Analysis Overview
SHA256
78f4412b5ce4aca748096baf19f05130b7e9f64b9949397ffc68959e62462e6c
Threat Level: Known bad
The file 12733f995ba05a3fac496e95cdcdb013_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies WinLogon for persistence
Disables RegEdit via registry modification
Adds policy Run key to start application
Loads dropped DLL
Impair Defenses: Safe Mode Boot
Executes dropped EXE
Checks computer location settings
Looks up external IP address via web service
Checks whether UAC is enabled
Adds Run key to start application
Drops autorun.inf file
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 15:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 15:20
Reported
2024-06-26 15:23
Platform
win7-20240419-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timcluhpbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgsqhytjdrxbupekjn.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kcjcoaqbqzazn = "awheuketmzehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timcluhpbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hguungdvrhpvqnemntdc.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timcluhpbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kcjcoaqbqzazn = "hguungdvrhpvqnemntdc.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timcluhpbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hguungdvrhpvqnemntdc.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timcluhpbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgsqhytjdrxbupekjn.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kcjcoaqbqzazn = "usfewokbwlsxrndkkpy.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timcluhpbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awheuketmzehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timcluhpbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timcluhpbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kcjcoaqbqzazn = "toyujyrfxjnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kcjcoaqbqzazn = "jgsqhytjdrxbupekjn.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kcjcoaqbqzazn = "usfewokbwlsxrndkkpy.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kcjcoaqbqzazn = "toyujyrfxjnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timcluhpbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwlmgayrofovrphqszkkz.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kcjcoaqbqzazn = "hguungdvrhpvqnemntdc.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timcluhpbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usfewokbwlsxrndkkpy.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kcjcoaqbqzazn = "toyujyrfxjnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\timcluhpbh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usfewokbwlsxrndkkpy.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kcjcoaqbqzazn = "wwlmgayrofovrphqszkkz.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kcjcoaqbqzazn = "jgsqhytjdrxbupekjn.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awheuketmzehzthmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\toyujyrfxjnpgzmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe ." | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awheuketmzehzthmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awheuketmzehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awheuketmzehzthmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awheuketmzehzthmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwlmgayrofovrphqszkkz.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\toyujyrfxjnpgzmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe ." | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oirmaogtkvyzpht = "hguungdvrhpvqnemntdc.exe ." | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "jgsqhytjdrxbupekjn.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hguungdvrhpvqnemntdc.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "awheuketmzehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "usfewokbwlsxrndkkpy.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\lemgtgxjzjllar = "wwlmgayrofovrphqszkkz.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awheuketmzehzthmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgsqhytjdrxbupekjn.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgsqhytjdrxbupekjn.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "jgsqhytjdrxbupekjn.exe ." | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe ." | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "toyujyrfxjnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "jgsqhytjdrxbupekjn.exe ." | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\toyujyrfxjnpgzmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usfewokbwlsxrndkkpy.exe ." | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hguungdvrhpvqnemntdc.exe ." | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\toyujyrfxjnpgzmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwlmgayrofovrphqszkkz.exe ." | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\lemgtgxjzjllar = "toyujyrfxjnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oirmaogtkvyzpht = "wwlmgayrofovrphqszkkz.exe ." | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "usfewokbwlsxrndkkpy.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awheuketmzehzthmk.exe ." | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awheuketmzehzthmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hguungdvrhpvqnemntdc.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgsqhytjdrxbupekjn.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\toyujyrfxjnpgzmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgsqhytjdrxbupekjn.exe ." | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oirmaogtkvyzpht = "awheuketmzehzthmk.exe ." | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgsqhytjdrxbupekjn.exe ." | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "hguungdvrhpvqnemntdc.exe ." | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe ." | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "toyujyrfxjnpgzmq.exe ." | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usfewokbwlsxrndkkpy.exe ." | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "wwlmgayrofovrphqszkkz.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "toyujyrfxjnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\toyujyrfxjnpgzmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awheuketmzehzthmk.exe ." | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awheuketmzehzthmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\awheuketmzehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\lemgtgxjzjllar = "hguungdvrhpvqnemntdc.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awheuketmzehzthmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\usfewokbwlsxrndkkpy.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "hguungdvrhpvqnemntdc.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oirmaogtkvyzpht = "jgsqhytjdrxbupekjn.exe ." | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "wwlmgayrofovrphqszkkz.exe ." | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\lemgtgxjzjllar = "wwlmgayrofovrphqszkkz.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oirmaogtkvyzpht = "hguungdvrhpvqnemntdc.exe ." | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "jgsqhytjdrxbupekjn.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\lemgtgxjzjllar = "usfewokbwlsxrndkkpy.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oirmaogtkvyzpht = "toyujyrfxjnpgzmq.exe ." | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jgsqhytjdrxbupekjn.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\lemgtgxjzjllar = "toyujyrfxjnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awheuketmzehzthmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hguungdvrhpvqnemntdc.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\lemgtgxjzjllar = "usfewokbwlsxrndkkpy.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "toyujyrfxjnpgzmq.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\toyujyrfxjnpgzmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwlmgayrofovrphqszkkz.exe ." | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "awheuketmzehzthmk.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oirmaogtkvyzpht = "usfewokbwlsxrndkkpy.exe ." | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\oejakuirelk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwlmgayrofovrphqszkkz.exe" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\awheuketmzehzthmk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wwlmgayrofovrphqszkkz.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\lcialwlvjrrp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\toyujyrfxjnpgzmq.exe ." | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\toyujyrfxjnpgzmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hguungdvrhpvqnemntdc.exe ." | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\lemgtgxjzjllar = "jgsqhytjdrxbupekjn.exe" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Windows\SysWOW64\hguungdvrhpvqnemntdc.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\awheuketmzehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\usfewokbwlsxrndkkpy.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wwlmgayrofovrphqszkkz.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\awheuketmzehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\awheuketmzehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hguungdvrhpvqnemntdc.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jgsqhytjdrxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\usfewokbwlsxrndkkpy.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\noegbwvpnfpxutmwzhtukm.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File created | C:\Windows\SysWOW64\nwuehkrtzzrhmtumxnhqoybeln.tlb | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\noegbwvpnfpxutmwzhtukm.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\noegbwvpnfpxutmwzhtukm.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wwlmgayrofovrphqszkkz.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nwuehkrtzzrhmtumxnhqoybeln.tlb | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jgsqhytjdrxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wwlmgayrofovrphqszkkz.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\usfewokbwlsxrndkkpy.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\awheuketmzehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hguungdvrhpvqnemntdc.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\toyujyrfxjnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hguungdvrhpvqnemntdc.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\noegbwvpnfpxutmwzhtukm.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\toyujyrfxjnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File created | C:\Windows\SysWOW64\oirmaogtkvyzphtwstysbwkyqdufijzrdgcdi.lgu | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\toyujyrfxjnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jgsqhytjdrxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oirmaogtkvyzphtwstysbwkyqdufijzrdgcdi.lgu | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\toyujyrfxjnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\usfewokbwlsxrndkkpy.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jgsqhytjdrxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wwlmgayrofovrphqszkkz.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\oirmaogtkvyzphtwstysbwkyqdufijzrdgcdi.lgu | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\nwuehkrtzzrhmtumxnhqoybeln.tlb | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File created | C:\Program Files (x86)\nwuehkrtzzrhmtumxnhqoybeln.tlb | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\oirmaogtkvyzphtwstysbwkyqdufijzrdgcdi.lgu | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\jgsqhytjdrxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\wwlmgayrofovrphqszkkz.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\awheuketmzehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\awheuketmzehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\usfewokbwlsxrndkkpy.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\noegbwvpnfpxutmwzhtukm.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\wwlmgayrofovrphqszkkz.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\hguungdvrhpvqnemntdc.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\awheuketmzehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\hguungdvrhpvqnemntdc.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\hguungdvrhpvqnemntdc.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\nwuehkrtzzrhmtumxnhqoybeln.tlb | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\usfewokbwlsxrndkkpy.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\oirmaogtkvyzphtwstysbwkyqdufijzrdgcdi.lgu | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\usfewokbwlsxrndkkpy.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\hguungdvrhpvqnemntdc.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\toyujyrfxjnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\usfewokbwlsxrndkkpy.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\noegbwvpnfpxutmwzhtukm.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\wwlmgayrofovrphqszkkz.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\awheuketmzehzthmk.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\wwlmgayrofovrphqszkkz.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\noegbwvpnfpxutmwzhtukm.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\jgsqhytjdrxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\noegbwvpnfpxutmwzhtukm.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\jgsqhytjdrxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\jgsqhytjdrxbupekjn.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\toyujyrfxjnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File created | C:\Windows\nwuehkrtzzrhmtumxnhqoybeln.tlb | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\oirmaogtkvyzphtwstysbwkyqdufijzrdgcdi.lgu | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| File opened for modification | C:\Windows\toyujyrfxjnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| File opened for modification | C:\Windows\toyujyrfxjnpgzmq.exe | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\hssejo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe
"C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe" "c:\users\admin\appdata\local\temp\12733f995ba05a3fac496e95cdcdb013_jaffacakes118.exe*"
C:\Users\Admin\AppData\Local\Temp\hssejo.exe
"C:\Users\Admin\AppData\Local\Temp\hssejo.exe" "-C:\Users\Admin\AppData\Local\Temp\toyujyrfxjnpgzmq.exe"
C:\Users\Admin\AppData\Local\Temp\hssejo.exe
"C:\Users\Admin\AppData\Local\Temp\hssejo.exe" "-C:\Users\Admin\AppData\Local\Temp\toyujyrfxjnpgzmq.exe"
C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe
"C:\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe" "c:\users\admin\appdata\local\temp\12733f995ba05a3fac496e95cdcdb013_jaffacakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.bbc.co.uk | udp |
| US | 151.101.64.81:80 | www.bbc.co.uk | tcp |
| DE | 94.156.201.116:19145 | | tcp |
| US | 8.8.8.8:53 | vsdgddzap.org | udp |
| US | 162.249.65.164:80 | vsdgddzap.org | tcp |
| US | 8.8.8.8:53 | rsiwkozvgspb.info | udp |
| US | 8.8.8.8:53 | pojozadcb.net | udp |
| US | 8.8.8.8:53 | msacnqdsdeb.info | udp |
| US | 8.8.8.8:53 | vqsstgn.net | udp |
| MD | 89.41.91.121:40988 | | tcp |
| US | 8.8.8.8:53 | emfevccuwzsk.info | udp |
| US | 8.8.8.8:53 | raxidorxnox.org | udp |
| US | 8.8.8.8:53 | | udp |
| US | 34.211.97.45:80 | kwhfqnnejec.info | tcp |
| US | 8.8.8.8:53 | ryxctjzgg.com | udp |
| BG | 87.97.139.7:13119 | | tcp |
| US | 8.8.8.8:53 | eomqiyui.org | udp |
| US | 162.249.65.164:80 | eomqiyui.org | tcp |
| US | 8.8.8.8:53 | vupwbcmwhchx.info | udp |
| US | 8.8.8.8:53 | retvxe.net | udp |
| US | 8.8.8.8:53 | qqhwxmscfmt.info | udp |
| US | 8.8.8.8:53 | nfwbtoxcplp.net | udp |
| LT | 84.32.125.156:25573 | | tcp |
| US | 8.8.8.8:53 | terwpjjwnn.net | udp |
| US | 8.8.8.8:53 | fzzvlkywa.org | udp |
| BG | 77.70.86.216:27898 | | tcp |
| US | 8.8.8.8:53 | tqbsamossau.org | udp |
| US | 8.8.8.8:53 | hazzthxrziyh.net | udp |
| US | 8.8.8.8:53 | mowyegya.org | udp |
| US | 8.8.8.8:53 | aggsrwrqkmxx.net | udp |
| US | 8.8.8.8:53 | flbfzhirfq.info | udp |
| RU | 109.126.27.124:26325 | | tcp |
| US | 8.8.8.8:53 | akuiimom.org | udp |
| US | 8.8.8.8:53 | xvzgmlssy.org | udp |
| GR | 46.103.81.2:29447 | | tcp |
| US | 162.249.65.164:80 | eomqiyui.org | tcp |
| US | 8.8.8.8:53 | nqmsvc.net | udp |
| US | 8.8.8.8:53 | hmsjpwtnzg.info | udp |
| LT | 46.249.172.221:39468 | | tcp |
| US | 8.8.8.8:53 | cmlmmhzcb.net | udp |
| US | 8.8.8.8:53 | euwpzzvy.net | udp |
| US | 8.8.8.8:53 | ikzszjxmq.info | udp |
| US | 208.100.26.245:80 | ikzszjxmq.info | tcp |
| US | 8.8.8.8:53 | vgfitmlpxg.info | udp |
| BG | 89.215.221.151:37497 | | tcp |
| US | 8.8.8.8:53 | qcjeuitux.net | udp |
| US | 8.8.8.8:53 | nibgvqqbg.net | udp |
| LT | 81.7.111.52:31980 | | tcp |
| US | 8.8.8.8:53 | lbbyqkwsa.org | udp |
| US | 8.8.8.8:53 | jsnofmvxi.org | udp |
| US | 8.8.8.8:53 | dcsepizll.info | udp |
| US | 8.8.8.8:53 | dqarln.info | udp |
| US | 8.8.8.8:53 | kzjozwgi.info | udp |
| US | 8.8.8.8:53 | hzveejfiyuj.info | udp |
| US | 8.8.8.8:53 | bfnkdfbtnuch.info | udp |
| US | 8.8.8.8:53 | ytzhungeyk.info | udp |
| US | 8.8.8.8:53 | wdsxqagjnuh.net | udp |
| US | 8.8.8.8:53 | yqwiwiqqge.com | udp |
| US | 8.8.8.8:53 | vvnyfkdnjb.net | udp |
| US | 8.8.8.8:53 | hswepwt.com | udp |
| BG | 94.156.81.32:16507 | | tcp |
| US | 8.8.8.8:53 | ocmywwiy.com | udp |
| US | 8.8.8.8:53 | nzxugtv.org | udp |
| RU | 109.126.27.124:26325 | | tcp |
| US | 8.8.8.8:53 | cwmzlaiud.net | udp |
| US | 8.8.8.8:53 | yvrnagjc.info | udp |
| US | 8.8.8.8:53 | hzbryhltar.net | udp |
| LT | 78.60.83.24:17857 | | tcp |
| US | 8.8.8.8:53 | drrhcxyozvtw.info | udp |
| US | 8.8.8.8:53 | zmkyeup.com | udp |
| US | 8.8.8.8:53 | vshgvc.info | udp |
| US | 8.8.8.8:53 | jydnupwk.net | udp |
| BG | 212.233.209.31:19120 | | tcp |
| US | 8.8.8.8:53 | perayouwii.net | udp |
| US | 8.8.8.8:53 | terjxvzdeglf.info | udp |
| US | 8.8.8.8:53 | zfsyewnlxz.info | udp |
| DE | 84.32.110.126:45090 | | tcp |
| US | 8.8.8.8:53 | myaehqvbrgp.net | udp |
| US | 8.8.8.8:53 | lzzqgigv.info | udp |
| US | 8.8.8.8:53 | xivwfmrgf.info | udp |
| MD | 109.185.147.241:13725 | | tcp |
| US | 8.8.8.8:53 | gjztkuzaxsk.info | udp |
| US | 8.8.8.8:53 | jhavtcue.net | udp |
| US | 8.8.8.8:53 | acyvxr.net | udp |
| BG | 188.254.157.235:20334 | | tcp |
| US | 8.8.8.8:53 | ihtqvgrxtyt.info | udp |
| US | 8.8.8.8:53 | fmjldgh.info | udp |
| US | 8.8.8.8:53 | ostdxxh.info | udp |
| US | 8.8.8.8:53 | gcfcavb.info | udp |
| LT | 88.223.5.42:35390 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\ebnbjiaxolx.exe
| MD5 | 19f5184f826846d2112ed7cac6ba4bfe |
| SHA1 | afcf03abb58e660d0887a18175ba9ea73d1959f6 |
| SHA256 | 90c39bd75a61c2ef8759954a92311f1ca3a0284bd8377191325ab4b7e7f58c9b |
| SHA512 | 1d68c041fc985d89b4f7f8d5befedab8605e063bc2390f8b4737cadb5313483774dcf47633c79a7e2ba68a270156fdcc010f820dc913c8028eff273df2e166e8 |
C:\Windows\SysWOW64\jgsqhytjdrxbupekjn.exe
| MD5 | 12733f995ba05a3fac496e95cdcdb013 |
| SHA1 | 6cdd41f788c984bddf8691af09fd67e2317c2302 |
| SHA256 | 78f4412b5ce4aca748096baf19f05130b7e9f64b9949397ffc68959e62462e6c |
| SHA512 | 76fbdb470649d70b89d36332bf2d47bc352c89a099292b0a640c75d046b24d26538eb766bc3a3f95222cf554c25237b35b41079e94c9c606cd98de2c6f6f562d |
\Users\Admin\AppData\Local\Temp\hssejo.exe
| MD5 | b0ea828788dd366477bbce5a59c80c5f |
| SHA1 | b73084a093c10cd397236a922d121efe05d5edc9 |
| SHA256 | 83e4154ded81a80b01d71ef58db407cd9bde9b2a0fcc211c87e2ce9e31b26bbc |
| SHA512 | 5becc5813a07f3f5b5663afeb66f70e3e1a39889b709877befdacb2e122696d37dfd930952c1095b78ef4422e14ca1d4aa294837dc1d8216f791beec4ccb4675 |
C:\Users\Admin\AppData\Local\nwuehkrtzzrhmtumxnhqoybeln.tlb
| MD5 | eb4264ef738c17f7264cdc04876c6cbf |
| SHA1 | 6cb7300236c5bd71fc097e8194bf1f46f26b42b6 |
| SHA256 | 90a7a8c716e0e5536532e5ce7f1593d4e2babcdf7587189f0b312a28326c7465 |
| SHA512 | de75978f7bd4ae0b84df47c3fde5f385c63e4c4f746787d85ecd32aeeec5843a9076a9c630e4e607a6534c45cf90d0a2bdf638bf80a83f1f459f8e76bd87f4f4 |
C:\Users\Admin\AppData\Local\oirmaogtkvyzphtwstysbwkyqdufijzrdgcdi.lgu
| MD5 | 2e71d8a81e497618fd6ad981f3ffdc78 |
| SHA1 | 0c256b06711a9da03eb8a9c1da382d43747d85a4 |
| SHA256 | 162aa0d8e56ae775d59199f3afcd7870e7655ba99dce4f32c57d337f87562d16 |
| SHA512 | 389eefe5e8649d7415aced824c9aac07a8c4ab60c3c5ae2aacb546c25b969825b36e8c145ce0e2eaf294ae5931dba20bd9225bda0a8c00943a66bbbf3521dcf5 |
C:\Program Files (x86)\nwuehkrtzzrhmtumxnhqoybeln.tlb
| MD5 | e94c2954286b63959a25393e8d99d8cd |
| SHA1 | 89502550bb8d870a4a1b5a3a359e63e140736f0c |
| SHA256 | c5d8e6d276db8ebd08338a049a5d69635564b7cb321aab39656cbfbda50e277c |
| SHA512 | c951d362c166290831289930fc97d7de6ed07d12a759e0c0b60b0f2aeef0f890c8e3558078fb233b189780fde796416f1deaa923d0aa265bcd4065e61cb84616 |
C:\Users\Admin\AppData\Local\nwuehkrtzzrhmtumxnhqoybeln.tlb
| MD5 | dad885c57ae848c77cb1575f081cdb0b |
| SHA1 | 00d595c94f07ac9ce6a768ad68ef729babd7a272 |
| SHA256 | 7eeca74e1152abea2f3eb6d665c3e5e35e712c34e438ea1255bc4fb9478e3f3f |
| SHA512 | 4e6e63d5f27735515e67160f2506a9be535de7a3841e7a16c0932eedfeb4af4f817bc538ac69621fa8060f54b103b7be9679d0f346040a30b1de6bbf823a7fa4 |
C:\aorgowipa.bat
| MD5 | 212d8a2fd8abc6bd367e57ae30dd519a |
| SHA1 | 3a69b025124ad94b3501574eb734a44903023a34 |
| SHA256 | 1c48577f1d07728078adc1f8a14598161b676a725744b223bebe49a87bb27571 |
| SHA512 | e0b33d30fe8c495f59f0ea94878a126a86212856289767b9c967aba4e3abac021392e483fa419f40ab75e657acff00439d8ec9a14d36105d5b1bb9f5f9fee8b0 |
C:\Users\Admin\AppData\Local\nwuehkrtzzrhmtumxnhqoybeln.tlb
| MD5 | 44fbc4ba91c501b854ffae4f94fb71a4 |
| SHA1 | 58d954fc4ea7fa3912fead5aef5be2c51a39c845 |
| SHA256 | dc570b3bd2fdae50382e52c27b8a8e2a9dccd30c195ff432b96cdb6ac59a30e5 |
| SHA512 | 59c82aac2d36768fffeb9ad512e2e4a34e8a1bb8b7db32a0de7678c882be291dbcacd2bc2492e56e68aeb3c18426eb8459e7b17cfb015137cf7c1a7b29a5bf54 |
C:\Program Files (x86)\nwuehkrtzzrhmtumxnhqoybeln.tlb
| MD5 | 14d010b16311c4f94241d328ce1f4c07 |
| SHA1 | 9691e90939f0723451c969cb8cb910e13e8ab8c8 |
| SHA256 | fbe6cb6608f50deede6edab017f3ea0f64b25dae0ebe84bd276bbe2a390b1afe |
| SHA512 | f442d5a6d46f3d174514b70fdb85b90921f611fa5ba84de6db59ffca7a34bd56bf7f7db266a7f307676d077aa2a92e49be1d4a5e05ebf89b6c17f77428682ee5 |
C:\Program Files (x86)\nwuehkrtzzrhmtumxnhqoybeln.tlb
| MD5 | 801a5524c80f9924037584c2f96f9154 |
| SHA1 | eed95ca1c009e245b2c69f4f96b3a875a4c9aa3c |
| SHA256 | c6f3a2914965014d8166e3769584138ca40d8a15146a60d066138ad8b1ca1df2 |
| SHA512 | e7cc4d9ee5f1863acb7acdc8c60b4d49eb45e471062ae7b92045e7e8aa28ac47a7fd3b2d3cdba1edf66592a9ea99dc36a747fdd4e9614a3072d726051e549ec1 |
C:\Users\Admin\AppData\Local\nwuehkrtzzrhmtumxnhqoybeln.tlb
| MD5 | a1bb3be70cd2e6cdde9986970e37f33f |
| SHA1 | 61ff7d8507be824e7cf568c8bd86ad6de2b07c71 |
| SHA256 | 4b344636c9a2602e43121381c917ce9e917b65a9e8caf94360956c4fd2235e94 |
| SHA512 | 8b02530174120a17123f1ac4d669fccf4a2fe63689d627a757e95a265112dae8739174e8c94736e1c50d752e6a7b6d0d7acc2fc43be57770c0d2f93f308cb12e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 15:20
Reported
2024-06-26 15:23
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzohsmzxgrmpkldmq.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avmhuqffqdafcfzkqlg.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czspectvixwdchdqyvsli.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "zrfxhamjrbvxrriq.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njbxliyzlzxdbfamtpld.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avmhuqffqdafcfzkqlg.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "zrfxhamjrbvxrriq.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czspectvixwdchdqyvsli.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czspectvixwdchdqyvsli.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "avmhuqffqdafcfzkqlg.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "czspectvixwdchdqyvsli.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "czspectvixwdchdqyvsli.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avmhuqffqdafcfzkqlg.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "njbxliyzlzxdbfamtpld.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "avmhuqffqdafcfzkqlg.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "njbxliyzlzxdbfamtpld.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "pjztfaonxjfjfhakpj.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njbxliyzlzxdbfamtpld.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "njbxliyzlzxdbfamtpld.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfxhamjrbvxrriq.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "pjztfaonxjfjfhakpj.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzohsmzxgrmpkldmq.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zltfjwctvz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfxhamjrbvxrriq.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "gzohsmzxgrmpkldmq.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gzohsmzxgrmpkldmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njbxliyzlzxdbfamtpld.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czspectvixwdchdqyvsli.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrfxhamjrbvxrriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzohsmzxgrmpkldmq.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "pjztfaonxjfjfhakpj.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "njbxliyzlzxdbfamtpld.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "pjztfaonxjfjfhakpj.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "njbxliyzlzxdbfamtpld.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ulypyqbxenghazp = "avmhuqffqdafcfzkqlg.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "czspectvixwdchdqyvsli.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rhtjrisntbttlj = "zrfxhamjrbvxrriq.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "avmhuqffqdafcfzkqlg.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "gzohsmzxgrmpkldmq.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "avmhuqffqdafcfzkqlg.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrfxhamjrbvxrriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzohsmzxgrmpkldmq.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gzohsmzxgrmpkldmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzohsmzxgrmpkldmq.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ulypyqbxenghazp = "gzohsmzxgrmpkldmq.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ulypyqbxenghazp = "czspectvixwdchdqyvsli.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfxhamjrbvxrriq.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njbxliyzlzxdbfamtpld.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrfxhamjrbvxrriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfxhamjrbvxrriq.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gzohsmzxgrmpkldmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gzohsmzxgrmpkldmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czspectvixwdchdqyvsli.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czspectvixwdchdqyvsli.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gzohsmzxgrmpkldmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfxhamjrbvxrriq.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avmhuqffqdafcfzkqlg.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rhtjrisntbttlj = "pjztfaonxjfjfhakpj.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ulypyqbxenghazp = "pjztfaonxjfjfhakpj.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrfxhamjrbvxrriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzohsmzxgrmpkldmq.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrfxhamjrbvxrriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czspectvixwdchdqyvsli.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzohsmzxgrmpkldmq.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ulypyqbxenghazp = "czspectvixwdchdqyvsli.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rhtjrisntbttlj = "avmhuqffqdafcfzkqlg.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ulypyqbxenghazp = "pjztfaonxjfjfhakpj.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czspectvixwdchdqyvsli.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rhtjrisntbttlj = "njbxliyzlzxdbfamtpld.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "njbxliyzlzxdbfamtpld.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gzohsmzxgrmpkldmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzohsmzxgrmpkldmq.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "njbxliyzlzxdbfamtpld.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\czspectvixwdchdqyvsli.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rhtjrisntbttlj = "gzohsmzxgrmpkldmq.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ulypyqbxenghazp = "czspectvixwdchdqyvsli.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrfxhamjrbvxrriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zrfxhamjrbvxrriq.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "zrfxhamjrbvxrriq.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gzohsmzxgrmpkldmq.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "pjztfaonxjfjfhakpj.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "zrfxhamjrbvxrriq.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gzohsmzxgrmpkldmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "njbxliyzlzxdbfamtpld.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gzohsmzxgrmpkldmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avmhuqffqdafcfzkqlg.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\gzohsmzxgrmpkldmq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njbxliyzlzxdbfamtpld.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "njbxliyzlzxdbfamtpld.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "czspectvixwdchdqyvsli.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "zrfxhamjrbvxrriq.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "gzohsmzxgrmpkldmq.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrfxhamjrbvxrriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\avmhuqffqdafcfzkqlg.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rhtjrisntbttlj = "czspectvixwdchdqyvsli.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\uhqdiwdvyds = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zrfxhamjrbvxrriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
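The Run/RunOnce rows above, like the Policies\Explorer\Run rows before them, repeat a small fixed set of value names (uhqdiwdvyds, rhtjrisntbttlj, rfpdjygzdjzx, ulypyqbxenghazp, zrfxhamjrbvxrriq, gzohsmzxgrmpkldmq; zltfjwctvz and qfqfmclfkrihy under the policy key) that the two droppers rewrite over and over, each time with a different dropped image, sometimes as a bare name with a trailing " ." and sometimes as a full %TEMP% path. Collapsing the rows per value name makes that rotation visible and produces the distinct set of image names to hunt for. The PowerShell below is an added helper, not part of the sandbox report: $Rows holds four rows copied verbatim from the tables above (paste a whole section in to see the full rotation), and the function name ConvertFrom-SignatureRow is this example's own.

```powershell
# Added helper (not from the report): collapse repetitive "Set value (str)" rows
# of a sandbox signature table into one line per autostart value, listing every
# image name the sample rotated through it. $Rows holds rows copied verbatim from
# the tables above; paste a full section in to see the whole rotation.
$Rows = @'
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "avmhuqffqdafcfzkqlg.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\qfqfmclfkrihy = "czspectvixwdchdqyvsli.exe" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "pjztfaonxjfjfhakpj.exe ." | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\rfpdjygzdjzx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pjztfaonxjfjfhakpj.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
'@

function ConvertFrom-SignatureRow {
    param([string]$Line)
    # Table columns: Description | Indicator | Process | Target
    $cols = @($Line -split '\|' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    if ($cols.Count -lt 3 -or $cols[0] -notlike 'Set value*') { return }
    # Indicator shape: <key path>\<value name> = "<data>". The report doubles the
    # backslashes inside the quoted data, so undo that when extracting it.
    if ($cols[1] -match '^(?<key>.+)\\(?<name>[^\\]+) = "(?<data>.*)"$') {
        [pscustomobject]@{
            Key     = $Matches.key
            Name    = $Matches.name
            Data    = $Matches.data -replace '\\\\', '\'
            Process = Split-Path -Leaf $cols[2]
        }
    }
}

$Entries = $Rows -split "`r?`n" | ForEach-Object { ConvertFrom-SignatureRow $_ } | Where-Object { $_ }

# One line per (key, value name): every image written there and the process that wrote it.
$Entries | Group-Object Key, Name | ForEach-Object {
    [pscustomobject]@{
        Location  = $_.Group[0].Key -replace '^\\REGISTRY\\USER\\S-1-5-21-[\d-]+', 'HKU\<sid>'
        ValueName = $_.Group[0].Name
        Images    = ($_.Group.Data | ForEach-Object { Split-Path -Leaf ($_ -replace ' \.$', '') } | Sort-Object -Unique) -join ', '
        Writers   = ($_.Group.Process | Sort-Object -Unique) -join ', '
    }
} | Format-Table -AutoSize -Wrap
```

With the four embedded rows this yields three lines (the two qfqfmclfkrihy writes merge into one entry carrying both image names; the two rfpdjygzdjzx writes stay separate because they target different hives). The practical point for detection is that the value names, not the image names, are the stable part of a given build of this sample, while a generic rule should key on the shape instead: an autostart value whose data is a bare image name or a path under a profile's Temp directory.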
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\czspectvixwdchdqyvsli.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pjztfaonxjfjfhakpj.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\avmhuqffqdafcfzkqlg.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\njbxliyzlzxdbfamtpld.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\trljzyqthxxffliwfdbvtj.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\trljzyqthxxffliwfdbvtj.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\czspectvixwdchdqyvsli.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zrfxhamjrbvxrriq.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\avmhuqffqdafcfzkqlg.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\avmhuqffqdafcfzkqlg.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File created | C:\Windows\SysWOW64\mrsxuazjebixervqglqrwtzyi.ahw | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\trljzyqthxxffliwfdbvtj.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gzohsmzxgrmpkldmq.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pjztfaonxjfjfhakpj.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\njbxliyzlzxdbfamtpld.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gzohsmzxgrmpkldmq.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\njbxliyzlzxdbfamtpld.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\njbxliyzlzxdbfamtpld.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zrfxhamjrbvxrriq.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gzohsmzxgrmpkldmq.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File created | C:\Windows\SysWOW64\rhtjrisntbttljyefvlxnvmwrxfxxpncijzp.rzq | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zrfxhamjrbvxrriq.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pjztfaonxjfjfhakpj.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\czspectvixwdchdqyvsli.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\czspectvixwdchdqyvsli.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mrsxuazjebixervqglqrwtzyi.ahw | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\avmhuqffqdafcfzkqlg.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\trljzyqthxxffliwfdbvtj.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zrfxhamjrbvxrriq.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rhtjrisntbttljyefvlxnvmwrxfxxpncijzp.rzq | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pjztfaonxjfjfhakpj.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gzohsmzxgrmpkldmq.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\mrsxuazjebixervqglqrwtzyi.ahw | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File created | C:\Program Files (x86)\mrsxuazjebixervqglqrwtzyi.ahw | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Program Files (x86)\rhtjrisntbttljyefvlxnvmwrxfxxpncijzp.rzq | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File created | C:\Program Files (x86)\rhtjrisntbttljyefvlxnvmwrxfxxpncijzp.rzq | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\gzohsmzxgrmpkldmq.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\gzohsmzxgrmpkldmq.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\avmhuqffqdafcfzkqlg.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\gzohsmzxgrmpkldmq.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\zrfxhamjrbvxrriq.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\gzohsmzxgrmpkldmq.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\njbxliyzlzxdbfamtpld.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\zrfxhamjrbvxrriq.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\zrfxhamjrbvxrriq.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\trljzyqthxxffliwfdbvtj.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\czspectvixwdchdqyvsli.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\njbxliyzlzxdbfamtpld.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\czspectvixwdchdqyvsli.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\trljzyqthxxffliwfdbvtj.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\czspectvixwdchdqyvsli.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\njbxliyzlzxdbfamtpld.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\njbxliyzlzxdbfamtpld.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File created | C:\Windows\rhtjrisntbttljyefvlxnvmwrxfxxpncijzp.rzq | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\pjztfaonxjfjfhakpj.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\avmhuqffqdafcfzkqlg.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File created | C:\Windows\mrsxuazjebixervqglqrwtzyi.ahw | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\pjztfaonxjfjfhakpj.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\avmhuqffqdafcfzkqlg.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\pjztfaonxjfjfhakpj.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\zrfxhamjrbvxrriq.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\czspectvixwdchdqyvsli.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\mrsxuazjebixervqglqrwtzyi.ahw | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\rhtjrisntbttljyefvlxnvmwrxfxxpncijzp.rzq | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\avmhuqffqdafcfzkqlg.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\pjztfaonxjfjfhakpj.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| File opened for modification | C:\Windows\trljzyqthxxffliwfdbvtj.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\trljzyqthxxffliwfdbvtj.exe | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\cjmts.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\12733f995ba05a3fac496e95cdcdb013_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
"C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\12733f995ba05a3fac496e95cdcdb013_jaffacakes118.exe*"
C:\Users\Admin\AppData\Local\Temp\cjmts.exe
"C:\Users\Admin\AppData\Local\Temp\cjmts.exe" "-C:\Users\Admin\AppData\Local\Temp\zrfxhamjrbvxrriq.exe"
C:\Users\Admin\AppData\Local\Temp\cjmts.exe
"C:\Users\Admin\AppData\Local\Temp\cjmts.exe" "-C:\Users\Admin\AppData\Local\Temp\zrfxhamjrbvxrriq.exe"
C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
"C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\12733f995ba05a3fac496e95cdcdb013_jaffacakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | 92.206.27.104.in-addr.arpa | udp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | 175.155.67.172.in-addr.arpa | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | 79.222.19.104.in-addr.arpa | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.adobe.com | udp |
| BE | 23.14.90.89:80 | www.adobe.com | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| HK | 103.235.46.96:80 | www.baidu.com | tcp |
| LT | 78.58.3.233:19832 | | tcp |
| US | 8.8.8.8:53 | vsdgddzap.org | udp |
| US | 162.249.65.164:80 | vsdgddzap.org | tcp |
| US | 8.8.8.8:53 | 96.46.235.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | emfevccuwzsk.info | udp |
| US | 8.8.8.8:53 | usgoiukeyi.org | udp |
| US | 8.8.8.8:53 | kwhfqnnejec.info | udp |
| US | 34.211.97.45:80 | kwhfqnnejec.info | tcp |
| US | 8.8.8.8:53 | aoieqa.org | udp |
| US | 8.8.8.8:53 | gkucss.org | udp |
| US | 8.8.8.8:53 | 45.97.211.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bmrxktfuuqh.net | udp |
| US | 8.8.8.8:53 | eomqiyui.org | udp |
| US | 162.249.65.164:80 | eomqiyui.org | tcp |
| BG | 77.70.118.230:14485 | | tcp |
| US | 8.8.8.8:53 | heylzdxbfmj.net | udp |
| US | 8.8.8.8:53 | pqzpbyrcjiq.net | udp |
| US | 8.8.8.8:53 | yaqycsyihod.net | udp |
| US | 8.8.8.8:53 | mzmiavzflk.info | udp |
| US | 8.8.8.8:53 | nfwbtoxcplp.net | udp |
| US | 8.8.8.8:53 | hazzthxrziyh.net | udp |
| US | 8.8.8.8:53 | dmlqfdncupgd.net | udp |
| US | 8.8.8.8:53 | wctinmt.info | udp |
| US | 8.8.8.8:53 | zhzzui.info | udp |
| US | 8.8.8.8:53 | yknwqmy.net | udp |
| US | 8.8.8.8:53 | jawzfnq.org | udp |
| US | 162.249.65.164:80 | jawzfnq.org | tcp |
| US | 8.8.8.8:53 | ddepjzmilwnm.info | udp |
| US | 8.8.8.8:53 | nqmsvc.net | udp |
| US | 8.8.8.8:53 | fmovmdjejujj.net | udp |
| US | 8.8.8.8:53 | myywyq.com | udp |
| US | 8.8.8.8:53 | esikaeyw.org | udp |
| US | 8.8.8.8:53 | ikzszjxmq.info | udp |
| US | 208.100.26.245:80 | ikzszjxmq.info | tcp |
| US | 8.8.8.8:53 | oqgkggok.org | udp |
| US | 8.8.8.8:53 | evbkdgdwpwt.net | udp |
| US | 8.8.8.8:53 | hkzpou.net | udp |
| US | 8.8.8.8:53 | tpsedopx.info | udp |
| US | 8.8.8.8:53 | nibgvqqbg.net | udp |
| US | 8.8.8.8:53 | uzkuscfmpaz.info | udp |
| US | 8.8.8.8:53 | bfnkdfbtnuch.info | udp |
| US | 8.8.8.8:53 | zdcyswrenlxc.info | udp |
| US | 8.8.8.8:53 | dirugm.net | udp |
| US | 8.8.8.8:53 | hswepwt.com | udp |
| US | 8.8.8.8:53 | plyqwryarhgd.info | udp |
| US | 8.8.8.8:53 | ncloprwjca.info | udp |
| US | 8.8.8.8:53 | zaonbwzcd.net | udp |
| US | 8.8.8.8:53 | vhmhhato.net | udp |
| US | 8.8.8.8:53 | fdtcsoxm.net | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | eugisycc.com | udp |
| US | 8.8.8.8:53 | yvrnagjc.info | udp |
| US | 8.8.8.8:53 | cktstug.net | udp |
| US | 8.8.8.8:53 | fmvgjakid.net | udp |
| US | 8.8.8.8:53 | xnoosyodls.info | udp |
| US | 8.8.8.8:53 | kadwqbf.info | udp |
| US | 8.8.8.8:53 | jydnupwk.net | udp |
| US | 8.8.8.8:53 | bsdytwg.info | udp |
| US | 8.8.8.8:53 | neldjwn.info | udp |
| US | 8.8.8.8:53 | lzzqgigv.info | udp |
| US | 8.8.8.8:53 | usjgzpa.net | udp |
| US | 8.8.8.8:53 | klfmhllih.net | udp |
| US | 8.8.8.8:53 | ostdxxh.info | udp |
| US | 8.8.8.8:53 | zghozkwyfpb.net | udp |
| US | 8.8.8.8:53 | cgeqrpjejzug.info | udp |
| US | 8.8.8.8:53 | oocgwu.org | udp |
| US | 162.249.65.164:80 | oocgwu.org | tcp |
| BG | 188.254.157.235:20334 | | tcp |
| US | 8.8.8.8:53 | yywwskakkm.com | udp |
| US | 8.8.8.8:53 | irdyzjk.net | udp |
| US | 8.8.8.8:53 | nmduvdesx.net | udp |
| US | 8.8.8.8:53 | mgdiez.info | udp |
| US | 8.8.8.8:53 | vivuws.net | udp |
| US | 8.8.8.8:53 | mebzfgl.net | udp |
| US | 8.8.8.8:53 | cdzpkscetox.info | udp |
| US | 8.8.8.8:53 | ztuuvewk.info | udp |
| US | 8.8.8.8:53 | mujluotetkp.info | udp |
| US | 8.8.8.8:53 | toevsnfdpzfz.info | udp |
| US | 8.8.8.8:53 | ggqufvvq.info | udp |
| US | 8.8.8.8:53 | gejgdibh.net | udp |
| US | 8.8.8.8:53 | lwfxdefilma.net | udp |
| US | 8.8.8.8:53 | gqhggzzsso.net | udp |
| US | 8.8.8.8:53 | tanuxkhcugs.net | udp |
| US | 8.8.8.8:53 | xknruirqxxr.info | udp |
| US | 8.8.8.8:53 | lqjmrqxmfwy.net | udp |
| US | 8.8.8.8:53 | jygxloual.info | udp |
| US | 8.8.8.8:53 | duckslugd.info | udp |
| US | 8.8.8.8:53 | ipigcemabqk.info | udp |
| US | 8.8.8.8:53 | twvyrobjhur.org | udp |
| US | 162.249.65.164:80 | twvyrobjhur.org | tcp |
| US | 8.8.8.8:53 | bgjsrmdylgn.net | udp |
| US | 8.8.8.8:53 | seltehtst.net | udp |
| US | 8.8.8.8:53 | mvndtylzwo.net | udp |
| US | 8.8.8.8:53 | nomvmt.net | udp |
| US | 8.8.8.8:53 | tgjrvrzhtnhi.net | udp |
| US | 8.8.8.8:53 | bmggjybdrea.net | udp |
| US | 8.8.8.8:53 | hrvppstq.net | udp |
| US | 8.8.8.8:53 | ecymauii.org | udp |
| US | 8.8.8.8:53 | birmrcz.com | udp |
| US | 8.8.8.8:53 | sotogai.info | udp |
| US | 8.8.8.8:53 | mgqseqkksa.com | udp |
| US | 8.8.8.8:53 | jouzrkl.com | udp |
| US | 8.8.8.8:53 | scpfdwfjo.net | udp |
| US | 8.8.8.8:53 | uggascemos.org | udp |
| BG | 89.215.53.84:21536 | | tcp |
| US | 162.249.65.164:80 | uggascemos.org | tcp |
| US | 8.8.8.8:53 | nlldhhlv.info | udp |
| US | 8.8.8.8:53 | jemmtsfcs.info | udp |
| US | 8.8.8.8:53 | asrtjakcr.net | udp |
| US | 8.8.8.8:53 | gmywoy.com | udp |
| US | 8.8.8.8:53 | qahdxtmcddb.info | udp |
| US | 8.8.8.8:53 | hpfwskhidyp.org | udp |
| US | 8.8.8.8:53 | pbnatw.info | udp |
| US | 8.8.8.8:53 | pwmcxqvob.org | udp |
| US | 8.8.8.8:53 | ykkkisykyqqm.com | udp |
| US | 8.8.8.8:53 | dtizeuozkaeh.info | udp |
| US | 8.8.8.8:53 | xpustd.info | udp |
| US | 8.8.8.8:53 | nnrfbvwm.net | udp |
| US | 8.8.8.8:53 | dxwgjb.info | udp |
| US | 8.8.8.8:53 | soikky.com | udp |
| US | 8.8.8.8:53 | drhdqpor.info | udp |
| US | 8.8.8.8:53 | hvpghcqsfehj.info | udp |
| US | 8.8.8.8:53 | nqfozsnnji.info | udp |
| US | 8.8.8.8:53 | virehlbqcyj.net | udp |
| US | 8.8.8.8:53 | lvpfpadyyxlm.net | udp |
| US | 8.8.8.8:53 | jwryrlhedht.com | udp |
| US | 8.8.8.8:53 | xuvsjinhp.com | udp |
| US | 8.8.8.8:53 | kgmsogygwo.com | udp |
| US | 8.8.8.8:53 | vqnydsz.org | udp |
| US | 8.8.8.8:53 | suvqjyw.info | udp |
| US | 8.8.8.8:53 | ssodao.info | udp |
| US | 8.8.8.8:53 | hsolelxe.net | udp |
| US | 8.8.8.8:53 | lkcenos.org | udp |
| US | 8.8.8.8:53 | scyssywk.org | udp |
| US | 162.249.65.164:80 | scyssywk.org | tcp |
| BR | 95.86.13.76:32531 | | tcp |
| US | 8.8.8.8:53 | objszqxufyx.info | udp |
| US | 8.8.8.8:53 | mksjysx.info | udp |
| US | 8.8.8.8:53 | icfetsg.info | udp |
| US | 8.8.8.8:53 | vmuvpm.info | udp |
| US | 8.8.8.8:53 | hupytxy.net | udp |
| US | 8.8.8.8:53 | wmoofupowul.info | udp |
| US | 8.8.8.8:53 | dgpltr.info | udp |
| US | 8.8.8.8:53 | mfqevttiubqh.info | udp |
| US | 8.8.8.8:53 | dngfnjmhzh.info | udp |
| US | 8.8.8.8:53 | lvpicxnk.info | udp |
| US | 8.8.8.8:53 | hqhansjajqn.net | udp |
| US | 8.8.8.8:53 | tvfsnu.net | udp |
| US | 8.8.8.8:53 | eeagemac.com | udp |
| US | 8.8.8.8:53 | nyexzeu.net | udp |
| US | 8.8.8.8:53 | fqkeisrthq.info | udp |
| US | 8.8.8.8:53 | xufnezb.info | udp |
| US | 8.8.8.8:53 | cmsymi.com | udp |
| US | 8.8.8.8:53 | ccqpelrkro.info | udp |
| US | 8.8.8.8:53 | owdqngxobkx.info | udp |
| US | 8.8.8.8:53 | cgfpmcymz.info | udp |
| US | 8.8.8.8:53 | kwgcyk.com | udp |
| US | 8.8.8.8:53 | qymieem.net | udp |
| US | 8.8.8.8:53 | ehcjnu.net | udp |
| US | 8.8.8.8:53 | vrjqjvrwfcm.info | udp |
| US | 8.8.8.8:53 | oqdhibk.net | udp |
| US | 8.8.8.8:53 | tayddxqraiej.net | udp |
| US | 8.8.8.8:53 | lwpxxoabd.net | udp |
| US | 8.8.8.8:53 | dxpuzatb.info | udp |
| US | 8.8.8.8:53 | uuooygishc.net | udp |
| US | 8.8.8.8:53 | yeiohsd.info | udp |
| US | 8.8.8.8:53 | zswpbpbmna.net | udp |
| US | 8.8.8.8:53 | ybkfgv.net | udp |
| US | 8.8.8.8:53 | ucrszfzf.info | udp |
| US | 8.8.8.8:53 | xotuoivmx.com | udp |
| US | 8.8.8.8:53 | bgfbufft.net | udp |
| US | 8.8.8.8:53 | egroraxatel.net | udp |
| US | 8.8.8.8:53 | rkhauoj.org | udp |
| US | 8.8.8.8:53 | kcyyao.com | udp |
| US | 8.8.8.8:53 | zucddldslz.net | udp |
| US | 8.8.8.8:53 | hylczucs.info | udp |
| US | 8.8.8.8:53 | udhmlbuqpa.info | udp |
| US | 8.8.8.8:53 | pzkckjxhpj.net | udp |
| US | 8.8.8.8:53 | toogavp.org | udp |
| US | 8.8.8.8:53 | efochgzyukl.net | udp |
| US | 8.8.8.8:53 | ccowpuzmvig.info | udp |
| US | 8.8.8.8:53 | zucfey.net | udp |
| US | 8.8.8.8:53 | ypyuoitqoa.info | udp |
| US | 8.8.8.8:53 | oaqnnvenwa.info | udp |
| US | 8.8.8.8:53 | yprbvuqj.net | udp |
| US | 8.8.8.8:53 | jkudqejzfc.net | udp |
| US | 8.8.8.8:53 | pldpgii.net | udp |
| US | 8.8.8.8:53 | ssjaven.info | udp |
| US | 8.8.8.8:53 | zmaquu.net | udp |
| US | 8.8.8.8:53 | mtsvewy.net | udp |
| US | 8.8.8.8:53 | laytjkc.info | udp |
| US | 8.8.8.8:53 | ntqphzlhlhxj.net | udp |
| US | 8.8.8.8:53 | ggbcgytgpoq.info | udp |
| US | 8.8.8.8:53 | aabrvuz.info | udp |
| US | 8.8.8.8:53 | bqnqljllbyn.com | udp |
| US | 8.8.8.8:53 | zsgicqdhe.info | udp |
| US | 8.8.8.8:53 | wuihibpv.net | udp |
| US | 8.8.8.8:53 | qukxnipr.info | udp |
| US | 8.8.8.8:53 | fumovch.org | udp |
| US | 8.8.8.8:53 | cgwiwcmmkiku.org | udp |
| US | 8.8.8.8:53 | akridp.info | udp |
| US | 8.8.8.8:53 | ymhulnl.info | udp |
| US | 8.8.8.8:53 | yeoccgwa.com | udp |
| US | 8.8.8.8:53 | upaxna.net | udp |
| US | 8.8.8.8:53 | jcfavurdlf.info | udp |
| US | 8.8.8.8:53 | jupvpshulol.info | udp |
| US | 8.8.8.8:53 | smfnihl.info | udp |
| US | 8.8.8.8:53 | oiocsqak.org | udp |
| US | 8.8.8.8:53 | zrkholzwximd.net | udp |
| US | 8.8.8.8:53 | kiyakmugcu.org | udp |
| US | 8.8.8.8:53 | srrquwn.info | udp |
| US | 8.8.8.8:53 | oucqwamusu.com | udp |
| US | 8.8.8.8:53 | nnkapwjgdgw.com | udp |
| US | 8.8.8.8:53 | rudfxcjvcd.net | udp |
| US | 8.8.8.8:53 | ioxhkydl.info | udp |
| US | 8.8.8.8:53 | oqwcsdfgpjyh.net | udp |
| US | 8.8.8.8:53 | zwdnsfvt.info | udp |
| US | 8.8.8.8:53 | cjrsdgmijgn.net | udp |
| US | 8.8.8.8:53 | xjlpbt.net | udp |
| US | 8.8.8.8:53 | tglikq.net | udp |
| US | 8.8.8.8:53 | gacejehauky.info | udp |
| US | 8.8.8.8:53 | tsjlatxlzhn.info | udp |
| US | 8.8.8.8:53 | ukrbvtdgtugm.net | udp |
| US | 8.8.8.8:53 | jodeapx.info | udp |
| US | 8.8.8.8:53 | bxjlwifma.com | udp |
| US | 8.8.8.8:53 | shvehdrsc.net | udp |
| US | 8.8.8.8:53 | rfgmqcgcdtc.net | udp |
| US | 8.8.8.8:53 | nrqwji.net | udp |
| US | 8.8.8.8:53 | oqpxzvwusmb.net | udp |
| US | 8.8.8.8:53 | ckoaywyaycye.org | udp |
| US | 8.8.8.8:53 | fhxtexidokzw.info | udp |
| US | 8.8.8.8:53 | rdtlpxnrditr.net | udp |
| US | 8.8.8.8:53 | diyylaa.info | udp |
| US | 8.8.8.8:53 | eozpiuepsq.net | udp |
| US | 8.8.8.8:53 | jcxcwolq.info | udp |
| US | 8.8.8.8:53 | xmvvsgg.info | udp |
| US | 8.8.8.8:53 | sinpaqtwckai.info | udp |
| US | 8.8.8.8:53 | psdezsjujdhu.net | udp |
| US | 8.8.8.8:53 | fdpnzdcp.net | udp |
| US | 8.8.8.8:53 | vpmwcit.org | udp |
| US | 8.8.8.8:53 | bshorya.net | udp |
| US | 8.8.8.8:53 | letyvqzergl.info | udp |
| US | 8.8.8.8:53 | nsqaozdjaman.net | udp |
| US | 8.8.8.8:53 | skqoqooa.org | udp |
| US | 8.8.8.8:53 | rgtytol.net | udp |
| US | 8.8.8.8:53 | iegkceci.org | udp |
| US | 8.8.8.8:53 | wobxezdp.info | udp |
| US | 8.8.8.8:53 | iukasqqcacyi.com | udp |
| US | 8.8.8.8:53 | yndhqlv.net | udp |
| US | 8.8.8.8:53 | ikkndhcwqqit.info | udp |
| US | 8.8.8.8:53 | smjasmiaue.info | udp |
| US | 8.8.8.8:53 | oakmqgswoo.com | udp |
| US | 8.8.8.8:53 | vybqdcpl.info | udp |
| US | 8.8.8.8:53 | cilfvxh.net | udp |
| US | 8.8.8.8:53 | gknwcell.net | udp |
| US | 8.8.8.8:53 | auowmaggsumq.org | udp |
| US | 162.249.65.164:80 | auowmaggsumq.org | tcp |
| PT | 85.138.180.127:27682 | | tcp |
| US | 8.8.8.8:53 | hwoelkl.org | udp |
| US | 8.8.8.8:53 | aglgbwpajmk.net | udp |
| US | 8.8.8.8:53 | tlyyrd.net | udp |
| US | 8.8.8.8:53 | sqckykawccim.com | udp |
| US | 8.8.8.8:53 | cmzsdyzkh.net | udp |
| US | 8.8.8.8:53 | nqjfwuadxx.net | udp |
| US | 8.8.8.8:53 | rohyfivwvya.org | udp |
| US | 8.8.8.8:53 | adbjxihil.info | udp |
| US | 8.8.8.8:53 | swvytsb.net | udp |
| US | 8.8.8.8:53 | jibkbjeldgkz.net | udp |
| US | 8.8.8.8:53 | iyrgakmou.net | udp |
| US | 8.8.8.8:53 | pqhxontj.net | udp |
| US | 8.8.8.8:53 | mwbhbki.info | udp |
| US | 8.8.8.8:53 | omfqblqlnzzt.net | udp |
| US | 8.8.8.8:53 | izteqgzgt.net | udp |
| US | 8.8.8.8:53 | vwwmxlvmw.com | udp |
| US | 8.8.8.8:53 | kweprm.net | udp |
| US | 8.8.8.8:53 | kiixvivcp.net | udp |
| US | 8.8.8.8:53 | yawmmc.com | udp |
| US | 8.8.8.8:53 | fixctnakvx.net | udp |
| US | 8.8.8.8:53 | xhjsrhxpnd.info | udp |
| US | 8.8.8.8:53 | mhdwxbfyhu.info | udp |
| US | 8.8.8.8:53 | oqyegm.org | udp |
| US | 162.249.65.164:80 | oqyegm.org | tcp |
| US | 8.8.8.8:53 | mwdaoog.net | udp |
| US | 8.8.8.8:53 | akomfdyhdsi.net | udp |
| US | 8.8.8.8:53 | daewhip.info | udp |
| US | 8.8.8.8:53 | qowgxzsf.info | udp |
| US | 8.8.8.8:53 | oafejrpo.info | udp |
| US | 8.8.8.8:53 | weceuysoak.com | udp |
| US | 8.8.8.8:53 | fgnmhy.net | udp |
| US | 8.8.8.8:53 | ebjaduv.info | udp |
| US | 8.8.8.8:53 | iebrpezuxux.info | udp |
| US | 8.8.8.8:53 | axwkke.info | udp |
| US | 8.8.8.8:53 | osuqasmwkega.com | udp |
| US | 8.8.8.8:53 | ejusptc.info | udp |
| US | 8.8.8.8:53 | eaouymasiykg.org | udp |
| US | 8.8.8.8:53 | dyrrlkpgb.net | udp |
| US | 8.8.8.8:53 | ekpdvpw.info | udp |
| US | 8.8.8.8:53 | aolhvg.net | udp |
| US | 8.8.8.8:53 | yiucei.org | udp |
| US | 8.8.8.8:53 | fjyqlnz.com | udp |
| US | 8.8.8.8:53 | tmlmnkjotnv.net | udp |
| US | 8.8.8.8:53 | qincfodmlne.net | udp |
| US | 8.8.8.8:53 | bnbilv.net | udp |
| US | 8.8.8.8:53 | cmaqegqw.com | udp |
| US | 8.8.8.8:53 | cucumkqw.org | udp |
| US | 8.8.8.8:53 | niftrlnvct.net | udp |
| US | 8.8.8.8:53 | olkwto.info | udp |
| US | 8.8.8.8:53 | mtnykydxqd.net | udp |
| US | 8.8.8.8:53 | fjrdep.net | udp |
| US | 8.8.8.8:53 | rxxaju.info | udp |
| US | 8.8.8.8:53 | zuftdbmycs.info | udp |
| US | 8.8.8.8:53 | veppsztexne.org | udp |
| US | 8.8.8.8:53 | rihfigppyj.info | udp |
| US | 8.8.8.8:53 | vvtpgopw.net | udp |
| US | 8.8.8.8:53 | jgpprltbnwop.info | udp |
| US | 8.8.8.8:53 | btvoiyrau.info | udp |
| US | 8.8.8.8:53 | byrftgjdfei.net | udp |
| US | 8.8.8.8:53 | uitohr.net | udp |
| US | 8.8.8.8:53 | pczyktdfwyt.net | udp |
| US | 8.8.8.8:53 | drhdjqvr.info | udp |
| US | 8.8.8.8:53 | hgfizrutddl.info | udp |
| US | 8.8.8.8:53 | wysaymkoqcgm.com | udp |
| US | 8.8.8.8:53 | dmiiag.info | udp |
| US | 8.8.8.8:53 | iueqqw.com | udp |
| US | 8.8.8.8:53 | kqaghircoer.net | udp |
| US | 8.8.8.8:53 | xorwtfl.info | udp |
| US | 8.8.8.8:53 | lwldae.net | udp |
| US | 8.8.8.8:53 | vqwnhb.net | udp |
| BG | 87.126.179.123:40449 | | tcp |
| US | 8.8.8.8:53 | okmkrkvcp.info | udp |
| US | 8.8.8.8:53 | lfdxbgrl.net | udp |
| US | 8.8.8.8:53 | hoiswxdmmta.org | udp |
| US | 8.8.8.8:53 | ykpklispmaad.info | udp |
| US | 8.8.8.8:53 | fapmez.net | udp |
| US | 8.8.8.8:53 | dwvohi.info | udp |
| US | 8.8.8.8:53 | otscjgrud.info | udp |
| US | 8.8.8.8:53 | lkariixqx.info | udp |
| US | 8.8.8.8:53 | ddizvdgmnj.info | udp |
| US | 8.8.8.8:53 | zixwrjjcr.org | udp |
| US | 8.8.8.8:53 | uaqkwieeysgm.org | udp |
| US | 8.8.8.8:53 | zqdhpffuxhlu.info | udp |
| US | 8.8.8.8:53 | xlfmyvpx.net | udp |
| US | 8.8.8.8:53 | gkwuccsw.com | udp |
| US | 8.8.8.8:53 | tmjpfknod.com | udp |
| US | 8.8.8.8:53 | uwmmme.com | udp |
| US | 8.8.8.8:53 | goohfykkntnm.info | udp |
| US | 8.8.8.8:53 | tuoehlqvsrgr.net | udp |
| US | 8.8.8.8:53 | tjhabtt.info | udp |
| US | 8.8.8.8:53 | vkhovsojdtqg.info | udp |
| US | 8.8.8.8:53 | gatzoe.net | udp |
| US | 8.8.8.8:53 | jaktktbzcd.info | udp |
| US | 8.8.8.8:53 | ceoyperlj.info | udp |
| US | 8.8.8.8:53 | flpxrtvjit.net | udp |
| US | 8.8.8.8:53 | vsrbzcvew.org | udp |
| US | 8.8.8.8:53 | ougixybel.info | udp |
| US | 8.8.8.8:53 | pfveuyfezshg.info | udp |
| US | 8.8.8.8:53 | xmzunf.info | udp |
| US | 8.8.8.8:53 | valkehh.info | udp |
| US | 8.8.8.8:53 | qfihkufoqxzj.net | udp |
| US | 8.8.8.8:53 | qqqcoscyie.com | udp |
| US | 8.8.8.8:53 | vstqpay.com | udp |
| US | 8.8.8.8:53 | nmjgyqvqfl.net | udp |
| US | 8.8.8.8:53 | hivxir.net | udp |
| US | 8.8.8.8:53 | wwzphoj.net | udp |
| US | 8.8.8.8:53 | pomnzbjfb.info | udp |
| US | 8.8.8.8:53 | dpzepnwnudlt.net | udp |
| US | 8.8.8.8:53 | oexgrlngb.info | udp |
| US | 8.8.8.8:53 | dcpgvybk.info | udp |
| US | 8.8.8.8:53 | qkokkrmp.net | udp |
| US | 8.8.8.8:53 | dcgykgbcb.info | udp |
| US | 8.8.8.8:53 | lqcjayujte.net | udp |
| US | 8.8.8.8:53 | dudplt.net | udp |
| US | 8.8.8.8:53 | sicsrkp.net | udp |
| US | 8.8.8.8:53 | equeey.com | udp |
| US | 8.8.8.8:53 | suisoowrjvra.info | udp |
| US | 8.8.8.8:53 | cjleudnxfzvs.info | udp |
| US | 8.8.8.8:53 | mwokweuu.com | udp |
| US | 8.8.8.8:53 | qwiykg.org | udp |
| US | 8.8.8.8:53 | kmnozj.net | udp |
| US | 8.8.8.8:53 | zsxidzxim.com | udp |
| US | 8.8.8.8:53 | swuumy.org | udp |
| US | 8.8.8.8:53 | ieoohldyg.net | udp |
| US | 8.8.8.8:53 | sbnwmhdd.info | udp |
| US | 8.8.8.8:53 | aqjslczttpd.net | udp |
| US | 8.8.8.8:53 | zweegzy.net | udp |
| US | 8.8.8.8:53 | oxjkrethyx.info | udp |
| US | 8.8.8.8:53 | xynofj.info | udp |
| US | 8.8.8.8:53 | hmzmoivltz.net | udp |
| US | 8.8.8.8:53 | zqgctaon.info | udp |
| US | 8.8.8.8:53 | oaooszxjtn.net | udp |
| US | 8.8.8.8:53 | hlgxyqryl.com | udp |
| US | 8.8.8.8:53 | vesyuca.net | udp |
| US | 8.8.8.8:53 | mqqjil.net | udp |
| US | 8.8.8.8:53 | rjzdyij.info | udp |
| US | 8.8.8.8:53 | rkvrcpskzayz.net | udp |
| US | 8.8.8.8:53 | lmypma.info | udp |
| US | 8.8.8.8:53 | wwduhci.net | udp |
| US | 8.8.8.8:53 | jlkxbpfz.info | udp |
| US | 8.8.8.8:53 | aglommn.net | udp |
| US | 8.8.8.8:53 | gkllimd.info | udp |
| US | 8.8.8.8:53 | ecyyfmw.info | udp |
| US | 8.8.8.8:53 | kmezdhrlorvt.net | udp |
| US | 8.8.8.8:53 | akaaae.org | udp |
| US | 8.8.8.8:53 | myboaksmt.net | udp |
| US | 8.8.8.8:53 | dsfukzr.net | udp |
| US | 8.8.8.8:53 | tkawbwugu.net | udp |
| US | 8.8.8.8:53 | ddlwjdfellt.com | udp |
| US | 8.8.8.8:53 | kefujkm.net | udp |
| US | 8.8.8.8:53 | ypphcb.info | udp |
| US | 8.8.8.8:53 | bjhrtzlc.net | udp |
| US | 8.8.8.8:53 | typiuwfoz.org | udp |
| US | 8.8.8.8:53 | mhyijq.info | udp |
| US | 8.8.8.8:53 | wvnxwtgs.info | udp |
| US | 8.8.8.8:53 | cdyifm.info | udp |
| US | 8.8.8.8:53 | gafkxsjitgr.net | udp |
| US | 8.8.8.8:53 | wufaegmef.info | udp |
| US | 8.8.8.8:53 | libnhirsn.info | udp |
| US | 8.8.8.8:53 | fbqoxk.net | udp |
| US | 8.8.8.8:53 | axswvo.net | udp |
| US | 8.8.8.8:53 | hujnckw.info | udp |
| US | 8.8.8.8:53 | vqnfpehmqiiu.net | udp |
| US | 8.8.8.8:53 | yinlnci.net | udp |
| US | 8.8.8.8:53 | cruftfwdx.info | udp |
| US | 8.8.8.8:53 | qahkwiajnf.info | udp |
| US | 8.8.8.8:53 | ygxgzmhw.net | udp |
| US | 8.8.8.8:53 | qmqftblgr.info | udp |
| US | 8.8.8.8:53 | yvcbvi.info | udp |
| US | 8.8.8.8:53 | uyjctzc.net | udp |
| US | 8.8.8.8:53 | eafwpqhen.net | udp |
| US | 8.8.8.8:53 | ngjbbcwxd.net | udp |
| US | 8.8.8.8:53 | esokeumyyq.org | udp |
| US | 8.8.8.8:53 | imiwkuec.org | udp |
| US | 8.8.8.8:53 | ziiwdb.info | udp |
| US | 8.8.8.8:53 | cwcqrss.info | udp |
| US | 8.8.8.8:53 | flzsrj.net | udp |
| US | 8.8.8.8:53 | jrpyucpidvfy.net | udp |
| US | 8.8.8.8:53 | epnwvkycuwg.info | udp |
| US | 8.8.8.8:53 | nkcovn.net | udp |
| US | 8.8.8.8:53 | oqbqgup.info | udp |
| US | 8.8.8.8:53 | osgigcqs.org | udp |
| US | 8.8.8.8:53 | uuymphxi.net | udp |
| US | 8.8.8.8:53 | qbkmkfhqr.net | udp |
| US | 8.8.8.8:53 | uekrdtj.info | udp |
| US | 8.8.8.8:53 | npdlusdqou.net | udp |
| US | 8.8.8.8:53 | toxwnv.net | udp |
| US | 8.8.8.8:53 | ugftcdjn.net | udp |
| US | 8.8.8.8:53 | yqsulei.info | udp |
| US | 8.8.8.8:53 | smimkascausi.org | udp |
| US | 8.8.8.8:53 | waakiuwsawim.org | udp |
| US | 8.8.8.8:53 | hoxrgbubyucy.net | udp |
| US | 8.8.8.8:53 | gwumgkswsk.com | udp |
| US | 8.8.8.8:53 | zohwhzvkz.info | udp |
| US | 8.8.8.8:53 | mtfjpeepqqnl.info | udp |
| US | 8.8.8.8:53 | hbalfcbztj.info | udp |
| US | 8.8.8.8:53 | fdobiq.info | udp |
| US | 8.8.8.8:53 | byjpastg.info | udp |
| US | 8.8.8.8:53 | eihkplbkpj.net | udp |
| US | 8.8.8.8:53 | wlndnwzm.info | udp |
| US | 8.8.8.8:53 | ngvojinujfj.info | udp |
| US | 8.8.8.8:53 | zwxewzlyrqh.com | udp |
| US | 8.8.8.8:53 | zhfvskhlnozj.info | udp |
| US | 8.8.8.8:53 | rixdih.info | udp |
| US | 8.8.8.8:53 | mwwoeoaukm.org | udp |
| US | 8.8.8.8:53 | epvhkjuknagx.net | udp |
| US | 8.8.8.8:53 | zgvfhjfatp.net | udp |
| US | 8.8.8.8:53 | wrrpqs.net | udp |
| US | 8.8.8.8:53 | nbsqnr.net | udp |
| US | 8.8.8.8:53 | bttqrqrpxsjv.info | udp |
| US | 8.8.8.8:53 | jeysfhfpwx.net | udp |
| US | 8.8.8.8:53 | ftbcroxgmhp.org | udp |
| US | 8.8.8.8:53 | eeeguywiwqyc.org | udp |
| US | 8.8.8.8:53 | tfldcopk.net | udp |
| US | 8.8.8.8:53 | fubsrzyitvf.com | udp |
| US | 8.8.8.8:53 | bllxuuzlwmpw.net | udp |
| US | 8.8.8.8:53 | euqtjghuym.info | udp |
| US | 8.8.8.8:53 | ikuoogogyimu.org | udp |
| US | 8.8.8.8:53 | ribgflvd.net | udp |
| US | 8.8.8.8:53 | mpyrpmlkae.info | udp |
| US | 8.8.8.8:53 | icosseqyew.org | udp |
| US | 8.8.8.8:53 | syqcoscyie.com | udp |
| US | 8.8.8.8:53 | rqgmhpveajwl.info | udp |
| US | 8.8.8.8:53 | oygcqetbf.info | udp |
| US | 8.8.8.8:53 | rvoxkbyjno.info | udp |
| MD | 94.243.109.164:27616 | | tcp |
| US | 8.8.8.8:53 | vhyzwapneos.net | udp |
| US | 8.8.8.8:53 | camquygecg.org | udp |
| US | 8.8.8.8:53 | xdlwjsvw.net | udp |
| US | 8.8.8.8:53 | uvlvqxyijddu.net | udp |
| US | 8.8.8.8:53 | vzoxnp.net | udp |
| US | 8.8.8.8:53 | hecnuwlgpe.net | udp |
| US | 8.8.8.8:53 | jrzlnuk.info | udp |
| US | 8.8.8.8:53 | purlxvtaqib.net | udp |
| US | 8.8.8.8:53 | jjnvsh.net | udp |
| US | 8.8.8.8:53 | wdxhaicsckn.info | udp |
| US | 8.8.8.8:53 | nwpjvxrpbrje.info | udp |
| US | 8.8.8.8:53 | ymmdqgvkn.info | udp |
| US | 8.8.8.8:53 | mmeoeg.org | udp |
| US | 8.8.8.8:53 | onvnqwwnfgvo.info | udp |
| US | 8.8.8.8:53 | xrbklm.info | udp |
| US | 8.8.8.8:53 | ksmqpqwhmllp.info | udp |
| US | 8.8.8.8:53 | esnjqzve.net | udp |
| US | 8.8.8.8:53 | zzhqpcsufnl.com | udp |
| US | 8.8.8.8:53 | suicwlhzdsrh.net | udp |
| US | 8.8.8.8:53 | vsmujv.net | udp |
| US | 8.8.8.8:53 | ssoqokgcso.com | udp |
| US | 8.8.8.8:53 | keidxwtnvv.info | udp |
| US | 8.8.8.8:53 | nujjjhwmtcyu.info | udp |
| US | 8.8.8.8:53 | yqcggsaismgo.org | udp |
| US | 8.8.8.8:53 | yawueu.com | udp |
| US | 8.8.8.8:53 | ddkwhtss.net | udp |
| US | 8.8.8.8:53 | fgaupidmn.com | udp |
| US | 8.8.8.8:53 | vqzupslan.com | udp |
| US | 8.8.8.8:53 | osfirsowmqo.info | udp |
| US | 8.8.8.8:53 | xphcfo.info | udp |
| US | 8.8.8.8:53 | pvqlykfq.net | udp |
| US | 8.8.8.8:53 | rdjnva.net | udp |
| US | 8.8.8.8:53 | dtdkfhyx.net | udp |
| US | 8.8.8.8:53 | jvcuyszjq.com | udp |
| US | 8.8.8.8:53 | sghsiz.info | udp |
| US | 8.8.8.8:53 | vmihlahazqo.net | udp |
| US | 8.8.8.8:53 | lkpesxjfg.org | udp |
| US | 8.8.8.8:53 | ekssmwosaygc.com | udp |
| US | 8.8.8.8:53 | hklftrosir.net | udp |
| US | 8.8.8.8:53 | gphywn.net | udp |
| US | 8.8.8.8:53 | rlbgvsxfw.net | udp |
| US | 8.8.8.8:53 | vabsvubjcxdy.net | udp |
| US | 8.8.8.8:53 | cofqgl.info | udp |
| US | 8.8.8.8:53 | hmrkriten.org | udp |
| US | 8.8.8.8:53 | iuehlnle.info | udp |
| US | 8.8.8.8:53 | jvnkuin.com | udp |
| US | 8.8.8.8:53 | nsfkeafrtjn.info | udp |
| US | 8.8.8.8:53 | htxppevsz.info | udp |
| US | 8.8.8.8:53 | fnkrpwbdqayg.info | udp |
| US | 8.8.8.8:53 | wdeyfwyy.net | udp |
| US | 8.8.8.8:53 | wbbslhxq.net | udp |
| US | 8.8.8.8:53 | eaxqdamoi.net | udp |
| US | 8.8.8.8:53 | jtpdhst.org | udp |
| US | 162.249.65.164:80 | jtpdhst.org | tcp |
| US | 8.8.8.8:53 | uibimkrgbmc.info | udp |
| US | 8.8.8.8:53 | mflryaug.net | udp |
| US | 8.8.8.8:53 | gqbifil.info | udp |
| US | 8.8.8.8:53 | bfvbpfllrewl.net | udp |
| US | 8.8.8.8:53 | otqoobn.net | udp |
| US | 8.8.8.8:53 | tbrpvoic.net | udp |
| US | 8.8.8.8:53 | wonbpavkh.info | udp |
| US | 8.8.8.8:53 | ghijqajv.net | udp |
| US | 8.8.8.8:53 | lngqglyz.info | udp |
| US | 8.8.8.8:53 | qxefkafo.info | udp |
| US | 8.8.8.8:53 | rczmvcl.org | udp |
| US | 8.8.8.8:53 | jtcubboekvlp.info | udp |
| US | 8.8.8.8:53 | yvvwtcdubbd.net | udp |
| US | 8.8.8.8:53 | zqraqcb.net | udp |
| US | 8.8.8.8:53 | ssoljmykrowf.net | udp |
| US | 8.8.8.8:53 | hkmnxfbj.net | udp |
| US | 8.8.8.8:53 | pufmsnkufnei.info | udp |
| US | 8.8.8.8:53 | aksmkcau.com | udp |
| US | 8.8.8.8:53 | cuwixkt.net | udp |
| US | 8.8.8.8:53 | kasuiyek.com | udp |
| US | 8.8.8.8:53 | nkxapthjcw.info | udp |
| US | 8.8.8.8:53 | zbtgaub.com | udp |
| US | 8.8.8.8:53 | uiymqyos.org | udp |
| US | 8.8.8.8:53 | ioqgzotabjde.net | udp |
| US | 8.8.8.8:53 | nncjzrpiyjnu.net | udp |
| US | 8.8.8.8:53 | ymgeiqii.org | udp |
| US | 8.8.8.8:53 | pqumfck.org | udp |
| US | 8.8.8.8:53 | rqsmlao.net | udp |
| US | 8.8.8.8:53 | gombukxn.info | udp |
| US | 8.8.8.8:53 | gcaqcqkkqy.org | udp |
| US | 8.8.8.8:53 | kzegrfpqd.net | udp |
| US | 8.8.8.8:53 | aemoiseseq.org | udp |
| BG | 93.123.60.36:20172 | | tcp |
| US | 8.8.8.8:53 | btvqnszyn.net | udp |
| US | 8.8.8.8:53 | yppmyvzdzqj.info | udp |
| US | 8.8.8.8:53 | mcimqueg.com | udp |
| US | 8.8.8.8:53 | mnhowmb.net | udp |
| US | 8.8.8.8:53 | vysjvjpa.info | udp |
| US | 8.8.8.8:53 | tixlgcs.info | udp |
| US | 8.8.8.8:53 | yaiwwqauqmom.com | udp |
| US | 8.8.8.8:53 | cacqsu.com | udp |
| US | 8.8.8.8:53 | uyekaswyqcsw.org | udp |
| US | 8.8.8.8:53 | brymnfbvrhli.info | udp |
| US | 8.8.8.8:53 | umqwygr.net | udp |
| US | 8.8.8.8:53 | oiqicesqiu.com | udp |
| US | 8.8.8.8:53 | gajqbpkkosp.net | udp |
| US | 8.8.8.8:53 | aiegtwbep.info | udp |
| US | 8.8.8.8:53 | munvbtdatbta.net | udp |
| US | 8.8.8.8:53 | ilotakteky.net | udp |
| US | 8.8.8.8:53 | mqalpsv.info | udp |
| US | 8.8.8.8:53 | oamefufinsp.info | udp |
| US | 8.8.8.8:53 | mbpwcqlboe.info | udp |
| US | 8.8.8.8:53 | ctizju.info | udp |
| US | 8.8.8.8:53 | vojibmnbj.info | udp |
| US | 8.8.8.8:53 | jolojxhuye.net | udp |
| US | 8.8.8.8:53 | teburdm.info | udp |
| US | 8.8.8.8:53 | nvkegmombev.info | udp |
| US | 8.8.8.8:53 | vwzlbkneb.info | udp |
| US | 8.8.8.8:53 | vqybouacio.info | udp |
| US | 8.8.8.8:53 | rsnjpclmjcj.org | udp |
| US | 8.8.8.8:53 | burikkxzefq.com | udp |
| US | 8.8.8.8:53 | fkhwzufclml.info | udp |
| US | 8.8.8.8:53 | iepgrgprpkwl.info | udp |
| US | 8.8.8.8:53 | nlmmfjkkhk.net | udp |
| US | 8.8.8.8:53 | zdfqxmraf.org | udp |
| US | 162.249.65.164:80 | zdfqxmraf.org | tcp |
| US | 8.8.8.8:53 | nbddbt.net | udp |
| US | 8.8.8.8:53 | jomtbowvhjdy.info | udp |
| US | 8.8.8.8:53 | vgbztov.info | udp |
| US | 8.8.8.8:53 | vwacrgroz.info | udp |
| US | 8.8.8.8:53 | rilqxkv.com | udp |
| US | 8.8.8.8:53 | bixsou.info | udp |
| US | 8.8.8.8:53 | lobebxd.com | udp |
| US | 8.8.8.8:53 | vrrrdjxholra.net | udp |
| US | 8.8.8.8:53 | bzhzfgrbfqh.info | udp |
| US | 8.8.8.8:53 | occyom.org | udp |
| US | 8.8.8.8:53 | omuejyvdsq.info | udp |
| US | 8.8.8.8:53 | casqxdxt.net | udp |
| US | 8.8.8.8:53 | isogam.com | udp |
| FR | 162.19.4.1:80 | isogam.com | tcp |
| US | 8.8.8.8:53 | fmntzmp.info | udp |
| US | 8.8.8.8:53 | aqhyxevud.net | udp |
| US | 8.8.8.8:53 | hsbqnqd.info | udp |
| US | 8.8.8.8:53 | 1.4.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jvmkdb.info | udp |
| US | 8.8.8.8:53 | uddtynjrja.info | udp |
| US | 8.8.8.8:53 | qmouaemucecm.com | udp |
| US | 8.8.8.8:53 | vpzbjofwv.net | udp |
| US | 8.8.8.8:53 | vujolokwt.net | udp |
| US | 8.8.8.8:53 | aflzpvxkiz.info | udp |
| US | 8.8.8.8:53 | yxqewriktar.info | udp |
| US | 8.8.8.8:53 | kyqugqywge.com | udp |
| US | 8.8.8.8:53 | jxxmjjlfvykt.info | udp |
| US | 8.8.8.8:53 | wxlieancrkf.net | udp |
| US | 8.8.8.8:53 | qobsyud.net | udp |
| US | 8.8.8.8:53 | eypegkf.net | udp |
| US | 8.8.8.8:53 | xpdwdmp.org | udp |
| US | 8.8.8.8:53 | gounbviz.info | udp |
| US | 8.8.8.8:53 | bydodr.net | udp |
| US | 8.8.8.8:53 | uznfsjbiu.net | udp |
| US | 8.8.8.8:53 | oukckyekao.org | udp |
| US | 8.8.8.8:53 | | udp |
| US | 162.249.65.164:80 | | tcp |
| N/A | 78.62.144.169:22671 | | tcp |
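The network table above is the usual shape of a domain-generation algorithm (DGA): hundreds of lookups for random-looking names, a handful that produce a follow-on TCP connection (jtpdhst.org and zdfqxmraf.org both to 162.249.65.164:80, isogam.com to 162.19.4.1:80), a PTR lookup of the peer the sample just talked to, and a few connections straight to an IP on a high port with no DNS at all. The script below is an added example for turning such a table into indicators; it is not part of the sandbox report. It parses rows in the report's own pipe layout (country, destination, domain, protocol), tolerates the rows whose domain cell is missing and whose protocol shifted left, and buckets them into queries, resolved connections, direct-to-IP connections and reverse lookups. The vowel-ratio score and its 0.3 threshold are a deliberately simple heuristic chosen for this example, not something the report states, and "unanswered" only means the report shows no later connection for that name, not that the resolver returned NXDOMAIN. The sample rows are copied from the table above.

```python
"""Extract indicators from a sandbox network table (added example)."""
import re

# Rows copied from the report, including rows whose domain cell is missing
# and whose protocol has shifted into the domain column.
SAMPLE_ROWS = """
| MD | 94.243.109.164:27616 | tcp | |
| US | 8.8.8.8:53 | vhyzwapneos.net | udp |
| US | 8.8.8.8:53 | jtpdhst.org | udp |
| US | 162.249.65.164:80 | jtpdhst.org | tcp |
| US | 8.8.8.8:53 | zdfqxmraf.org | udp |
| US | 162.249.65.164:80 | zdfqxmraf.org | tcp |
| US | 8.8.8.8:53 | isogam.com | udp |
| FR | 162.19.4.1:80 | isogam.com | tcp |
| US | 8.8.8.8:53 | 1.4.19.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ksmqpqwhmllp.info | udp |
| US | 8.8.8.8:53 | xdlwjsvw.net | udp |
| US | 8.8.8.8:53 | udp | |
| N/A | 78.62.144.169:22671 | tcp |
"""

PROTOCOLS = {"tcp", "udp"}
VOWELS = set("aeiou")
DEST_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")


def parse_row(line):
    """Return (country, ip, port, domain_or_None, proto) or None.

    The protocol is found by value rather than by position, so a row with
    an empty domain cell still parses correctly.
    """
    line = line.strip()
    if not line.startswith("|"):
        return None
    cells = [c.strip() for c in line.strip("|").split("|")]
    if len(cells) < 3:
        return None
    country, dest, rest = cells[0], cells[1], cells[2:]
    proto = next((c.lower() for c in rest if c.lower() in PROTOCOLS), None)
    domain = next((c for c in rest if c and c.lower() not in PROTOCOLS), None)
    m = DEST_RE.fullmatch(dest)
    if m is None or proto is None:
        return None
    return country, m.group(1), int(m.group(2)), domain, proto


def dga_score(domain):
    """Vowel share of the second-level label; pronounceable names score
    higher, names like 'ksmqpqwhmllp' score near zero (assumed heuristic)."""
    parts = domain.lower().split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in VOWELS for c in letters) / len(letters)


def triage(text, vowel_threshold=0.3):
    """Bucket the table rows into indicator classes."""
    queries = set()   # names looked up over DNS
    resolved = {}     # name -> "ip:port" of a later connection using it
    direct = []       # "ip:port" reached with no name at all
    reverse = []      # PTR lookups: the sample inspecting a peer it just used
    for line in text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        _country, ip, port, domain, proto = row
        if domain is None:
            if proto == "udp" and port == 53:
                continue  # a query whose name the report did not capture
            direct.append(f"{ip}:{port}")
        elif domain.endswith(".in-addr.arpa"):
            reverse.append(domain)
        elif proto == "udp" and port == 53:
            queries.add(domain)
        else:
            resolved[domain] = f"{ip}:{port}"
    return {
        "queries": sorted(queries),
        "resolved": resolved,
        "direct": direct,
        "reverse": reverse,
        "unanswered": sorted(queries - set(resolved)),
        "dga_like": sorted(d for d in queries if dga_score(d) < vowel_threshold),
    }


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_ROWS).items():
        print(f"{bucket}: {items}")
```

On the report's full table the useful indicators for blocking are the resolved pairs and the direct-to-IP connections; the bulk of the DGA names rotate and are only worth keeping as a behavioural signature (many low-vowel lookups in a short window, most never followed by a connection).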
Files
C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
| MD5 | 3d7e11d4bb9c0a48f9853e596dc4da17 |
| SHA1 | d6db78229ee1efcaf7ca53c63528ccfae24fb9c2 |
| SHA256 | 4eead57652239fb62bd5314cce3403c8667809f9251c090e74207468b8e1c144 |
| SHA512 | e03c87746ef6d45ca090f4bf62cf70f142a11848e1168cabb99abf4aff88f5bfb4a6b9aa48a38cfeae5fbf7f9fa11462beb9ca10111399af39bd27d37e455ea9 |
C:\Windows\SysWOW64\pjztfaonxjfjfhakpj.exe
| MD5 | 12733f995ba05a3fac496e95cdcdb013 |
| SHA1 | 6cdd41f788c984bddf8691af09fd67e2317c2302 |
| SHA256 | 78f4412b5ce4aca748096baf19f05130b7e9f64b9949397ffc68959e62462e6c |
| SHA512 | 76fbdb470649d70b89d36332bf2d47bc352c89a099292b0a640c75d046b24d26538eb766bc3a3f95222cf554c25237b35b41079e94c9c606cd98de2c6f6f562d |
C:\Users\Admin\AppData\Local\Temp\cjmts.exe
| MD5 | ecd47927cf64fe794c711bbfdf6b7c77 |
| SHA1 | 846c37effa48ba1aac993b17dab982dbb6737d5d |
| SHA256 | 4e0f2a0a23767461e7f26e36be55a1ddfbbf6758f539fbb1d8520093cd3ba2b8 |
| SHA512 | 1a3cf76b58f45c8a4e6ba376fa8fd108359ab732223db0641738f1870a57b24ae81ae3baab351f59c9adee1b47032ef9cf7c301667e109aa8f0b7cdab9111178 |
C:\Users\Admin\AppData\Local\mrsxuazjebixervqglqrwtzyi.ahw
| MD5 | f85eb75d8e118e408266f058c3f74cc0 |
| SHA1 | d55d76f178f2028a8f7a23da868bceaca12e6651 |
| SHA256 | b90844b792929f3aa914aef31843ac64a6149d34f3343527bb3c2338b71c6a56 |
| SHA512 | 38317b1804b639447521296597f7dd400acfa01583b8f46cec0f7add26d3f7b44fb0efefbe1a4d1e3d9a16a24d7cd12b60d924422ff4d4a7e2129af7c17451a8 |
C:\Users\Admin\AppData\Local\rhtjrisntbttljyefvlxnvmwrxfxxpncijzp.rzq
| MD5 | f96032a19d9e435b625c727578c6ffad |
| SHA1 | 254f32f4cddabcf613063940264c95a614ce1e2a |
| SHA256 | 9d35b1625eed4347abde159564c7338065314d974733332794a2a5d3501b1c3a |
| SHA512 | 72f1de2d75b94b925554bbc780494aab07db47f0eb94ac57fd625a9f2acb7923b71bf2cde3d6fa4c55b0bcaeed9d6f139f30b0528ca4f5f0eeaf4f06f3ff56f1 |
C:\Program Files (x86)\mrsxuazjebixervqglqrwtzyi.ahw
| MD5 | fffca5f360d8a5354a86b02f88a4f0a4 |
| SHA1 | fb053e41691692c462de98a0fc2b39f68e2f9853 |
| SHA256 | 8c322dffda6a1a7936c061efdd7b5aa97402b001657afd06a1302d57db483063 |
| SHA512 | 429b18363e701a9133793d172074e2853ef292469c93e306bf04133da43c20b378f47c3ef5dabb6bb5ea4b07f84f92977524c9a1f0bb1d995ddb6f58081bea9e |
C:\Program Files (x86)\mrsxuazjebixervqglqrwtzyi.ahw
| MD5 | 2651bda2691e3da8cc33d7c0c0418a13 |
| SHA1 | bd414e72306da419afc31ef6bbb95c5ed5b840f9 |
| SHA256 | ba01ecd8d232230672950f300c0040257f5acc6875894bd72296a84b2eefac51 |
| SHA512 | 6482358b3a33fac0bcfb2569af00ba0d1d6c8a9178fd1b4120ec9786e4a1d342464322553fa65cffa3f04cab5b3de1f087d610a7b396a28f95405f0d318a7986 |
C:\Program Files (x86)\mrsxuazjebixervqglqrwtzyi.ahw
| MD5 | 57364628e129529fbc18bd7d9a48be24 |
| SHA1 | 949f86233771e51cec5cc8daabcdedfedd80c7bf |
| SHA256 | a597b71e3c68b055ae9fd12bc5178a743f9006cc4db8eb4d80781324d80062d5 |
| SHA512 | 5c9c47ebe8ec737cc27360eb93a0a4562db0a32a0e6abffdf3c45e670b6a56b3f0b9c01d58f624d8d1687197462a263a73e50c0f2995caa3b7bed67058971248 |
C:\gryjmydtu.bat
| MD5 | 1192167e25794cffdbbb439cae8bb478 |
| SHA1 | ca491cdd1b85119eff222a7918b7c20f194ab92e |
| SHA256 | 8d98cad12852c396007009e36b58f87decf1973d2358040231417de73816f72e |
| SHA512 | a45ba8f103ffe71d2965027e303cbd639fa0319577b508b07d8c9da756b75c17212d8949a0411fdbbdfed719cbdede118370c6f5c44618dcb0f2c5aac738544f |
C:\Users\Admin\AppData\Local\mrsxuazjebixervqglqrwtzyi.ahw
| MD5 | 115e8f1e7c7baf13d3f5a81708ba97d0 |
| SHA1 | db62107e1be3c6759ef7e4fc80aa28d76efea7af |
| SHA256 | 98ef8ff5616a5d6c0ff521ccbd49092b27cae0bb4c5276610fac2294fb544b5e |
| SHA512 | 33dd94b55c66aac5d20361939b08c787b3850a6e60ba07d8ebbe26a784a17c44043dce06e21df7eda739b500a4a110a90e916b7b10150ee436a55c2e4e39cd88 |