspscsfox.org | udp |
| US | 8.8.8.8:53 | keublkuiwcymao.net | udp |
| US | 8.8.8.8:53 | kyoeeguiwcymao.info | udp |
| US | 8.8.8.8:53 | tslyqsn.cc | udp |
| US | 8.8.8.8:53 | qzfunsdsholapet.com | udp |
| US | 8.8.8.8:53 | oeewscuiwcymao.biz | udp |
| US | 8.8.8.8:53 | qqwkxeiq.biz | udp |
| US | 8.8.8.8:53 | xxmaeifox.org | udp |
| US | 8.8.8.8:53 | uzpyfsdsholapet.cc | udp |
| US | 8.8.8.8:53 | ciggia.biz | udp |
| US | 8.8.8.8:53 | ymrhnqfqbex.cc | udp |
| US | 8.8.8.8:53 | pcxalgn.org | udp |
| US | 8.8.8.8:53 | ukgfpiiugkeq.biz | udp |
| US | 8.8.8.8:53 | wjdgayfqbex.com | udp |
| US | 8.8.8.8:53 | utpaimnansnan.com | udp |
| US | 8.8.8.8:53 | msakxcuiwcymao.info | udp |
| US | 8.8.8.8:53 | qkoooa.info | udp |
| US | 8.8.8.8:53 | qbhdgqfqbex.cc | udp |
| US | 8.8.8.8:53 | kargdqfqbex.org | udp |
| US | 8.8.8.8:53 | ckwnyo.info | udp |
| US | 8.8.8.8:53 | goegkmiq.info | udp |
| US | 8.8.8.8:53 | jkyudafox.cc | udp |
| US | 8.8.8.8:53 | mhvhuwnansnan.cc | udp |
| US | 8.8.8.8:53 | usijwsiugkeq.biz | udp |
| US | 8.8.8.8:53 | aoiykwiugkeq.net | udp |
| US | 8.8.8.8:53 | olwmqmnansnan.cc | udp |
| US | 8.8.8.8:53 | smdgmodsholapet.com | udp |
| US | 8.8.8.8:53 | cyaucwiugkeq.net | udp |
| US | 8.8.8.8:53 | msmqgeiq.net | udp |
| US | 8.8.8.8:53 | ouaivenansnan.org | udp |
| US | 8.8.8.8:53 | ccrkmmnansnan.org | udp |
| US | 8.8.8.8:53 | qcqgncuiwcymao.biz | udp |
| US | 8.8.8.8:53 | cieivs.net | udp |
| US | 8.8.8.8:53 | tlbocsn.org | udp |
| US | 8.8.8.8:53 | qpfxjqfqbex.cc | udp |
| US | 8.8.8.8:53 | gmgqys.biz | udp |
| US | 8.8.8.8:53 | wamyva.net | udp |
| US | 8.8.8.8:53 | oxkohanansnan.cc | udp |
| US | 8.8.8.8:53 | wgzstkdsholapet.cc | udp |
| US | 8.8.8.8:53 | qiwwws.net | udp |
| US | 8.8.8.8:53 | mmqmmyeoya.info | udp |
| US | 8.8.8.8:53 | nrpwvkn.org | udp |
| US | 8.8.8.8:53 | sofgjyfqbex.org | udp |
| US | 8.8.8.8:53 | soyuwiiugkeq.info | udp |
| US | 8.8.8.8:53 | ywyyoguiwcymao.info | udp |
| US | 8.8.8.8:53 | qxdwlyfqbex.cc | udp |
| US | 8.8.8.8:53 | cnnpvgfqbex.com | udp |
| US | 8.8.8.8:53 | gqegxaiugkeq.net | udp |
| US | 8.8.8.8:53 | eoicomiq.biz | udp |
| US | 8.8.8.8:53 | tkaunafox.com | udp |
| US | 8.8.8.8:53 | jbnscgn.org | udp |
| US | 8.8.8.8:53 | qkmowk.net | udp |
| US | 8.8.8.8:53 | mwcxwqeoya.net | udp |
| US | 8.8.8.8:53 | gvhapwnansnan.org | udp |
| US | 8.8.8.8:53 | omugoguiwcymao.biz | udp |
| US | 8.8.8.8:53 | sqsswaiugkeq.net | udp |
| US | 8.8.8.8:53 | fvniwcn.com | udp |
| US | 8.8.8.8:53 | ywqyma.info | udp |
| US | 8.8.8.8:53 | oaoxko.net | udp |
| US | 8.8.8.8:53 | uxllwufqbex.cc | udp |
| US | 8.8.8.8:53 | xwvnlkn.cc | udp |
| US | 8.8.8.8:53 | mmqxggeoya.biz | udp |
| US | 8.8.8.8:53 | oaiavsuiwcymao.info | udp |
| US | 8.8.8.8:53 | pdpagcn.com | udp |
| US | 8.8.8.8:53 | kghezufqbex.org | udp |
| US | 8.8.8.8:53 | qscagiiugkeq.info | udp |
| US | 8.8.8.8:53 | gowiaguiwcymao.biz | udp |
| US | 8.8.8.8:53 | bccyxifox.org | udp |
| US | 8.8.8.8:53 | jkfmzsfox.cc | udp |
| US | 8.8.8.8:53 | wqaqgkuiwcymao.biz | udp |
| US | 8.8.8.8:53 | wmuiysiugkeq.biz | udp |
| US | 8.8.8.8:53 | sgbenqfqbex.cc | udp |
| US | 8.8.8.8:53 | kupapmnansnan.com | udp |
| US | 8.8.8.8:53 | ugmqsguiwcymao.biz | udp |
| US | 8.8.8.8:53 | kkamwwiq.biz | udp |
| US | 8.8.8.8:53 | fksytsfox.cc | udp |
| US | 8.8.8.8:53 | shnslodsholapet.cc | udp |
| US | 8.8.8.8:53 | suaksiiugkeq.net | udp |
| US | 8.8.8.8:53 | qccsnsuiwcymao.info | udp |
| US | 8.8.8.8:53 | ggsltenansnan.cc | udp |
| US | 8.8.8.8:53 | gcxzranansnan.com | udp |
| US | 8.8.8.8:53 | qawgmaiugkeq.info | udp |
| US | 8.8.8.8:53 | kwcmukuiwcymao.info | udp |
| US | 8.8.8.8:53 | ihsqtsdsholapet.cc | udp |
| US | 8.8.8.8:53 | rnbubcn.cc | udp |
| US | 8.8.8.8:53 | soexaiiugkeq.info | udp |
| US | 8.8.8.8:53 | myzsrqfqbex.com | udp |
| US | 8.8.8.8:53 | quskxqeoya.info | udp |
| US | 8.8.8.8:53 | iqwayk.biz | udp |
| US | 8.8.8.8:53 | obmipkdsholapet.com | udp |
| US | 8.8.8.8:53 | qgxckenansnan.com | udp |
| US | 8.8.8.8:53 | asoqhiiugkeq.net | udp |
| US | 8.8.8.8:53 | mywyiwiugkeq.info | udp |
| US | 8.8.8.8:53 | apesfmnansnan.org | udp |
| US | 8.8.8.8:53 | xnbpnafox.cc | udp |
| US | 8.8.8.8:53 | icwlocuiwcymao.biz | udp |
| US | 8.8.8.8:53 | gkuyos.net | udp |
| US | 8.8.8.8:53 | zuauswfox.cc | udp |
| US | 8.8.8.8:53 | hqdgfwfox.cc | udp |
| US | 8.8.8.8:53 | imelesuiwcymao.net | udp |
| US | 8.8.8.8:53 | ykigoaiq.net | udp |
| US | 8.8.8.8:53 | yqfqbyfqbex.cc | udp |
| US | 8.8.8.8:53 | sixnssdsholapet.org | udp |
| US | 8.8.8.8:53 | ogeghaiq.net | udp |
| US | 8.8.8.8:53 | qqylhadsholapet.org | udp |
| US | 8.8.8.8:53 | kldfdkdsholapet.com | udp |
| US | 8.8.8.8:53 | usgxnaiugkeq.biz | udp |
| US | 8.8.8.8:53 | qckgaueoya.net | udp |
| US | 8.8.8.8:53 | msmeoadsholapet.cc | udp |
| US | 8.8.8.8:53 | fxdqpkn.com | udp |
| US | 8.8.8.8:53 | kwgsycuiwcymao.info | udp |
| US | 8.8.8.8:53 | iyiypsuiwcymao.net | udp |
| US | 8.8.8.8:53 | emonmanansnan.cc | udp |
| US | 8.8.8.8:53 | mphuxufqbex.org | udp |
| US | 8.8.8.8:53 | yasetcuiwcymao.info | udp |
| US | 8.8.8.8:53 | skqluqeoya.info | udp |
| US | 8.8.8.8:53 | xoyvgsfox.cc | udp |
| US | 8.8.8.8:53 | rxlolwfox.cc | udp |
| US | 8.8.8.8:53 | ameioyeoya.biz | udp |
| US | 8.8.8.8:53 | qbqctwnansnan.org | udp |
| US | 8.8.8.8:53 | jyzucifox.com | udp |
| US | 8.8.8.8:53 | koarak.net | udp |
| US | 8.8.8.8:53 | ikepswiq.info | udp |
| US | 8.8.8.8:53 | bapnrkn.cc | udp |
| US | 8.8.8.8:53 | tuhgwcn.cc | udp |
| US | 8.8.8.8:53 | qcsmryeoya.info | udp |
| US | 8.8.8.8:53 | oqecyaiugkeq.biz | udp |
| US | 8.8.8.8:53 | xwvgtsn.cc | udp |
| US | 8.8.8.8:53 | jqvxdafox.cc | udp |
| US | 8.8.8.8:53 | ycwgrgeoya.biz | udp |
| US | 8.8.8.8:53 | qqwggwiugkeq.biz | udp |
| US | 8.8.8.8:53 | pkpycifox.com | udp |
| US | 8.8.8.8:53 | ssogkguiwcymao.info | udp |
| US | 8.8.8.8:53 | oycegguiwcymao.biz | udp |
| US | 8.8.8.8:53 | ruieyafox.org | udp |
| US | 8.8.8.8:53 | syvoqyfqbex.org | udp |
| US | 8.8.8.8:53 | osqguwiugkeq.biz | udp |
| US | 8.8.8.8:53 | soccvo.info | udp |
| US | 8.8.8.8:53 | xwqgiafox.org | udp |
| US | 8.8.8.8:53 | dyrqpsfox.cc | udp |
| US | 8.8.8.8:53 | yuusoqeoya.info | udp |
| US | 8.8.8.8:53 | oocqps.net | udp |
| US | 8.8.8.8:53 | ahiudsdsholapet.com | udp |
| US | 8.8.8.8:53 | rozbdkn.cc | udp |
| US | 8.8.8.8:53 | ieyziwiugkeq.biz | udp |
| US | 8.8.8.8:53 | ywksayeoya.net | udp |
| US | 8.8.8.8:53 | rthapgn.cc | udp |
| US | 8.8.8.8:53 | rwlqzafox.org | udp |
| US | 8.8.8.8:53 | wuaecguiwcymao.net | udp |
| US | 8.8.8.8:53 | qmsskwiugkeq.info | udp |
| US | 8.8.8.8:53 | iuimamnansnan.cc | udp |
| US | 8.8.8.8:53 | owduxsdsholapet.org | udp |
| US | 8.8.8.8:53 | ewkcaeiq.net | udp |
| US | 8.8.8.8:53 | ioyuwkuiwcymao.net | udp |
| US | 8.8.8.8:53 | uvikfsdsholapet.cc | udp |
| US | 8.8.8.8:53 | fbroywfox.com | udp |
| US | 8.8.8.8:53 | wiaubkuiwcymao.info | udp |
| US | 8.8.8.8:53 | euupxqeoya.info | udp |
| US | 8.8.8.8:53 | wtiuzodsholapet.org | udp |
| US | 8.8.8.8:53 | ghfclqfqbex.org | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Local\Temp\fiesmefhpso.exe
| MD5 | b58393335b3621bfb1fc631823248577 |
| SHA1 | 315ffce8bae73f153679650cb580659cae1df77a |
| SHA256 | 6ea5753634bcae5b7fb519f8556eb8d09b0a7b547e3b0214e7141ce8e92302d9 |
| SHA512 | 456450a5dceb3f1cdbafb7d5f65766b1c5c0a3de04abaa2601b178b330dcfb217c4f362285055a5bb1daa88fa0dbdfb7810b05d073cc04ea540f7a4b5b9dc053 |
C:\Windows\SysWOW64\rhaofyqfoybwxwentj.exe
| MD5 | 11d1709b0283773db48c654533d3b83f |
| SHA1 | e82a0b7eaa8355619813ccd6f39b6d7d3258bf14 |
| SHA256 | c850d262eb8ae27093e6bbf4a35b73d8037a4e376ea971ad116037e01f0091a5 |
| SHA512 | ad946f0b6116965014f1cfd1278da83b81cce06a71d1ac4b567de6dc45b406705167eaba28537b52480bce63f247b55dd4cac9aa3fde8bd4ec11bd6558497a6a |
C:\Users\Admin\AppData\Local\Temp\ptacho.exe
| MD5 | 98c529f7da6878ab2353226aeb57033c |
| SHA1 | d8dcdc2d603b2902be8e131844058a99a12e7de5 |
| SHA256 | 78411a2638a164517cc02cccfb8761bf6accaf43fd99e89c2fab7139a233c5ae |
| SHA512 | 7f3425faa88a525a908d9717400cc55a95415e24da16dc00a86cdeaaf191d5d785809b61411add42e361a7003a49cbb722d2d313dc173518600d0a6541a89e78 |
C:\Users\Admin\AppData\Local\gddywwvrhyiksyndqnnig.fbr
| MD5 | b9b70be48a822c29530f5aa0336abe95 |
| SHA1 | 6339238b4546613554fb3bf1a82f1476c3ae8b90 |
| SHA256 | 31ed8227338c62790edefb49bd658420d4a402d2662978af498b3215a680d1bf |
| SHA512 | 38ec0183c5549bbd0b126f9f5e22f67087a8122e4463efe4717f90922db138d23a1ab390b5c17dbdf0a2355a395cd65330fadacd984c43ee931475ecde079bbc |
C:\Users\Admin\AppData\Local\bjuajuelmojwpgghfnyenyipqsnatkkl.rci
| MD5 | a16c320c8559071b86a35d0782911030 |
| SHA1 | 62c25e066937b8abddda0754cd9344441e4535ee |
| SHA256 | b44dcc6c98dc63afcf8ff4cda3145a1b00a7392a55ba4eb7ededb32f6ec1cee9 |
| SHA512 | 23a1fe88ce28133e38a96ced62e0a86c3c4cf7d562130d05b36b853e016a68d37f8c5611e1070b79f735192a2685ad1cab0b97eee4992e93e52638f31ca7af9c |
C:\Program Files (x86)\gddywwvrhyiksyndqnnig.fbr
| MD5 | 682b3f2e21d7a149d7439aef9b5ad39f |
| SHA1 | 111bb00c4bc96e894362f2cc43163391dc024858 |
| SHA256 | a1f930a42042c19ab4811bea450068b87d17047f1d8a33b40a43a501bbb6b6b2 |
| SHA512 | e472a469d0fc654e62275b5ff7938310bdc186c820f7b41d38efdc5791b3e443c1dd29ba0eba33d144288113c2d60a741c64515668455554fb923de98e19349f |
C:\Program Files (x86)\gddywwvrhyiksyndqnnig.fbr
| MD5 | 734ce331210b40713394968e6dc4c93e |
| SHA1 | 5f17cc0e12729ed311ed54f0ab3b76d2ce3c63c7 |
| SHA256 | c17803f1bb82285ba2a94cbd9d138978528a2577f285241cbc8033d1437cff06 |
| SHA512 | 8ff4fefb3ce6a4315672bb84948f4428c72026bbce88c7ce17eba00976e57616ba8d8ad00ea88d64ce041e779ec967b4a7aae453975d3f2413e2e9bfa9ce02c8 |
C:\Users\Admin\AppData\Local\gddywwvrhyiksyndqnnig.fbr
| MD5 | 0d303dbc8eb4d2b04919ee5644c89505 |
| SHA1 | 752b58c02afc0fd5f6eea544d445dade7d9dcf38 |
| SHA256 | 6c4ab9bf25a58b406732ce758f8e1f160cdb90907b543c75cc4d04520418455b |
| SHA512 | 87319e0aa12c688a17a8ca384e5b64e0975af3bf11ae1a493123f8394980cdbad7df041ac1c4bec33d6dd42b4c06153ef0a78e0bd9964b4357eb25ba1a2798fb |
C:\Users\Admin\AppData\Local\gddywwvrhyiksyndqnnig.fbr
| MD5 | 11bb0ae60e75d1a45fecbe6689417d25 |
| SHA1 | 2577ac29f0f4e599ac8707e6a48aac6548cc9b7a |
| SHA256 | 2a233b2e841b2d36dc61c2922e5bde93261fac4eec9988977c3076b7d2bb377c |
| SHA512 | 4f247715720cee667034161ad294b589f62570d434447ce37f2023398d53683e70cd53b0665e81eb114f3430e5087d9e7661ad838c7ccd1667121ecc369ca570 |
C:\Program Files (x86)\gddywwvrhyiksyndqnnig.fbr
| MD5 | 115b8cf5d79efbedcab1cc58b5eb08c2 |
| SHA1 | 4ab322bd9b41a59ae85f66e96fc802f4d0390806 |
| SHA256 | e3223efaaef2888bdadee996c613d571322ca03e19d6c4b47f621fdd51644ea9 |
| SHA512 | f8a7b6a3fd6d5b070d812294a6b5e997499e435f0e4ad2a1a6665c38c8c58497de5045cba3cf71be4cc57b434002671a369340c4a6ae7458790209ba80ea3f6d |
C:\Program Files (x86)\gddywwvrhyiksyndqnnig.fbr
| MD5 | 5cd04cb66b441a05b3e013ef9cc30e8e |
| SHA1 | bd7e3f1d5c6cfd08c3a46b96933d415ad6b8477c |
| SHA256 | 9d9bc7a03a7cd6ef38e18946540328bb9ec81bd51c5a5fc703d90b54e6c746b1 |
| SHA512 | 9bca44f962c62b41886888360d492e7d6b113e061e5882f44748d959da21eeb09ef9e17ec8215d67637aeaaed7a5e6888865e7d96cbce8179285375d86d0bdb9 |
C:\Program Files (x86)\gddywwvrhyiksyndqnnig.fbr
| MD5 | 0c8728caf4a05598caabb348cf9cdf5b |
| SHA1 | 0fa1dddb1ce4f7afc340bb7df7a0ae660933806c |
| SHA256 | 59e0e8254b911d499aea45a682b8f12093a61bb6bd0db1c4fed35ffa318c24eb |
| SHA512 | 092082a3ffdd5a90de32dc36e7c0bfbe8f95acf3621b451ff92703307cc1730dc91e89c0856763441ad5685f99fcc1f90bfb27a15e7d128a0bcbd4a04a350c86 |