Malware Analysis Report

2025-03-15 00:50

Sample ID 240626-sq294szfpg
Target 12733f995ba05a3fac496e95cdcdb013_JaffaCakes118
SHA256 78f4412b5ce4aca748096baf19f05130b7e9f64b9949397ffc68959e62462e6c
Tags defense_evasion evasion persistence trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 78f4412b5ce4aca748096baf19f05130b7e9f64b9949397ffc68959e62462e6c

Threat Level: Known bad

The file 12733f995ba05a3fac496e95cdcdb013_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion evasion persistence trojan

UAC bypass

Modifies WinLogon for persistence

Disables RegEdit via registry modification

Adds policy Run key to start application

Loads dropped DLL

Impair Defenses: Safe Mode Boot

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

Checks whether UAC is enabled

Adds Run key to start application

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-26 15:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-26 15:20

Reported 2024-06-26 15:23

Platform win7-20240419-en

Max time kernel 150s

Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timcluhpbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgsqhytjdrxbupekjn.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kcjcoaqbqzazn = "awheuketmzehzthmk.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timcluhpbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hguungdvrhpvqnemntdc.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timcluhpbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kcjcoaqbqzazn = "hguungdvrhpvqnemntdc.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timcluhpbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hguungdvrhpvqnemntdc.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timcluhpbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgsqhytjdrxbupekjn.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kcjcoaqbqzazn = "usfewokbwlsxrndkkpy.exe" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timcluhpbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awheuketmzehzthmk.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timcluhpbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timcluhpbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kcjcoaqbqzazn = "toyujyrfxjnpgzmq.exe" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kcjcoaqbqzazn = "jgsqhytjdrxbupekjn.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kcjcoaqbqzazn = "usfewokbwlsxrndkkpy.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kcjcoaqbqzazn = "toyujyrfxjnpgzmq.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timcluhpbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwlmgayrofovrphqszkkz.exe" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kcjcoaqbqzazn = "hguungdvrhpvqnemntdc.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timcluhpbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usfewokbwlsxrndkkpy.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kcjcoaqbqzazn = "toyujyrfxjnpgzmq.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timcluhpbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usfewokbwlsxrndkkpy.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kcjcoaqbqzazn = "wwlmgayrofovrphqszkkz.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kcjcoaqbqzazn = "jgsqhytjdrxbupekjn.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awheuketmzehzthmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\toyujyrfxjnpgzmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe ." C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awheuketmzehzthmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awheuketmzehzthmk.exe" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awheuketmzehzthmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awheuketmzehzthmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwlmgayrofovrphqszkkz.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\toyujyrfxjnpgzmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe ." C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oirmaogtkvyzpht = "hguungdvrhpvqnemntdc.exe ." C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "jgsqhytjdrxbupekjn.exe" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hguungdvrhpvqnemntdc.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "awheuketmzehzthmk.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "usfewokbwlsxrndkkpy.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\lemgtgxjzjllar = "wwlmgayrofovrphqszkkz.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awheuketmzehzthmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgsqhytjdrxbupekjn.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgsqhytjdrxbupekjn.exe" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "jgsqhytjdrxbupekjn.exe ." C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe ." C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "toyujyrfxjnpgzmq.exe" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "jgsqhytjdrxbupekjn.exe ." C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\toyujyrfxjnpgzmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usfewokbwlsxrndkkpy.exe ." C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hguungdvrhpvqnemntdc.exe ." C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\toyujyrfxjnpgzmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwlmgayrofovrphqszkkz.exe ." C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\lemgtgxjzjllar = "toyujyrfxjnpgzmq.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oirmaogtkvyzpht = "wwlmgayrofovrphqszkkz.exe ." C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "usfewokbwlsxrndkkpy.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awheuketmzehzthmk.exe ." C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awheuketmzehzthmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hguungdvrhpvqnemntdc.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgsqhytjdrxbupekjn.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\toyujyrfxjnpgzmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgsqhytjdrxbupekjn.exe ." C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oirmaogtkvyzpht = "awheuketmzehzthmk.exe ." C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgsqhytjdrxbupekjn.exe ." C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "hguungdvrhpvqnemntdc.exe ." C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe ." C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "toyujyrfxjnpgzmq.exe ." C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usfewokbwlsxrndkkpy.exe ." C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "wwlmgayrofovrphqszkkz.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "toyujyrfxjnpgzmq.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\toyujyrfxjnpgzmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awheuketmzehzthmk.exe ." C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awheuketmzehzthmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awheuketmzehzthmk.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\lemgtgxjzjllar = "hguungdvrhpvqnemntdc.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awheuketmzehzthmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usfewokbwlsxrndkkpy.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "hguungdvrhpvqnemntdc.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oirmaogtkvyzpht = "jgsqhytjdrxbupekjn.exe ." C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "wwlmgayrofovrphqszkkz.exe ." C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\lemgtgxjzjllar = "wwlmgayrofovrphqszkkz.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oirmaogtkvyzpht = "hguungdvrhpvqnemntdc.exe ." C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "jgsqhytjdrxbupekjn.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\lemgtgxjzjllar = "usfewokbwlsxrndkkpy.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oirmaogtkvyzpht = "toyujyrfxjnpgzmq.exe ." C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgsqhytjdrxbupekjn.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\lemgtgxjzjllar = "toyujyrfxjnpgzmq.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awheuketmzehzthmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hguungdvrhpvqnemntdc.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\lemgtgxjzjllar = "usfewokbwlsxrndkkpy.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "toyujyrfxjnpgzmq.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\toyujyrfxjnpgzmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwlmgayrofovrphqszkkz.exe ." C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "awheuketmzehzthmk.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oirmaogtkvyzpht = "usfewokbwlsxrndkkpy.exe ." C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwlmgayrofovrphqszkkz.exe" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awheuketmzehzthmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwlmgayrofovrphqszkkz.exe" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe ." C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\toyujyrfxjnpgzmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hguungdvrhpvqnemntdc.exe ." C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\lemgtgxjzjllar = "jgsqhytjdrxbupekjn.exe" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.whatismyip.ca N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyipaddress.com N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\hguungdvrhpvqnemntdc.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\SysWOW64\awheuketmzehzthmk.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\SysWOW64\usfewokbwlsxrndkkpy.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\SysWOW64\wwlmgayrofovrphqszkkz.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\SysWOW64\awheuketmzehzthmk.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\SysWOW64\awheuketmzehzthmk.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\SysWOW64\hguungdvrhpvqnemntdc.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\SysWOW64\jgsqhytjdrxbupekjn.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\SysWOW64\usfewokbwlsxrndkkpy.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\SysWOW64\noegbwvpnfpxutmwzhtukm.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File created C:\Windows\SysWOW64\nwuehkrtzzrhmtumxnhqoybeln.tlb C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\SysWOW64\noegbwvpnfpxutmwzhtukm.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\SysWOW64\noegbwvpnfpxutmwzhtukm.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\SysWOW64\wwlmgayrofovrphqszkkz.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\SysWOW64\nwuehkrtzzrhmtumxnhqoybeln.tlb C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\SysWOW64\jgsqhytjdrxbupekjn.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\SysWOW64\wwlmgayrofovrphqszkkz.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\SysWOW64\usfewokbwlsxrndkkpy.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\SysWOW64\awheuketmzehzthmk.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\SysWOW64\hguungdvrhpvqnemntdc.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\SysWOW64\toyujyrfxjnpgzmq.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\SysWOW64\hguungdvrhpvqnemntdc.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\SysWOW64\noegbwvpnfpxutmwzhtukm.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\SysWOW64\toyujyrfxjnpgzmq.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File created C:\Windows\SysWOW64\oirmaogtkvyzphtwstysbwkyqdufijzrdgcdi.lgu C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\SysWOW64\toyujyrfxjnpgzmq.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\SysWOW64\jgsqhytjdrxbupekjn.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\SysWOW64\oirmaogtkvyzphtwstysbwkyqdufijzrdgcdi.lgu C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\SysWOW64\toyujyrfxjnpgzmq.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\SysWOW64\usfewokbwlsxrndkkpy.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\SysWOW64\wwlmgayrofovrphqszkkz.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\oirmaogtkvyzphtwstysbwkyqdufijzrdgcdi.lgu C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Program Files (x86)\nwuehkrtzzrhmtumxnhqoybeln.tlb C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File created C:\Program Files (x86)\nwuehkrtzzrhmtumxnhqoybeln.tlb C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Program Files (x86)\oirmaogtkvyzphtwstysbwkyqdufijzrdgcdi.lgu C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\jgsqhytjdrxbupekjn.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\wwlmgayrofovrphqszkkz.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\awheuketmzehzthmk.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\usfewokbwlsxrndkkpy.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\noegbwvpnfpxutmwzhtukm.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\hguungdvrhpvqnemntdc.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\awheuketmzehzthmk.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\hguungdvrhpvqnemntdc.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\nwuehkrtzzrhmtumxnhqoybeln.tlb C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\usfewokbwlsxrndkkpy.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File created C:\Windows\oirmaogtkvyzphtwstysbwkyqdufijzrdgcdi.lgu C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\toyujyrfxjnpgzmq.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\noegbwvpnfpxutmwzhtukm.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\wwlmgayrofovrphqszkkz.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\jgsqhytjdrxbupekjn.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File opened for modification C:\Windows\toyujyrfxjnpgzmq.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
File created C:\Windows\nwuehkrtzzrhmtumxnhqoybeln.tlb C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
File opened for modification C:\Windows\oirmaogtkvyzphtwstysbwkyqdufijzrdgcdi.lgu C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2124 wrote to memory of 3024 N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe
PID 3024 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe
PID 3024 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe C:\Users\Admin\AppData\Local\Temp\hssejo.exe
PID 2124 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\hssejo.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe

"C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe" "c:\users\admin\appdata\local\temp\12733f995ba05a3fac496e95cdcdb013_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\hssejo.exe

"C:\Users\Admin\AppData\Local\Temp\hssejo.exe" "-C:\Users\Admin\AppData\Local\Temp\toyujyrfxjnpgzmq.exe"

C:\Users\Admin\AppData\Local\Temp\hssejo.exe

"C:\Users\Admin\AppData\Local\Temp\hssejo.exe" "-C:\Users\Admin\AppData\Local\Temp\toyujyrfxjnpgzmq.exe"

C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe

"C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe" "c:\users\admin\appdata\local\temp\12733f995ba05a3fac496e95cdcdb013_jaffacakes118.exe"

Network

Country Destination Domain Proto

Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 15:20

Reported

2024-06-26 15:23

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzohsmzxgrmpkldmq.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avmhuqffqdafcfzkqlg.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czspectvixwdchdqyvsli.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "zrfxhamjrbvxrriq.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njbxliyzlzxdbfamtpld.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avmhuqffqdafcfzkqlg.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "zrfxhamjrbvxrriq.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czspectvixwdchdqyvsli.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czspectvixwdchdqyvsli.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "avmhuqffqdafcfzkqlg.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "czspectvixwdchdqyvsli.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "czspectvixwdchdqyvsli.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avmhuqffqdafcfzkqlg.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "njbxliyzlzxdbfamtpld.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "avmhuqffqdafcfzkqlg.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "njbxliyzlzxdbfamtpld.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "pjztfaonxjfjfhakpj.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njbxliyzlzxdbfamtpld.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "njbxliyzlzxdbfamtpld.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfxhamjrbvxrriq.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "pjztfaonxjfjfhakpj.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzohsmzxgrmpkldmq.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfxhamjrbvxrriq.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "gzohsmzxgrmpkldmq.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gzohsmzxgrmpkldmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njbxliyzlzxdbfamtpld.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czspectvixwdchdqyvsli.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrfxhamjrbvxrriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzohsmzxgrmpkldmq.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "pjztfaonxjfjfhakpj.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "njbxliyzlzxdbfamtpld.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "pjztfaonxjfjfhakpj.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "njbxliyzlzxdbfamtpld.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ulypyqbxenghazp = "avmhuqffqdafcfzkqlg.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "czspectvixwdchdqyvsli.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rhtjrisntbttlj = "zrfxhamjrbvxrriq.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "avmhuqffqdafcfzkqlg.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "gzohsmzxgrmpkldmq.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "avmhuqffqdafcfzkqlg.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrfxhamjrbvxrriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzohsmzxgrmpkldmq.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gzohsmzxgrmpkldmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzohsmzxgrmpkldmq.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ulypyqbxenghazp = "gzohsmzxgrmpkldmq.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ulypyqbxenghazp = "czspectvixwdchdqyvsli.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfxhamjrbvxrriq.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njbxliyzlzxdbfamtpld.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrfxhamjrbvxrriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfxhamjrbvxrriq.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gzohsmzxgrmpkldmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gzohsmzxgrmpkldmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czspectvixwdchdqyvsli.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czspectvixwdchdqyvsli.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gzohsmzxgrmpkldmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfxhamjrbvxrriq.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avmhuqffqdafcfzkqlg.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rhtjrisntbttlj = "pjztfaonxjfjfhakpj.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ulypyqbxenghazp = "pjztfaonxjfjfhakpj.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrfxhamjrbvxrriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzohsmzxgrmpkldmq.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrfxhamjrbvxrriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czspectvixwdchdqyvsli.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzohsmzxgrmpkldmq.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ulypyqbxenghazp = "czspectvixwdchdqyvsli.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rhtjrisntbttlj = "avmhuqffqdafcfzkqlg.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ulypyqbxenghazp = "pjztfaonxjfjfhakpj.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czspectvixwdchdqyvsli.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rhtjrisntbttlj = "njbxliyzlzxdbfamtpld.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "njbxliyzlzxdbfamtpld.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gzohsmzxgrmpkldmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzohsmzxgrmpkldmq.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "njbxliyzlzxdbfamtpld.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czspectvixwdchdqyvsli.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rhtjrisntbttlj = "gzohsmzxgrmpkldmq.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ulypyqbxenghazp = "czspectvixwdchdqyvsli.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrfxhamjrbvxrriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfxhamjrbvxrriq.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "zrfxhamjrbvxrriq.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzohsmzxgrmpkldmq.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "pjztfaonxjfjfhakpj.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "zrfxhamjrbvxrriq.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gzohsmzxgrmpkldmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "njbxliyzlzxdbfamtpld.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gzohsmzxgrmpkldmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avmhuqffqdafcfzkqlg.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gzohsmzxgrmpkldmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njbxliyzlzxdbfamtpld.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "njbxliyzlzxdbfamtpld.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "czspectvixwdchdqyvsli.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "zrfxhamjrbvxrriq.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "gzohsmzxgrmpkldmq.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrfxhamjrbvxrriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avmhuqffqdafcfzkqlg.exe ." C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rhtjrisntbttlj = "czspectvixwdchdqyvsli.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrfxhamjrbvxrriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe ." C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.whatismyip.ca N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\czspectvixwdchdqyvsli.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\SysWOW64\pjztfaonxjfjfhakpj.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\SysWOW64\avmhuqffqdafcfzkqlg.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\njbxliyzlzxdbfamtpld.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\SysWOW64\trljzyqthxxffliwfdbvtj.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\SysWOW64\trljzyqthxxffliwfdbvtj.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\SysWOW64\czspectvixwdchdqyvsli.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\zrfxhamjrbvxrriq.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\SysWOW64\avmhuqffqdafcfzkqlg.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\SysWOW64\avmhuqffqdafcfzkqlg.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File created C:\Windows\SysWOW64\mrsxuazjebixervqglqrwtzyi.ahw C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\SysWOW64\trljzyqthxxffliwfdbvtj.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\gzohsmzxgrmpkldmq.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\SysWOW64\pjztfaonxjfjfhakpj.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\SysWOW64\njbxliyzlzxdbfamtpld.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\SysWOW64\gzohsmzxgrmpkldmq.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\njbxliyzlzxdbfamtpld.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\njbxliyzlzxdbfamtpld.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\zrfxhamjrbvxrriq.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\SysWOW64\gzohsmzxgrmpkldmq.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File created C:\Windows\SysWOW64\rhtjrisntbttljyefvlxnvmwrxfxxpncijzp.rzq C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\SysWOW64\zrfxhamjrbvxrriq.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\pjztfaonxjfjfhakpj.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\czspectvixwdchdqyvsli.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\czspectvixwdchdqyvsli.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\SysWOW64\mrsxuazjebixervqglqrwtzyi.ahw C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\SysWOW64\avmhuqffqdafcfzkqlg.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\trljzyqthxxffliwfdbvtj.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\zrfxhamjrbvxrriq.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\rhtjrisntbttljyefvlxnvmwrxfxxpncijzp.rzq C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\SysWOW64\pjztfaonxjfjfhakpj.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\SysWOW64\gzohsmzxgrmpkldmq.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\mrsxuazjebixervqglqrwtzyi.ahw C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File created C:\Program Files (x86)\mrsxuazjebixervqglqrwtzyi.ahw C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Program Files (x86)\rhtjrisntbttljyefvlxnvmwrxfxxpncijzp.rzq C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File created C:\Program Files (x86)\rhtjrisntbttljyefvlxnvmwrxfxxpncijzp.rzq C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\gzohsmzxgrmpkldmq.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\gzohsmzxgrmpkldmq.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\avmhuqffqdafcfzkqlg.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\gzohsmzxgrmpkldmq.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\zrfxhamjrbvxrriq.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\gzohsmzxgrmpkldmq.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\njbxliyzlzxdbfamtpld.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\zrfxhamjrbvxrriq.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\zrfxhamjrbvxrriq.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\trljzyqthxxffliwfdbvtj.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\czspectvixwdchdqyvsli.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\njbxliyzlzxdbfamtpld.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\czspectvixwdchdqyvsli.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\trljzyqthxxffliwfdbvtj.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\czspectvixwdchdqyvsli.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\njbxliyzlzxdbfamtpld.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\njbxliyzlzxdbfamtpld.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File created C:\Windows\rhtjrisntbttljyefvlxnvmwrxfxxpncijzp.rzq C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\pjztfaonxjfjfhakpj.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\avmhuqffqdafcfzkqlg.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File created C:\Windows\mrsxuazjebixervqglqrwtzyi.ahw C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\pjztfaonxjfjfhakpj.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\avmhuqffqdafcfzkqlg.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\pjztfaonxjfjfhakpj.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\zrfxhamjrbvxrriq.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\czspectvixwdchdqyvsli.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\mrsxuazjebixervqglqrwtzyi.ahw C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\rhtjrisntbttljyefvlxnvmwrxfxxpncijzp.rzq C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\avmhuqffqdafcfzkqlg.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\pjztfaonxjfjfhakpj.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
File opened for modification C:\Windows\trljzyqthxxffliwfdbvtj.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
File opened for modification C:\Windows\trljzyqthxxffliwfdbvtj.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3172 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 3172 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 3172 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 3492 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe
PID 3492 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe
PID 3492 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe
PID 3492 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe
PID 3492 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe
PID 3492 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe C:\Users\Admin\AppData\Local\Temp\cjmts.exe
PID 3172 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 3172 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
PID 3172 wrote to memory of 4896 N/A C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\cjmts.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe

"C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\12733f995ba05a3fac496e95cdcdb013_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\cjmts.exe

"C:\Users\Admin\AppData\Local\Temp\cjmts.exe" "-C:\Users\Admin\AppData\Local\Temp\zrfxhamjrbvxrriq.exe"

C:\Users\Admin\AppData\Local\Temp\cjmts.exe

"C:\Users\Admin\AppData\Local\Temp\cjmts.exe" "-C:\Users\Admin\AppData\Local\Temp\zrfxhamjrbvxrriq.exe"

C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe

"C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\12733f995ba05a3fac496e95cdcdb013_jaffacakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 www.whatismyip.com udp
US 104.27.206.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 92.206.27.104.in-addr.arpa udp
US 104.27.206.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 175.155.67.172.in-addr.arpa udp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 79.222.19.104.in-addr.arpa udp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.27.206.92:80 www.whatismyip.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.adobe.com udp
BE 23.14.90.89:80 www.adobe.com tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 89.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 92.12.20.2.in-addr.arpa udp
US 52.111.227.11:443 tcp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 www.baidu.com udp
HK 103.235.46.96:80 www.baidu.com tcp
LT 78.58.3.233:19832 tcp
US 8.8.8.8:53 vsdgddzap.org udp
US 162.249.65.164:80 vsdgddzap.org tcp
US 8.8.8.8:53 96.46.235.103.in-addr.arpa udp
US 8.8.8.8:53 emfevccuwzsk.info udp
US 8.8.8.8:53 usgoiukeyi.org udp
US 8.8.8.8:53 kwhfqnnejec.info udp
US 34.211.97.45:80 kwhfqnnejec.info tcp
US 8.8.8.8:53 aoieqa.org udp
US 8.8.8.8:53 gkucss.org udp
US 8.8.8.8:53 45.97.211.34.in-addr.arpa udp
US 8.8.8.8:53 bmrxktfuuqh.net udp
US 8.8.8.8:53 eomqiyui.org udp
US 162.249.65.164:80 eomqiyui.org tcp
BG 77.70.118.230:14485 tcp
US 8.8.8.8:53 heylzdxbfmj.net udp
US 8.8.8.8:53 pqzpbyrcjiq.net udp
US 8.8.8.8:53 yaqycsyihod.net udp
US 8.8.8.8:53 mzmiavzflk.info udp
US 8.8.8.8:53 nfwbtoxcplp.net udp
US 8.8.8.8:53 hazzthxrziyh.net udp
US 8.8.8.8:53 dmlqfdncupgd.net udp
US 8.8.8.8:53 wctinmt.info udp
US 8.8.8.8:53 zhzzui.info udp
US 8.8.8.8:53 yknwqmy.net udp
US 8.8.8.8:53 jawzfnq.org udp
US 162.249.65.164:80 jawzfnq.org tcp
US 8.8.8.8:53 ddepjzmilwnm.info udp
US 8.8.8.8:53 nqmsvc.net udp
US 8.8.8.8:53 fmovmdjejujj.net udp
US 8.8.8.8:53 myywyq.com udp
US 8.8.8.8:53 esikaeyw.org udp
US 8.8.8.8:53 ikzszjxmq.info udp
US 208.100.26.245:80 ikzszjxmq.info tcp
US 8.8.8.8:53 oqgkggok.org udp
US 8.8.8.8:53 evbkdgdwpwt.net udp
US 8.8.8.8:53 hkzpou.net udp
US 8.8.8.8:53 tpsedopx.info udp
US 8.8.8.8:53 nibgvqqbg.net udp
US 8.8.8.8:53 uzkuscfmpaz.info udp
US 8.8.8.8:53 bfnkdfbtnuch.info udp
US 8.8.8.8:53 zdcyswrenlxc.info udp
US 8.8.8.8:53 dirugm.net udp
US 8.8.8.8:53 hswepwt.com udp
US 8.8.8.8:53 plyqwryarhgd.info udp
US 8.8.8.8:53 ncloprwjca.info udp
US 8.8.8.8:53 zaonbwzcd.net udp
US 8.8.8.8:53 vhmhhato.net udp
US 8.8.8.8:53 fdtcsoxm.net udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 eugisycc.com udp
US 8.8.8.8:53 yvrnagjc.info udp
US 8.8.8.8:53 cktstug.net udp
US 8.8.8.8:53 fmvgjakid.net udp
US 8.8.8.8:53 xnoosyodls.info udp
US 8.8.8.8:53 kadwqbf.info udp
US 8.8.8.8:53 jydnupwk.net udp
US 8.8.8.8:53 bsdytwg.info udp
US 8.8.8.8:53 neldjwn.info udp
US 8.8.8.8:53 lzzqgigv.info udp
US 8.8.8.8:53 usjgzpa.net udp
US 8.8.8.8:53 klfmhllih.net udp
US 8.8.8.8:53 ostdxxh.info udp
US 8.8.8.8:53 zghozkwyfpb.net udp
US 8.8.8.8:53 cgeqrpjejzug.info udp
US 8.8.8.8:53 oocgwu.org udp
US 162.249.65.164:80 oocgwu.org tcp
BG 188.254.157.235:20334 tcp
US 8.8.8.8:53 yywwskakkm.com udp
US 8.8.8.8:53 irdyzjk.net udp
US 8.8.8.8:53 nmduvdesx.net udp
US 8.8.8.8:53 mgdiez.info udp
US 8.8.8.8:53 vivuws.net udp
US 8.8.8.8:53 mebzfgl.net udp
US 8.8.8.8:53 cdzpkscetox.info udp
US 8.8.8.8:53 ztuuvewk.info udp
US 8.8.8.8:53 mujluotetkp.info udp
US 8.8.8.8:53 toevsnfdpzfz.info udp
US 8.8.8.8:53 ggqufvvq.info udp
US 8.8.8.8:53 gejgdibh.net udp
US 8.8.8.8:53 lwfxdefilma.net udp
US 8.8.8.8:53 gqhggzzsso.net udp
US 8.8.8.8:53 tanuxkhcugs.net udp
US 8.8.8.8:53 xknruirqxxr.info udp
US 8.8.8.8:53 lqjmrqxmfwy.net udp
US 8.8.8.8:53 jygxloual.info udp
US 8.8.8.8:53 duckslugd.info udp
US 8.8.8.8:53 ipigcemabqk.info udp
US 8.8.8.8:53 twvyrobjhur.org udp
US 162.249.65.164:80 twvyrobjhur.org tcp
US 8.8.8.8:53 bgjsrmdylgn.net udp
US 8.8.8.8:53 seltehtst.net udp
US 8.8.8.8:53 mvndtylzwo.net udp
US 8.8.8.8:53 nomvmt.net udp
US 8.8.8.8:53 tgjrvrzhtnhi.net udp
US 8.8.8.8:53 bmggjybdrea.net udp
US 8.8.8.8:53 hrvppstq.net udp
US 8.8.8.8:53 ecymauii.org udp
US 8.8.8.8:53 birmrcz.com udp
US 8.8.8.8:53 sotogai.info udp
US 8.8.8.8:53 mgqseqkksa.com udp
US 8.8.8.8:53 jouzrkl.com udp
US 8.8.8.8:53 scpfdwfjo.net udp
US 8.8.8.8:53 uggascemos.org udp
BG 89.215.53.84:21536 tcp
US 162.249.65.164:80 uggascemos.org tcp
US 8.8.8.8:53 nlldhhlv.info udp
US 8.8.8.8:53 jemmtsfcs.info udp
US 8.8.8.8:53 asrtjakcr.net udp
US 8.8.8.8:53 gmywoy.com udp
US 8.8.8.8:53 qahdxtmcddb.info udp
US 8.8.8.8:53 hpfwskhidyp.org udp
US 8.8.8.8:53 pbnatw.info udp
US 8.8.8.8:53 pwmcxqvob.org udp
US 8.8.8.8:53 ykkkisykyqqm.com udp
US 8.8.8.8:53 dtizeuozkaeh.info udp
US 8.8.8.8:53 xpustd.info udp
US 8.8.8.8:53 nnrfbvwm.net udp
US 8.8.8.8:53 dxwgjb.info udp
US 8.8.8.8:53 soikky.com udp
US 8.8.8.8:53 drhdqpor.info udp
US 8.8.8.8:53 hvpghcqsfehj.info udp
US 8.8.8.8:53 nqfozsnnji.info udp
US 8.8.8.8:53 virehlbqcyj.net udp
US 8.8.8.8:53 lvpfpadyyxlm.net udp
US 8.8.8.8:53 jwryrlhedht.com udp
US 8.8.8.8:53 xuvsjinhp.com udp
US 8.8.8.8:53 kgmsogygwo.com udp
US 8.8.8.8:53 vqnydsz.org udp
US 8.8.8.8:53 suvqjyw.info udp
US 8.8.8.8:53 ssodao.info udp
US 8.8.8.8:53 hsolelxe.net udp
US 8.8.8.8:53 lkcenos.org udp
US 8.8.8.8:53 scyssywk.org udp
US 162.249.65.164:80 scyssywk.org tcp
BR 95.86.13.76:32531 tcp
US 8.8.8.8:53 objszqxufyx.info udp
US 8.8.8.8:53 mksjysx.info udp
US 8.8.8.8:53 icfetsg.info udp
US 8.8.8.8:53 vmuvpm.info udp
US 8.8.8.8:53 hupytxy.net udp
US 8.8.8.8:53 wmoofupowul.info udp
US 8.8.8.8:53 dgpltr.info udp
US 8.8.8.8:53 mfqevttiubqh.info udp
US 8.8.8.8:53 dngfnjmhzh.info udp
US 8.8.8.8:53 lvpicxnk.info udp
US 8.8.8.8:53 hqhansjajqn.net udp
US 8.8.8.8:53 tvfsnu.net udp
US 8.8.8.8:53 eeagemac.com udp
US 8.8.8.8:53 nyexzeu.net udp
US 8.8.8.8:53 fqkeisrthq.info udp
US 8.8.8.8:53 xufnezb.info udp
US 8.8.8.8:53 cmsymi.com udp
US 8.8.8.8:53 ccqpelrkro.info udp
US 8.8.8.8:53 owdqngxobkx.info udp
US 8.8.8.8:53 cgfpmcymz.info udp
US 8.8.8.8:53 kwgcyk.com udp
US 8.8.8.8:53 qymieem.net udp
US 8.8.8.8:53 ehcjnu.net udp
US 8.8.8.8:53 vrjqjvrwfcm.info udp
US 8.8.8.8:53 oqdhibk.net udp
US 8.8.8.8:53 tayddxqraiej.net udp
US 8.8.8.8:53 lwpxxoabd.net udp
US 8.8.8.8:53 dxpuzatb.info udp
US 8.8.8.8:53 uuooygishc.net udp
US 8.8.8.8:53 yeiohsd.info udp
US 8.8.8.8:53 zswpbpbmna.net udp
US 8.8.8.8:53 ybkfgv.net udp
US 8.8.8.8:53 ucrszfzf.info udp
US 8.8.8.8:53 xotuoivmx.com udp
US 8.8.8.8:53 bgfbufft.net udp
US 8.8.8.8:53 egroraxatel.net udp
US 8.8.8.8:53 rkhauoj.org udp
US 8.8.8.8:53 kcyyao.com udp
US 8.8.8.8:53 zucddldslz.net udp
US 8.8.8.8:53 hylczucs.info udp
US 8.8.8.8:53 udhmlbuqpa.info udp
US 8.8.8.8:53 pzkckjxhpj.net udp
US 8.8.8.8:53 toogavp.org udp
US 8.8.8.8:53 efochgzyukl.net udp
US 8.8.8.8:53 ccowpuzmvig.info udp
US 8.8.8.8:53 zucfey.net udp
US 8.8.8.8:53 ypyuoitqoa.info udp
US 8.8.8.8:53 oaqnnvenwa.info udp
US 8.8.8.8:53 yprbvuqj.net udp
US 8.8.8.8:53 jkudqejzfc.net udp
US 8.8.8.8:53 pldpgii.net udp
US 8.8.8.8:53 ssjaven.info udp
US 8.8.8.8:53 zmaquu.net udp
US 8.8.8.8:53 mtsvewy.net udp
US 8.8.8.8:53 laytjkc.info udp
US 8.8.8.8:53 ntqphzlhlhxj.net udp
US 8.8.8.8:53 ggbcgytgpoq.info udp
US 8.8.8.8:53 aabrvuz.info udp
US 8.8.8.8:53 bqnqljllbyn.com udp
US 8.8.8.8:53 zsgicqdhe.info udp
US 8.8.8.8:53 wuihibpv.net udp
US 8.8.8.8:53 qukxnipr.info udp
US 8.8.8.8:53 fumovch.org udp
US 8.8.8.8:53 cgwiwcmmkiku.org udp
US 8.8.8.8:53 akridp.info udp
US 8.8.8.8:53 ymhulnl.info udp
US 8.8.8.8:53 yeoccgwa.com udp
US 8.8.8.8:53 upaxna.net udp
US 8.8.8.8:53 jcfavurdlf.info udp
US 8.8.8.8:53 jupvpshulol.info udp
US 8.8.8.8:53 smfnihl.info udp
US 8.8.8.8:53 oiocsqak.org udp
US 8.8.8.8:53 zrkholzwximd.net udp
US 8.8.8.8:53 kiyakmugcu.org udp
US 8.8.8.8:53 srrquwn.info udp
US 8.8.8.8:53 oucqwamusu.com udp
US 8.8.8.8:53 nnkapwjgdgw.com udp
US 8.8.8.8:53 rudfxcjvcd.net udp
US 8.8.8.8:53 ioxhkydl.info udp
US 8.8.8.8:53 oqwcsdfgpjyh.net udp
US 8.8.8.8:53 zwdnsfvt.info udp
US 8.8.8.8:53 cjrsdgmijgn.net udp
US 8.8.8.8:53 xjlpbt.net udp
US 8.8.8.8:53 tglikq.net udp
US 8.8.8.8:53 gacejehauky.info udp
US 8.8.8.8:53 tsjlatxlzhn.info udp
US 8.8.8.8:53 ukrbvtdgtugm.net udp
US 8.8.8.8:53 jodeapx.info udp
US 8.8.8.8:53 bxjlwifma.com udp
US 8.8.8.8:53 shvehdrsc.net udp
US 8.8.8.8:53 rfgmqcgcdtc.net udp
US 8.8.8.8:53 nrqwji.net udp
US 8.8.8.8:53 oqpxzvwusmb.net udp
US 8.8.8.8:53 ckoaywyaycye.org udp
US 8.8.8.8:53 fhxtexidokzw.info udp
US 8.8.8.8:53 rdtlpxnrditr.net udp
US 8.8.8.8:53 diyylaa.info udp
US 8.8.8.8:53 eozpiuepsq.net udp
US 8.8.8.8:53 jcxcwolq.info udp
US 8.8.8.8:53 xmvvsgg.info udp
US 8.8.8.8:53 sinpaqtwckai.info udp
US 8.8.8.8:53 psdezsjujdhu.net udp
US 8.8.8.8:53 fdpnzdcp.net udp
US 8.8.8.8:53 vpmwcit.org udp
US 8.8.8.8:53 bshorya.net udp
US 8.8.8.8:53 letyvqzergl.info udp
US 8.8.8.8:53 nsqaozdjaman.net udp
US 8.8.8.8:53 skqoqooa.org udp
US 8.8.8.8:53 rgtytol.net udp
US 8.8.8.8:53 iegkceci.org udp
US 8.8.8.8:53 wobxezdp.info udp
US 8.8.8.8:53 iukasqqcacyi.com udp
US 8.8.8.8:53 yndhqlv.net udp
US 8.8.8.8:53 ikkndhcwqqit.info udp
US 8.8.8.8:53 smjasmiaue.info udp
US 8.8.8.8:53 oakmqgswoo.com udp
US 8.8.8.8:53 vybqdcpl.info udp
US 8.8.8.8:53 cilfvxh.net udp
US 8.8.8.8:53 gknwcell.net udp
US 8.8.8.8:53 auowmaggsumq.org udp
US 162.249.65.164:80 auowmaggsumq.org tcp
PT 85.138.180.127:27682 tcp
US 8.8.8.8:53 hwoelkl.org udp
US 8.8.8.8:53 aglgbwpajmk.net udp
US 8.8.8.8:53 tlyyrd.net udp
US 8.8.8.8:53 sqckykawccim.com udp
US 8.8.8.8:53 cmzsdyzkh.net udp
US 8.8.8.8:53 nqjfwuadxx.net udp
US 8.8.8.8:53 rohyfivwvya.org udp
US 8.8.8.8:53 adbjxihil.info udp
US 8.8.8.8:53 swvytsb.net udp
US 8.8.8.8:53 jibkbjeldgkz.net udp
US 8.8.8.8:53 iyrgakmou.net udp
US 8.8.8.8:53 pqhxontj.net udp
US 8.8.8.8:53 mwbhbki.info udp
US 8.8.8.8:53 omfqblqlnzzt.net udp
US 8.8.8.8:53 izteqgzgt.net udp
US 8.8.8.8:53 vwwmxlvmw.com udp
US 8.8.8.8:53 kweprm.net udp
US 8.8.8.8:53 kiixvivcp.net udp
US 8.8.8.8:53 yawmmc.com udp
US 8.8.8.8:53 fixctnakvx.net udp
US 8.8.8.8:53 xhjsrhxpnd.info udp
US 8.8.8.8:53 mhdwxbfyhu.info udp
US 8.8.8.8:53 oqyegm.org udp
US 162.249.65.164:80 oqyegm.org tcp
US 8.8.8.8:53 mwdaoog.net udp
US 8.8.8.8:53 akomfdyhdsi.net udp
US 8.8.8.8:53 daewhip.info udp
US 8.8.8.8:53 qowgxzsf.info udp
US 8.8.8.8:53 oafejrpo.info udp
US 8.8.8.8:53 weceuysoak.com udp
US 8.8.8.8:53 fgnmhy.net udp
US 8.8.8.8:53 ebjaduv.info udp
US 8.8.8.8:53 iebrpezuxux.info udp
US 8.8.8.8:53 axwkke.info udp
US 8.8.8.8:53 osuqasmwkega.com udp
US 8.8.8.8:53 ejusptc.info udp
US 8.8.8.8:53 eaouymasiykg.org udp
US 8.8.8.8:53 dyrrlkpgb.net udp
US 8.8.8.8:53 ekpdvpw.info udp
US 8.8.8.8:53 aolhvg.net udp
US 8.8.8.8:53 yiucei.org udp
US 8.8.8.8:53 fjyqlnz.com udp
US 8.8.8.8:53 tmlmnkjotnv.net udp
US 8.8.8.8:53 qincfodmlne.net udp
US 8.8.8.8:53 bnbilv.net udp
US 8.8.8.8:53 cmaqegqw.com udp
US 8.8.8.8:53 cucumkqw.org udp
US 8.8.8.8:53 niftrlnvct.net udp
US 8.8.8.8:53 olkwto.info udp
US 8.8.8.8:53 mtnykydxqd.net udp
US 8.8.8.8:53 fjrdep.net udp
US 8.8.8.8:53 rxxaju.info udp
US 8.8.8.8:53 zuftdbmycs.info udp
US 8.8.8.8:53 veppsztexne.org udp
US 8.8.8.8:53 rihfigppyj.info udp
US 8.8.8.8:53 vvtpgopw.net udp
US 8.8.8.8:53 jgpprltbnwop.info udp
US 8.8.8.8:53 btvoiyrau.info udp
US 8.8.8.8:53 byrftgjdfei.net udp
US 8.8.8.8:53 uitohr.net udp
US 8.8.8.8:53 pczyktdfwyt.net udp
US 8.8.8.8:53 drhdjqvr.info udp
US 8.8.8.8:53 hgfizrutddl.info udp
US 8.8.8.8:53 wysaymkoqcgm.com udp
US 8.8.8.8:53 dmiiag.info udp
US 8.8.8.8:53 iueqqw.com udp
US 8.8.8.8:53 kqaghircoer.net udp
US 8.8.8.8:53 xorwtfl.info udp
US 8.8.8.8:53 lwldae.net udp
US 8.8.8.8:53 vqwnhb.net udp
BG 87.126.179.123:40449 tcp
US 8.8.8.8:53 okmkrkvcp.info udp
US 8.8.8.8:53 lfdxbgrl.net udp
US 8.8.8.8:53 hoiswxdmmta.org udp
US 8.8.8.8:53 ykpklispmaad.info udp
US 8.8.8.8:53 fapmez.net udp
US 8.8.8.8:53 dwvohi.info udp
US 8.8.8.8:53 otscjgrud.info udp
US 8.8.8.8:53 lkariixqx.info udp
US 8.8.8.8:53 ddizvdgmnj.info udp
US 8.8.8.8:53 zixwrjjcr.org udp
US 8.8.8.8:53 uaqkwieeysgm.org udp
US 8.8.8.8:53 zqdhpffuxhlu.info udp
US 8.8.8.8:53 xlfmyvpx.net udp
US 8.8.8.8:53 gkwuccsw.com udp
US 8.8.8.8:53 tmjpfknod.com udp
US 8.8.8.8:53 uwmmme.com udp
US 8.8.8.8:53 goohfykkntnm.info udp
US 8.8.8.8:53 tuoehlqvsrgr.net udp
US 8.8.8.8:53 tjhabtt.info udp
US 8.8.8.8:53 vkhovsojdtqg.info udp
US 8.8.8.8:53 gatzoe.net udp
US 8.8.8.8:53 jaktktbzcd.info udp
US 8.8.8.8:53 ceoyperlj.info udp
US 8.8.8.8:53 flpxrtvjit.net udp
US 8.8.8.8:53 vsrbzcvew.org udp
US 8.8.8.8:53 ougixybel.info udp
US 8.8.8.8:53 pfveuyfezshg.info udp
US 8.8.8.8:53 xmzunf.info udp
US 8.8.8.8:53 valkehh.info udp
US 8.8.8.8:53 qfihkufoqxzj.net udp
US 8.8.8.8:53 qqqcoscyie.com udp
US 8.8.8.8:53 vstqpay.com udp
US 8.8.8.8:53 nmjgyqvqfl.net udp

Files

C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe

MD5 3d7e11d4bb9c0a48f9853e596dc4da17
SHA1 d6db78229ee1efcaf7ca53c63528ccfae24fb9c2
SHA256 4eead57652239fb62bd5314cce3403c8667809f9251c090e74207468b8e1c144
SHA512 e03c87746ef6d45ca090f4bf62cf70f142a11848e1168cabb99abf4aff88f5bfb4a6b9aa48a38cfeae5fbf7f9fa11462beb9ca10111399af39bd27d37e455ea9

C:\Windows\SysWOW64\pjztfaonxjfjfhakpj.exe

MD5 12733f995ba05a3fac496e95cdcdb013
SHA1 6cdd41f788c984bddf8691af09fd67e2317c2302
SHA256 78f4412b5ce4aca748096baf19f05130b7e9f64b9949397ffc68959e62462e6c
SHA512 76fbdb470649d70b89d36332bf2d47bc352c89a099292b0a640c75d046b24d26538eb766bc3a3f95222cf554c25237b35b41079e94c9c606cd98de2c6f6f562d

C:\Users\Admin\AppData\Local\Temp\cjmts.exe

MD5 ecd47927cf64fe794c711bbfdf6b7c77
SHA1 846c37effa48ba1aac993b17dab982dbb6737d5d
SHA256 4e0f2a0a23767461e7f26e36be55a1ddfbbf6758f539fbb1d8520093cd3ba2b8
SHA512 1a3cf76b58f45c8a4e6ba376fa8fd108359ab732223db0641738f1870a57b24ae81ae3baab351f59c9adee1b47032ef9cf7c301667e109aa8f0b7cdab9111178

C:\Users\Admin\AppData\Local\mrsxuazjebixervqglqrwtzyi.ahw

MD5 f85eb75d8e118e408266f058c3f74cc0
SHA1 d55d76f178f2028a8f7a23da868bceaca12e6651
SHA256 b90844b792929f3aa914aef31843ac64a6149d34f3343527bb3c2338b71c6a56
SHA512 38317b1804b639447521296597f7dd400acfa01583b8f46cec0f7add26d3f7b44fb0efefbe1a4d1e3d9a16a24d7cd12b60d924422ff4d4a7e2129af7c17451a8

C:\Users\Admin\AppData\Local\rhtjrisntbttljyefvlxnvmwrxfxxpncijzp.rzq

MD5 f96032a19d9e435b625c727578c6ffad
SHA1 254f32f4cddabcf613063940264c95a614ce1e2a
SHA256 9d35b1625eed4347abde159564c7338065314d974733332794a2a5d3501b1c3a
SHA512 72f1de2d75b94b925554bbc780494aab07db47f0eb94ac57fd625a9f2acb7923b71bf2cde3d6fa4c55b0bcaeed9d6f139f30b0528ca4f5f0eeaf4f06f3ff56f1

C:\Program Files (x86)\mrsxuazjebixervqglqrwtzyi.ahw

MD5 fffca5f360d8a5354a86b02f88a4f0a4
SHA1 fb053e41691692c462de98a0fc2b39f68e2f9853
SHA256 8c322dffda6a1a7936c061efdd7b5aa97402b001657afd06a1302d57db483063
SHA512 429b18363e701a9133793d172074e2853ef292469c93e306bf04133da43c20b378f47c3ef5dabb6bb5ea4b07f84f92977524c9a1f0bb1d995ddb6f58081bea9e

C:\Program Files (x86)\mrsxuazjebixervqglqrwtzyi.ahw

MD5 2651bda2691e3da8cc33d7c0c0418a13
SHA1 bd414e72306da419afc31ef6bbb95c5ed5b840f9
SHA256 ba01ecd8d232230672950f300c0040257f5acc6875894bd72296a84b2eefac51
SHA512 6482358b3a33fac0bcfb2569af00ba0d1d6c8a9178fd1b4120ec9786e4a1d342464322553fa65cffa3f04cab5b3de1f087d610a7b396a28f95405f0d318a7986

C:\Program Files (x86)\mrsxuazjebixervqglqrwtzyi.ahw

MD5 57364628e129529fbc18bd7d9a48be24
SHA1 949f86233771e51cec5cc8daabcdedfedd80c7bf
SHA256 a597b71e3c68b055ae9fd12bc5178a743f9006cc4db8eb4d80781324d80062d5
SHA512 5c9c47ebe8ec737cc27360eb93a0a4562db0a32a0e6abffdf3c45e670b6a56b3f0b9c01d58f624d8d1687197462a263a73e50c0f2995caa3b7bed67058971248

C:\gryjmydtu.bat

MD5 1192167e25794cffdbbb439cae8bb478
SHA1 ca491cdd1b85119eff222a7918b7c20f194ab92e
SHA256 8d98cad12852c396007009e36b58f87decf1973d2358040231417de73816f72e
SHA512 a45ba8f103ffe71d2965027e303cbd639fa0319577b508b07d8c9da756b75c17212d8949a0411fdbbdfed719cbdede118370c6f5c44618dcb0f2c5aac738544f

C:\Users\Admin\AppData\Local\mrsxuazjebixervqglqrwtzyi.ahw

MD5 115e8f1e7c7baf13d3f5a81708ba97d0
SHA1 db62107e1be3c6759ef7e4fc80aa28d76efea7af
SHA256 98ef8ff5616a5d6c0ff521ccbd49092b27cae0bb4c5276610fac2294fb544b5e
SHA512 33dd94b55c66aac5d20361939b08c787b3850a6e60ba07d8ebbe26a784a17c44043dce06e21df7eda739b500a4a110a90e916b7b10150ee436a55c2e4e39cd88