Analysis Overview
SHA256
b33c48e4e2a2c6dfd6a1c425e7703dc8e1da95a4842c8e18e60d09d4a18bcc7f
Threat Level: Known bad
The file 120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UAC bypass
Adds policy Run key to start application
Disables RegEdit via registry modification
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Impair Defenses: Safe Mode Boot
Looks up external IP address via web service
Checks whether UAC is enabled
Adds Run key to start application
Drops file in System32 directory
Drops autorun.inf file
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 12:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 12:52
Reported
2024-06-26 12:55
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejpx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjdzljapkcyhzvnlzd.exe" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouclwxkq = "fuldxhdsfyoipfzpl.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouclwxkq = "ymctmvqeqixqwlet.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouclwxkq = "zqjdzljapkcyhzvnlzd.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouclwxkq = "oewpkvsiwqhckbwnkx.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejpx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjdzljapkcyhzvnlzd.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouclwxkq = "zqjdzljapkcyhzvnlzd.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouclwxkq = "ymctmvqeqixqwlet.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouclwxkq = "bupljxxqheywhbzttjpid.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouclwxkq = "meytqdcukgzwgzwpodia.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejpx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupljxxqheywhbzttjpid.exe" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejpx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupljxxqheywhbzttjpid.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejpx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meytqdcukgzwgzwpodia.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouclwxkq = "fuldxhdsfyoipfzpl.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejpx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewpkvsiwqhckbwnkx.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouclwxkq = "meytqdcukgzwgzwpodia.exe" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouclwxkq = "oewpkvsiwqhckbwnkx.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejpx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fuldxhdsfyoipfzpl.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejpx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjdzljapkcyhzvnlzd.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejpx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meytqdcukgzwgzwpodia.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouclwxkq = "ymctmvqeqixqwlet.exe" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bejpx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupljxxqheywhbzttjpid.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouclwxkq = "bupljxxqheywhbzttjpid.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouclwxkq = "meytqdcukgzwgzwpodia.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mqwdml = "zqjdzljapkcyhzvnlzd.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "zqjdzljapkcyhzvnlzd.exe ." | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmvfrthot = "meytqdcukgzwgzwpodia.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qamzotkucqbq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjdzljapkcyhzvnlzd.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqwdml = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meytqdcukgzwgzwpodia.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mqwdml = "meytqdcukgzwgzwpodia.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meytqdcukgzwgzwpodia.exe ." | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqwdml = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupljxxqheywhbzttjpid.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "meytqdcukgzwgzwpodia.exe ." | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "bupljxxqheywhbzttjpid.exe ." | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "bupljxxqheywhbzttjpid.exe ." | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnznrhqxku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meytqdcukgzwgzwpodia.exe ." | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewpkvsiwqhckbwnkx.exe ." | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqwdml = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjdzljapkcyhzvnlzd.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnznrhqxku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymctmvqeqixqwlet.exe ." | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mqwdml = "bupljxxqheywhbzttjpid.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mqwdml = "zqjdzljapkcyhzvnlzd.exe" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qamzotkucqbq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymctmvqeqixqwlet.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymctmvqeqixqwlet.exe ." | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ygqborgoug = "zqjdzljapkcyhzvnlzd.exe ." | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qamzotkucqbq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fuldxhdsfyoipfzpl.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmvfrthot = "bupljxxqheywhbzttjpid.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mqwdml = "fuldxhdsfyoipfzpl.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qamzotkucqbq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjdzljapkcyhzvnlzd.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qamzotkucqbq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fuldxhdsfyoipfzpl.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ygqborgoug = "oewpkvsiwqhckbwnkx.exe ." | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqwdml = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupljxxqheywhbzttjpid.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qamzotkucqbq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meytqdcukgzwgzwpodia.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "zqjdzljapkcyhzvnlzd.exe ." | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mqwdml = "meytqdcukgzwgzwpodia.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qamzotkucqbq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymctmvqeqixqwlet.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmvfrthot = "meytqdcukgzwgzwpodia.exe" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmvfrthot = "fuldxhdsfyoipfzpl.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qamzotkucqbq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupljxxqheywhbzttjpid.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqwdml = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymctmvqeqixqwlet.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqwdml = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymctmvqeqixqwlet.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "fuldxhdsfyoipfzpl.exe ." | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmvfrthot = "zqjdzljapkcyhzvnlzd.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnznrhqxku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewpkvsiwqhckbwnkx.exe ." | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ygqborgoug = "ymctmvqeqixqwlet.exe ." | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmvfrthot = "zqjdzljapkcyhzvnlzd.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mqwdml = "bupljxxqheywhbzttjpid.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqwdml = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fuldxhdsfyoipfzpl.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnznrhqxku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupljxxqheywhbzttjpid.exe ." | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bupljxxqheywhbzttjpid.exe ." | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqwdml = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fuldxhdsfyoipfzpl.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mqwdml = "oewpkvsiwqhckbwnkx.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewpkvsiwqhckbwnkx.exe ." | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqwdml = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meytqdcukgzwgzwpodia.exe" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ygqborgoug = "zqjdzljapkcyhzvnlzd.exe ." | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcnznrhqxku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymctmvqeqixqwlet.exe ." | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqjdzljapkcyhzvnlzd.exe ." | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ygqborgoug = "fuldxhdsfyoipfzpl.exe ." | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ygqborgoug = "meytqdcukgzwgzwpodia.exe ." | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mqwdml = "oewpkvsiwqhckbwnkx.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ygqborgoug = "bupljxxqheywhbzttjpid.exe ." | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qamzotkucqbq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewpkvsiwqhckbwnkx.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ygqborgoug = "zqjdzljapkcyhzvnlzd.exe ." | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mqwdml = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meytqdcukgzwgzwpodia.exe" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fmvfrthot = "oewpkvsiwqhckbwnkx.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zeltddp = "fuldxhdsfyoipfzpl.exe ." | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mqwdml = "ymctmvqeqixqwlet.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mqwdml = "fuldxhdsfyoipfzpl.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qamzotkucqbq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oewpkvsiwqhckbwnkx.exe" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\zqjdzljapkcyhzvnlzd.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\caabexcawyxaqpsrwrcaab.xca | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\meytqdcukgzwgzwpodia.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\smifetuogezykfezarysol.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ymctmvqeqixqwlet.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oewpkvsiwqhckbwnkx.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zqjdzljapkcyhzvnlzd.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File created | C:\Windows\SysWOW64\caabexcawyxaqpsrwrcaab.xca | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ymctmvqeqixqwlet.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\smifetuogezykfezarysol.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fuldxhdsfyoipfzpl.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\meytqdcukgzwgzwpodia.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\meytqdcukgzwgzwpodia.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oewpkvsiwqhckbwnkx.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File created | C:\Windows\SysWOW64\tcnznrhqxkuijthrhnjsdpdhxgnakyzjx.xdz | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bupljxxqheywhbzttjpid.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fuldxhdsfyoipfzpl.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zqjdzljapkcyhzvnlzd.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oewpkvsiwqhckbwnkx.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ymctmvqeqixqwlet.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\meytqdcukgzwgzwpodia.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tcnznrhqxkuijthrhnjsdpdhxgnakyzjx.xdz | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\smifetuogezykfezarysol.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fuldxhdsfyoipfzpl.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oewpkvsiwqhckbwnkx.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bupljxxqheywhbzttjpid.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ymctmvqeqixqwlet.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fuldxhdsfyoipfzpl.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bupljxxqheywhbzttjpid.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zqjdzljapkcyhzvnlzd.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bupljxxqheywhbzttjpid.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\smifetuogezykfezarysol.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\caabexcawyxaqpsrwrcaab.xca | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File created | C:\Program Files (x86)\caabexcawyxaqpsrwrcaab.xca | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Program Files (x86)\tcnznrhqxkuijthrhnjsdpdhxgnakyzjx.xdz | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File created | C:\Program Files (x86)\tcnznrhqxkuijthrhnjsdpdhxgnakyzjx.xdz | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\meytqdcukgzwgzwpodia.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\bupljxxqheywhbzttjpid.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\oewpkvsiwqhckbwnkx.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\bupljxxqheywhbzttjpid.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\fuldxhdsfyoipfzpl.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\smifetuogezykfezarysol.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File created | C:\Windows\caabexcawyxaqpsrwrcaab.xca | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\oewpkvsiwqhckbwnkx.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\ymctmvqeqixqwlet.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\bupljxxqheywhbzttjpid.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\tcnznrhqxkuijthrhnjsdpdhxgnakyzjx.xdz | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\ymctmvqeqixqwlet.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\smifetuogezykfezarysol.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\fuldxhdsfyoipfzpl.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\smifetuogezykfezarysol.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\zqjdzljapkcyhzvnlzd.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\meytqdcukgzwgzwpodia.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\meytqdcukgzwgzwpodia.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\oewpkvsiwqhckbwnkx.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\meytqdcukgzwgzwpodia.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\fuldxhdsfyoipfzpl.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\oewpkvsiwqhckbwnkx.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\bupljxxqheywhbzttjpid.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\ymctmvqeqixqwlet.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\zqjdzljapkcyhzvnlzd.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\zqjdzljapkcyhzvnlzd.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\smifetuogezykfezarysol.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| File opened for modification | C:\Windows\fuldxhdsfyoipfzpl.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\zqjdzljapkcyhzvnlzd.exe | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\caabexcawyxaqpsrwrcaab.xca | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File created | C:\Windows\tcnznrhqxkuijthrhnjsdpdhxgnakyzjx.xdz | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| File opened for modification | C:\Windows\ymctmvqeqixqwlet.exe | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\zeltddp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe
"C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe" "c:\users\admin\appdata\local\temp\120740fceaf7a90d28b61e4675a41a1b_jaffacakes118.exe*"
C:\Users\Admin\AppData\Local\Temp\zeltddp.exe
"C:\Users\Admin\AppData\Local\Temp\zeltddp.exe" "-C:\Users\Admin\AppData\Local\Temp\ymctmvqeqixqwlet.exe"
C:\Users\Admin\AppData\Local\Temp\zeltddp.exe
"C:\Users\Admin\AppData\Local\Temp\zeltddp.exe" "-C:\Users\Admin\AppData\Local\Temp\ymctmvqeqixqwlet.exe"
C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe
"C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe" "c:\users\admin\appdata\local\temp\120740fceaf7a90d28b61e4675a41a1b_jaffacakes118.exe"
Network
| US | 8.8.8.8:53 | aigaeg.org | udp |
| US | 8.8.8.8:53 | iorsfssgb.net | udp |
| US | 8.8.8.8:53 | gkwuccsw.com | udp |
| US | 8.8.8.8:53 | iasmea.com | udp |
| US | 8.8.8.8:53 | bpysnyoolon.net | udp |
| US | 8.8.8.8:53 | wggiaw.com | udp |
| US | 8.8.8.8:53 | vojabs.info | udp |
| US | 8.8.8.8:53 | qyvibcz.net | udp |
| US | 8.8.8.8:53 | tjhabtt.info | udp |
| US | 8.8.8.8:53 | dstutgjd.info | udp |
| US | 8.8.8.8:53 | pfveuyfezshg.info | udp |
| US | 8.8.8.8:53 | agswqeewoiay.com | udp |
| US | 8.8.8.8:53 | jzkmle.net | udp |
| US | 8.8.8.8:53 | gydcehncpl.net | udp |
| US | 8.8.8.8:53 | vekbhuljcmt.net | udp |
| US | 8.8.8.8:53 | valkehh.info | udp |
| US | 8.8.8.8:53 | dichxzxc.info | udp |
| BG | 109.160.65.195:25202 | tcp | |
| US | 8.8.8.8:53 | wmvwweu.info | udp |
| US | 8.8.8.8:53 | nrqiwrnxwcah.info | udp |
| US | 8.8.8.8:53 | qswmqsaq.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | qqqcoscyie.com | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | ocnvjmf.info | udp |
| US | 8.8.8.8:53 | wlhgfyh.net | udp |
| US | 8.8.8.8:53 | wjvtvcqo.info | udp |
| US | 8.8.8.8:53 | dpzepnwnudlt.net | udp |
| US | 8.8.8.8:53 | lmuotunxzft.org | udp |
| US | 8.8.8.8:53 | kgbmanpf.info | udp |
| US | 8.8.8.8:53 | uewqvzpoasx.info | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | esgoseyyug.com | udp |
| US | 8.8.8.8:53 | dudplt.net | udp |
| US | 8.8.8.8:53 | bqjynswmzcx.net | udp |
| US | 8.8.8.8:53 | zonfnaohbdz.info | udp |
| US | 8.8.8.8:53 | inagoxllds.net | udp |
| US | 8.8.8.8:53 | qmzysih.info | udp |
| US | 8.8.8.8:53 | sdgmjmrxelqc.net | udp |
| US | 8.8.8.8:53 | cjleudnxfzvs.info | udp |
| US | 8.8.8.8:53 | jfvofzhyb.info | udp |
| US | 8.8.8.8:53 | yopofpgs.info | udp |
| US | 8.8.8.8:53 | rdomza.net | udp |
| US | 8.8.8.8:53 | pktxfdoy.info | udp |
| US | 8.8.8.8:53 | fgclljqb.info | udp |
| US | 8.8.8.8:53 | lepuvcj.info | udp |
| US | 8.8.8.8:53 | sbnwmhdd.info | udp |
| US | 8.8.8.8:53 | yqjapdndp.net | udp |
| US | 8.8.8.8:53 | cijyyfx.net | udp |
| US | 8.8.8.8:53 | zqgctaon.info | udp |
| US | 8.8.8.8:53 | rspdncfythn.com | udp |
| US | 8.8.8.8:53 | dyjgrgngvyd.com | udp |
| US | 8.8.8.8:53 | ratdzyzwonjb.info | udp |
| US | 8.8.8.8:53 | pdiyvqi.net | udp |
| US | 8.8.8.8:53 | ykyootwczm.info | udp |
| US | 8.8.8.8:53 | vesyuca.net | udp |
| US | 8.8.8.8:53 | twyjfppup.net | udp |
| US | 8.8.8.8:53 | gsismgyk.com | udp |
| US | 8.8.8.8:53 | puzropkpyzvy.info | udp |
| US | 8.8.8.8:53 | jlkxbpfz.info | udp |
| US | 8.8.8.8:53 | pcjkdb.net | udp |
| US | 8.8.8.8:53 | tejarlqji.org | udp |
| US | 8.8.8.8:53 | gkllimd.info | udp |
| US | 8.8.8.8:53 | bovcffbcxiv.net | udp |
| US | 8.8.8.8:53 | kefujkm.net | udp |
| US | 8.8.8.8:53 | bypdbeft.net | udp |
| US | 8.8.8.8:53 | finorok.com | udp |
| US | 8.8.8.8:53 | osxativnzcn.net | udp |
| US | 8.8.8.8:53 | mcdajeowl.net | udp |
| US | 8.8.8.8:53 | yoyoplvry.net | udp |
| US | 8.8.8.8:53 | znknpznpt.net | udp |
| US | 8.8.8.8:53 | wvnxwtgs.info | udp |
| US | 8.8.8.8:53 | wwmalejbofsi.net | udp |
| US | 8.8.8.8:53 | hujnckw.info | udp |
| US | 8.8.8.8:53 | vqibsnyp.net | udp |
| US | 8.8.8.8:53 | kisiwi.org | udp |
| US | 8.8.8.8:53 | scoexujxhsmd.info | udp |
| US | 8.8.8.8:53 | qyutvn.net | udp |
| US | 8.8.8.8:53 | kwoydb.net | udp |
| US | 8.8.8.8:53 | kymmgs.org | udp |
| US | 8.8.8.8:53 | lkutjcgidkx.com | udp |
| US | 8.8.8.8:53 | cruftfwdx.info | udp |
| US | 8.8.8.8:53 | yvcbvi.info | udp |
| US | 8.8.8.8:53 | cwqoigaq.com | udp |
| US | 8.8.8.8:53 | lpxsxak.info | udp |
| US | 8.8.8.8:53 | ziiwdb.info | udp |
| US | 8.8.8.8:53 | cwcqrss.info | udp |
| US | 8.8.8.8:53 | vqdcqvhege.net | udp |
| US | 8.8.8.8:53 | qbkmkfhqr.net | udp |
| US | 8.8.8.8:53 | tvthukfpgo.info | udp |
| US | 8.8.8.8:53 | gihptc.net | udp |
| US | 8.8.8.8:53 | jnueoe.info | udp |
| US | 8.8.8.8:53 | curmcwqggnz.info | udp |
| US | 8.8.8.8:53 | yqsulei.info | udp |
| US | 8.8.8.8:53 | ahwulap.net | udp |
| US | 8.8.8.8:53 | comesqew.com | udp |
| US | 8.8.8.8:53 | dpwthhxfnpje.info | udp |
| US | 8.8.8.8:53 | rquzfqv.net | udp |
| US | 8.8.8.8:53 | gwumgkswsk.com | udp |
| US | 8.8.8.8:53 | yiqmeq.org | udp |
| US | 8.8.8.8:53 | yugsiskqke.com | udp |
| US | 8.8.8.8:53 | xzzomifo.net | udp |
| US | 8.8.8.8:53 | hbalfcbztj.info | udp |
| US | 8.8.8.8:53 | wgtkbakel.info | udp |
| US | 8.8.8.8:53 | jijflhlbnek.info | udp |
| LT | 78.62.199.176:27468 | tcp | |
| US | 8.8.8.8:53 | zhdwnejrjxd.info | udp |
| US | 8.8.8.8:53 | moecmwis.com | udp |
| US | 8.8.8.8:53 | qgawyuaqcams.org | udp |
| US | 8.8.8.8:53 | msqgswikuq.com | udp |
| US | 8.8.8.8:53 | sceegskqagau.com | udp |
| US | 8.8.8.8:53 | hsjnkjbsv.org | udp |
| US | 8.8.8.8:53 | fwlsvqfxy.net | udp |
| US | 8.8.8.8:53 | wrrpqs.net | udp |
| US | 8.8.8.8:53 | wmmmnnvsb.net | udp |
| US | 8.8.8.8:53 | pclhwb.info | udp |
| US | 8.8.8.8:53 | bttqrqrpxsjv.info | udp |
| US | 8.8.8.8:53 | wuwqimkoaqqm.com | udp |
| US | 8.8.8.8:53 | fxvwboxva.org | udp |
| US | 8.8.8.8:53 | ommkcakc.com | udp |
| US | 8.8.8.8:53 | tkzkttrerse.org | udp |
| US | 8.8.8.8:53 | psmcafpg.net | udp |
| US | 8.8.8.8:53 | tfldcopk.net | udp |
| US | 8.8.8.8:53 | zgjmyktmi.net | udp |
| US | 8.8.8.8:53 | ukackqx.info | udp |
| US | 8.8.8.8:53 | xmzqbkbh.net | udp |
| US | 8.8.8.8:53 | syqcoscyie.com | udp |
| US | 8.8.8.8:53 | mogwiuukouyg.org | udp |
| US | 8.8.8.8:53 | yskmkw.org | udp |
| US | 8.8.8.8:53 | aqaypoxqh.net | udp |
| US | 8.8.8.8:53 | ppcoxwjyx.org | udp |
| US | 8.8.8.8:53 | iefagqf.info | udp |
| US | 8.8.8.8:53 | ksgmywwoiuea.org | udp |
| US | 8.8.8.8:53 | hrnwxwh.net | udp |
| US | 8.8.8.8:53 | gzjbtizoy.info | udp |
| US | 8.8.8.8:53 | rqptzuzkw.net | udp |
| US | 8.8.8.8:53 | uvlvqxyijddu.net | udp |
| US | 8.8.8.8:53 | wymwsq.org | udp |
| US | 8.8.8.8:53 | iahdyofgzpp.info | udp |
| US | 8.8.8.8:53 | cuawkmecwmko.com | udp |
| US | 8.8.8.8:53 | fdznrpnr.info | udp |
| US | 8.8.8.8:53 | eqzmbmf.net | udp |
| US | 8.8.8.8:53 | ekskoc.com | udp |
| US | 8.8.8.8:53 | wdxhaicsckn.info | udp |
| US | 8.8.8.8:53 | xwbgdcn.com | udp |
| US | 8.8.8.8:53 | fknxpii.org | udp |
| US | 8.8.8.8:53 | uwgeacfydia.info | udp |
| US | 8.8.8.8:53 | zedslh.info | udp |
| US | 8.8.8.8:53 | xrbklm.info | udp |
| US | 8.8.8.8:53 | colixct.info | udp |
| US | 8.8.8.8:53 | cuqmnczh.net | udp |
| US | 8.8.8.8:53 | easidvnyuvd.net | udp |
| US | 8.8.8.8:53 | vopcpx.net | udp |
| US | 8.8.8.8:53 | smqwoaom.org | udp |
| US | 8.8.8.8:53 | nrkqsv.info | udp |
| BG | 87.120.253.195:28638 | tcp | |
| US | 8.8.8.8:53 | ooquie.org | udp |
| US | 8.8.8.8:53 | ebqncg.net | udp |
| US | 8.8.8.8:53 | suicwlhzdsrh.net | udp |
| US | 8.8.8.8:53 | ydbimcjg.net | udp |
| US | 8.8.8.8:53 | vsmujv.net | udp |
| US | 8.8.8.8:53 | pcjujygmb.net | udp |
| US | 8.8.8.8:53 | kamaoeccsq.org | udp |
| US | 8.8.8.8:53 | mgwccmqiws.org | udp |
| US | 8.8.8.8:53 | chgstbfp.info | udp |
| US | 8.8.8.8:53 | asqtxgqjsvsu.net | udp |
| US | 8.8.8.8:53 | ckywwowmgu.com | udp |
| US | 8.8.8.8:53 | chxgtdvbmk.net | udp |
| US | 8.8.8.8:53 | gbkefcaj.net | udp |
| US | 8.8.8.8:53 | nujjjhwmtcyu.info | udp |
| US | 8.8.8.8:53 | wemaquqqyq.com | udp |
| US | 8.8.8.8:53 | osfirsowmqo.info | udp |
| US | 8.8.8.8:53 | pvqlykfq.net | udp |
| US | 8.8.8.8:53 | lauwjsahfqe.com | udp |
| US | 8.8.8.8:53 | pntqpnnct.net | udp |
| US | 8.8.8.8:53 | jvcuyszjq.com | udp |
| US | 8.8.8.8:53 | erbdxezj.info | udp |
| US | 8.8.8.8:53 | umkkqmygcyic.com | udp |
| US | 8.8.8.8:53 | wgwico.com | udp |
| US | 8.8.8.8:53 | vmihlahazqo.net | udp |
| US | 8.8.8.8:53 | euaaoob.info | udp |
| US | 8.8.8.8:53 | sjhidpvhofx.net | udp |
| US | 8.8.8.8:53 | cofqgl.info | udp |
| US | 8.8.8.8:53 | rvblherphhvh.net | udp |
| US | 8.8.8.8:53 | lkmiikaximld.info | udp |
| US | 8.8.8.8:53 | nsfkeafrtjn.info | udp |
| US | 8.8.8.8:53 | xijmxvls.net | udp |
| US | 8.8.8.8:53 | gmxxmqvmnmu.net | udp |
| US | 8.8.8.8:53 | difwbkm.com | udp |
| US | 8.8.8.8:53 | reklrihmg.net | udp |
| US | 8.8.8.8:53 | atbzdq.net | udp |
| US | 8.8.8.8:53 | aowewswqsk.com | udp |
| US | 8.8.8.8:53 | jtpdhst.org | udp |
| US | 162.249.65.164:80 | jtpdhst.org | tcp |
| US | 8.8.8.8:53 | uafjxkf.info | udp |
| US | 8.8.8.8:53 | blnhzufvhjbg.info | udp |
| US | 8.8.8.8:53 | uibimkrgbmc.info | udp |
| US | 8.8.8.8:53 | hmswlujal.info | udp |
| US | 8.8.8.8:53 | bfvbpfllrewl.net | udp |
| US | 8.8.8.8:53 | thczmuyibt.info | udp |
| US | 8.8.8.8:53 | imnqnbyod.info | udp |
| US | 8.8.8.8:53 | xgcleeb.net | udp |
| US | 8.8.8.8:53 | ogqkcu.org | udp |
| US | 8.8.8.8:53 | fwhelldhzo.net | udp |
| US | 8.8.8.8:53 | tbrpvoic.net | udp |
| US | 8.8.8.8:53 | jcwvufddrnku.info | udp |
| US | 8.8.8.8:53 | hdosthbpjx.net | udp |
| US | 8.8.8.8:53 | hqhqghz.info | udp |
| US | 8.8.8.8:53 | yvvwtcdubbd.net | udp |
| US | 8.8.8.8:53 | qawyeiynivwz.info | udp |
| US | 8.8.8.8:53 | kffoddfyzwln.info | udp |
| US | 8.8.8.8:53 | pufmsnkufnei.info | udp |
| US | 8.8.8.8:53 | gujricess.net | udp |
| US | 8.8.8.8:53 | zlciwy.net | udp |
| US | 8.8.8.8:53 | kasuiyek.com | udp |
| US | 8.8.8.8:53 | ioqgzotabjde.net | udp |
| US | 8.8.8.8:53 | fcciputfz.net | udp |
| US | 8.8.8.8:53 | nuktbyb.net | udp |
| US | 8.8.8.8:53 | rqsmlao.net | udp |
| TR | 78.187.15.155:33084 | tcp | |
| US | 8.8.8.8:53 | palxeidvfpd.org | udp |
| US | 8.8.8.8:53 | eujwywdqzbn.info | udp |
| US | 8.8.8.8:53 | hcibjm.net | udp |
| US | 8.8.8.8:53 | zwjmxfu.com | udp |
| US | 8.8.8.8:53 | yaiwwqauqmom.com | udp |
| US | 8.8.8.8:53 | pbwkpxldr.org | udp |
| US | 8.8.8.8:53 | ilotakteky.net | udp |
| US | 8.8.8.8:53 | rsaatvbu.info | udp |
| US | 8.8.8.8:53 | hvaoxbvrxh.net | udp |
| US | 8.8.8.8:53 | mbpwcqlboe.info | udp |
| US | 8.8.8.8:53 | puprddkjex.net | udp |
| US | 8.8.8.8:53 | nvkegmombev.info | udp |
| US | 8.8.8.8:53 | gkqgwa.com | udp |
| US | 8.8.8.8:53 | hwhlnuvwuah.com | udp |
| US | 8.8.8.8:53 | ypcbzv.net | udp |
| US | 8.8.8.8:53 | fbbgdpmofa.net | udp |
| US | 8.8.8.8:53 | swoiauyiumwe.com | udp |
| US | 8.8.8.8:53 | tapcqehwm.org | udp |
| US | 8.8.8.8:53 | zdfqxmraf.org | udp |
| US | 162.249.65.164:80 | zdfqxmraf.org | tcp |
| US | 8.8.8.8:53 | jckzybggww.net | udp |
| US | 8.8.8.8:53 | bixsou.info | udp |
| US | 8.8.8.8:53 | vkksjij.info | udp |
| US | 8.8.8.8:53 | rzypsgyelbpq.info | udp |
| US | 8.8.8.8:53 | uingks.info | udp |
| US | 8.8.8.8:53 | omuejyvdsq.info | udp |
| US | 8.8.8.8:53 | podzfziejc.info | udp |
| US | 8.8.8.8:53 | ebxkxemf.net | udp |
| US | 8.8.8.8:53 | reduridszip.com | udp |
| US | 8.8.8.8:53 | jvmkdb.info | udp |
| US | 8.8.8.8:53 | vsfgngxssqp.org | udp |
| US | 8.8.8.8:53 | dhfqbtvckgph.net | udp |
| US | 8.8.8.8:53 | gyzonqd.net | udp |
| US | 8.8.8.8:53 | kyqugqywge.com | udp |
| US | 8.8.8.8:53 | lacqmuqwelf.net | udp |
| US | 8.8.8.8:53 | vachbyj.com | udp |
| US | 8.8.8.8:53 | gefgtkx.net | udp |
| US | 8.8.8.8:53 | qegyoeqaiwgy.com | udp |
| US | 8.8.8.8:53 | gounbviz.info | udp |
| US | 8.8.8.8:53 | hyustwrl.info | udp |
| RU | 81.201.246.182:35905 | tcp | |
| US | 8.8.8.8:53 | iciaiuykiqcq.com | udp |
| US | 8.8.8.8:53 | caaaigqkmiae.org | udp |
| US | 162.249.65.164:80 | caaaigqkmiae.org | tcp |
| US | 8.8.8.8:53 | ukdofop.net | udp |
| US | 8.8.8.8:53 | aktvscn.net | udp |
| US | 8.8.8.8:53 | pyjfbsisnywu.net | udp |
| US | 8.8.8.8:53 | wyjido.info | udp |
| US | 8.8.8.8:53 | zxfgvmk.info | udp |
| US | 8.8.8.8:53 | nadqrenh.net | udp |
| US | 8.8.8.8:53 | jhtoyqf.net | udp |
| US | 8.8.8.8:53 | ucuacmcmas.com | udp |
| US | 8.8.8.8:53 | weyrtj.net | udp |
| US | 8.8.8.8:53 | kzxjhgaeni.net | udp |
| US | 8.8.8.8:53 | tjvsdajo.info | udp |
| US | 8.8.8.8:53 | sihixqp.net | udp |
| US | 8.8.8.8:53 | soagnufzvmc.net | udp |
| US | 8.8.8.8:53 | cajvxe.info | udp |
| US | 8.8.8.8:53 | kcbzncjbqapl.info | udp |
| US | 8.8.8.8:53 | wcjlrwzpsydn.info | udp |
| US | 8.8.8.8:53 | vgpaqnjfkkd.com | udp |
| US | 8.8.8.8:53 | jfzciyx.org | udp |
| US | 162.249.65.164:80 | jfzciyx.org | tcp |
| BG | 78.90.75.153:32958 | tcp | |
| US | 8.8.8.8:53 | nhsmjqdstc.info | udp |
| US | 8.8.8.8:53 | fgbchcfumog.info | udp |
| US | 8.8.8.8:53 | yaeemmygcgom.com | udp |
| US | 8.8.8.8:53 | nwtgsyuxbyvz.info | udp |
| US | 8.8.8.8:53 | rwfwzdclae.net | udp |
| US | 8.8.8.8:53 | sidlvctfcd.net | udp |
| US | 8.8.8.8:53 | uohkrmicx.net | udp |
| US | 8.8.8.8:53 | sweeic.org | udp |
| US | 8.8.8.8:53 | scqikm.org | udp |
| US | 8.8.8.8:53 | cxhpao.info | udp |
| US | 8.8.8.8:53 | mmqmmiksgmum.org | udp |
| US | 8.8.8.8:53 | qgsyyuayos.com | udp |
| US | 8.8.8.8:53 | ehwoqrboiogy.net | udp |
| US | 8.8.8.8:53 | igcnzhzbyw.net | udp |
| US | 8.8.8.8:53 | caqmlebv.net | udp |
| US | 8.8.8.8:53 | bmzdfoks.info | udp |
| US | 8.8.8.8:53 | sorotygo.net | udp |
| US | 8.8.8.8:53 | lsxiiqtwxqr.info | udp |
| US | 8.8.8.8:53 | dezfgsjb.info | udp |
| US | 8.8.8.8:53 | coiaemzexxch.info | udp |
| US | 8.8.8.8:53 | maeecagi.org | udp |
| US | 8.8.8.8:53 | gsmrduxntn.info | udp |
| US | 8.8.8.8:53 | yiicek.com | udp |
| US | 8.8.8.8:53 | usmecwqwes.com | udp |
| US | 8.8.8.8:53 | drzqzpp.net | udp |
| US | 8.8.8.8:53 | kpnvjzjdnafo.info | udp |
| US | 8.8.8.8:53 | yqnknyjgf.net | udp |
| US | 8.8.8.8:53 | eusyiwkuysuq.org | udp |
| US | 8.8.8.8:53 | tirnpwmcwmd.org | udp |
| US | 8.8.8.8:53 | uobmfgjcztv.info | udp |
| US | 8.8.8.8:53 | vabibbc.info | udp |
| US | 8.8.8.8:53 | advqhrwvss.net | udp |
| US | 8.8.8.8:53 | eeiuwoyqsscg.com | udp |
| US | 8.8.8.8:53 | pkfdpch.com | udp |
| US | 8.8.8.8:53 | kuikiwiw.org | udp |
| US | 8.8.8.8:53 | xfvqmg.info | udp |
| US | 8.8.8.8:53 | zwlosf.info | udp |
| US | 8.8.8.8:53 | zusbpnvlif.info | udp |
| US | 8.8.8.8:53 | pgliatwntj.net | udp |
| US | 8.8.8.8:53 | bdjouyjaeeb.net | udp |
| US | 8.8.8.8:53 | qinzzyctzscv.info | udp |
| US | 8.8.8.8:53 | zmtkywp.org | udp |
| US | 162.249.65.164:80 | zmtkywp.org | tcp |
| US | 8.8.8.8:53 | gmaogsoege.org | udp |
| US | 8.8.8.8:53 | hozqvimincu.net | udp |
| US | 8.8.8.8:53 | nnwwgplutoaa.info | udp |
| US | 8.8.8.8:53 | gddyts.net | udp |
| US | 8.8.8.8:53 | rrkmwnrm.net | udp |
| US | 8.8.8.8:53 | efrdvj.info | udp |
| US | 8.8.8.8:53 | eliafxhjmfn.net | udp |
| US | 8.8.8.8:53 | juhpwusaizyj.info | udp |
| US | 8.8.8.8:53 | iuyfyqx.net | udp |
| US | 8.8.8.8:53 | pvewjnuz.info | udp |
| US | 8.8.8.8:53 | dzpmjawy.net | udp |
| US | 8.8.8.8:53 | iqswkiiwsm.com | udp |
| US | 8.8.8.8:53 | zfufibqgp.info | udp |
| US | 8.8.8.8:53 | yceqcskoeg.org | udp |
| US | 162.249.65.164:80 | yceqcskoeg.org | tcp |
| US | 8.8.8.8:53 | smkkusaw.com | udp |
| US | 8.8.8.8:53 | adomofxvpaq.net | udp |
| US | 8.8.8.8:53 | qawxtu.net | udp |
| US | 8.8.8.8:53 | kmuiqqiwumow.com | udp |
| US | 8.8.8.8:53 | pkyhryr.com | udp |
| US | 8.8.8.8:53 | lwpshcumfy.net | udp |
| US | 8.8.8.8:53 | hymalfmxf.org | udp |
| US | 8.8.8.8:53 | cgwgaguesg.org | udp |
| US | 162.249.65.164:80 | cgwgaguesg.org | tcp |
| US | 8.8.8.8:53 | nptnxwtqn.net | udp |
| US | 8.8.8.8:53 | vslfxlrum.info | udp |
| US | 8.8.8.8:53 | qkogdsn.net | udp |
| US | 8.8.8.8:53 | cazkgtf.info | udp |
| US | 8.8.8.8:53 | lmotmynorj.info | udp |
| US | 8.8.8.8:53 | kwevfh.info | udp |
| US | 8.8.8.8:53 | julxerwaocda.net | udp |
| US | 8.8.8.8:53 | xrkzfeew.net | udp |
| US | 8.8.8.8:53 | mohwhul.info | udp |
| US | 8.8.8.8:53 | kwudkgrjjmxe.net | udp |
| US | 8.8.8.8:53 | kmvqiujn.info | udp |
| US | 8.8.8.8:53 | csbjegdy.net | udp |
| US | 8.8.8.8:53 | fsitat.info | udp |
| US | 8.8.8.8:53 | nhzaoabuak.info | udp |
| US | 8.8.8.8:53 | rehcryb.info | udp |
| US | 8.8.8.8:53 | nkybtwpgzoi.info | udp |
| US | 8.8.8.8:53 | casuoskm.org | udp |
| US | 8.8.8.8:53 | uhomvhrcp.info | udp |
| US | 8.8.8.8:53 | gwmeafacbwrh.info | udp |
| US | 8.8.8.8:53 | tuzmpmtt.net | udp |
| US | 8.8.8.8:53 | kzvsamqv.net | udp |
| US | 8.8.8.8:53 | qkdqch.net | udp |
| US | 8.8.8.8:53 | disswbwid.info | udp |
| US | 8.8.8.8:53 | ivhcmej.info | udp |
| US | 8.8.8.8:53 | zxgngtzz.info | udp |
| US | 8.8.8.8:53 | ybsuebgirh.info | udp |
| US | 8.8.8.8:53 | xezranfm.net | udp |
| US | 8.8.8.8:53 | jiuacev.com | udp |
| US | 8.8.8.8:53 | eaisokwcuc.com | udp |
| US | 8.8.8.8:53 | ycgnvcios.net | udp |
| US | 8.8.8.8:53 | oaxybkrkbnh.net | udp |
| US | 8.8.8.8:53 | kgroexxj.info | udp |
| US | 8.8.8.8:53 | fcrxkspz.net | udp |
| US | 8.8.8.8:53 | lblxlwomf.net | udp |
| US | 8.8.8.8:53 | fqeeflyxnmx.info | udp |
| US | 8.8.8.8:53 | gecuvliijwx.info | udp |
| US | 8.8.8.8:53 | ekamqi.org | udp |
| US | 162.249.65.164:80 | ekamqi.org | tcp |
| US | 8.8.8.8:53 | rgxnusp.com | udp |
| US | 8.8.8.8:53 | xlhnemw.info | udp |
| US | 8.8.8.8:53 | fawjawcovn.net | udp |
| US | 8.8.8.8:53 | cvwpfiesyd.info | udp |
| US | 8.8.8.8:53 | zrnunoxrvex.com | udp |
| US | 8.8.8.8:53 | bltmage.net | udp |
| US | 8.8.8.8:53 | vvvtqw.info | udp |
| US | 8.8.8.8:53 | amhsiqjwugt.net | udp |
| US | 8.8.8.8:53 | dawhui.net | udp |
| US | 8.8.8.8:53 | hyafbvpm.net | udp |
| US | 8.8.8.8:53 | qkmciiwa.org | udp |
| US | 8.8.8.8:53 | nuqrzqrr.info | udp |
| US | 8.8.8.8:53 | iwkgqakcoo.org | udp |
| US | 8.8.8.8:53 | eqcsskwyyiug.org | udp |
| US | 162.249.65.164:80 | eqcsskwyyiug.org | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\ocdnblbhymn.exe
C:\Windows\SysWOW64\oewpkvsiwqhckbwnkx.exe
C:\Users\Admin\AppData\Local\Temp\zeltddp.exe
C:\Users\Admin\AppData\Local\caabexcawyxaqpsrwrcaab.xca
C:\Users\Admin\AppData\Local\tcnznrhqxkuijthrhnjsdpdhxgnakyzjx.xdz
C:\Program Files (x86)\caabexcawyxaqpsrwrcaab.xca
C:\Program Files (x86)\caabexcawyxaqpsrwrcaab.xca
C:\Program Files (x86)\caabexcawyxaqpsrwrcaab.xca
C:\fmvfrthot.bat
C:\Program Files (x86)\caabexcawyxaqpsrwrcaab.xca
C:\Users\Admin\AppData\Local\caabexcawyxaqpsrwrcaab.xca
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 12:52
Reported
2024-06-26 12:55
Platform
win7-20240611-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "qjumfbsnapggctkobc.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "dzniedxvldxaztnukornb.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "hzjasndxjxnmhxnqc.exe" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "dzniedxvldxaztnukornb.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hrtcmzhtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dzniedxvldxaztnukornb.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "bvhaurjftjbczrjocef.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "hzjasndxjxnmhxnqc.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hrtcmzhtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjumfbsnapggctkobc.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hrtcmzhtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojwqljczofyayrkqfikf.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "ojwqljczofyayrkqfikf.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "qjumfbsnapggctkobc.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hrtcmzhtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzjasndxjxnmhxnqc.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hrtcmzhtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvhaurjftjbczrjocef.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hrtcmzhtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjumfbsnapggctkobc.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hrtcmzhtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\araqhbqjuhwuodsu.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "araqhbqjuhwuodsu.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "hzjasndxjxnmhxnqc.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "ojwqljczofyayrkqfikf.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hrtcmzhtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\araqhbqjuhwuodsu.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkwjzkzgpau = "ojwqljczofyayrkqfikf.exe" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hrtcmzhtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\araqhbqjuhwuodsu.exe" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hrtcmzhtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjumfbsnapggctkobc.exe" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hrtcmzhtx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvhaurjftjbczrjocef.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvhaurjftjbczrjocef.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\araqhbqjuhwuodsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjumfbsnapggctkobc.exe" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dzniedxvldxaztnukornb.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjumfbsnapggctkobc.exe ." | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\araqhbqjuhwuodsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojwqljczofyayrkqfikf.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vltiyrfxhthexlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvhaurjftjbczrjocef.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\araqhbqjuhwuodsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzjasndxjxnmhxnqc.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\rflymdpfnxjev = "hzjasndxjxnmhxnqc.exe" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dzniedxvldxaztnukornb.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojwqljczofyayrkqfikf.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "ojwqljczofyayrkqfikf.exe" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "qjumfbsnapggctkobc.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vltiyrfxhthexlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojwqljczofyayrkqfikf.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\shocrjwnwhuqiv = "araqhbqjuhwuodsu.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\shocrjwnwhuqiv = "ojwqljczofyayrkqfikf.exe ." | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dzniedxvldxaztnukornb.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\rflymdpfnxjev = "araqhbqjuhwuodsu.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\araqhbqjuhwuodsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dzniedxvldxaztnukornb.exe" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vltiyrfxhthexlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dzniedxvldxaztnukornb.exe ." | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\rflymdpfnxjev = "dzniedxvldxaztnukornb.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "qjumfbsnapggctkobc.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\shocrjwnwhuqiv = "qjumfbsnapggctkobc.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\rflymdpfnxjev = "qjumfbsnapggctkobc.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\araqhbqjuhwuodsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjumfbsnapggctkobc.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "hzjasndxjxnmhxnqc.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\araqhbqjuhwuodsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\araqhbqjuhwuodsu.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjumfbsnapggctkobc.exe" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzjasndxjxnmhxnqc.exe ." | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vltiyrfxhthexlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\araqhbqjuhwuodsu.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjumfbsnapggctkobc.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "hzjasndxjxnmhxnqc.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\shocrjwnwhuqiv = "hzjasndxjxnmhxnqc.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "araqhbqjuhwuodsu.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vltiyrfxhthexlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzjasndxjxnmhxnqc.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "ojwqljczofyayrkqfikf.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\araqhbqjuhwuodsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvhaurjftjbczrjocef.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\shocrjwnwhuqiv = "araqhbqjuhwuodsu.exe ." | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\shocrjwnwhuqiv = "bvhaurjftjbczrjocef.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojwqljczofyayrkqfikf.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "dzniedxvldxaztnukornb.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "dzniedxvldxaztnukornb.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzjasndxjxnmhxnqc.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\araqhbqjuhwuodsu.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\araqhbqjuhwuodsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzjasndxjxnmhxnqc.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\araqhbqjuhwuodsu.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\shocrjwnwhuqiv = "hzjasndxjxnmhxnqc.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vltiyrfxhthexlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojwqljczofyayrkqfikf.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vltiyrfxhthexlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzjasndxjxnmhxnqc.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\araqhbqjuhwuodsu.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vltiyrfxhthexlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvhaurjftjbczrjocef.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "dzniedxvldxaztnukornb.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\araqhbqjuhwuodsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ojwqljczofyayrkqfikf.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\rflymdpfnxjev = "ojwqljczofyayrkqfikf.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "hzjasndxjxnmhxnqc.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vltiyrfxhthexlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bvhaurjftjbczrjocef.exe ." | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\rflymdpfnxjev = "bvhaurjftjbczrjocef.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\rflymdpfnxjev = "dzniedxvldxaztnukornb.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vltiyrfxhthexlz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\araqhbqjuhwuodsu.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "bvhaurjftjbczrjocef.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aloyjxgtyf = "dzniedxvldxaztnukornb.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hzjasndxjxnmhxnqc.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\shocrjwnwhuqiv = "ojwqljczofyayrkqfikf.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\araqhbqjuhwuodsu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qjumfbsnapggctkobc.exe" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vhlwixhvbjt = "ojwqljczofyayrkqfikf.exe ." | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\ilgilrsxutueklmaxisvqsvb.hed | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ojwqljczofyayrkqfikf.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\urgczzutkdyccxsarwaxmi.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\qjumfbsnapggctkobc.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\urgczzutkdyccxsarwaxmi.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hzjasndxjxnmhxnqc.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ojwqljczofyayrkqfikf.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hzjasndxjxnmhxnqc.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dzniedxvldxaztnukornb.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\araqhbqjuhwuodsu.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\urgczzutkdyccxsarwaxmi.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ojwqljczofyayrkqfikf.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\qjumfbsnapggctkobc.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ojwqljczofyayrkqfikf.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File created | C:\Windows\SysWOW64\ilgilrsxutueklmaxisvqsvb.hed | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dzniedxvldxaztnukornb.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hzjasndxjxnmhxnqc.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\qjumfbsnapggctkobc.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bvhaurjftjbczrjocef.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dzniedxvldxaztnukornb.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\araqhbqjuhwuodsu.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bvhaurjftjbczrjocef.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rflymdpfnxjevhtsawrflymdpfnxjevhtsa.rfl | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File created | C:\Windows\SysWOW64\rflymdpfnxjevhtsawrflymdpfnxjevhtsa.rfl | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\araqhbqjuhwuodsu.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bvhaurjftjbczrjocef.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\araqhbqjuhwuodsu.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bvhaurjftjbczrjocef.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dzniedxvldxaztnukornb.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hzjasndxjxnmhxnqc.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\qjumfbsnapggctkobc.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\urgczzutkdyccxsarwaxmi.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\ilgilrsxutueklmaxisvqsvb.hed | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File created | C:\Program Files (x86)\ilgilrsxutueklmaxisvqsvb.hed | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Program Files (x86)\rflymdpfnxjevhtsawrflymdpfnxjevhtsa.rfl | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File created | C:\Program Files (x86)\rflymdpfnxjevhtsawrflymdpfnxjevhtsa.rfl | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\araqhbqjuhwuodsu.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\hzjasndxjxnmhxnqc.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\qjumfbsnapggctkobc.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\araqhbqjuhwuodsu.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File created | C:\Windows\ilgilrsxutueklmaxisvqsvb.hed | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\bvhaurjftjbczrjocef.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\dzniedxvldxaztnukornb.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\dzniedxvldxaztnukornb.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\dzniedxvldxaztnukornb.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\araqhbqjuhwuodsu.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\qjumfbsnapggctkobc.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\ilgilrsxutueklmaxisvqsvb.hed | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\rflymdpfnxjevhtsawrflymdpfnxjevhtsa.rfl | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\ojwqljczofyayrkqfikf.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\hzjasndxjxnmhxnqc.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\ojwqljczofyayrkqfikf.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\hzjasndxjxnmhxnqc.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\urgczzutkdyccxsarwaxmi.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\dzniedxvldxaztnukornb.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\urgczzutkdyccxsarwaxmi.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\ojwqljczofyayrkqfikf.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\hzjasndxjxnmhxnqc.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\qjumfbsnapggctkobc.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\bvhaurjftjbczrjocef.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\urgczzutkdyccxsarwaxmi.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\qjumfbsnapggctkobc.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\bvhaurjftjbczrjocef.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\ojwqljczofyayrkqfikf.exe | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| File opened for modification | C:\Windows\urgczzutkdyccxsarwaxmi.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File created | C:\Windows\rflymdpfnxjevhtsawrflymdpfnxjevhtsa.rfl | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\bvhaurjftjbczrjocef.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| File opened for modification | C:\Windows\araqhbqjuhwuodsu.exe | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\djhms.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\120740fceaf7a90d28b61e4675a41a1b_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe
"C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe" "c:\users\admin\appdata\local\temp\120740fceaf7a90d28b61e4675a41a1b_jaffacakes118.exe*"
C:\Users\Admin\AppData\Local\Temp\djhms.exe
"C:\Users\Admin\AppData\Local\Temp\djhms.exe" "-C:\Users\Admin\AppData\Local\Temp\araqhbqjuhwuodsu.exe"
C:\Users\Admin\AppData\Local\Temp\djhms.exe
"C:\Users\Admin\AppData\Local\Temp\djhms.exe" "-C:\Users\Admin\AppData\Local\Temp\araqhbqjuhwuodsu.exe"
C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe
"C:\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe" "c:\users\admin\appdata\local\temp\120740fceaf7a90d28b61e4675a41a1b_jaffacakes118.exe"
Network
| Country | Destination | Domain | Proto |
Files
\Users\Admin\AppData\Local\Temp\ngvfpmsmxqf.exe
C:\Windows\SysWOW64\qjumfbsnapggctkobc.exe
\Users\Admin\AppData\Local\Temp\djhms.exe
C:\Users\Admin\AppData\Local\ilgilrsxutueklmaxisvqsvb.hed
C:\Users\Admin\AppData\Local\rflymdpfnxjevhtsawrflymdpfnxjevhtsa.rfl
C:\Program Files (x86)\ilgilrsxutueklmaxisvqsvb.hed
C:\Program Files (x86)\ilgilrsxutueklmaxisvqsvb.hed
C:\Program Files (x86)\ilgilrsxutueklmaxisvqsvb.hed
C:\Program Files (x86)\ilgilrsxutueklmaxisvqsvb.hed
C:\Program Files (x86)\ilgilrsxutueklmaxisvqsvb.hed
C:\Users\Admin\AppData\Local\ilgilrsxutueklmaxisvqsvb.hed