Malware Analysis Report

2025-03-15 00:49

Sample ID 240626-p4jhdayall
Target 120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118
SHA256 b33c48e4e2a2c6dfd6a1c425e7703dc8e1da95a4842c8e18e60d09d4a18bcc7f
Tags defense_evasion evasion persistence trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256 b33c48e4e2a2c6dfd6a1c425e7703dc8e1da95a4842c8e18e60d09d4a18bcc7f

Threat Level: Known bad

The file 120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion evasion persistence trojan

Modifies WinLogon for persistence

UAC bypass

Adds policy Run key to start application

Disables RegEdit via registry modification

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Impair Defenses: Safe Mode Boot

Looks up external IP address via web service

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported 2024-06-26 12:52

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-26 12:52

Reported 2024-06-26 12:55

Platform win10v2004-20240611-en

Max time kernel 150s

Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejpx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjdzljapkcyhzvnlzd.exe" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouclwxkq = "fuldxhdsfyoipfzpl.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouclwxkq = "ymctmvqeqixqwlet.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouclwxkq = "zqjdzljapkcyhzvnlzd.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouclwxkq = "oewpkvsiwqhckbwnkx.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejpx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjdzljapkcyhzvnlzd.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouclwxkq = "bupljxxqheywhbzttjpid.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouclwxkq = "meytqdcukgzwgzwpodia.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejpx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupljxxqheywhbzttjpid.exe" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejpx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupljxxqheywhbzttjpid.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejpx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meytqdcukgzwgzwpodia.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejpx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewpkvsiwqhckbwnkx.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouclwxkq = "meytqdcukgzwgzwpodia.exe" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejpx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fuldxhdsfyoipfzpl.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouclwxkq = "ymctmvqeqixqwlet.exe" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mqwdml = "zqjdzljapkcyhzvnlzd.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "zqjdzljapkcyhzvnlzd.exe ." C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmvfrthot = "meytqdcukgzwgzwpodia.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qamzotkucqbq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjdzljapkcyhzvnlzd.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqwdml = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meytqdcukgzwgzwpodia.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mqwdml = "meytqdcukgzwgzwpodia.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meytqdcukgzwgzwpodia.exe ." C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqwdml = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupljxxqheywhbzttjpid.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "meytqdcukgzwgzwpodia.exe ." C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "bupljxxqheywhbzttjpid.exe ." C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnznrhqxku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meytqdcukgzwgzwpodia.exe ." C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewpkvsiwqhckbwnkx.exe ." C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqwdml = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjdzljapkcyhzvnlzd.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnznrhqxku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymctmvqeqixqwlet.exe ." C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mqwdml = "bupljxxqheywhbzttjpid.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mqwdml = "zqjdzljapkcyhzvnlzd.exe" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qamzotkucqbq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymctmvqeqixqwlet.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymctmvqeqixqwlet.exe ." C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ygqborgoug = "zqjdzljapkcyhzvnlzd.exe ." C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qamzotkucqbq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fuldxhdsfyoipfzpl.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmvfrthot = "bupljxxqheywhbzttjpid.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mqwdml = "fuldxhdsfyoipfzpl.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ygqborgoug = "oewpkvsiwqhckbwnkx.exe ." C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qamzotkucqbq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meytqdcukgzwgzwpodia.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmvfrthot = "meytqdcukgzwgzwpodia.exe" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmvfrthot = "fuldxhdsfyoipfzpl.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qamzotkucqbq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupljxxqheywhbzttjpid.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqwdml = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymctmvqeqixqwlet.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "fuldxhdsfyoipfzpl.exe ." C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmvfrthot = "zqjdzljapkcyhzvnlzd.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnznrhqxku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewpkvsiwqhckbwnkx.exe ." C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ygqborgoug = "ymctmvqeqixqwlet.exe ." C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqwdml = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fuldxhdsfyoipfzpl.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnznrhqxku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupljxxqheywhbzttjpid.exe ." C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupljxxqheywhbzttjpid.exe ." C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mqwdml = "oewpkvsiwqhckbwnkx.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqwdml = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meytqdcukgzwgzwpodia.exe" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnznrhqxku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymctmvqeqixqwlet.exe ." C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjdzljapkcyhzvnlzd.exe ." C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ygqborgoug = "fuldxhdsfyoipfzpl.exe ." C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ygqborgoug = "meytqdcukgzwgzwpodia.exe ." C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ygqborgoug = "bupljxxqheywhbzttjpid.exe ." C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qamzotkucqbq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewpkvsiwqhckbwnkx.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ygqborgoug = "zqjdzljapkcyhzvnlzd.exe ." C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmvfrthot = "oewpkvsiwqhckbwnkx.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "fuldxhdsfyoipfzpl.exe ." C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mqwdml = "ymctmvqeqixqwlet.exe" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\zqjdzljapkcyhzvnlzd.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\SysWOW64\caabexcawyxaqpsrwrcaab.xca C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\SysWOW64\meytqdcukgzwgzwpodia.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
File opened for modification C:\Windows\SysWOW64\smifetuogezykfezarysol.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\SysWOW64\ymctmvqeqixqwlet.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
File opened for modification C:\Windows\SysWOW64\oewpkvsiwqhckbwnkx.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File created C:\Windows\SysWOW64\caabexcawyxaqpsrwrcaab.xca C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\SysWOW64\ymctmvqeqixqwlet.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\SysWOW64\fuldxhdsfyoipfzpl.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
File opened for modification C:\Windows\SysWOW64\meytqdcukgzwgzwpodia.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\SysWOW64\oewpkvsiwqhckbwnkx.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
File created C:\Windows\SysWOW64\tcnznrhqxkuijthrhnjsdpdhxgnakyzjx.xdz C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\SysWOW64\bupljxxqheywhbzttjpid.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
File opened for modification C:\Windows\SysWOW64\zqjdzljapkcyhzvnlzd.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
File opened for modification C:\Windows\SysWOW64\tcnznrhqxkuijthrhnjsdpdhxgnakyzjx.xdz C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\SysWOW64\smifetuogezykfezarysol.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
File opened for modification C:\Windows\SysWOW64\fuldxhdsfyoipfzpl.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\SysWOW64\oewpkvsiwqhckbwnkx.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\SysWOW64\bupljxxqheywhbzttjpid.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\SysWOW64\ymctmvqeqixqwlet.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\SysWOW64\fuldxhdsfyoipfzpl.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\SysWOW64\bupljxxqheywhbzttjpid.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\SysWOW64\zqjdzljapkcyhzvnlzd.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
File opened for modification C:\Windows\SysWOW64\bupljxxqheywhbzttjpid.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
File opened for modification C:\Windows\SysWOW64\smifetuogezykfezarysol.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\caabexcawyxaqpsrwrcaab.xca C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File created C:\Program Files (x86)\caabexcawyxaqpsrwrcaab.xca C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Program Files (x86)\tcnznrhqxkuijthrhnjsdpdhxgnakyzjx.xdz C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File created C:\Program Files (x86)\tcnznrhqxkuijthrhnjsdpdhxgnakyzjx.xdz C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\meytqdcukgzwgzwpodia.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
File opened for modification C:\Windows\bupljxxqheywhbzttjpid.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
File opened for modification C:\Windows\oewpkvsiwqhckbwnkx.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\bupljxxqheywhbzttjpid.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\fuldxhdsfyoipfzpl.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\smifetuogezykfezarysol.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File created C:\Windows\caabexcawyxaqpsrwrcaab.xca C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\oewpkvsiwqhckbwnkx.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
File opened for modification C:\Windows\ymctmvqeqixqwlet.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\bupljxxqheywhbzttjpid.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\tcnznrhqxkuijthrhnjsdpdhxgnakyzjx.xdz C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\ymctmvqeqixqwlet.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
File opened for modification C:\Windows\smifetuogezykfezarysol.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\fuldxhdsfyoipfzpl.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
File opened for modification C:\Windows\smifetuogezykfezarysol.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
File opened for modification C:\Windows\zqjdzljapkcyhzvnlzd.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
File opened for modification C:\Windows\meytqdcukgzwgzwpodia.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\meytqdcukgzwgzwpodia.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
File opened for modification C:\Windows\oewpkvsiwqhckbwnkx.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\meytqdcukgzwgzwpodia.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\fuldxhdsfyoipfzpl.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
File opened for modification C:\Windows\oewpkvsiwqhckbwnkx.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
File opened for modification C:\Windows\bupljxxqheywhbzttjpid.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
File opened for modification C:\Windows\ymctmvqeqixqwlet.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\zqjdzljapkcyhzvnlzd.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\zqjdzljapkcyhzvnlzd.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
File opened for modification C:\Windows\smifetuogezykfezarysol.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
File opened for modification C:\Windows\fuldxhdsfyoipfzpl.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\zqjdzljapkcyhzvnlzd.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\caabexcawyxaqpsrwrcaab.xca C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File created C:\Windows\tcnznrhqxkuijthrhnjsdpdhxgnakyzjx.xdz C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
File opened for modification C:\Windows\ymctmvqeqixqwlet.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe
PID 1724 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe
PID 1724 wrote to memory of 3856 N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe
PID 3856 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe
PID 3856 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe
PID 3856 wrote to memory of 4760 N/A C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe
PID 3856 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe
PID 3856 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe
PID 3856 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe C:\Users\Admin\AppData\Local\Temp\zeltddp.exe
PID 1724 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe
PID 1724 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe
PID 1724 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\zeltddp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe

"C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe" "c:\users\admin\appdata\local\temp\120740fceaf7a90d28b61e4675a41a1b_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\zeltddp.exe

"C:\Users\Admin\AppData\Local\Temp\zeltddp.exe" "-C:\Users\Admin\AppData\Local\Temp\ymctmvqeqixqwlet.exe"

C:\Users\Admin\AppData\Local\Temp\zeltddp.exe

"C:\Users\Admin\AppData\Local\Temp\zeltddp.exe" "-C:\Users\Admin\AppData\Local\Temp\ymctmvqeqixqwlet.exe"

C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe

"C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe" "c:\users\admin\appdata\local\temp\120740fceaf7a90d28b61e4675a41a1b_jaffacakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 gldwfjbk.info udp
US 8.8.8.8:53 bcvuherif.info udp
US 8.8.8.8:53 ccumqokuuy.org udp
US 8.8.8.8:53 ujxfuttmifle.net udp
US 8.8.8.8:53 tsxpihmaz.net udp
US 8.8.8.8:53 nmokuqame.com udp
US 8.8.8.8:53 dyrrlkpgb.net udp
US 8.8.8.8:53 ieposk.info udp
US 8.8.8.8:53 zfyqaicv.net udp
US 8.8.8.8:53 jtjkqpygzy.net udp
US 8.8.8.8:53 cmaqegqw.com udp
US 8.8.8.8:53 hkzfbe.net udp
US 8.8.8.8:53 teofhgjztc.info udp
US 8.8.8.8:53 oudqwgrqu.net udp
US 8.8.8.8:53 dlenlm.net udp
US 8.8.8.8:53 zxycdqpchh.net udp
US 8.8.8.8:53 fjrdep.net udp
US 8.8.8.8:53 yhysaizsrrmo.net udp
US 8.8.8.8:53 nldqdvbfleex.net udp
US 8.8.8.8:53 rihfigppyj.info udp
US 8.8.8.8:53 oteebcttx.net udp
US 8.8.8.8:53 wegammfwzcp.net udp
US 8.8.8.8:53 drhdjqvr.info udp
US 8.8.8.8:53 soyoysouog.org udp
US 8.8.8.8:53 pkcxohvowirw.info udp
US 8.8.8.8:53 fzxisl.net udp
US 8.8.8.8:53 osguuuamaqyq.org udp
US 8.8.8.8:53 vmgzfroejk.net udp
US 8.8.8.8:53 uousmuseqe.com udp
US 8.8.8.8:53 wjfcsdyb.info udp
US 8.8.8.8:53 fqkivcouov.info udp
US 8.8.8.8:53 kmwkei.com udp
US 8.8.8.8:53 wnuapoho.net udp
US 8.8.8.8:53 skbatzjqbafv.net udp
US 8.8.8.8:53 xorwtfl.info udp
US 8.8.8.8:53 lwldae.net udp
US 8.8.8.8:53 nzzfvfehku.info udp
US 8.8.8.8:53 ihsqxemqgu.info udp
US 8.8.8.8:53 wweumwaoqm.com udp
US 8.8.8.8:53 udlytwazjqha.net udp
US 8.8.8.8:53 hfrcpwr.org udp
US 8.8.8.8:53 fapmez.net udp
US 8.8.8.8:53 ercuxepz.net udp
US 8.8.8.8:53 slrqkwuvzf.net udp
US 8.8.8.8:53 dwvohi.info udp
US 8.8.8.8:53 paalbz.info udp
US 8.8.8.8:53 mrnehqvllkoz.net udp
US 8.8.8.8:53 pvzvwibdjy.net udp
US 8.8.8.8:53 eqnljnhjvax.net udp
US 8.8.8.8:53 aigaeg.org udp
US 8.8.8.8:53 iorsfssgb.net udp
US 8.8.8.8:53 gkwuccsw.com udp
US 8.8.8.8:53 iasmea.com udp
US 8.8.8.8:53 bpysnyoolon.net udp
US 8.8.8.8:53 wggiaw.com udp
US 8.8.8.8:53 vojabs.info udp
US 8.8.8.8:53 qyvibcz.net udp
US 8.8.8.8:53 tjhabtt.info udp
US 8.8.8.8:53 dstutgjd.info udp
US 8.8.8.8:53 pfveuyfezshg.info udp
US 8.8.8.8:53 agswqeewoiay.com udp
US 8.8.8.8:53 jzkmle.net udp
US 8.8.8.8:53 gydcehncpl.net udp
US 8.8.8.8:53 vekbhuljcmt.net udp
US 8.8.8.8:53 valkehh.info udp
US 8.8.8.8:53 dichxzxc.info udp
BG 109.160.65.195:25202 tcp
US 8.8.8.8:53 wmvwweu.info udp
US 8.8.8.8:53 nrqiwrnxwcah.info udp
US 8.8.8.8:53 qswmqsaq.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 qqqcoscyie.com udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 ocnvjmf.info udp
US 8.8.8.8:53 wlhgfyh.net udp
US 8.8.8.8:53 wjvtvcqo.info udp
US 8.8.8.8:53 dpzepnwnudlt.net udp
US 8.8.8.8:53 lmuotunxzft.org udp
US 8.8.8.8:53 kgbmanpf.info udp
US 8.8.8.8:53 uewqvzpoasx.info udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 esgoseyyug.com udp
US 8.8.8.8:53 dudplt.net udp
US 8.8.8.8:53 bqjynswmzcx.net udp
US 8.8.8.8:53 zonfnaohbdz.info udp
US 8.8.8.8:53 inagoxllds.net udp
US 8.8.8.8:53 qmzysih.info udp
US 8.8.8.8:53 sdgmjmrxelqc.net udp
US 8.8.8.8:53 cjleudnxfzvs.info udp
US 8.8.8.8:53 jfvofzhyb.info udp
US 8.8.8.8:53 yopofpgs.info udp
US 8.8.8.8:53 rdomza.net udp
US 8.8.8.8:53 pktxfdoy.info udp
US 8.8.8.8:53 fgclljqb.info udp
US 8.8.8.8:53 lepuvcj.info udp
US 8.8.8.8:53 sbnwmhdd.info udp
US 8.8.8.8:53 yqjapdndp.net udp
US 8.8.8.8:53 cijyyfx.net udp
US 8.8.8.8:53 zqgctaon.info udp
US 8.8.8.8:53 rspdncfythn.com udp
US 8.8.8.8:53 dyjgrgngvyd.com udp
US 8.8.8.8:53 ratdzyzwonjb.info udp
US 8.8.8.8:53 pdiyvqi.net udp
US 8.8.8.8:53 ykyootwczm.info udp
US 8.8.8.8:53 vesyuca.net udp
US 8.8.8.8:53 twyjfppup.net udp
US 8.8.8.8:53 gsismgyk.com udp
US 8.8.8.8:53 puzropkpyzvy.info udp
US 8.8.8.8:53 jlkxbpfz.info udp
US 8.8.8.8:53 pcjkdb.net udp
US 8.8.8.8:53 tejarlqji.org udp
US 8.8.8.8:53 gkllimd.info udp
US 8.8.8.8:53 bovcffbcxiv.net udp
US 8.8.8.8:53 kefujkm.net udp
US 8.8.8.8:53 bypdbeft.net udp
US 8.8.8.8:53 finorok.com udp
US 8.8.8.8:53 osxativnzcn.net udp
US 8.8.8.8:53 mcdajeowl.net udp
US 8.8.8.8:53 yoyoplvry.net udp
US 8.8.8.8:53 znknpznpt.net udp
US 8.8.8.8:53 wvnxwtgs.info udp
US 8.8.8.8:53 wwmalejbofsi.net udp
US 8.8.8.8:53 hujnckw.info udp
US 8.8.8.8:53 vqibsnyp.net udp
US 8.8.8.8:53 kisiwi.org udp
US 8.8.8.8:53 scoexujxhsmd.info udp
US 8.8.8.8:53 qyutvn.net udp
US 8.8.8.8:53 kwoydb.net udp
US 8.8.8.8:53 kymmgs.org udp
US 8.8.8.8:53 lkutjcgidkx.com udp
US 8.8.8.8:53 cruftfwdx.info udp
US 8.8.8.8:53 yvcbvi.info udp
US 8.8.8.8:53 cwqoigaq.com udp
US 8.8.8.8:53 lpxsxak.info udp
US 8.8.8.8:53 ziiwdb.info udp
US 8.8.8.8:53 cwcqrss.info udp
US 8.8.8.8:53 vqdcqvhege.net udp
US 8.8.8.8:53 qbkmkfhqr.net udp
US 8.8.8.8:53 tvthukfpgo.info udp
US 8.8.8.8:53 gihptc.net udp
US 8.8.8.8:53 jnueoe.info udp
US 8.8.8.8:53 curmcwqggnz.info udp
US 8.8.8.8:53 yqsulei.info udp
US 8.8.8.8:53 ahwulap.net udp
US 8.8.8.8:53 comesqew.com udp
US 8.8.8.8:53 dpwthhxfnpje.info udp
US 8.8.8.8:53 rquzfqv.net udp
US 8.8.8.8:53 gwumgkswsk.com udp
US 8.8.8.8:53 yiqmeq.org udp
US 8.8.8.8:53 yugsiskqke.com udp
US 8.8.8.8:53 xzzomifo.net udp
US 8.8.8.8:53 hbalfcbztj.info udp
US 8.8.8.8:53 wgtkbakel.info udp
US 8.8.8.8:53 jijflhlbnek.info udp
LT 78.62.199.176:27468 tcp
US 8.8.8.8:53 zhdwnejrjxd.info udp
US 8.8.8.8:53 moecmwis.com udp
US 8.8.8.8:53 qgawyuaqcams.org udp
US 8.8.8.8:53 msqgswikuq.com udp
US 8.8.8.8:53 sceegskqagau.com udp
US 8.8.8.8:53 hsjnkjbsv.org udp
US 8.8.8.8:53 fwlsvqfxy.net udp
US 8.8.8.8:53 wrrpqs.net udp
US 8.8.8.8:53 wmmmnnvsb.net udp
US 8.8.8.8:53 pclhwb.info udp
US 8.8.8.8:53 bttqrqrpxsjv.info udp
US 8.8.8.8:53 wuwqimkoaqqm.com udp
US 8.8.8.8:53 fxvwboxva.org udp
US 8.8.8.8:53 ommkcakc.com udp
US 8.8.8.8:53 tkzkttrerse.org udp
US 8.8.8.8:53 psmcafpg.net udp
US 8.8.8.8:53 tfldcopk.net udp
US 8.8.8.8:53 zgjmyktmi.net udp
US 8.8.8.8:53 ukackqx.info udp
US 8.8.8.8:53 xmzqbkbh.net udp
US 8.8.8.8:53 syqcoscyie.com udp
US 8.8.8.8:53 mogwiuukouyg.org udp
US 8.8.8.8:53 yskmkw.org udp
US 8.8.8.8:53 aqaypoxqh.net udp
US 8.8.8.8:53 ppcoxwjyx.org udp
US 8.8.8.8:53 iefagqf.info udp
US 8.8.8.8:53 ksgmywwoiuea.org udp
US 8.8.8.8:53 hrnwxwh.net udp
US 8.8.8.8:53 gzjbtizoy.info udp
US 8.8.8.8:53 rqptzuzkw.net udp
US 8.8.8.8:53 uvlvqxyijddu.net udp
US 8.8.8.8:53 wymwsq.org udp
US 8.8.8.8:53 iahdyofgzpp.info udp
US 8.8.8.8:53 cuawkmecwmko.com udp
US 8.8.8.8:53 fdznrpnr.info udp
US 8.8.8.8:53 eqzmbmf.net udp
US 8.8.8.8:53 ekskoc.com udp
US 8.8.8.8:53 wdxhaicsckn.info udp
US 8.8.8.8:53 xwbgdcn.com udp
US 8.8.8.8:53 fknxpii.org udp
US 8.8.8.8:53 uwgeacfydia.info udp
US 8.8.8.8:53 zedslh.info udp
US 8.8.8.8:53 xrbklm.info udp
US 8.8.8.8:53 colixct.info udp
US 8.8.8.8:53 cuqmnczh.net udp
US 8.8.8.8:53 easidvnyuvd.net udp
US 8.8.8.8:53 vopcpx.net udp
US 8.8.8.8:53 smqwoaom.org udp
US 8.8.8.8:53 nrkqsv.info udp
BG 87.120.253.195:28638 tcp
US 8.8.8.8:53 ooquie.org udp
US 8.8.8.8:53 ebqncg.net udp
US 8.8.8.8:53 suicwlhzdsrh.net udp
US 8.8.8.8:53 ydbimcjg.net udp
US 8.8.8.8:53 vsmujv.net udp
US 8.8.8.8:53 pcjujygmb.net udp
US 8.8.8.8:53 kamaoeccsq.org udp
US 8.8.8.8:53 mgwccmqiws.org udp
US 8.8.8.8:53 chgstbfp.info udp
US 8.8.8.8:53 asqtxgqjsvsu.net udp
US 8.8.8.8:53 ckywwowmgu.com udp
US 8.8.8.8:53 chxgtdvbmk.net udp
US 8.8.8.8:53 gbkefcaj.net udp
US 8.8.8.8:53 nujjjhwmtcyu.info udp
US 8.8.8.8:53 wemaquqqyq.com udp
US 8.8.8.8:53 osfirsowmqo.info udp
US 8.8.8.8:53 pvqlykfq.net udp
US 8.8.8.8:53 lauwjsahfqe.com udp
US 8.8.8.8:53 pntqpnnct.net udp
US 8.8.8.8:53 jvcuyszjq.com udp
US 8.8.8.8:53 erbdxezj.info udp
US 8.8.8.8:53 umkkqmygcyic.com udp
US 8.8.8.8:53 wgwico.com udp
US 8.8.8.8:53 vmihlahazqo.net udp
US 8.8.8.8:53 euaaoob.info udp
US 8.8.8.8:53 sjhidpvhofx.net udp
US 8.8.8.8:53 cofqgl.info udp
US 8.8.8.8:53 rvblherphhvh.net udp
US 8.8.8.8:53 lkmiikaximld.info udp
US 8.8.8.8:53 nsfkeafrtjn.info udp
US 8.8.8.8:53 xijmxvls.net udp
US 8.8.8.8:53 gmxxmqvmnmu.net udp
US 8.8.8.8:53 difwbkm.com udp
US 8.8.8.8:53 reklrihmg.net udp
US 8.8.8.8:53 atbzdq.net udp
US 8.8.8.8:53 aowewswqsk.com udp
US 8.8.8.8:53 jtpdhst.org udp
US 162.249.65.164:80 jtpdhst.org tcp
US 8.8.8.8:53 uafjxkf.info udp
US 8.8.8.8:53 blnhzufvhjbg.info udp
US 8.8.8.8:53 uibimkrgbmc.info udp
US 8.8.8.8:53 hmswlujal.info udp
US 8.8.8.8:53 bfvbpfllrewl.net udp
US 8.8.8.8:53 thczmuyibt.info udp
US 8.8.8.8:53 imnqnbyod.info udp
US 8.8.8.8:53 xgcleeb.net udp
US 8.8.8.8:53 ogqkcu.org udp
US 8.8.8.8:53 fwhelldhzo.net udp
US 8.8.8.8:53 tbrpvoic.net udp
US 8.8.8.8:53 jcwvufddrnku.info udp
US 8.8.8.8:53 hdosthbpjx.net udp
US 8.8.8.8:53 hqhqghz.info udp
US 8.8.8.8:53 yvvwtcdubbd.net udp
US 8.8.8.8:53 qawyeiynivwz.info udp
US 8.8.8.8:53 kffoddfyzwln.info udp
US 8.8.8.8:53 pufmsnkufnei.info udp
US 8.8.8.8:53 gujricess.net udp
US 8.8.8.8:53 zlciwy.net udp
US 8.8.8.8:53 kasuiyek.com udp
US 8.8.8.8:53 ioqgzotabjde.net udp
US 8.8.8.8:53 fcciputfz.net udp
US 8.8.8.8:53 nuktbyb.net udp
US 8.8.8.8:53 rqsmlao.net udp
TR 78.187.15.155:33084 tcp
US 8.8.8.8:53 palxeidvfpd.org udp
US 8.8.8.8:53 eujwywdqzbn.info udp
US 8.8.8.8:53 hcibjm.net udp
US 8.8.8.8:53 zwjmxfu.com udp
US 8.8.8.8:53 yaiwwqauqmom.com udp
US 8.8.8.8:53 pbwkpxldr.org udp
US 8.8.8.8:53 ilotakteky.net udp
US 8.8.8.8:53 rsaatvbu.info udp
US 8.8.8.8:53 hvaoxbvrxh.net udp
US 8.8.8.8:53 mbpwcqlboe.info udp
US 8.8.8.8:53 puprddkjex.net udp
US 8.8.8.8:53 nvkegmombev.info udp
US 8.8.8.8:53 gkqgwa.com udp
US 8.8.8.8:53 hwhlnuvwuah.com udp
US 8.8.8.8:53 ypcbzv.net udp
US 8.8.8.8:53 fbbgdpmofa.net udp
US 8.8.8.8:53 swoiauyiumwe.com udp
US 8.8.8.8:53 tapcqehwm.org udp
US 8.8.8.8:53 zdfqxmraf.org udp
US 162.249.65.164:80 zdfqxmraf.org tcp
US 8.8.8.8:53 jckzybggww.net udp
US 8.8.8.8:53 bixsou.info udp
US 8.8.8.8:53 vkksjij.info udp
US 8.8.8.8:53 rzypsgyelbpq.info udp
US 8.8.8.8:53 uingks.info udp
US 8.8.8.8:53 omuejyvdsq.info udp
US 8.8.8.8:53 podzfziejc.info udp
US 8.8.8.8:53 ebxkxemf.net udp
US 8.8.8.8:53 reduridszip.com udp
US 8.8.8.8:53 jvmkdb.info udp
US 8.8.8.8:53 vsfgngxssqp.org udp
US 8.8.8.8:53 dhfqbtvckgph.net udp
US 8.8.8.8:53 gyzonqd.net udp
US 8.8.8.8:53 kyqugqywge.com udp
US 8.8.8.8:53 lacqmuqwelf.net udp
US 8.8.8.8:53 vachbyj.com udp
US 8.8.8.8:53 gefgtkx.net udp
US 8.8.8.8:53 qegyoeqaiwgy.com udp
US 8.8.8.8:53 gounbviz.info udp
US 8.8.8.8:53 hyustwrl.info udp
RU 81.201.246.182:35905 tcp
US 8.8.8.8:53 iciaiuykiqcq.com udp
US 8.8.8.8:53 caaaigqkmiae.org udp
US 162.249.65.164:80 caaaigqkmiae.org tcp
US 8.8.8.8:53 ukdofop.net udp
US 8.8.8.8:53 aktvscn.net udp
US 8.8.8.8:53 pyjfbsisnywu.net udp
US 8.8.8.8:53 wyjido.info udp
US 8.8.8.8:53 zxfgvmk.info udp
US 8.8.8.8:53 nadqrenh.net udp
US 8.8.8.8:53 jhtoyqf.net udp
US 8.8.8.8:53 ucuacmcmas.com udp
US 8.8.8.8:53 weyrtj.net udp
US 8.8.8.8:53 kzxjhgaeni.net udp
US 8.8.8.8:53 tjvsdajo.info udp
US 8.8.8.8:53 sihixqp.net udp
US 8.8.8.8:53 soagnufzvmc.net udp
US 8.8.8.8:53 cajvxe.info udp
US 8.8.8.8:53 kcbzncjbqapl.info udp
US 8.8.8.8:53 wcjlrwzpsydn.info udp
US 8.8.8.8:53 vgpaqnjfkkd.com udp
US 8.8.8.8:53 jfzciyx.org udp
US 162.249.65.164:80 jfzciyx.org tcp
BG 78.90.75.153:32958 tcp
US 8.8.8.8:53 nhsmjqdstc.info udp
US 8.8.8.8:53 fgbchcfumog.info udp
US 8.8.8.8:53 yaeemmygcgom.com udp
US 8.8.8.8:53 nwtgsyuxbyvz.info udp
US 8.8.8.8:53 rwfwzdclae.net udp
US 8.8.8.8:53 sidlvctfcd.net udp
US 8.8.8.8:53 uohkrmicx.net udp
US 8.8.8.8:53 sweeic.org udp
US 8.8.8.8:53 scqikm.org udp
US 8.8.8.8:53 cxhpao.info udp
US 8.8.8.8:53 mmqmmiksgmum.org udp
US 8.8.8.8:53 qgsyyuayos.com udp
US 8.8.8.8:53 ehwoqrboiogy.net udp
US 8.8.8.8:53 igcnzhzbyw.net udp
US 8.8.8.8:53 caqmlebv.net udp
US 8.8.8.8:53 bmzdfoks.info udp
US 8.8.8.8:53 sorotygo.net udp
US 8.8.8.8:53 lsxiiqtwxqr.info udp
US 8.8.8.8:53 dezfgsjb.info udp
US 8.8.8.8:53 coiaemzexxch.info udp
US 8.8.8.8:53 maeecagi.org udp
US 8.8.8.8:53 gsmrduxntn.info udp
US 8.8.8.8:53 yiicek.com udp
US 8.8.8.8:53 usmecwqwes.com udp
US 8.8.8.8:53 drzqzpp.net udp
US 8.8.8.8:53 kpnvjzjdnafo.info udp
US 8.8.8.8:53 yqnknyjgf.net udp
US 8.8.8.8:53 eusyiwkuysuq.org udp
US 8.8.8.8:53 tirnpwmcwmd.org udp
US 8.8.8.8:53 uobmfgjcztv.info udp
US 8.8.8.8:53 vabibbc.info udp
US 8.8.8.8:53 advqhrwvss.net udp
US 8.8.8.8:53 eeiuwoyqsscg.com udp
US 8.8.8.8:53 pkfdpch.com udp
US 8.8.8.8:53 kuikiwiw.org udp
US 8.8.8.8:53 xfvqmg.info udp
US 8.8.8.8:53 zwlosf.info udp
US 8.8.8.8:53 zusbpnvlif.info udp
US 8.8.8.8:53 pgliatwntj.net udp
US 8.8.8.8:53 bdjouyjaeeb.net udp
US 8.8.8.8:53 qinzzyctzscv.info udp
US 8.8.8.8:53 zmtkywp.org udp
US 162.249.65.164:80 zmtkywp.org tcp
US 8.8.8.8:53 gmaogsoege.org udp
US 8.8.8.8:53 hozqvimincu.net udp
US 8.8.8.8:53 nnwwgplutoaa.info udp
US 8.8.8.8:53 gddyts.net udp
US 8.8.8.8:53 rrkmwnrm.net udp
US 8.8.8.8:53 efrdvj.info udp
US 8.8.8.8:53 eliafxhjmfn.net udp
US 8.8.8.8:53 juhpwusaizyj.info udp
US 8.8.8.8:53 iuyfyqx.net udp
US 8.8.8.8:53 pvewjnuz.info udp
US 8.8.8.8:53 dzpmjawy.net udp
US 8.8.8.8:53 iqswkiiwsm.com udp
US 8.8.8.8:53 zfufibqgp.info udp
US 8.8.8.8:53 yceqcskoeg.org udp
US 162.249.65.164:80 yceqcskoeg.org tcp
US 8.8.8.8:53 smkkusaw.com udp
US 8.8.8.8:53 adomofxvpaq.net udp
US 8.8.8.8:53 qawxtu.net udp
US 8.8.8.8:53 kmuiqqiwumow.com udp
US 8.8.8.8:53 pkyhryr.com udp
US 8.8.8.8:53 lwpshcumfy.net udp
US 8.8.8.8:53 hymalfmxf.org udp
US 8.8.8.8:53 cgwgaguesg.org udp
US 162.249.65.164:80 cgwgaguesg.org tcp
US 8.8.8.8:53 nptnxwtqn.net udp
US 8.8.8.8:53 vslfxlrum.info udp
US 8.8.8.8:53 qkogdsn.net udp
US 8.8.8.8:53 cazkgtf.info udp
US 8.8.8.8:53 lmotmynorj.info udp
US 8.8.8.8:53 kwevfh.info udp
US 8.8.8.8:53 julxerwaocda.net udp
US 8.8.8.8:53 xrkzfeew.net udp
US 8.8.8.8:53 mohwhul.info udp
US 8.8.8.8:53 kwudkgrjjmxe.net udp
US 8.8.8.8:53 kmvqiujn.info udp
US 8.8.8.8:53 csbjegdy.net udp
US 8.8.8.8:53 fsitat.info udp
US 8.8.8.8:53 nhzaoabuak.info udp
US 8.8.8.8:53 rehcryb.info udp
US 8.8.8.8:53 nkybtwpgzoi.info udp
US 8.8.8.8:53 casuoskm.org udp
US 8.8.8.8:53 uhomvhrcp.info udp
US 8.8.8.8:53 gwmeafacbwrh.info udp
US 8.8.8.8:53 tuzmpmtt.net udp
US 8.8.8.8:53 kzvsamqv.net udp
US 8.8.8.8:53 qkdqch.net udp
US 8.8.8.8:53 disswbwid.info udp
US 8.8.8.8:53 ivhcmej.info udp
US 8.8.8.8:53 zxgngtzz.info udp
US 8.8.8.8:53 ybsuebgirh.info udp
US 8.8.8.8:53 xezranfm.net udp
US 8.8.8.8:53 jiuacev.com udp
US 8.8.8.8:53 eaisokwcuc.com udp
US 8.8.8.8:53 ycgnvcios.net udp
US 8.8.8.8:53 oaxybkrkbnh.net udp
US 8.8.8.8:53 kgroexxj.info udp
US 8.8.8.8:53 fcrxkspz.net udp
US 8.8.8.8:53 lblxlwomf.net udp
US 8.8.8.8:53 fqeeflyxnmx.info udp
US 8.8.8.8:53 gecuvliijwx.info udp
US 8.8.8.8:53 ekamqi.org udp
US 162.249.65.164:80 ekamqi.org tcp
US 8.8.8.8:53 rgxnusp.com udp
US 8.8.8.8:53 xlhnemw.info udp
US 8.8.8.8:53 fawjawcovn.net udp
US 8.8.8.8:53 cvwpfiesyd.info udp
US 8.8.8.8:53 zrnunoxrvex.com udp
US 8.8.8.8:53 bltmage.net udp
US 8.8.8.8:53 vvvtqw.info udp
US 8.8.8.8:53 amhsiqjwugt.net udp
US 8.8.8.8:53 dawhui.net udp
US 8.8.8.8:53 hyafbvpm.net udp
US 8.8.8.8:53 qkmciiwa.org udp
US 8.8.8.8:53 nuqrzqrr.info udp
US 8.8.8.8:53 iwkgqakcoo.org udp
US 8.8.8.8:53 eqcsskwyyiug.org udp
US 162.249.65.164:80 eqcsskwyyiug.org tcp
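
The flow list above has three populations worth separating: several hundred UDP/53 lookups of pseudo-random names spread over .net, .org, .info and .com, of which only a handful (auowmaggsumq.org, oqyegm.org, jtpdhst.org and a few more) are followed by a TCP connection, every one of them to 162.249.65.164:80; TCP rows with no hostname at all, going to addresses in BG, LT, RU and TR on high ports; and sandbox background such as tse1.mm.bing.net and the in-addr.arpa reverse lookups. The Python below is an added triage script, not part of this report or of the sandbox that produced it. It parses rows in the report's own layout and computes the DGA signal a practitioner actually uses: many distinct generated names with almost none of them going anywhere. Because the report has no answer column, "queried but never connected to" stands in for an NXDOMAIN rate. Treating .bing.net and in-addr.arpa as background, the per-name filter, and the thresholds are assumptions; the embedded rows are copied verbatim from the list above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Row layout used in the report: "<country> <ip>:<port> [<hostname>] <udp|tcp>".
LINE_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?:(?P<host>\S+)\s+)?(?P<proto>udp|tcp)$"
)
# Assumption: sandbox background noise (Windows tile fetches, reverse lookups) that must not count.
BENIGN_SUFFIXES = (".bing.net", ".in-addr.arpa")

# Verbatim excerpt of the rows listed above (not constructed).
SAMPLE_LOG = """\
US 8.8.8.8:53 rvhimhnadom.net udp
US 8.8.8.8:53 aoqawaiaioew.org udp
US 8.8.8.8:53 ohzkfe.net udp
US 8.8.8.8:53 zmaquu.net udp
US 8.8.8.8:53 kyaoys.org udp
US 8.8.8.8:53 dsyopqtp.net udp
US 8.8.8.8:53 iljlbgd.info udp
US 8.8.8.8:53 bqnqljllbyn.com udp
US 8.8.8.8:53 ueliaye.net udp
US 8.8.8.8:53 wuihibpv.net udp
US 8.8.8.8:53 bkjkuyve.info udp
US 8.8.8.8:53 kiacqceaaaky.com udp
US 8.8.8.8:53 rnportgex.net udp
US 8.8.8.8:53 exfrbbbwjctj.net udp
US 8.8.8.8:53 criptaewpfvq.info udp
US 8.8.8.8:53 aygeuayskosm.com udp
US 8.8.8.8:53 jjpetbkub.org udp
US 8.8.8.8:53 ozdbxljg.info udp
US 8.8.8.8:53 akridp.info udp
US 8.8.8.8:53 iexcrxzkl.info udp
BG 79.132.3.194:44788 tcp
US 8.8.8.8:53 auowmaggsumq.org udp
US 162.249.65.164:80 auowmaggsumq.org tcp
BG 87.97.186.98:26588 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 oqyegm.org udp
US 162.249.65.164:80 oqyegm.org tcp
"""

@dataclass(frozen=True)
class NetEvent:
    country: str
    ip: str
    port: int
    host: Optional[str]   # None for the direct-to-IP rows
    proto: str

def parse_line(line: str) -> Optional[NetEvent]:
    m = LINE_RE.match(line.strip())
    return NetEvent(m["cc"], m["ip"], int(m["port"]), m["host"], m["proto"]) if m else None

def parse_log(text: str) -> List[NetEvent]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

def looks_generated(label: str) -> bool:
    # Weak per-name filter that every name in this report passes: 6-12 lowercase letters, no digits or hyphens.
    return 6 <= len(label) <= 12 and label.isalpha() and label.islower()

def dga_summary(events: List[NetEvent]) -> Dict[str, object]:
    queried = [e.host for e in events
               if e.proto == "udp" and e.port == 53 and e.host and not e.host.endswith(BENIGN_SUFFIXES)]
    connected = {e.host for e in events if e.proto == "tcp" and e.host}
    candidates = {h for h in queried if "." in h and looks_generated(h.rsplit(".", 1)[0])}
    contacted = sorted(h for h in candidates if h in connected)
    return {
        "queried": len(queried),
        "candidates": len(candidates),
        "tlds": dict(Counter(h.rsplit(".", 1)[1] for h in candidates)),
        "contacted": contacted,
        # No answer column in the report, so "queried but never connected to" stands in for NXDOMAIN.
        "resolution_rate": len(contacted) / len(candidates) if candidates else 0.0,
    }

def dga_verdict(events: List[NetEvent], min_candidates: int = 50, max_resolution: float = 0.10) -> bool:
    # Assumed thresholds: many distinct generated names, almost none of which lead to a connection.
    s = dga_summary(events)
    return bool(s["candidates"] >= min_candidates and s["resolution_rate"] <= max_resolution)

def peer_connections(events: List[NetEvent]) -> List[Tuple[str, str, int]]:
    # TCP straight to an address with no name lookup, on a non-service port: peer-to-peer style contact.
    return [(e.country, e.ip, e.port) for e in events if e.proto == "tcp" and e.host is None and e.port > 1024]

def resolved_generated(events: List[NetEvent]) -> List[Tuple[str, str, int]]:
    # The generated names that did lead somewhere, and where: the addresses to verify before calling them C2.
    return sorted({(e.host, e.ip, e.port) for e in events
                   if e.proto == "tcp" and e.host and looks_generated(e.host.rsplit(".", 1)[0])})

if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print(dga_summary(ev))
    print("DGA-like:", dga_verdict(ev, min_candidates=20))  # the full list above has several hundred names
    print("peers:", peer_connections(ev))
    print("resolved generated names:", resolved_generated(ev))
```

Two caveats when reading the output. One address answering for many generated names, as 162.249.65.164 does here, is exactly what a sinkhole or a registrar parking page looks like, so establish what it is before listing it as command and control. And the direct-to-IP rows are the part that survives a domain takedown; those addresses, the port range and the country mix are the indicators to carry over to network telemetry on real hosts, compared against each host's own baseline rather than against the sandbox's short run.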

Files

C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe

MD5 a65f9e9778022e24ab2653d9cf5f69ea
SHA1 9fdb856b8b19d33bd1aa992728da9954c1019b58
SHA256 b8c249884491bacb4bc994b69e2319584de66ef9321fdd245f0a610b4726c5d7
SHA512 3960372388f3ab78559570f402816f798cc5698b0a021571575b4f634be88395f9b7aa69d0ef46a6e8da8c428c28c2c22ec970a925ce2ce6ad88384823487f83

C:\Windows\SysWOW64\oewpkvsiwqhckbwnkx.exe

MD5 120740fceaf7a90d28b61e4675a41a1b
SHA1 5a775bc4a73a237e17e6058a0d2bafb663faf477
SHA256 b33c48e4e2a2c6dfd6a1c425e7703dc8e1da95a4842c8e18e60d09d4a18bcc7f
SHA512 27c4068d0b6374d8191204263c507d5317a7fc1cae4a0a24e57385157bf390993e1becfa28df9264ddb225ac9cafc926e8e87fdf00c939ccf962496f04c5f490

C:\Users\Admin\AppData\Local\Temp\zeltddp.exe

MD5 29b59329af2880c1193f705e23cf34e4
SHA1 58fa192a5bfa0d9fd30d7cc1dfce6ed5d4513c57
SHA256 8d9f8fdc948796003e86d64e82b55a35ebff99b74d221ce466f2db5a36b943cf
SHA512 dd3df3b43bfa4cbaf56d986924897c6ce58340c15b03b027ee065f764ebbc186405e2cffab2dcdb0e8e0a5b7509490eb02cc0589988d9621db91976797e601ba

C:\Users\Admin\AppData\Local\caabexcawyxaqpsrwrcaab.xca

MD5 88cb7aabf14fd962a7f72d867dd7cd51
SHA1 64ceb6c4ae3b08bf802f00e95157ef93e01a5397
SHA256 05b75f4b5c32691c49a2221df28dc06f0f5a03de31fd6e88689d18a243fa99a8
SHA512 11bd4ae3da82ed9b623e4f6cc05008512217ddfaa68629b5237e7de7d430bb261da6d3d99641d779a580c8baa37b3b38528f5262f7527f66b753c0b4bc2fc094

C:\Users\Admin\AppData\Local\tcnznrhqxkuijthrhnjsdpdhxgnakyzjx.xdz

MD5 cd18effc7319ccb59a6469984380a079
SHA1 a85c88c81ace446854e9cc6445c8e8bd78529f05
SHA256 b93324c196cddc72ec608603cfd7a012decfd26b0bf79eb9074caa1e921aeb00
SHA512 8bde9b29fe7491165e462621b9505d09bffff8d2cc4e8798a755faa9087f70b9b7c03dd7e4538d810c5dba126c116436d9470071f943d56e426bd9cf64e7170d

C:\Program Files (x86)\caabexcawyxaqpsrwrcaab.xca

MD5 c3a765524694e3131aba30e206e82eea
SHA1 f56084435398624f362b170e43d1da27b6d74e86
SHA256 c36a9238405e35a52cd64c20deb7cdfa26d6d8a949fa0e7e30484483a69b183f
SHA512 d30eb29a397d9a3bc888b784e2b15d0f63a0db91ee8e6844484b8a24875c303645a3b21981db99a95d7de6c33f804d08f4a5fbdfd8821287829e13a28923c9cb

C:\Program Files (x86)\caabexcawyxaqpsrwrcaab.xca

MD5 938e3e795251dadf5c6ca408920b20e5
SHA1 d4fb010bc30c7bb8760f3efe5ae757abe37582db
SHA256 6932f5323f5e8145f91fb4784887e6b3968e3e215ee13ace7c80075cdb9e0757
SHA512 5f90843777ad2f692c612a57d9665fb2048c75dbb02105deb2787282ae98ca6e53a72965b1eb1d913356e6baa5d68544b8b5add25931e81092b28f5e34e3e779

C:\Program Files (x86)\caabexcawyxaqpsrwrcaab.xca

MD5 5e85e3939974696eb9fb5769bd93a422
SHA1 73f6b0d60130e33b81077176b9c6d14d1b928dff
SHA256 dd2a81d078bd5746ba40d44e7d609614e3255a3eb91408d77351e14048b275b5
SHA512 919f7f1375e921e34586d5ab20aee2fca1aefccbe3c12bd2a81251bc7f9755f6fa738fd8cddf47ee1c1b02d419bfe6c6bd80d0907af84583897fa41235b25ff5

C:\fmvfrthot.bat

MD5 6addea9ce46bd542554102adc15168cc
SHA1 d487e4c6b8bb6837f518608893d433710e0c2b6a
SHA256 90f82200d63db36cc2d0644ad299dd5466018f6a9580b4eb6b04f2168ac4ddeb
SHA512 aaf2e243ef5d1dc6561b18fd79c674d3c6522e87201b341db92c208130b63e6a2566afc29e2093c86d3d2d4a8505f5c57cbf7c945a38091837dfa9c65af8bb12

C:\Program Files (x86)\caabexcawyxaqpsrwrcaab.xca

MD5 d8dcd8f5657651cd951091716f889538
SHA1 a7f80e850595aaa07b67befae27bb1de99b42863
SHA256 fe25156275ac74bbe45bc4e02e536a713a76f34314d6cbd23e6e80dd4a93e0e7
SHA512 b1b1d04e0c95cccbfa2fe760150fc28eb2c201e60161d4123b27abe54eb8dd881795b4b3b8a92b8d106fffcbd39087fb90bc37f8fc0e8457ce2cbee0d255af3a

C:\Users\Admin\AppData\Local\caabexcawyxaqpsrwrcaab.xca

MD5 651e638280fc8c5fda8c63ee3b9e5e3b
SHA1 7efa0b5f90dc2b213b97e3b62bf36a01f6c6facf
SHA256 fbeac60f69ad67efb4e011fd8730d6b1b7ba07ffc1dedf9fb94327c946de0387
SHA512 3d31091737296c890fe98bd01d17ee8ca4a958ed9219f404426005f017179b5fa46f535637ac447278a425c2220e96e2f80cc84a02d839a769081055fe28824a
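
Two things in the listing above are worth pulling out mechanically rather than by eye. C:\Windows\SysWOW64\oewpkvsiwqhckbwnkx.exe carries exactly the MD5, SHA1, SHA256 and SHA512 of the submitted sample, so it is the sample copying itself into System32 under a random name, not a second payload. And C:\Program Files (x86)\caabexcawyxaqpsrwrcaab.xca appears four times with four different digests: one file rewritten during the run, which makes its hashes useless as indicators. The Python below is an added example, not code from this report or the sandbox. It parses the listing in the report's own layout, checks that every digest has the length its algorithm requires (a truncated paste is a common way to end up with a useless indicator), and sorts records into self-copies of the parent, paths rewritten with changing content, and new executable content whose hashes deserve a separate lookup. The set of extensions treated as executable is an assumption; the embedded records are a verbatim excerpt of the listing above.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

PARENT_SHA256 = "b33c48e4e2a2c6dfd6a1c425e7703dc8e1da95a4842c8e18e60d09d4a18bcc7f"  # submitted sample, from the header
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
EXEC_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".ps1")  # assumption: what counts as executable content

# Verbatim excerpt of the listing above, in the report's own layout.
LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe

MD5 a65f9e9778022e24ab2653d9cf5f69ea
SHA1 9fdb856b8b19d33bd1aa992728da9954c1019b58
SHA256 b8c249884491bacb4bc994b69e2319584de66ef9321fdd245f0a610b4726c5d7
SHA512 3960372388f3ab78559570f402816f798cc5698b0a021571575b4f634be88395f9b7aa69d0ef46a6e8da8c428c28c2c22ec970a925ce2ce6ad88384823487f83

C:\Windows\SysWOW64\oewpkvsiwqhckbwnkx.exe

MD5 120740fceaf7a90d28b61e4675a41a1b
SHA1 5a775bc4a73a237e17e6058a0d2bafb663faf477
SHA256 b33c48e4e2a2c6dfd6a1c425e7703dc8e1da95a4842c8e18e60d09d4a18bcc7f
SHA512 27c4068d0b6374d8191204263c507d5317a7fc1cae4a0a24e57385157bf390993e1becfa28df9264ddb225ac9cafc926e8e87fdf00c939ccf962496f04c5f490

C:\Program Files (x86)\caabexcawyxaqpsrwrcaab.xca

MD5 c3a765524694e3131aba30e206e82eea
SHA1 f56084435398624f362b170e43d1da27b6d74e86
SHA256 c36a9238405e35a52cd64c20deb7cdfa26d6d8a949fa0e7e30484483a69b183f
SHA512 d30eb29a397d9a3bc888b784e2b15d0f63a0db91ee8e6844484b8a24875c303645a3b21981db99a95d7de6c33f804d08f4a5fbdfd8821287829e13a28923c9cb

C:\Program Files (x86)\caabexcawyxaqpsrwrcaab.xca

MD5 938e3e795251dadf5c6ca408920b20e5
SHA1 d4fb010bc30c7bb8760f3efe5ae757abe37582db
SHA256 6932f5323f5e8145f91fb4784887e6b3968e3e215ee13ace7c80075cdb9e0757
SHA512 5f90843777ad2f692c612a57d9665fb2048c75dbb02105deb2787282ae98ca6e53a72965b1eb1d913356e6baa5d68544b8b5add25931e81092b28f5e34e3e779

C:\fmvfrthot.bat

MD5 6addea9ce46bd542554102adc15168cc
SHA1 d487e4c6b8bb6837f518608893d433710e0c2b6a
SHA256 90f82200d63db36cc2d0644ad299dd5466018f6a9580b4eb6b04f2168ac4ddeb
SHA512 aaf2e243ef5d1dc6561b18fd79c674d3c6522e87201b341db92c208130b63e6a2566afc29e2093c86d3d2d4a8505f5c57cbf7c945a38091837dfa9c65af8bb12
"""

@dataclass
class FileRecord:
    path: str
    hashes: Dict[str, str] = field(default_factory=dict)  # algorithm -> lowercase hex digest

def parse_listing(text: str) -> List[FileRecord]:
    records: List[FileRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if PATH_RE.match(line):
            records.append(FileRecord(line))
        elif m and records:
            records[-1].hashes[m.group(1)] = m.group(2).lower()
        else:
            raise ValueError(f"unrecognised listing line: {line!r}")
    return records

def malformed(records: List[FileRecord]) -> List[str]:
    # A digest of the wrong length is a truncated paste or a mangled report, not a usable indicator.
    return [f"{r.path}: {algo} has {len(d)} hex chars" for r in records
            for algo, d in r.hashes.items() if len(d) != HASH_LEN[algo]]

def triage(records: List[FileRecord], parent_sha256: str = PARENT_SHA256) -> Dict[str, object]:
    by_path = defaultdict(set)
    for r in records:
        if "SHA256" in r.hashes:
            by_path[r.path].add(r.hashes["SHA256"])
    return {
        # Same SHA256 as the submitted sample: the sample copying itself, not a second payload.
        "self_copies": sorted(r.path for r in records if r.hashes.get("SHA256") == parent_sha256),
        # One path, several digests: a file rewritten during the run (state or config); hash it last, not first.
        "rewritten": {p: len(h) for p, h in by_path.items() if len(h) > 1},
        # Executable content that is not the parent: the digests worth a separate reputation lookup.
        "new_executables": sorted(h for p, hs in by_path.items() if p.lower().endswith(EXEC_EXT)
                                  for h in hs if h != parent_sha256),
    }

if __name__ == "__main__":
    recs = parse_listing(LISTING)
    print("malformed:", malformed(recs) or "none")
    for name, value in triage(recs).items():
        print(f"{name}: {value}")
```

The parser deliberately rejects any line that is neither a drive path nor a hash row, so a header or a stray table line copied into the input fails loudly instead of silently attaching hashes to the wrong file. For the full listing above, the same logic also marks the .xca copy under AppData\Local as rewritten and leaves zeltddp.exe and the .xdz file as the remaining content to hash and look up separately.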

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 12:52

Reported

2024-06-26 12:55

Platform

win7-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "qjumfbsnapggctkobc.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "dzniedxvldxaztnukornb.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "hzjasndxjxnmhxnqc.exe" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "dzniedxvldxaztnukornb.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hrtcmzhtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dzniedxvldxaztnukornb.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "bvhaurjftjbczrjocef.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "hzjasndxjxnmhxnqc.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hrtcmzhtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjumfbsnapggctkobc.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hrtcmzhtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojwqljczofyayrkqfikf.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "ojwqljczofyayrkqfikf.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "qjumfbsnapggctkobc.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hrtcmzhtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzjasndxjxnmhxnqc.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hrtcmzhtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvhaurjftjbczrjocef.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hrtcmzhtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjumfbsnapggctkobc.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hrtcmzhtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\araqhbqjuhwuodsu.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "araqhbqjuhwuodsu.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "hzjasndxjxnmhxnqc.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "ojwqljczofyayrkqfikf.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hrtcmzhtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\araqhbqjuhwuodsu.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "ojwqljczofyayrkqfikf.exe" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hrtcmzhtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\araqhbqjuhwuodsu.exe" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hrtcmzhtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjumfbsnapggctkobc.exe" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hrtcmzhtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvhaurjftjbczrjocef.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
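
The four signature blocks above (the Winlogon Shell write, the UAC policy values, DisableRegistryTools in both HKLM and the user hive, and the deleted SafeBoot\Minimal subkeys) describe a machine state that a responder needs to check on other hosts, not only read in a sandbox. The Python below is an added example, not part of this report or of the sandbox. It scores a set of observed policy values against the Windows defaults (EnableLUA=1, ConsentPromptBehaviorAdmin=5, ConsentPromptBehaviorUser=3, PromptOnSecureDesktop=1, DisableRegistryTools absent), reports required SafeBoot\Minimal subkeys that are missing, checks a Shell value, and can collect the live inputs through winreg on a Windows host, reading the 64-bit view explicitly because this sample ran as a 32-bit process and some of its writes landed under Wow6432Node. The severities, the function and variable names, and the set of required SafeBoot subkeys are assumptions; the observed values embedded in it are the ones the rows above show.

```python
import sys
from typing import Callable, Dict, Iterable, List, Tuple

POLICY_SYSTEM = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
# The report shows ControlSet001; CurrentControlSet is the link to whichever set is active.
SAFEBOOT_MINIMAL = r"SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"

# (value name, "is weakened" predicate, assumed severity, meaning). Windows defaults: EnableLUA=1,
# ConsentPromptBehaviorAdmin=5, ConsentPromptBehaviorUser=3, PromptOnSecureDesktop=1, DisableRegistryTools absent.
CHECKS: List[Tuple[str, Callable[[int], bool], str, str]] = [
    ("EnableLUA", lambda v: v == 0, "critical", "UAC switched off (effective after the next reboot)"),
    ("ConsentPromptBehaviorAdmin", lambda v: v == 0, "high", "administrators elevate silently, no prompt"),
    ("DisableRegistryTools", lambda v: v in (1, 2), "high", "regedit refused for this user (2 also blocks /s)"),
    ("PromptOnSecureDesktop", lambda v: v == 0, "medium", "elevation prompt drawn on the normal desktop, spoofable"),
    ("ConsentPromptBehaviorUser", lambda v: v == 0, "info", "standard users denied elevation outright (default 3)"),
]
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "info": 3}
# Subkeys the rows above show being deleted; assumption: treat their absence as tampering, and extend this
# list from a known-good build of the same Windows version before using it on real hosts.
SAFEBOOT_REQUIRED = ("WinDefend", "ProfSvc", "Power")

Observed = Dict[Tuple[str, str], int]  # ("HKLM\\<key>" or "HKCU\\<key>", value name) -> DWORD data

# The values the behavioral1 rows above show djhms.exe and ngvfpmsmxqf.exe writing.
REPORTED: Observed = {
    ("HKLM\\" + POLICY_SYSTEM, "EnableLUA"): 0,
    ("HKLM\\" + POLICY_SYSTEM, "ConsentPromptBehaviorAdmin"): 0,
    ("HKLM\\" + POLICY_SYSTEM, "ConsentPromptBehaviorUser"): 0,
    ("HKLM\\" + POLICY_SYSTEM, "PromptOnSecureDesktop"): 0,
    ("HKLM\\" + POLICY_SYSTEM, "DisableRegistryTools"): 1,
    ("HKCU\\" + POLICY_SYSTEM, "DisableRegistryTools"): 1,
}
REPORTED_SAFEBOOT_DELETED = ("WinDefend", "ProfSvc", "Power")

def assess_policy(values: Observed) -> List[Tuple[str, str, str, str]]:
    """(key, value name, severity, meaning) for every weakened value, most severe first."""
    found = [(key, name, sev, note) for (key, name), data in values.items()
             for check, weak, sev, note in CHECKS if name == check and weak(data)]
    return sorted(found, key=lambda f: SEVERITY_ORDER[f[2]])

def assess_safeboot(present: Iterable[str], required: Iterable[str] = SAFEBOOT_REQUIRED) -> List[str]:
    """Required SafeBoot\\Minimal subkeys that are missing (case-insensitive, as registry names are)."""
    have = {s.lower() for s in present}
    return [s for s in required if s.lower() not in have]

def winlogon_shell_ok(shell: str) -> bool:
    # Default is "explorer.exe"; anything appended after a comma is started by Winlogon in every session.
    return shell.strip().lower() == "explorer.exe"

def read_live() -> Tuple[Observed, List[str]]:
    """Collect the same inputs from a running Windows host, 64-bit registry view. Raises off Windows."""
    if sys.platform != "win32":
        raise RuntimeError("live read needs Windows; pass report values to assess_policy() instead")
    import winreg
    access = winreg.KEY_READ | winreg.KEY_WOW64_64KEY
    values: Observed = {}
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE), ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, POLICY_SYSTEM, 0, access) as key:
                for name, *_ in CHECKS:
                    try:
                        values[(hive_name + "\\" + POLICY_SYSTEM, name)] = int(winreg.QueryValueEx(key, name)[0])
                    except FileNotFoundError:
                        pass  # value absent: the default applies
        except FileNotFoundError:
            pass  # no policy key in this hive
    present: List[str] = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SAFEBOOT_MINIMAL, 0, access) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            present.append(winreg.EnumKey(key, i))
    return values, present

if __name__ == "__main__":
    for finding in assess_policy(REPORTED):
        print(finding)
    # A host after this sample ran: the stock entries survive, the three deleted ones do not.
    survivors = [s for s in ("Base", "vga.sys", "WinDefend", "ProfSvc", "Power") if s not in REPORTED_SAFEBOOT_DELETED]
    print("missing SafeBoot entries:", assess_safeboot(survivors))
```

Two points when acting on the result. EnableLUA=0 only takes effect after a reboot, so a host that shows the value but has not restarted still enforces UAC, and fixing the value before the restart avoids the window entirely. And the Shell value in the rows above was written to the Wow6432Node view through registry redirection; the 64-bit Winlogon reads the native view, so when you hunt for a modified shell on other hosts, check both views rather than the one the sandbox happened to record.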

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvhaurjftjbczrjocef.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\araqhbqjuhwuodsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjumfbsnapggctkobc.exe" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dzniedxvldxaztnukornb.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjumfbsnapggctkobc.exe ." C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\araqhbqjuhwuodsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojwqljczofyayrkqfikf.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vltiyrfxhthexlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvhaurjftjbczrjocef.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\araqhbqjuhwuodsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzjasndxjxnmhxnqc.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\rflymdpfnxjev = "hzjasndxjxnmhxnqc.exe" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dzniedxvldxaztnukornb.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojwqljczofyayrkqfikf.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "ojwqljczofyayrkqfikf.exe" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "qjumfbsnapggctkobc.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vltiyrfxhthexlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojwqljczofyayrkqfikf.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\shocrjwnwhuqiv = "araqhbqjuhwuodsu.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\shocrjwnwhuqiv = "ojwqljczofyayrkqfikf.exe ." C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dzniedxvldxaztnukornb.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\rflymdpfnxjev = "araqhbqjuhwuodsu.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\araqhbqjuhwuodsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dzniedxvldxaztnukornb.exe" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vltiyrfxhthexlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dzniedxvldxaztnukornb.exe ." C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\rflymdpfnxjev = "dzniedxvldxaztnukornb.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "qjumfbsnapggctkobc.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\shocrjwnwhuqiv = "qjumfbsnapggctkobc.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\rflymdpfnxjev = "qjumfbsnapggctkobc.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\araqhbqjuhwuodsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjumfbsnapggctkobc.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "hzjasndxjxnmhxnqc.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\araqhbqjuhwuodsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\araqhbqjuhwuodsu.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjumfbsnapggctkobc.exe" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzjasndxjxnmhxnqc.exe ." C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vltiyrfxhthexlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\araqhbqjuhwuodsu.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjumfbsnapggctkobc.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "hzjasndxjxnmhxnqc.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\shocrjwnwhuqiv = "hzjasndxjxnmhxnqc.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "araqhbqjuhwuodsu.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vltiyrfxhthexlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzjasndxjxnmhxnqc.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "ojwqljczofyayrkqfikf.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\araqhbqjuhwuodsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvhaurjftjbczrjocef.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\shocrjwnwhuqiv = "araqhbqjuhwuodsu.exe ." C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\shocrjwnwhuqiv = "bvhaurjftjbczrjocef.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojwqljczofyayrkqfikf.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "dzniedxvldxaztnukornb.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "dzniedxvldxaztnukornb.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzjasndxjxnmhxnqc.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\araqhbqjuhwuodsu.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\araqhbqjuhwuodsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzjasndxjxnmhxnqc.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\araqhbqjuhwuodsu.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\shocrjwnwhuqiv = "hzjasndxjxnmhxnqc.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vltiyrfxhthexlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojwqljczofyayrkqfikf.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vltiyrfxhthexlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzjasndxjxnmhxnqc.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\araqhbqjuhwuodsu.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vltiyrfxhthexlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvhaurjftjbczrjocef.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "dzniedxvldxaztnukornb.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\araqhbqjuhwuodsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojwqljczofyayrkqfikf.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\rflymdpfnxjev = "ojwqljczofyayrkqfikf.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "hzjasndxjxnmhxnqc.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vltiyrfxhthexlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvhaurjftjbczrjocef.exe ." C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\rflymdpfnxjev = "bvhaurjftjbczrjocef.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\rflymdpfnxjev = "dzniedxvldxaztnukornb.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vltiyrfxhthexlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\araqhbqjuhwuodsu.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "bvhaurjftjbczrjocef.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "dzniedxvldxaztnukornb.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzjasndxjxnmhxnqc.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\shocrjwnwhuqiv = "ojwqljczofyayrkqfikf.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\araqhbqjuhwuodsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjumfbsnapggctkobc.exe" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "ojwqljczofyayrkqfikf.exe ." C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ilgilrsxutueklmaxisvqsvb.hed C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\SysWOW64\ojwqljczofyayrkqfikf.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\SysWOW64\urgczzutkdyccxsarwaxmi.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\SysWOW64\qjumfbsnapggctkobc.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\SysWOW64\urgczzutkdyccxsarwaxmi.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\SysWOW64\hzjasndxjxnmhxnqc.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\SysWOW64\ojwqljczofyayrkqfikf.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\SysWOW64\hzjasndxjxnmhxnqc.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\SysWOW64\dzniedxvldxaztnukornb.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\SysWOW64\araqhbqjuhwuodsu.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\SysWOW64\urgczzutkdyccxsarwaxmi.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\SysWOW64\ojwqljczofyayrkqfikf.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\SysWOW64\qjumfbsnapggctkobc.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\SysWOW64\ojwqljczofyayrkqfikf.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File created C:\Windows\SysWOW64\ilgilrsxutueklmaxisvqsvb.hed C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\SysWOW64\dzniedxvldxaztnukornb.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\SysWOW64\hzjasndxjxnmhxnqc.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\SysWOW64\qjumfbsnapggctkobc.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\SysWOW64\bvhaurjftjbczrjocef.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\SysWOW64\dzniedxvldxaztnukornb.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\SysWOW64\araqhbqjuhwuodsu.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\SysWOW64\bvhaurjftjbczrjocef.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\SysWOW64\rflymdpfnxjevhtsawrflymdpfnxjevhtsa.rfl C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File created C:\Windows\SysWOW64\rflymdpfnxjevhtsawrflymdpfnxjevhtsa.rfl C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\SysWOW64\araqhbqjuhwuodsu.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\SysWOW64\bvhaurjftjbczrjocef.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\SysWOW64\araqhbqjuhwuodsu.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\SysWOW64\bvhaurjftjbczrjocef.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\SysWOW64\dzniedxvldxaztnukornb.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\SysWOW64\hzjasndxjxnmhxnqc.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\SysWOW64\qjumfbsnapggctkobc.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\SysWOW64\urgczzutkdyccxsarwaxmi.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\ilgilrsxutueklmaxisvqsvb.hed C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File created C:\Program Files (x86)\ilgilrsxutueklmaxisvqsvb.hed C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Program Files (x86)\rflymdpfnxjevhtsawrflymdpfnxjevhtsa.rfl C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File created C:\Program Files (x86)\rflymdpfnxjevhtsawrflymdpfnxjevhtsa.rfl C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\araqhbqjuhwuodsu.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\hzjasndxjxnmhxnqc.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\qjumfbsnapggctkobc.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\araqhbqjuhwuodsu.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File created C:\Windows\ilgilrsxutueklmaxisvqsvb.hed C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\bvhaurjftjbczrjocef.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\dzniedxvldxaztnukornb.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\dzniedxvldxaztnukornb.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\dzniedxvldxaztnukornb.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\araqhbqjuhwuodsu.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\qjumfbsnapggctkobc.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\ilgilrsxutueklmaxisvqsvb.hed C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\rflymdpfnxjevhtsawrflymdpfnxjevhtsa.rfl C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\ojwqljczofyayrkqfikf.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\hzjasndxjxnmhxnqc.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\ojwqljczofyayrkqfikf.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\hzjasndxjxnmhxnqc.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\urgczzutkdyccxsarwaxmi.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\dzniedxvldxaztnukornb.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\urgczzutkdyccxsarwaxmi.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\ojwqljczofyayrkqfikf.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\hzjasndxjxnmhxnqc.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\qjumfbsnapggctkobc.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\bvhaurjftjbczrjocef.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\urgczzutkdyccxsarwaxmi.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\qjumfbsnapggctkobc.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\bvhaurjftjbczrjocef.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\ojwqljczofyayrkqfikf.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
File opened for modification C:\Windows\urgczzutkdyccxsarwaxmi.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File created C:\Windows\rflymdpfnxjevhtsawrflymdpfnxjevhtsa.rfl C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\bvhaurjftjbczrjocef.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
File opened for modification C:\Windows\araqhbqjuhwuodsu.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1736 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe
PID 1736 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe
PID 1736 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe
PID 1736 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe
PID 2612 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe
PID 2612 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe
PID 2612 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe
PID 2612 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe
PID 2612 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe
PID 2612 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe
PID 2612 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe
PID 2612 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe C:\Users\Admin\AppData\Local\Temp\djhms.exe
PID 1736 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe
PID 1736 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe
PID 1736 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe
PID 1736 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\djhms.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe

"C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe" "c:\users\admin\appdata\local\temp\120740fceaf7a90d28b61e4675a41a1b_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\djhms.exe

"C:\Users\Admin\AppData\Local\Temp\djhms.exe" "-C:\Users\Admin\AppData\Local\Temp\araqhbqjuhwuodsu.exe"

C:\Users\Admin\AppData\Local\Temp\djhms.exe

"C:\Users\Admin\AppData\Local\Temp\djhms.exe" "-C:\Users\Admin\AppData\Local\Temp\araqhbqjuhwuodsu.exe"

C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe

"C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe" "c:\users\admin\appdata\local\temp\120740fceaf7a90d28b61e4675a41a1b_jaffacakes118.exe"

Network


Files
