Analysis Overview
SHA256: fbd2e2e9a43788994e7bd9f0f34240668a79c841a8c919ee79b8fcc9fda93dad
Threat Level: Known bad
The file 131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UAC bypass
Adds policy Run key to start application
Disables RegEdit via registry modification
Impair Defenses: Safe Mode Boot
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Checks whether UAC is enabled
Looks up external IP address via web service
Adds Run key to start application
Drops file in System32 directory
Drops autorun.inf file
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-26 19:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-26 19:17
Reported: 2024-06-26 19:20
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
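All four values written above live in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which only an administrator token can write, so by the time these rows were logged the sample was already elevated; what it does here is switch UAC off for later runs rather than get past a prompt that is in its way. The values also differ in when they bite: EnableLUA is read at boot, so a reboot is needed before Admin Approval Mode is actually gone, while ConsentPromptBehaviorAdmin=0 applies to the very next elevation request. The Python below is an added example, not code from the report or from the sandbox vendor: it replays the rows above (copied here as a constructed sample) over the Windows 10 default values and states what the resulting policy does.

```python
"""Added example (not from the report or the sandbox vendor): replay the
Policies\\System writes in the "UAC bypass" table and state what they do."""
from __future__ import annotations

import re
from typing import Iterable, Iterator

# Windows 10 defaults for the values the sample touches (documented UAC policy defaults).
UAC_DEFAULTS = {
    "EnableLUA": 1,                   # 1 = Admin Approval Mode on
    "ConsentPromptBehaviorAdmin": 5,  # 5 = prompt for consent for non-Windows binaries
    "ConsentPromptBehaviorUser": 3,   # 3 = prompt for credentials on the secure desktop
    "PromptOnSecureDesktop": 1,       # 1 = prompts are drawn on the secure desktop
}
POLICY_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
VALUE_RE = re.compile(r'^(?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+) = "(?P<data>[^"]*)"$')

# Constructed sample: rows copied from the "UAC bypass" and "Checks whether UAC
# is enabled" tables of this report, in the report's own column layout.
SAMPLE_ROWS = r"""
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
"""


def parse_rows(text: str) -> Iterator[tuple[str, str, str]]:
    """Yield (description, indicator, process) from '| a | b | c | d |' table rows."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0] != "Description":
            yield cells[0], cells[1], cells[2]


def replay_policy_writes(rows: Iterable[tuple[str, str, str]]) -> tuple[dict[str, int], dict[str, str]]:
    """Apply each 'Set value' row to the default policy in table order; last write wins.

    Returns the resulting state and, per value, the process that wrote it last.
    'Key value queried' rows are skipped: they only show the sample reading
    EnableLUA around its own write.
    """
    state = dict(UAC_DEFAULTS)
    writers: dict[str, str] = {}
    for desc, indicator, proc in rows:
        m = VALUE_RE.match(indicator)
        if not desc.startswith("Set value") or m is None:
            continue
        if m["key"].lower() != POLICY_KEY.lower() or m["name"] not in state:
            continue
        state[m["name"]] = int(m["data"])
        writers[m["name"]] = proc
    return state, writers


def silent_elevation_now(state: dict[str, int]) -> bool:
    """No consent prompt for an administrator's next elevation; effective without a reboot."""
    return state["ConsentPromptBehaviorAdmin"] == 0


def uac_off_after_reboot(state: dict[str, int]) -> bool:
    """EnableLUA is read at boot, so this change only takes effect after a restart."""
    return state["EnableLUA"] == 0


def explain(state: dict[str, int]) -> list[str]:
    """One line per value that differs from the default, with its consequence."""
    notes = {
        "EnableLUA": "Admin Approval Mode off after the next reboot; administrators run every process with a full token.",
        "ConsentPromptBehaviorAdmin": "elevation requests from administrators are granted without a prompt, from the next request on.",
        "ConsentPromptBehaviorUser": "elevation requests from standard users are refused automatically.",
        "PromptOnSecureDesktop": "any prompt still shown appears on the interactive desktop, where other processes can drive it.",
    }
    return [f"{name}={state[name]}: {notes[name]}"
            for name in UAC_DEFAULTS if state[name] != UAC_DEFAULTS[name]]


if __name__ == "__main__":
    final, by = replay_policy_writes(parse_rows(SAMPLE_ROWS))
    for line in explain(final):
        print(line)
    print("silent elevation now:", silent_elevation_now(final),
          "| UAC off after reboot:", uac_off_after_reboot(final))
```

On a live host the same logic applies to the values read back with `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"`; a box where ConsentPromptBehaviorAdmin is already 0 needs no reboot for the sample's children to elevate silently.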
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "xzmgefwplesryxcyltlna.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijvollbtogtrxvzugnef.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urzohdpduirlnhhy.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "xzmgefwplesryxcyltlna.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "kjtkfdrhaqbxbxzsch.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "bziyspcrjyidgbcud.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xzmgefwplesryxcyltlna.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bziyspcrjyidgbcud.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xzmgefwplesryxcyltlna.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "urzohdpduirlnhhy.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "bziyspcrjyidgbcud.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kjtkfdrhaqbxbxzsch.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "vvgyutiztkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "vvgyutiztkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bziyspcrjyidgbcud.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "urzohdpduirlnhhy.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "ijvollbtogtrxvzugnef.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "urzohdpduirlnhhy.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urzohdpduirlnhhy.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijvollbtogtrxvzugnef.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "kjtkfdrhaqbxbxzsch.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "ijvollbtogtrxvzugnef.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urzohdpduirlnhhy.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xzmgefwplesryxcyltlna.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "xzmgefwplesryxcyltlna.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
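Removing a service's entry from SafeBoot\Minimal stops it from starting in Safe Mode, which is exactly the boot mode a responder would use to strip the persistence registered elsewhere in this report. The Python below is an added example, not code from the report or the sandbox vendor: it reads the "Key deleted" rows above (copied as a constructed sample) and emits reg.exe commands that recreate each entry. Two assumptions are labelled in the code: the (Default) class string is inferred from the entry name (a *.sys entry is "Driver", anything else "Service"), and the commands target CurrentControlSet rather than the ControlSet001 named in the report, because the set Windows boots from is whichever HKLM\SYSTEM\Select\Current points to and CurrentControlSet is a link to it.

```python
"""Added example (not from the report or the sandbox vendor): turn the
"Key deleted" rows under SafeBoot\\Minimal into a restore plan."""
from __future__ import annotations

import re
from typing import Iterable, Iterator

SAFEBOOT_RE = re.compile(
    r"^\\REGISTRY\\MACHINE\\SYSTEM\\(?P<cset>ControlSet\d{3}|CurrentControlSet)"
    r"\\Control\\SafeBoot\\(?P<mode>Minimal|Network)\\(?P<entry>[^\\]+)$",
    re.IGNORECASE,
)

# Constructed sample: the six rows of the "Impair Defenses: Safe Mode Boot" table above.
SAMPLE_ROWS = r"""
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
"""


def parse_rows(text: str) -> Iterator[tuple[str, str, str]]:
    """Yield (description, indicator, process) from '| a | b | c | d |' table rows."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0] != "Description":
            yield cells[0], cells[1], cells[2]


def deleted_safeboot_entries(rows: Iterable[tuple[str, str, str]]) -> list[tuple[str, str, str]]:
    """(control set, safe-mode profile, entry name) for every deleted SafeBoot key."""
    out = []
    for desc, indicator, _proc in rows:
        m = SAFEBOOT_RE.match(indicator)
        if desc == "Key deleted" and m:
            out.append((m["cset"], m["mode"], m["entry"]))
    return out


def entry_class(entry: str) -> str:
    """(Default) REG_SZ of a SafeBoot entry: 'Driver' for a *.sys, 'Service' otherwise.

    Assumption drawn from the naming pattern of a stock SafeBoot\\Minimal key;
    confirm against an export from a clean host of the same build before applying.
    """
    return "Driver" if entry.lower().endswith(".sys") else "Service"


def restore_commands(entries: Iterable[tuple[str, str, str]],
                     control_set: str = "CurrentControlSet") -> list[str]:
    """reg.exe commands that recreate each entry with its class as the default value.

    The report names ControlSet001; on a live host CurrentControlSet is the safe
    target because it links to whichever set HKLM\\SYSTEM\\Select\\Current names.
    """
    cmds = []
    for _cset, mode, entry in entries:
        key = rf"HKLM\SYSTEM\{control_set}\Control\SafeBoot\{mode}\{entry}"
        cmds.append(f'reg add "{key}" /ve /t REG_SZ /d {entry_class(entry)} /f')
    return list(dict.fromkeys(cmds))   # drop duplicates, keep table order


def missing_entries(live: Iterable[str], baseline: Iterable[str]) -> set[str]:
    """Case-insensitive set of baseline entries absent from a live SafeBoot listing."""
    return {e.lower() for e in baseline} - {e.lower() for e in live}


if __name__ == "__main__":
    for cmd in restore_commands(deleted_safeboot_entries(parse_rows(SAMPLE_ROWS))):
        print(cmd)
```

The sandbox only logged deletions under Minimal within its 150 s window; on a real host compare both the Minimal and Network profiles against an export from a clean machine of the same build with `missing_entries`, since the six rows above are a lower bound, not the full list.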
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bziyspcrjyidgbcud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kjtkfdrhaqbxbxzsch.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bziyspcrjyidgbcud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xzmgefwplesryxcyltlna.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bziyspcrjyidgbcud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijvollbtogtrxvzugnef.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "kjtkfdrhaqbxbxzsch.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "bziyspcrjyidgbcud.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "xzmgefwplesryxcyltlna.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "bziyspcrjyidgbcud.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kjtkfdrhaqbxbxzsch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvgyutiztkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urzohdpduirlnhhy.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "vvgyutiztkwtyvysdjz.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plsgyterhucvwpo = "vvgyutiztkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "bziyspcrjyidgbcud.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plsgyterhucvwpo = "ijvollbtogtrxvzugnef.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plsgyterhucvwpo = "vvgyutiztkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kjtkfdrhaqbxbxzsch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bziyspcrjyidgbcud.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kjtkfdrhaqbxbxzsch.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xzmgefwplesryxcyltlna.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "ijvollbtogtrxvzugnef.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "urzohdpduirlnhhy.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kjtkfdrhaqbxbxzsch.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bziyspcrjyidgbcud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urzohdpduirlnhhy.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijvollbtogtrxvzugnef.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "vvgyutiztkwtyvysdjz.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvgyutiztkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urzohdpduirlnhhy.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "bziyspcrjyidgbcud.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bziyspcrjyidgbcud.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bziyspcrjyidgbcud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvgyutiztkwtyvysdjz.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bziyspcrjyidgbcud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kjtkfdrhaqbxbxzsch.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "bziyspcrjyidgbcud.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "urzohdpduirlnhhy.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plsgyterhucvwpo = "xzmgefwplesryxcyltlna.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "xzmgefwplesryxcyltlna.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kjtkfdrhaqbxbxzsch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kjtkfdrhaqbxbxzsch.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bziyspcrjyidgbcud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bziyspcrjyidgbcud.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvgyutiztkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kjtkfdrhaqbxbxzsch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urzohdpduirlnhhy.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijvollbtogtrxvzugnef.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kjtkfdrhaqbxbxzsch.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijvollbtogtrxvzugnef.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "kjtkfdrhaqbxbxzsch.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bziyspcrjyidgbcud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvgyutiztkwtyvysdjz.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xzmgefwplesryxcyltlna.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "vvgyutiztkwtyvysdjz.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kjtkfdrhaqbxbxzsch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kjtkfdrhaqbxbxzsch.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\urzohdpduirlnhhy.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xzmgefwplesryxcyltlna.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijvollbtogtrxvzugnef.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvgyutiztkwtyvysdjz.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kjtkfdrhaqbxbxzsch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xzmgefwplesryxcyltlna.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "urzohdpduirlnhhy.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plsgyterhucvwpo = "bziyspcrjyidgbcud.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "vvgyutiztkwtyvysdjz.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plsgyterhucvwpo = "ijvollbtogtrxvzugnef.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "vvgyutiztkwtyvysdjz.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plsgyterhucvwpo = "vvgyutiztkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bziyspcrjyidgbcud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xzmgefwplesryxcyltlna.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "ijvollbtogtrxvzugnef.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plsgyterhucvwpo = "kjtkfdrhaqbxbxzsch.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\lfkwmfoznyevu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bziyspcrjyidgbcud.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plsgyterhucvwpo = "bziyspcrjyidgbcud.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bziyspcrjyidgbcud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kjtkfdrhaqbxbxzsch.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "bziyspcrjyidgbcud.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "ijvollbtogtrxvzugnef.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
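Taken together, the Winlogon, "Adds policy Run key" and "Adds Run key" tables register the same handful of dropped executables under random value names, sometimes as a full path under the user's Temp directory and sometimes as a bare file name; a bare name is resolved through the normal search path, and the sample also drops copies of the same names into SysWOW64 (see "Drops file in System32 directory" below). Two details matter for triage. The HKLM Run/RunOnce writes land in the WOW6432Node view because the sample is 32-bit, and Explorer processes that view at logon alongside the native one, so those entries are live. The Winlogon Shell write also lands in the WOW6432Node view, which the 64-bit winlogon.exe does not read, and its data is the stock "Explorer.exe", so on this platform that signature does not amount to a working shell hijack. The Python below is an added example, not code from the report or the sandbox vendor: it normalizes the sandbox's registry paths, classifies each autostart, extracts the executable names as IOCs and produces reg.exe cleanup commands; the rows are copied from the three tables as a constructed sample.

```python
"""Added example (not from the report or the sandbox vendor): persistence
inventory from the Winlogon, policy Run and Run/RunOnce rows of the report."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Iterator

VALUE_RE = re.compile(r'^(?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\]+) = "(?P<data>.*)"$')

# Constructed sample: rows copied from the three autostart tables of this report.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\mhnarlvhwiphhz = "xzmgefwplesryxcyltlna.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\phkuizgpbko = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijvollbtogtrxvzugnef.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bziyspcrjyidgbcud = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kjtkfdrhaqbxbxzsch.exe ." | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\urzohdpduirlnhhy = "kjtkfdrhaqbxbxzsch.exe ." | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\kjtkfdrhaqbxbxzsch = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vvgyutiztkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plsgyterhucvwpo = "vvgyutiztkwtyvysdjz.exe" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mfjujbjtgqvl = "bziyspcrjyidgbcud.exe" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
"""


@dataclass(frozen=True)
class Entry:
    mechanism: str     # "Run", "RunOnce", "Policy Run" or "Winlogon Shell"
    hive: str          # "HKLM" or "HKU\<SID>"
    subkey: str        # path with any WOW6432Node segment removed
    name: str
    command: str
    executable: str    # lower-cased file name the command starts
    qualified: bool    # False when only a bare file name was registered
    wow64_view: bool   # True when the write landed in the 32-bit registry view
    writer: str


def parse_rows(text: str) -> Iterator[tuple[str, str, str]]:
    """Yield (description, indicator, process) from '| a | b | c | d |' table rows."""
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[0] != "Description":
            yield cells[0], cells[1], cells[2]


def normalize_key(path: str) -> tuple[str, str, bool]:
    r"""\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\X -> ('HKLM', 'SOFTWARE\X', True)."""
    parts = path.split("\\")             # ['', 'REGISTRY', 'MACHINE' or 'USER', ...]
    if parts[2].upper() == "MACHINE":
        hive, rest = "HKLM", parts[3:]
    else:                                # USER\<SID>\...
        hive, rest = "HKU\\" + parts[3], parts[4:]
    wow = len(rest) > 1 and rest[1].upper() == "WOW6432NODE"
    if wow:
        rest = rest[:1] + rest[2:]
    return hive, "\\".join(rest), wow


def mechanism_of(subkey: str, name: str) -> str | None:
    k = subkey.lower()
    if k.endswith(r"windows nt\currentversion\winlogon") and name.lower() == "shell":
        return "Winlogon Shell"
    if k.endswith(r"policies\explorer\run"):
        return "Policy Run"
    if k.endswith(r"currentversion\runonce"):
        return "RunOnce"
    if k.endswith(r"currentversion\run"):
        return "Run"
    return None


def executable_of(command: str) -> tuple[str, bool]:
    """First token of the command line (quoted or bare) as a lower-case file name."""
    token = command.strip()
    token = token[1:].split('"', 1)[0] if token.startswith('"') else token.split(" ", 1)[0]
    return token.rsplit("\\", 1)[-1].lower(), "\\" in token


def inventory(rows: Iterable[tuple[str, str, str]]) -> list[Entry]:
    entries = []
    for desc, indicator, proc in rows:
        m = VALUE_RE.match(indicator)
        if not desc.startswith("Set value") or m is None:
            continue
        hive, subkey, wow = normalize_key(m["key"])
        mech = mechanism_of(subkey, m["name"])
        if mech is None:
            continue
        command = m["data"].replace("\\\\", "\\")   # the report doubles backslashes in value data
        exe, qualified = executable_of(command)
        entries.append(Entry(mech, hive, subkey, m["name"], command, exe, qualified, wow, proc))
    return entries


def executables(entries: Iterable[Entry]) -> set[str]:
    return {e.executable for e in entries}


def by_mechanism(entries: Iterable[Entry]) -> dict[str, int]:
    return dict(Counter(e.mechanism for e in entries))


def shell_replaced(entries: Iterable[Entry]) -> bool:
    """True only if a Winlogon Shell write names something other than the stock explorer.exe."""
    return any(e.mechanism == "Winlogon Shell" and e.executable != "explorer.exe" for e in entries)


def remediation(entries: Iterable[Entry]) -> list[str]:
    """reg.exe commands for the autostart values; /reg:32 addresses the WOW6432Node view.
    A Shell value is reset rather than deleted, and only if it was actually changed."""
    cmds = []
    for e in entries:
        view = " /reg:32" if e.wow64_view else ""
        if e.mechanism == "Winlogon Shell":
            if e.executable != "explorer.exe":
                cmds.append(f'reg add "{e.hive}\\{e.subkey}" /v Shell /t REG_SZ /d explorer.exe /f{view}')
        else:
            cmds.append(f'reg delete "{e.hive}\\{e.subkey}" /v {e.name} /f{view}')
    return list(dict.fromkeys(cmds))
```

`executables()` is the list to sweep for in Temp, SysWOW64 and the Windows and Program Files directories named in the later tables; the unqualified entries are the reason the file copies matter as much as the registry values.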
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\vvgyutiztkwtyvysdjz.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ijvollbtogtrxvzugnef.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xzmgefwplesryxcyltlna.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bziyspcrjyidgbcud.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bziyspcrjyidgbcud.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kjtkfdrhaqbxbxzsch.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vvgyutiztkwtyvysdjz.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\orfazbtnkettbbhesbuxlg.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kjtkfdrhaqbxbxzsch.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ijvollbtogtrxvzugnef.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File created | C:\Windows\SysWOW64\mhnarlvhwiphhzxmstezfsjdnzoahzzrpekl.rxk | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kjtkfdrhaqbxbxzsch.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ijvollbtogtrxvzugnef.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\orfazbtnkettbbhesbuxlg.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\urzohdpduirlnhhy.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ijvollbtogtrxvzugnef.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bziyspcrjyidgbcud.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xzmgefwplesryxcyltlna.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kjtkfdrhaqbxbxzsch.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vvgyutiztkwtyvysdjz.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vvgyutiztkwtyvysdjz.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File created | C:\Windows\SysWOW64\hrmoudcdhielahuytjjtoqwfe.jkg | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\urzohdpduirlnhhy.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\orfazbtnkettbbhesbuxlg.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\hrmoudcdhielahuytjjtoqwfe.jkg | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mhnarlvhwiphhzxmstezfsjdnzoahzzrpekl.rxk | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xzmgefwplesryxcyltlna.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\orfazbtnkettbbhesbuxlg.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\urzohdpduirlnhhy.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xzmgefwplesryxcyltlna.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\urzohdpduirlnhhy.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\bziyspcrjyidgbcud.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\hrmoudcdhielahuytjjtoqwfe.jkg | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File created | C:\Program Files (x86)\hrmoudcdhielahuytjjtoqwfe.jkg | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\mhnarlvhwiphhzxmstezfsjdnzoahzzrpekl.rxk | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File created | C:\Program Files (x86)\mhnarlvhwiphhzxmstezfsjdnzoahzzrpekl.rxk | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\urzohdpduirlnhhy.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\kjtkfdrhaqbxbxzsch.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\hrmoudcdhielahuytjjtoqwfe.jkg | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\xzmgefwplesryxcyltlna.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\orfazbtnkettbbhesbuxlg.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\orfazbtnkettbbhesbuxlg.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File created | C:\Windows\hrmoudcdhielahuytjjtoqwfe.jkg | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\vvgyutiztkwtyvysdjz.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\urzohdpduirlnhhy.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\xzmgefwplesryxcyltlna.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\kjtkfdrhaqbxbxzsch.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\ijvollbtogtrxvzugnef.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\bziyspcrjyidgbcud.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\ijvollbtogtrxvzugnef.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\bziyspcrjyidgbcud.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\kjtkfdrhaqbxbxzsch.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\ijvollbtogtrxvzugnef.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\bziyspcrjyidgbcud.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\mhnarlvhwiphhzxmstezfsjdnzoahzzrpekl.rxk | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\kjtkfdrhaqbxbxzsch.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\ijvollbtogtrxvzugnef.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\urzohdpduirlnhhy.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\xzmgefwplesryxcyltlna.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\vvgyutiztkwtyvysdjz.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\xzmgefwplesryxcyltlna.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\orfazbtnkettbbhesbuxlg.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\orfazbtnkettbbhesbuxlg.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\bziyspcrjyidgbcud.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\vvgyutiztkwtyvysdjz.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| File opened for modification | C:\Windows\vvgyutiztkwtyvysdjz.exe | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File created | C:\Windows\mhnarlvhwiphhzxmstezfsjdnzoahzzrpekl.rxk | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| File opened for modification | C:\Windows\urzohdpduirlnhhy.exe | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\vjioylo.exe | N/A |
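Added example (not part of the sandbox report and not the sample's own code): a Python script that reads "Set value (int)" rows in the format of the table above and compares each `Policies\System` / `Policies\Explorer` write against Windows' documented default, so that writes which merely restate a default (ValidateAdminCodeSignatures = 0, FilterAdministratorToken = 0) are reported as no-ops rather than counted as UAC tampering. The embedded rows are a constructed subset of the table (process paths shortened), and the baseline values are an assumption (defaults of a non-domain-joined Windows 10 client); replace them with the values your own policy enforces.

```python
import re

# Constructed sample in the shape of the "System policy modification" rows
# above (process paths shortened); input for this script, not the report itself.
SAMPLE_ROWS = r"""
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | vjioylo.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | ixujeqtrshe.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | vjioylo.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | vjioylo.exe | N/A |
"""

# Matches only integer value writes; "Key created" / "Key value queried" rows are skipped.
ROW_RE = re.compile(
    r'^\|\s*Set value \(int\)\s*\|\s*(?P<key>\\REGISTRY\\[^|]*?)\\(?P<name>\w+)'
    r' = "(?P<val>-?\d+)"\s*\|\s*(?P<proc>[^|]+?)\s*\|'
)

# ASSUMED baseline: Microsoft's documented defaults for a non-domain-joined
# Windows 10 client. Swap in the values your GPO actually enforces.
BASELINE = {
    "EnableLUA": 1,                     # 0 switches UAC off (takes effect after reboot)
    "ConsentPromptBehaviorAdmin": 5,    # 0 = elevate admins without prompting
    "ConsentPromptBehaviorUser": 3,     # 0 = automatically deny standard users
    "PromptOnSecureDesktop": 1,
    "EnableInstallerDetection": 1,
    "EnableSecureUIAPaths": 1,
    "EnableVirtualization": 1,
    "ValidateAdminCodeSignatures": 0,   # already 0 by default: writing 0 changes nothing
    "FilterAdministratorToken": 0,      # already 0 by default: writing 0 changes nothing
    "DisableRegistryTools": 0,          # 1 locks the user out of regedit
    "NoDriveTypeAutoRun": 0x91,         # Policies\Explorer; bitmask of drive types excluded from AutoRun
}


def parse_rows(text):
    """Turn table rows into dicts with key, value name, integer value and writing process."""
    writes = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            writes.append({"key": m["key"], "name": m["name"],
                           "value": int(m["val"]), "proc": m["proc"]})
    return writes


def classify(write):
    """'changed' if the write moves the value away from the baseline, 'no-op' if it restates it."""
    name, value = write["name"], write["value"]
    if name not in BASELINE:
        return "unknown"
    base = BASELINE[name]
    if name == "NoDriveTypeAutoRun":
        # Bitmask: only bits that were set in the baseline and are now cleared
        # re-enable AutoRun handling on additional drive types.
        return "changed" if (base & ~value) else "no-op"
    return "changed" if value != base else "no-op"


def audit(text):
    findings = []
    for w in parse_rows(text):
        w["baseline"] = BASELINE.get(w["name"])
        w["verdict"] = classify(w)
        findings.append(w)
    return findings


def uac_disabled(findings):
    """True when UAC is turned off outright or admins are elevated silently."""
    return any((f["name"] == "EnableLUA" and f["value"] == 0) or
               (f["name"] == "ConsentPromptBehaviorAdmin" and f["value"] == 0)
               for f in findings)


def changed_by_process(findings):
    """Map each writing process to the set of policy values it actually changed."""
    per = {}
    for f in findings:
        if f["verdict"] == "changed":
            per.setdefault(f["proc"], set()).add(f["name"])
    return per


if __name__ == "__main__":
    fs = audit(SAMPLE_ROWS)
    for f in fs:
        print(f"{f['verdict']:7} {f['name']}={f['value']} (baseline {f['baseline']}) by {f['proc']}")
    print("UAC effectively disabled:", uac_disabled(fs))
    print("Changed per process:", changed_by_process(fs))
```

The comparison against a baseline is the point: of the eleven values this sample writes, two are already at their default, so a rule that alerts on every write under `Policies\System` overstates what changed, while a rule that only watches EnableLUA misses the silent-elevation and regedit-lockout writes made by the other process.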
Processes
C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
"C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\131ff135d3cbadbe59f927d662f8dcdc_jaffacakes118.exe*"
C:\Users\Admin\AppData\Local\Temp\vjioylo.exe
"C:\Users\Admin\AppData\Local\Temp\vjioylo.exe" "-C:\Users\Admin\AppData\Local\Temp\urzohdpduirlnhhy.exe"
C:\Users\Admin\AppData\Local\Temp\vjioylo.exe
"C:\Users\Admin\AppData\Local\Temp\vjioylo.exe" "-C:\Users\Admin\AppData\Local\Temp\urzohdpduirlnhhy.exe"
C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
"C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe" "c:\users\admin\appdata\local\temp\131ff135d3cbadbe59f927d662f8dcdc_jaffacakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | 92.206.27.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | 79.223.19.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.155.67.172.in-addr.arpa | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.adobe.com | udp |
| BE | 23.14.90.89:80 | www.adobe.com | tcp |
| US | 8.8.8.8:53 | 89.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 216.58.204.78:80 | www.youtube.com | tcp |
| DE | 89.116.103.113:44743 | | tcp |
| US | 8.8.8.8:53 | vsdgddzap.org | udp |
| US | 8.8.8.8:53 | 78.204.58.216.in-addr.arpa | udp |
| US | 162.249.65.164:80 | vsdgddzap.org | tcp |
| US | 8.8.8.8:53 | fbzdiwnuua.net | udp |
| US | 8.8.8.8:53 | yolilodok.net | udp |
| US | 8.8.8.8:53 | kwhfqnnejec.info | udp |
| US | 34.211.97.45:80 | kwhfqnnejec.info | tcp |
| US | 8.8.8.8:53 | dxunadygn.org | udp |
| US | 8.8.8.8:53 | vqbpvyvyaex.info | udp |
| US | 8.8.8.8:53 | eomqiyui.org | udp |
| US | 162.249.65.164:80 | eomqiyui.org | tcp |
| US | 8.8.8.8:53 | 45.97.211.34.in-addr.arpa | udp |
| LT | 86.100.135.91:17425 | | tcp |
| US | 8.8.8.8:53 | heylzdxbfmj.net | udp |
| US | 8.8.8.8:53 | fihgzroksitl.net | udp |
| US | 8.8.8.8:53 | ifcjvggv.net | udp |
| US | 8.8.8.8:53 | nfwbtoxcplp.net | udp |
| US | 8.8.8.8:53 | hazzthxrziyh.net | udp |
| US | 8.8.8.8:53 | dmlqfdncupgd.net | udp |
| US | 8.8.8.8:53 | dqbxzw.info | udp |
| US | 8.8.8.8:53 | jawzfnq.org | udp |
| US | 162.249.65.164:80 | jawzfnq.org | tcp |
| US | 8.8.8.8:53 | pymdlf.info | udp |
| US | 8.8.8.8:53 | ikzszjxmq.info | udp |
| US | 208.100.26.245:80 | ikzszjxmq.info | tcp |
| US | 8.8.8.8:53 | vueusddp.net | udp |
| US | 8.8.8.8:53 | vfaswebt.net | udp |
| US | 8.8.8.8:53 | ozbmbkwhr.net | udp |
| US | 8.8.8.8:53 | yiqknayahap.net | udp |
| US | 8.8.8.8:53 | swfvuomt.net | udp |
| US | 8.8.8.8:53 | nibgvqqbg.net | udp |
| US | 8.8.8.8:53 | fuywmovgp.info | udp |
| US | 8.8.8.8:53 | muwyyk.org | udp |
| US | 8.8.8.8:53 | kzjozwgi.info | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bfnkdfbtnuch.info | udp |
| US | 8.8.8.8:53 | zobumzjwr.info | udp |
| US | 8.8.8.8:53 | rcvotkx.com | udp |
| US | 8.8.8.8:53 | hswepwt.com | udp |
| US | 8.8.8.8:53 | zqfsuyn.org | udp |
| US | 8.8.8.8:53 | ipvokjc.net | udp |
| US | 8.8.8.8:53 | klhcekfvdcsn.net | udp |
| US | 8.8.8.8:53 | zwhbxydy.net | udp |
| US | 8.8.8.8:53 | yvrnagjc.info | udp |
| US | 8.8.8.8:53 | lsjsjk.net | udp |
| US | 8.8.8.8:53 | esrqlplelqt.net | udp |
| US | 8.8.8.8:53 | rktqewv.com | udp |
| US | 8.8.8.8:53 | cktstug.net | udp |
| US | 8.8.8.8:53 | pooorepy.net | udp |
| US | 8.8.8.8:53 | wishvg.net | udp |
| US | 8.8.8.8:53 | qysyuocy.org | udp |
| US | 8.8.8.8:53 | kgcqac.org | udp |
| US | 8.8.8.8:53 | jydnupwk.net | udp |
| US | 8.8.8.8:53 | zfsyewnlxz.info | udp |
| US | 8.8.8.8:53 | hyjykyyii.org | udp |
| US | 8.8.8.8:53 | winweim.net | udp |
| US | 8.8.8.8:53 | cszooaq.info | udp |
| US | 8.8.8.8:53 | lzzqgigv.info | udp |
| US | 8.8.8.8:53 | aohbwixdxt.info | udp |
| US | 8.8.8.8:53 | ostdxxh.info | udp |
| US | 8.8.8.8:53 | lixknfeiqw.net | udp |
| US | 8.8.8.8:53 | wyvylyn.info | udp |
| US | 8.8.8.8:53 | cgeqrpjejzug.info | udp |
| US | 8.8.8.8:53 | ddxvsaaunk.info | udp |
| US | 8.8.8.8:53 | cilztu.net | udp |
| US | 8.8.8.8:53 | cbvkvbngoatz.net | udp |
| GB | 87.246.15.176:19844 | | tcp |
| US | 8.8.8.8:53 | tsqdaqzkv.net | udp |
| US | 8.8.8.8:53 | qxeednhfvqtb.info | udp |
| US | 8.8.8.8:53 | veparavldou.net | udp |
| US | 8.8.8.8:53 | oocgwu.org | udp |
| US | 162.249.65.164:80 | oocgwu.org | tcp |
| US | 8.8.8.8:53 | egihypdscn.net | udp |
| US | 8.8.8.8:53 | dzxeiqt.net | udp |
| US | 8.8.8.8:53 | rmbzvoskrbt.org | udp |
| US | 8.8.8.8:53 | mebzfgl.net | udp |
| US | 8.8.8.8:53 | iotmdw.info | udp |
| US | 8.8.8.8:53 | ukjfxkrqd.info | udp |
| US | 8.8.8.8:53 | ztuuvewk.info | udp |
| US | 8.8.8.8:53 | jfwmvap.net | udp |
| US | 8.8.8.8:53 | lwfxdefilma.net | udp |
| US | 8.8.8.8:53 | rxbzlefunz.info | udp |
| US | 8.8.8.8:53 | sqclryafqnci.info | udp |
| US | 8.8.8.8:53 | lgzvzd.info | udp |
| US | 8.8.8.8:53 | siepmcpo.info | udp |
| US | 8.8.8.8:53 | afmqjfvm.net | udp |
| US | 8.8.8.8:53 | tanuxkhcugs.net | udp |
| US | 8.8.8.8:53 | pjhkhcf.org | udp |
| US | 8.8.8.8:53 | ptpayer.com | udp |
| US | 8.8.8.8:53 | zojsnakatzy.net | udp |
| US | 8.8.8.8:53 | lekdjcpdfe.info | udp |
| US | 8.8.8.8:53 | twvyrobjhur.org | udp |
| US | 162.249.65.164:80 | twvyrobjhur.org | tcp |
| LT | 84.46.199.237:40571 | | tcp |
| US | 8.8.8.8:53 | ohbsyypy.info | udp |
| US | 8.8.8.8:53 | tfjklcs.net | udp |
| US | 8.8.8.8:53 | lwkgzequs.info | udp |
| US | 8.8.8.8:53 | eoxxtgbjfwp.info | udp |
| US | 8.8.8.8:53 | nomvmt.net | udp |
| US | 8.8.8.8:53 | sqlkhup.net | udp |
| US | 8.8.8.8:53 | kmqgwgsqma.com | udp |
| US | 8.8.8.8:53 | lfvrnb.net | udp |
| US | 8.8.8.8:53 | cfvsmgvqv.info | udp |
| US | 8.8.8.8:53 | fkxtxocgoib.org | udp |
| US | 8.8.8.8:53 | uggascemos.org | udp |
| US | 162.249.65.164:80 | uggascemos.org | tcp |
| US | 8.8.8.8:53 | mqwmkeuecg.org | udp |
| US | 8.8.8.8:53 | fmvjnanjyb.info | udp |
| US | 8.8.8.8:53 | qahdxtmcddb.info | udp |
| US | 8.8.8.8:53 | qdcdyuxd.info | udp |
| US | 8.8.8.8:53 | yoscaaumysio.com | udp |
| US | 8.8.8.8:53 | ssumtm.info | udp |
| US | 8.8.8.8:53 | pwmcxqvob.org | udp |
| US | 8.8.8.8:53 | flrglb.info | udp |
| US | 8.8.8.8:53 | xpustd.info | udp |
| US | 8.8.8.8:53 | kqlefkwyk.info | udp |
| US | 8.8.8.8:53 | smkulmr.info | udp |
| US | 8.8.8.8:53 | cxvpmijmjz.info | udp |
| US | 8.8.8.8:53 | drhdqpor.info | udp |
| US | 8.8.8.8:53 | nqfozsnnji.info | udp |
| US | 8.8.8.8:53 | zavldhaqv.info | udp |
| US | 8.8.8.8:53 | xuvsjinhp.com | udp |
| US | 8.8.8.8:53 | yfntjjyoj.net | udp |
| US | 8.8.8.8:53 | tlgazlmc.info | udp |
| US | 8.8.8.8:53 | twtmwa.net | udp |
| US | 8.8.8.8:53 | kgmsogygwo.com | udp |
| US | 8.8.8.8:53 | ichtsnmq.info | udp |
| US | 8.8.8.8:53 | vswxmwpx.net | udp |
| US | 8.8.8.8:53 | fqtllmawo.com | udp |
| US | 8.8.8.8:53 | rdmjuyvafr.net | udp |
| US | 8.8.8.8:53 | hsolelxe.net | udp |
| US | 8.8.8.8:53 | lxukmxfbkd.info | udp |
| US | 8.8.8.8:53 | lwkgzaxwa.com | udp |
| US | 8.8.8.8:53 | qqofrj.net | udp |
| US | 8.8.8.8:53 | udtrpwl.info | udp |
| US | 8.8.8.8:53 | txjuhr.net | udp |
| US | 8.8.8.8:53 | kckcwa.com | udp |
| US | 8.8.8.8:53 | scyssywk.org | udp |
| US | 162.249.65.164:80 | scyssywk.org | tcp |
| BG | 93.155.141.26:23110 | | tcp |
| US | 8.8.8.8:53 | zgpkttdsygsl.info | udp |
| US | 8.8.8.8:53 | mmsgbehenil.info | udp |
| US | 8.8.8.8:53 | cmlmcavxxiv.net | udp |
| US | 8.8.8.8:53 | mksjysx.info | udp |
| US | 8.8.8.8:53 | hupytxy.net | udp |
| US | 8.8.8.8:53 | vgzshhwk.info | udp |
| US | 8.8.8.8:53 | jilglepoh.net | udp |
| US | 8.8.8.8:53 | nkqirervlr.info | udp |
| US | 8.8.8.8:53 | vhbezhhvtmsz.info | udp |
| US | 8.8.8.8:53 | lvpicxnk.info | udp |
| US | 8.8.8.8:53 | doofotmuze.net | udp |
| US | 8.8.8.8:53 | xbwcwctiyhl.com | udp |
| US | 8.8.8.8:53 | rqfbdeuupz.info | udp |
| US | 8.8.8.8:53 | euinkmsa.net | udp |
| US | 8.8.8.8:53 | nyexzeu.net | udp |
| US | 8.8.8.8:53 | bdzocmjyrye.info | udp |
| US | 8.8.8.8:53 | daxqldrm.net | udp |
| US | 8.8.8.8:53 | owdqngxobkx.info | udp |
| US | 8.8.8.8:53 | qcvenal.net | udp |
| US | 8.8.8.8:53 | kwgcyk.com | udp |
| US | 8.8.8.8:53 | hozgwgxtpyi.org | udp |
| US | 8.8.8.8:53 | qnveakqmrjr.info | udp |
| US | 8.8.8.8:53 | usumyeceyqke.com | udp |
| US | 8.8.8.8:53 | chailrbazsbf.info | udp |
| US | 8.8.8.8:53 | iasomcay.com | udp |
| US | 8.8.8.8:53 | tayddxqraiej.net | udp |
| US | 8.8.8.8:53 | zupkjezuto.info | udp |
| US | 8.8.8.8:53 | qkemasssmqiy.org | udp |
| US | 8.8.8.8:53 | uuooygishc.net | udp |
| US | 8.8.8.8:53 | frixacpxzflb.info | udp |
| US | 8.8.8.8:53 | dgduryr.net | udp |
| US | 8.8.8.8:53 | huguadvoo.org | udp |
| US | 8.8.8.8:53 | zswpbpbmna.net | udp |
| US | 8.8.8.8:53 | ilwnrc.info | udp |
| US | 8.8.8.8:53 | bgfbufft.net | udp |
| US | 8.8.8.8:53 | hylczucs.info | udp |
| US | 8.8.8.8:53 | udhmlbuqpa.info | udp |
| US | 8.8.8.8:53 | hhxxcyvc.net | udp |
| US | 8.8.8.8:53 | hyedfcqec.org | udp |
| US | 8.8.8.8:53 | fxebhlo.net | udp |
| US | 8.8.8.8:53 | efochgzyukl.net | udp |
| US | 8.8.8.8:53 | vanafwg.net | udp |
| US | 8.8.8.8:53 | ssokciii.com | udp |
| US | 8.8.8.8:53 | ypyuoitqoa.info | udp |
| US | 8.8.8.8:53 | agvakue.info | udp |
| US | 8.8.8.8:53 | mmuajylch.info | udp |
| US | 8.8.8.8:53 | fqneqry.com | udp |
| US | 8.8.8.8:53 | cufsngxsrue.net | udp |
| US | 8.8.8.8:53 | ljjbekvgppwh.info | udp |
| US | 8.8.8.8:53 | uhcnnwlkby.net | udp |
| US | 8.8.8.8:53 | wcwjlkd.info | udp |
| US | 8.8.8.8:53 | ssxcsebumzy.net | udp |
| US | 8.8.8.8:53 | jkudqejzfc.net | udp |
| US | 8.8.8.8:53 | nifmtvfrs.net | udp |
| US | 8.8.8.8:53 | xkgrhwnudq.info | udp |
| US | 8.8.8.8:53 | meeergp.info | udp |
| US | 8.8.8.8:53 | rvhimhnadom.net | udp |
| US | 8.8.8.8:53 | fkkgponspp.net | udp |
| US | 8.8.8.8:53 | qorytani.net | udp |
| US | 8.8.8.8:53 | zmaquu.net | udp |
| US | 8.8.8.8:53 | kyaoys.org | udp |
| US | 8.8.8.8:53 | gisiftlbiqv.net | udp |
| US | 8.8.8.8:53 | ljviot.net | udp |
| US | 8.8.8.8:53 | fjowzmrmue.net | udp |
| US | 8.8.8.8:53 | ravwjpnk.net | udp |
| US | 8.8.8.8:53 | sbophqr.info | udp |
| US | 8.8.8.8:53 | bqnqljllbyn.com | udp |
| US | 8.8.8.8:53 | ejlqjtqcpgma.info | udp |
| US | 8.8.8.8:53 | bwsgmgpocsc.org | udp |
| US | 8.8.8.8:53 | wuihibpv.net | udp |
| US | 8.8.8.8:53 | bflgzffg.info | udp |
| US | 8.8.8.8:53 | mgfrxptcx.net | udp |
| US | 8.8.8.8:53 | hcsadtdyb.info | udp |
| US | 8.8.8.8:53 | ffujrsnlpioe.info | udp |
| US | 8.8.8.8:53 | mikiwu.org | udp |
| US | 8.8.8.8:53 | akridp.info | udp |
| US | 8.8.8.8:53 | mmdffuebcu.net | udp |
| US | 8.8.8.8:53 | cyzafyx.net | udp |
| US | 8.8.8.8:53 | pleaooahrimm.info | udp |
| US | 8.8.8.8:53 | kgwkzwnuv.info | udp |
| US | 8.8.8.8:53 | sznaabuqx.net | udp |
| US | 8.8.8.8:53 | hmskewbfw.net | udp |
| US | 8.8.8.8:53 | jcfavurdlf.info | udp |
| US | 8.8.8.8:53 | jupvpshulol.info | udp |
| US | 8.8.8.8:53 | nidebb.net | udp |
| US | 8.8.8.8:53 | zhbjld.net | udp |
| US | 8.8.8.8:53 | vsxbgixpgege.net | udp |
| US | 8.8.8.8:53 | nngifrnh.info | udp |
| US | 8.8.8.8:53 | bgjkcqthjcr.info | udp |
| US | 8.8.8.8:53 | dvbmzdwqqj.info | udp |
| US | 8.8.8.8:53 | nnkapwjgdgw.com | udp |
| US | 8.8.8.8:53 | ruomtkayakx.info | udp |
| US | 8.8.8.8:53 | jqowtofcr.org | udp |
| US | 8.8.8.8:53 | pfgijrrcyovb.net | udp |
| US | 8.8.8.8:53 | cjrsdgmijgn.net | udp |
| US | 8.8.8.8:53 | rubdcipl.net | udp |
| US | 8.8.8.8:53 | jwvdkwakan.net | udp |
| US | 8.8.8.8:53 | bbvqvapdqw.net | udp |
| US | 8.8.8.8:53 | ijxoidecbii.info | udp |
| US | 8.8.8.8:53 | egtyronwtqd.info | udp |
| US | 8.8.8.8:53 | ceyikkcegkkw.com | udp |
| US | 8.8.8.8:53 | tglikq.net | udp |
| US | 8.8.8.8:53 | uaudphfsy.info | udp |
| US | 8.8.8.8:53 | aimusyuy.org | udp |
| US | 8.8.8.8:53 | tsjlatxlzhn.info | udp |
| US | 8.8.8.8:53 | dzldzt.net | udp |
| US | 8.8.8.8:53 | etpqsb.info | udp |
| US | 8.8.8.8:53 | hxrskp.info | udp |
| US | 8.8.8.8:53 | oyxzinmyat.info | udp |
| US | 8.8.8.8:53 | shvehdrsc.net | udp |
| US | 8.8.8.8:53 | qrjmoqdkde.info | udp |
| US | 8.8.8.8:53 | nbpunrsm.info | udp |
| US | 8.8.8.8:53 | cailzz.info | udp |
| US | 8.8.8.8:53 | dtvrgbclbl.net | udp |
| US | 8.8.8.8:53 | ohzcitpwnbr.net | udp |
| US | 8.8.8.8:53 | jcxcwolq.info | udp |
| US | 8.8.8.8:53 | xmvvsgg.info | udp |
| US | 8.8.8.8:53 | kgmyjl.net | udp |
| US | 8.8.8.8:53 | bshorya.net | udp |
| US | 8.8.8.8:53 | xtspxqw.info | udp |
| US | 8.8.8.8:53 | keztjb.info | udp |
| US | 8.8.8.8:53 | gkcoskqeus.com | udp |
| US | 8.8.8.8:53 | iegkceci.org | udp |
| US | 8.8.8.8:53 | wobxezdp.info | udp |
| US | 8.8.8.8:53 | zhwtrz.info | udp |
| US | 8.8.8.8:53 | wkpqdvmciexy.net | udp |
| US | 8.8.8.8:53 | uauoakkk.com | udp |
| US | 8.8.8.8:53 | ryfuirzjef.info | udp |
| US | 8.8.8.8:53 | gqzzhdak.info | udp |
| US | 8.8.8.8:53 | auowmaggsumq.org | udp |
| US | 162.249.65.164:80 | auowmaggsumq.org | tcp |
| BG | 95.42.102.111:26902 | | tcp |
| US | 8.8.8.8:53 | gaacledqb.info | udp |
| US | 8.8.8.8:53 | bhryvkxlw.net | udp |
| US | 8.8.8.8:53 | nqjfwuadxx.net | udp |
| US | 8.8.8.8:53 | fpybmsbkn.net | udp |
| US | 8.8.8.8:53 | igmkkkqmaeye.com | udp |
| US | 8.8.8.8:53 | bkpifkc.info | udp |
| US | 8.8.8.8:53 | swvytsb.net | udp |
| US | 8.8.8.8:53 | msmqxts.info | udp |
| US | 8.8.8.8:53 | bwsextlslip.net | udp |
| US | 8.8.8.8:53 | igjcav.info | udp |
| US | 8.8.8.8:53 | mwbhbki.info | udp |
| US | 8.8.8.8:53 | boerfw.net | udp |
| US | 8.8.8.8:53 | cidwvzenu.net | udp |
| US | 8.8.8.8:53 | lzktggvqr.com | udp |
| US | 8.8.8.8:53 | yckamrnaqwnv.net | udp |
| US | 8.8.8.8:53 | nsxaxbza.net | udp |
| US | 8.8.8.8:53 | hxummkxlrd.info | udp |
| US | 8.8.8.8:53 | hopmxiq.net | udp |
| US | 8.8.8.8:53 | zkwlcmrx.info | udp |
| US | 8.8.8.8:53 | vwwmxlvmw.com | udp |
| US | 8.8.8.8:53 | bmrjlm.net | udp |
| US | 8.8.8.8:53 | darknroipjl.org | udp |
| US | 8.8.8.8:53 | ewjccamtzlh.net | udp |
| US | 8.8.8.8:53 | layuamikzdql.info | udp |
| US | 8.8.8.8:53 | yrxdnkvpesem.info | udp |
| US | 8.8.8.8:53 | ihjkeai.info | udp |
| US | 8.8.8.8:53 | watedcrdntg.info | udp |
| US | 8.8.8.8:53 | kiixvivcp.net | udp |
| US | 8.8.8.8:53 | yvlsfvpux.info | udp |
| US | 8.8.8.8:53 | iyckcwcgaucq.org | udp |
| US | 8.8.8.8:53 | uiouocaqqmoy.org | udp |
| US | 8.8.8.8:53 | hhlorggcrlgx.net | udp |
| US | 8.8.8.8:53 | oqyegm.org | udp |
| US | 162.249.65.164:80 | oqyegm.org | tcp |
| US | 8.8.8.8:53 | cbypoq.net | udp |
| US | 8.8.8.8:53 | gojkzblkjd.net | udp |
| US | 8.8.8.8:53 | jvzyvatftfqd.info | udp |
| US | 8.8.8.8:53 | txqzqy.net | udp |
| US | 8.8.8.8:53 | ramdcshagga.net | udp |
| US | 8.8.8.8:53 | fgnmhy.net | udp |
| US | 8.8.8.8:53 | lciqvvr.org | udp |
| US | 8.8.8.8:53 | lynfumjl.info | udp |
| US | 8.8.8.8:53 | owwzkpzvkunz.info | udp |
| US | 8.8.8.8:53 | tmddfwvdj.com | udp |
| US | 8.8.8.8:53 | osuqasmwkega.com | udp |
| US | 8.8.8.8:53 | emqgaq.org | udp |
| US | 8.8.8.8:53 | ujxfuttmifle.net | udp |
| US | 8.8.8.8:53 | lsfhhgkizzfj.net | udp |
| US | 8.8.8.8:53 | dyrrlkpgb.net | udp |
| US | 8.8.8.8:53 | yiucei.org | udp |
| US | 8.8.8.8:53 | zonezuf.net | udp |
| US | 8.8.8.8:53 | talugbndu.net | udp |
| US | 8.8.8.8:53 | cmaqegqw.com | udp |
| US | 8.8.8.8:53 | kwvexijzvuox.net | udp |
| US | 8.8.8.8:53 | purwwenyj.com | udp |
| US | 8.8.8.8:53 | fjrdep.net | udp |
| US | 8.8.8.8:53 | tchximlbdye.info | udp |
| US | 8.8.8.8:53 | aagosmeuqico.org | udp |
| BG | 87.97.150.61:23772 | | tcp |
| US | 8.8.8.8:53 | ualztbdnpcru.net | udp |
| US | 8.8.8.8:53 | miasgykcgmwm.org | udp |
| US | 8.8.8.8:53 | vszamneg.info | udp |
| US | 8.8.8.8:53 | rihfigppyj.info | udp |
| US | 8.8.8.8:53 | wvimtmr.net | udp |
| US | 8.8.8.8:53 | drhdjqvr.info | udp |
| US | 8.8.8.8:53 | colmdkvud.net | udp |
| US | 8.8.8.8:53 | dmiiag.info | udp |
| US | 8.8.8.8:53 | kmwkei.com | udp |
| US | 8.8.8.8:53 | tbtebovh.info | udp |
| US | 8.8.8.8:53 | bqngkclmbzh.info | udp |
| US | 8.8.8.8:53 | bghvedjqyear.net | udp |
| US | 8.8.8.8:53 | vdzshgcmbo.info | udp |
| US | 8.8.8.8:53 | cffipww.info | udp |
| US | 8.8.8.8:53 | lwldae.net | udp |
| US | 8.8.8.8:53 | nzzfvfehku.info | udp |
| US | 8.8.8.8:53 | samcmuoimuwc.com | udp |
| US | 8.8.8.8:53 | psgmlqkt.info | udp |
| US | 8.8.8.8:53 | dejiambqr.info | udp |
| US | 8.8.8.8:53 | xvxqnlx.info | udp |
| US | 8.8.8.8:53 | fapmez.net | udp |
| US | 8.8.8.8:53 | aqcesysq.org | udp |
| US | 8.8.8.8:53 | njphrow.net | udp |
| US | 8.8.8.8:53 | fmpgtlnr.net | udp |
| US | 8.8.8.8:53 | nukrnqt.info | udp |
| US | 8.8.8.8:53 | bibcnuhc.info | udp |
| US | 8.8.8.8:53 | dwvohi.info | udp |
| US | 8.8.8.8:53 | zixwrjjcr.org | udp |
| US | 8.8.8.8:53 | bavrjoztzi.net | udp |
| US | 8.8.8.8:53 | gkwuccsw.com | udp |
| US | 8.8.8.8:53 | vojabs.info | udp |
| US | 8.8.8.8:53 | tjhabtt.info | udp |
| US | 8.8.8.8:53 | gguiwmcike.com | udp |
| US | 8.8.8.8:53 | jaktktbzcd.info | udp |
| US | 8.8.8.8:53 | pfveuyfezshg.info | udp |
| US | 8.8.8.8:53 | xobzexfvbdji.net | udp |
| US | 8.8.8.8:53 | mpzepeeifsj.net | udp |
| US | 8.8.8.8:53 | gmawtwrycam.info | udp |
| US | 8.8.8.8:53 | ysvntwgn.info | udp |
| US | 8.8.8.8:53 | valkehh.info | udp |
| US | 8.8.8.8:53 | avhorwnwh.net | udp |
| US | 8.8.8.8:53 | qqqcoscyie.com | udp |
| US | 8.8.8.8:53 | fpkapqit.info | udp |
| US | 8.8.8.8:53 | wplqxgiwd.info | udp |
| US | 8.8.8.8:53 | tppgwk.net | udp |
| US | 8.8.8.8:53 | nnfhdl.net | udp |
| US | 8.8.8.8:53 | dabsfkf.org | udp |
| US | 8.8.8.8:53 | zxzkscpc.net | udp |
| US | 8.8.8.8:53 | dpzepnwnudlt.net | udp |
| US | 8.8.8.8:53 | knhurclxt.net | udp |
| US | 8.8.8.8:53 | dudplt.net | udp |
| US | 8.8.8.8:53 | jxhbtmgbaabw.info | udp |
| US | 8.8.8.8:53 | omsmrtr.net | udp |
| US | 8.8.8.8:53 | cjleudnxfzvs.info | udp |
| US | 8.8.8.8:53 | fuduznymxyj.net | udp |
| US | 8.8.8.8:53 | qwiykg.org | udp |
| US | 8.8.8.8:53 | nxhrncawvm.info | udp |
| US | 8.8.8.8:53 | zgghjeyw.info | udp |
| US | 8.8.8.8:53 | uosyqcameu.org | udp |
| US | 8.8.8.8:53 | sbnwmhdd.info | udp |
| US | 8.8.8.8:53 | yqjapdndp.net | udp |
| US | 8.8.8.8:53 | jrhydkecl.net | udp |
| US | 8.8.8.8:53 | etfitzlwhath.info | udp |
| US | 8.8.8.8:53 | rqpalmeskea.info | udp |
| US | 8.8.8.8:53 | zweegzy.net | udp |
| US | 8.8.8.8:53 | vxjdgjwipz.info | udp |
| US | 8.8.8.8:53 | zsqipixhprno.info | udp |
| US | 8.8.8.8:53 | jrwtbwksdgli.net | udp |
| US | 8.8.8.8:53 | zqgctaon.info | udp |
| US | 8.8.8.8:53 | dsljlpwmvkn.org | udp |
| US | 8.8.8.8:53 | wsygcc.com | udp |
| US | 8.8.8.8:53 | nehugmlapkj.com | udp |
| US | 8.8.8.8:53 | rhjtjgdn.net | udp |
| US | 8.8.8.8:53 | gdtknyfat.net | udp |
| US | 8.8.8.8:53 | jlkxbpfz.info | udp |
| US | 8.8.8.8:53 | yazbbtmqptzs.net | udp |
| US | 8.8.8.8:53 | ggowpsr.net | udp |
| US | 8.8.8.8:53 | lqyuzhnsdwh.info | udp |
| US | 8.8.8.8:53 | iaixydhqj.net | udp |
| US | 8.8.8.8:53 | lwfcbspjh.com | udp |
| US | 8.8.8.8:53 | gkllimd.info | udp |
| US | 8.8.8.8:53 | tapcprxcbck.com | udp |
| US | 8.8.8.8:53 | huvapwf.info | udp |
| US | 8.8.8.8:53 | yaoqpybov.net | udp |
| US | 8.8.8.8:53 | edkvvfhm.net | udp |
| US | 8.8.8.8:53 | jnswrk.info | udp |
| US | 8.8.8.8:53 | kefujkm.net | udp |
| US | 8.8.8.8:53 | bypdbeft.net | udp |
| US | 8.8.8.8:53 | ywwzdoommgl.info | udp |
| US | 8.8.8.8:53 | qiwvjy.info | udp |
| US | 8.8.8.8:53 | ysgquo.org | udp |
| US | 8.8.8.8:53 | nvdihc.net | udp |
| US | 8.8.8.8:53 | yxlcbuil.net | udp |
| US | 8.8.8.8:53 | wvnxwtgs.info | udp |
| US | 8.8.8.8:53 | gxurrijmwj.net | udp |
| US | 8.8.8.8:53 | ixfsvqwnmyhh.info | udp |
| US | 8.8.8.8:53 | akwagmuq.org | udp |
| US | 8.8.8.8:53 | cimssckkesoy.com | udp |
| US | 8.8.8.8:53 | mivonsn.net | udp |
| US | 8.8.8.8:53 | csqecq.com | udp |
| US | 8.8.8.8:53 | tsfpbwzulu.net | udp |
| US | 8.8.8.8:53 | cruftfwdx.info | udp |
| US | 8.8.8.8:53 | qahkwiajnf.info | udp |
| US | 8.8.8.8:53 | yvcbvi.info | udp |
| US | 8.8.8.8:53 | qieskwaeumgu.com | udp |
| US | 8.8.8.8:53 | dynsgqe.com | udp |
| US | 8.8.8.8:53 | ygkimmyiyq.com | udp |
| US | 8.8.8.8:53 | cwqoigaq.com | udp |
| US | 8.8.8.8:53 | lpxsxak.info | udp |
| US | 8.8.8.8:53 | abhtvd.info | udp |
| US | 8.8.8.8:53 | yururmq.info | udp |
| US | 8.8.8.8:53 | ziiwdb.info | udp |
| US | 8.8.8.8:53 | wmskoyiwckcc.com | udp |
| US | 8.8.8.8:53 | xqtpfyl.com | udp |
| US | 8.8.8.8:53 | qbkmkfhqr.net | udp |
| US | 8.8.8.8:53 | mvdxof.info | udp |
| US | 8.8.8.8:53 | jnueoe.info | udp |
| US | 8.8.8.8:53 | tubcsi.net | udp |
| US | 8.8.8.8:53 | kuuwpvl.net | udp |
| US | 8.8.8.8:53 | rsvjduddlmg.net | udp |
| US | 8.8.8.8:53 | yqsulei.info | udp |
| US | 8.8.8.8:53 | dpwthhxfnpje.info | udp |
| US | 8.8.8.8:53 | grtgjfddd.info | udp |
| US | 8.8.8.8:53 | lsfgofca.net | udp |
| US | 8.8.8.8:53 | icfkxadejct.net | udp |
| US | 8.8.8.8:53 | rasctijwu.net | udp |
| US | 8.8.8.8:53 | gwumgkswsk.com | udp |
| US | 8.8.8.8:53 | dvbaccf.org | udp |
| US | 8.8.8.8:53 | mzhtmkjrutn.net | udp |
| US | 8.8.8.8:53 | gynchtukx.info | udp |
| US | 8.8.8.8:53 | hzofdtymno.net | udp |
| US | 8.8.8.8:53 | hbalfcbztj.info | udp |
| US | 8.8.8.8:53 | wsggzj.net | udp |
| US | 8.8.8.8:53 | awhwpsamnvpz.info | udp |
| US | 8.8.8.8:53 | cgkiiocgyg.com | udp |
| US | 8.8.8.8:53 | ptlljz.net | udp |
| US | 8.8.8.8:53 | nrwqjv.info | udp |
| US | 8.8.8.8:53 | jbgbtk.net | udp |
| US | 8.8.8.8:53 | zwxewzlyrqh.com | udp |
| US | 8.8.8.8:53 | yjpnygixyx.net | udp |
| US | 8.8.8.8:53 | wrrpqs.net | udp |
| US | 8.8.8.8:53 | csweecoy.com | udp |
| US | 8.8.8.8:53 | eyewqw.org | udp |
| US | 8.8.8.8:53 | buoijljy.info | udp |
| US | 8.8.8.8:53 | bttqrqrpxsjv.info | udp |
| US | 8.8.8.8:53 | gawoakwkse.org | udp |
| US | 8.8.8.8:53 | zylyqstmdoh.org | udp |
| US | 8.8.8.8:53 | vbyygg.net | udp |
| US | 8.8.8.8:53 | tfldcopk.net | udp |
| US | 8.8.8.8:53 | bllxuuzlwmpw.net | udp |
| US | 8.8.8.8:53 | oasyowq.net | udp |
| US | 8.8.8.8:53 | syqcoscyie.com | udp |
| US | 8.8.8.8:53 | cnmsixhe.net | udp |
| US | 8.8.8.8:53 | copersdev.net | udp |
| US | 8.8.8.8:53 | mkfjzhfsclp.info | udp |
| US | 8.8.8.8:53 | uvlvqxyijddu.net | udp |
| US | 8.8.8.8:53 | hvdqrg.net | udp |
| US | 8.8.8.8:53 | twvihv.info | udp |
| US | 8.8.8.8:53 | oekzey.info | udp |
| US | 8.8.8.8:53 | fizelqj.info | udp |
| US | 8.8.8.8:53 | xmlficz.net | udp |
| US | 8.8.8.8:53 | wdxhaicsckn.info | udp |
| US | 8.8.8.8:53 | ngcdfpzmnie.net | udp |
| US | 8.8.8.8:53 | yccyweaieusi.com | udp |
| US | 8.8.8.8:53 | xrbklm.info | udp |
| US | 8.8.8.8:53 | gghgwif.net | udp |
| US | 8.8.8.8:53 | acqsuqyuea.org | udp |
| US | 8.8.8.8:53 | suicwlhzdsrh.net | udp |
| US | 8.8.8.8:53 | nujjjhwmtcyu.info | udp |
| US | 8.8.8.8:53 | yuuicqaiuooe.com | udp |
| US | 8.8.8.8:53 | noxoxkzyxix.org | udp |
| US | 8.8.8.8:53 | vupsvur.com | udp |
| US | 8.8.8.8:53 | fgaupidmn.com | udp |
| US | 8.8.8.8:53 | ogfaawv.info | udp |
| US | 8.8.8.8:53 | lzxkgytnsr.info | udp |
| US | 8.8.8.8:53 | grbcxjxsd.info | udp |
| US | 8.8.8.8:53 | hlodfvrr.net | udp |
| US | 8.8.8.8:53 | tbvalm.net | udp |
| US | 8.8.8.8:53 | qciuegymia.com | udp |
| US | 8.8.8.8:53 | whpwlocrrf.info | udp |
| US | 8.8.8.8:53 | iopqhuvdvz.info | udp |
| US | 8.8.8.8:53 | osfirsowmqo.info | udp |
| US | 8.8.8.8:53 | ladegcamm.info | udp |
| US | 8.8.8.8:53 | kuuwymkesk.org | udp |
| US | 8.8.8.8:53 | aomkcqaa.com | udp |
| US | 8.8.8.8:53 | uqarhw.info | udp |
| US | 8.8.8.8:53 | pvqlykfq.net | udp |
| US | 8.8.8.8:53 | ocawoi.org | udp |
| US | 8.8.8.8:53 | bohvpfjikicg.net | udp |
| US | 8.8.8.8:53 | coikwigoik.org | udp |
| US | 8.8.8.8:53 | zrjkew.net | udp |
| US | 8.8.8.8:53 | jvcuyszjq.com | udp |
| US | 8.8.8.8:53 | uiwqgqemgqqe.org | udp |
| US | 8.8.8.8:53 | vmihlahazqo.net | udp |
| US | 8.8.8.8:53 | yqqsvlevnitf.net | udp |
| US | 8.8.8.8:53 | jamglof.com | udp |
| US | 8.8.8.8:53 | tuxlaksiopzg.info | udp |
| US | 8.8.8.8:53 | cofqgl.info | udp |
| US | 8.8.8.8:53 | uaaebedn.info | udp |
| US | 8.8.8.8:53 | rwrmer.info | udp |
| US | 8.8.8.8:53 | cpvkihx.net | udp |
| US | 8.8.8.8:53 | dohmvklorih.org | udp |
| US | 8.8.8.8:53 | sxxizutlvant.net | udp |
| US | 8.8.8.8:53 | nsfkeafrtjn.info | udp |
| US | 8.8.8.8:53 | rfizwynqkt.info | udp |
| US | 8.8.8.8:53 | mentnwt.info | udp |
| BG | 93.183.185.234:24353 | | tcp |
| US | 8.8.8.8:53 | yocciq.com | udp |
| US | 8.8.8.8:53 | jtpdhst.org | udp |
| US | 162.249.65.164:80 | jtpdhst.org | tcp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
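The network table above is mostly DGA noise: hundreds of pseudo-random names queried once, of which only three (auowmaggsumq.org, oqyegm.org, jtpdhst.org) are followed by a TCP connection, all to the same 162.249.65.164:80. The script below is an added example, not part of the sandbox report; it parses rows in the table's visible layout (country | destination | domain | protocol), pairs each lookup with any later connection to the same name, decodes the one reverse lookup, and separates out TCP connections that had no name at all. The sample rows are copied from the table; the column layout and the `:53`-means-DNS rule are assumptions about how this report is exported.

```python
"""Separate live C2 from DGA noise in the report's network table.

Added example, not part of the sandbox report. The row layout
(country | destination | domain | protocol) is taken from the visible
columns; the sample rows below are copied from the report, including one
exported with its empty domain cell dropped.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Row = Tuple[str, str, str, str]  # country, ip:port, domain, protocol

# Constructed sample: rows copied from the report's network table.
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | gqzzhdak.info | udp |
| US | 8.8.8.8:53 | auowmaggsumq.org | udp |
| US | 162.249.65.164:80 | auowmaggsumq.org | tcp |
| BG | 95.42.102.111:26902 | tcp | |
| US | 8.8.8.8:53 | gaacledqb.info | udp |
| US | 8.8.8.8:53 | oqyegm.org | udp |
| US | 162.249.65.164:80 | oqyegm.org | tcp |
| BG | 87.97.150.61:23772 | | tcp |
| US | 8.8.8.8:53 | jtpdhst.org | udp |
| US | 162.249.65.164:80 | jtpdhst.org | tcp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
"""


def parse_rows(text: str) -> List[Row]:
    rows: List[Row] = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        # Rows with no domain are sometimes exported as "| ip:port | tcp | |",
        # which shifts the protocol into the domain column; undo that.
        if proto == "" and domain in ("tcp", "udp"):
            domain, proto = "", domain
        rows.append((country, dest, domain, proto))
    return rows


def ptr_to_ip(name: str) -> Optional[str]:
    """Decode a reverse lookup: a.b.c.d.in-addr.arpa is the PTR name for d.c.b.a."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa", name)
    return ".".join(reversed(m.groups())) if m else None


@dataclass
class Triage:
    queried: List[str] = field(default_factory=list)         # forward lookups, first-seen order
    contacted: Dict[str, str] = field(default_factory=dict)  # domain -> ip:port it then connected to
    direct_ip: List[str] = field(default_factory=list)       # tcp connections with no name at all
    reverse_lookups: Dict[str, str] = field(default_factory=dict)  # PTR name -> decoded IP

    @property
    def unresolved(self) -> List[str]:
        """Names queried but never connected to: the DGA misses."""
        return [d for d in self.queried if d not in self.contacted]

    def c2_hosts(self) -> Dict[str, int]:
        """How many distinct live domains each server IP answered for."""
        return dict(Counter(dest.rsplit(":", 1)[0] for dest in self.contacted.values()))


def triage(rows: List[Row]) -> Triage:
    t = Triage()
    for _country, dest, domain, proto in rows:
        if proto == "udp" and dest.endswith(":53"):      # DNS query
            ip = ptr_to_ip(domain)
            if ip is not None:
                t.reverse_lookups[domain] = ip
            elif domain not in t.queried:
                t.queried.append(domain)
        elif proto == "tcp":
            if domain:
                t.contacted[domain] = dest               # lookup that produced a connection
            else:
                t.direct_ip.append(dest)                 # no preceding name in the table
    return t
```

Run over the full table, `contacted` is the block list worth acting on and `c2_hosts()` shows the three names collapsing onto one server; `unresolved` is the sinkhole candidate list. The Bulgarian high-port TCP connections appear with no lookup before them in the table, so they need to be checked separately rather than assumed to belong to the same infrastructure.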
Files
C:\Users\Admin\AppData\Local\Temp\ixujeqtrshe.exe
| MD5 | 915dd43f473ac655dd4e7ebe75cc2d68 |
| SHA1 | 037c49c1ce90c9db0895985286b9edc59f60646c |
| SHA256 | 129e8fbc49b267ee3f1190b4f02fde33949363986ff50f7efa403c40daf16645 |
| SHA512 | 51196244ac9ec5715d71447b8137ae1b9e921382aa5fa39d30a2d8dc81fc68ea5442731a25f8014d94daf774db9c9397836b67ff6225336a2fa144c653045260 |
C:\Windows\SysWOW64\kjtkfdrhaqbxbxzsch.exe
| MD5 | 131ff135d3cbadbe59f927d662f8dcdc |
| SHA1 | 30e8e955a61cf6f197f1e58ae9e769ffc82279c6 |
| SHA256 | fbd2e2e9a43788994e7bd9f0f34240668a79c841a8c919ee79b8fcc9fda93dad |
| SHA512 | c504a3a66012c9a12cfd86246456e191e81ca912f6f5b80ceb8b8d7e41df19904880869a0a7d1da73cfa71ba96d8088a885d10c184efa5a24248d87015066448 |
C:\Users\Admin\AppData\Local\Temp\vjioylo.exe
| MD5 | 5c1a5a0dc1b7b29dd20ce0851af0a820 |
| SHA1 | dd2ef956742ceae35711c84973c1d3b7b2f927df |
| SHA256 | d0b3f62b886e7475ded0b874d81f5ba25595ad88756f7317762020714df36963 |
| SHA512 | 38e63837c053a7947b28d8e58e7ca6846fba61676197bfeb13a9fbb4f7da2226d9a89294fc916122359e948d6efdf3bc418e579c141bcac2ea74eee9fd295e2e |
C:\Users\Admin\AppData\Local\hrmoudcdhielahuytjjtoqwfe.jkg
| MD5 | 5d6ce8eb3ff4aca2a289ca9784d6c3c6 |
| SHA1 | f916e61b84a7e50b7b56eeb66aa28971007d3191 |
| SHA256 | eb31a484172b19ee36b7d44999bf0601da5d25125be7443c7ea010b188d3ffba |
| SHA512 | 07fd5edecb25b175fff5d9a813e5d4fb80d4b6c165f8ec5eaf36247dc30c5c95a54b9663c47aa0042f87f6cea98ef0fd85ddc5f24d1c04c9e7c94dca81748ff2 |
C:\Users\Admin\AppData\Local\mhnarlvhwiphhzxmstezfsjdnzoahzzrpekl.rxk
| MD5 | 2461db9bea8f88ef430ec74fb4cf7f41 |
| SHA1 | 5eb8ada2591152a82631e47d90d01002d869ca3c |
| SHA256 | b0ee3ec168fd1952c7bca2894b87f7a732fa2fadbe9fdd40fcc857829234eb21 |
| SHA512 | 3be4c2f3bfc8c25f20bebf5951cda939695106e2f5491584a45e06503f8dc2d2401d6bb5ad21debefed4f50cfe21dbdb745eab53462712266ca991c967e56612 |
C:\Program Files (x86)\hrmoudcdhielahuytjjtoqwfe.jkg
| MD5 | 74a20c46b346f1c4548fa06a8a8b5f38 |
| SHA1 | 5b0a674a7072d18e6cefb5f4c6bc34487509e560 |
| SHA256 | 91291fc31bdb3ef362cadb5ebf1c8bd8fb44bd95b2a86de21e27156d2fbf5742 |
| SHA512 | ad45c60195d7697c4aae12e75b066d0421fb30dda161c6820bdff4b0e24e79ac7af4532aba3fc350229ee55fda00fd896b13b2278845ded6df7dbd0bddd47b5a |
C:\Program Files (x86)\hrmoudcdhielahuytjjtoqwfe.jkg
| MD5 | 8081c05b7cc4ffb8ec3806b806b3d2a6 |
| SHA1 | 3c316273bc6641f020ad60f394c4379228dbd31b |
| SHA256 | 8701d0d07fe10c37f379eaf019280f4b0e35255cf3071a935866d7921c8041f8 |
| SHA512 | 70bbafc7a76e2fcb8c401f43b9376d4b48e50f19cb54c9bfe914a40a1e50ec93ba7f067f401ae95b27b5bf33aab34ad7218941a1c459c8dadd618c6e30f22dc7 |
C:\Users\Admin\AppData\Local\hrmoudcdhielahuytjjtoqwfe.jkg
| MD5 | 9c47e3d80e531d3e277355ac9d68cd9b |
| SHA1 | 6b585e60c792f3320649e1fb827196343b7cf53e |
| SHA256 | 286c36d873f9f9e18efcc37bf0177176aa560bc4ed3c079e3ac78166d711daa9 |
| SHA512 | f505ec195736b040d242cef9ac6bca20ee179a2dc4a07d5d817d8d08adfae273871e0cbbaf23dcbf5b7f28e5d988f8dbcb1971b24c1d4a6dff536815d5677343 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 19:17
Reported
2024-06-26 19:20
Platform
win7-20240611-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aypkdbrrndknasuasjomd.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "aypkdbrrndknasuasjomd.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "xqcsgzkfwhjhpcza.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "yujctpdbvjopaqqukzc.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niwoezmjcpttdsrujx.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eylcrlxtlxaziwuwk.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "yujctpdbvjopaqqukzc.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yujctpdbvjopaqqukzc.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eylcrlxtlxaziwuwk.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eylcrlxtlxaziwuwk.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "liyskhwvqflnzqrwndhe.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liyskhwvqflnzqrwndhe.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liyskhwvqflnzqrwndhe.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "niwoezmjcpttdsrujx.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niwoezmjcpttdsrujx.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "liyskhwvqflnzqrwndhe.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aypkdbrrndknasuasjomd.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yujctpdbvjopaqqukzc.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqcsgzkfwhjhpcza.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "niwoezmjcpttdsrujx.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "niwoezmjcpttdsrujx.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "yujctpdbvjopaqqukzc.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niwoezmjcpttdsrujx.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "aypkdbrrndknasuasjomd.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "eylcrlxtlxaziwuwk.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pemyixevipnh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqcsgzkfwhjhpcza.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "eylcrlxtlxaziwuwk.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\skvkxpztjturykg = "eylcrlxtlxaziwuwk.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
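The Winlogon, UAC bypass, policy Run key, DisableRegistryTools and Safe Mode Boot sections above all reduce to registry state that can be checked on a suspect host. The script below is an added example and not part of the report: it parses the plain-text output of `reg query` (an unindented key path, then indented `name    TYPE    data` lines) so a snapshot can be exported from the host and audited offline. The defaults it assumes are the documented Windows defaults (EnableLUA 1, ConsentPromptBehaviorAdmin 5, ConsentPromptBehaviorUser 3, PromptOnSecureDesktop 1, DisableRegistryTools absent); the three SafeBoot\Minimal entries it requires are the ones the report shows deleted. Because the dropper is 32-bit, its Winlogon write lands in the WOW6432Node view, so that view is folded into the native path before checking. Both samples are constructed, the first from the values the report lists.

```python
"""Offline audit of the registry tampering this report documents.

Added example, not part of the sandbox report. Parses `reg query` text
(unindented key path, then indented "name    TYPE    data" lines) and
compares it with documented Windows defaults and the SafeBoot entries the
report shows being deleted.
"""
import re
from typing import Callable, Dict, List, Tuple

Snapshot = Dict[str, Dict[str, Tuple[str, str]]]  # key -> value name -> (type, data)

# Constructed sample reproducing the values the report lists.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x0
    ConsentPromptBehaviorAdmin    REG_DWORD    0x0
    ConsentPromptBehaviorUser    REG_DWORD    0x0
    PromptOnSecureDesktop    REG_DWORD    0x0
    DisableRegistryTools    REG_DWORD    0x1

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    DisableRegistryTools    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    pemyixevipnh    REG_SZ    C:\Users\Admin\AppData\Local\Temp\aypkdbrrndknasuasjomd.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AppInfo
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Base
"""

# Constructed clean snapshot: defaults in place, regedit allowed, safe-mode services intact.
CLEAN_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x1
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    PromptOnSecureDesktop    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ProfSvc
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Power
"""

POLICY_SYSTEM = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
POLICY_RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer\run"
SAFEBOOT_MINIMAL = r"hkey_local_machine\system\currentcontrolset\control\safeboot\minimal"
SAFEBOOT_REQUIRED = ("WinDefend", "ProfSvc", "Power")  # the entries the report shows deleted

# (value name, documented default when absent, acceptable?, meaning of a failure)
UAC_CHECKS: List[Tuple[str, int, Callable[[int], bool], str]] = [
    ("EnableLUA", 1, lambda v: v == 1, "UAC disabled"),
    ("ConsentPromptBehaviorAdmin", 5, lambda v: v != 0, "administrators elevate with no prompt"),
    ("ConsentPromptBehaviorUser", 3, lambda v: v != 0, "standard-user elevation set to auto-deny"),
    ("PromptOnSecureDesktop", 1, lambda v: v == 1, "elevation prompt moved off the secure desktop"),
]


def normalize_key(path: str) -> str:
    """Lower-case and fold the 32-bit redirected view into the native path."""
    return re.sub(r"\\wow6432node(?=\\|$)", "", path.strip().lower())


def parse_reg_query(text: str) -> Snapshot:
    snap: Snapshot = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():          # unindented: a key path
            current = normalize_key(raw)
            snap.setdefault(current, {})
        elif current is not None:         # indented: name    TYPE    data (4+ spaces apart)
            parts = re.split(r"\s{4,}", raw.strip(), maxsplit=2) + ["", ""]
            snap[current][parts[0]] = (parts[1], parts[2])
    return snap


def dword(snap: Snapshot, key: str, name: str, default: int) -> int:
    entry = snap.get(key, {}).get(name)
    return default if entry is None else int(entry[1], 0)   # "0x1" or "1"


def audit(snap: Snapshot) -> List[str]:
    findings: List[str] = []
    for name, default, ok, why in UAC_CHECKS:
        v = dword(snap, POLICY_SYSTEM, name, default)
        if not ok(v):
            findings.append(f"HKLM Policies\\System\\{name}={v}: {why}")
    for key in snap:  # DisableRegistryTools is honoured from either hive; the report sets both
        if key.endswith(r"\policies\system") and dword(snap, key, "DisableRegistryTools", 0) != 0:
            findings.append(f"{key}\\DisableRegistryTools=1: regedit blocked by policy")
    shell = snap.get(WINLOGON, {}).get("Shell", ("REG_SZ", "explorer.exe"))[1]
    if shell.strip().lower() != "explorer.exe":   # the report's "Explorer.exe" is still the default shell
        findings.append(f"Winlogon\\Shell replaced with {shell!r}")
    for name, (_, data) in snap.get(POLICY_RUN, {}).items():
        findings.append(f"Policies\\Explorer\\Run\\{name} starts {data}")
    if SAFEBOOT_MINIMAL in snap:
        present = {k.rsplit("\\", 1)[1] for k in snap if k.startswith(SAFEBOOT_MINIMAL + "\\")}
        for svc in SAFEBOOT_REQUIRED:
            if svc.lower() not in present:
                findings.append(f"SafeBoot\\Minimal\\{svc} missing: Safe Mode boot impaired")
    return findings
```

Collect the input with `reg query` on each of the four keys (the SafeBoot one without `/s`, so subkeys are listed as paths) and feed the concatenated output to `parse_reg_query`. Against the report's values the audit returns ten findings; against the clean snapshot it returns none, and the Winlogon value is deliberately not flagged, since `Explorer.exe` is the default shell and only a different path there indicates hijacking.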
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eylcrlxtlxaziwuwk = "niwoezmjcpttdsrujx.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aypkdbrrndknasuasjomd.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yujctpdbvjopaqqukzc.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "yujctpdbvjopaqqukzc.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqcsgzkfwhjhpcza.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\xqcsgzkfwhjhpcza = "eylcrlxtlxaziwuwk.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niwoezmjcpttdsrujx.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "eylcrlxtlxaziwuwk.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "xqcsgzkfwhjhpcza.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eylcrlxtlxaziwuwk = "niwoezmjcpttdsrujx.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\xqcsgzkfwhjhpcza = "niwoezmjcpttdsrujx.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yujctpdbvjopaqqukzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqcsgzkfwhjhpcza.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "yujctpdbvjopaqqukzc.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eylcrlxtlxaziwuwk = "yujctpdbvjopaqqukzc.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liyskhwvqflnzqrwndhe.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yujctpdbvjopaqqukzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eylcrlxtlxaziwuwk.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eylcrlxtlxaziwuwk = "yujctpdbvjopaqqukzc.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niwoezmjcpttdsrujx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eylcrlxtlxaziwuwk.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eylcrlxtlxaziwuwk.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yujctpdbvjopaqqukzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aypkdbrrndknasuasjomd.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eylcrlxtlxaziwuwk.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "liyskhwvqflnzqrwndhe.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niwoezmjcpttdsrujx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liyskhwvqflnzqrwndhe.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "yujctpdbvjopaqqukzc.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aypkdbrrndknasuasjomd.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niwoezmjcpttdsrujx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liyskhwvqflnzqrwndhe.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niwoezmjcpttdsrujx.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niwoezmjcpttdsrujx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niwoezmjcpttdsrujx.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqcsgzkfwhjhpcza.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niwoezmjcpttdsrujx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niwoezmjcpttdsrujx.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yujctpdbvjopaqqukzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aypkdbrrndknasuasjomd.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eylcrlxtlxaziwuwk = "liyskhwvqflnzqrwndhe.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yujctpdbvjopaqqukzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yujctpdbvjopaqqukzc.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "aypkdbrrndknasuasjomd.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\xqcsgzkfwhjhpcza = "yujctpdbvjopaqqukzc.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yujctpdbvjopaqqukzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqcsgzkfwhjhpcza.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yujctpdbvjopaqqukzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liyskhwvqflnzqrwndhe.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\xqcsgzkfwhjhpcza = "xqcsgzkfwhjhpcza.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\xqcsgzkfwhjhpcza = "niwoezmjcpttdsrujx.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yujctpdbvjopaqqukzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yujctpdbvjopaqqukzc.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "niwoezmjcpttdsrujx.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "niwoezmjcpttdsrujx.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niwoezmjcpttdsrujx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xqcsgzkfwhjhpcza.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aypkdbrrndknasuasjomd.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "xqcsgzkfwhjhpcza.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "eylcrlxtlxaziwuwk.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "liyskhwvqflnzqrwndhe.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yujctpdbvjopaqqukzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eylcrlxtlxaziwuwk.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yujctpdbvjopaqqukzc.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "aypkdbrrndknasuasjomd.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "yujctpdbvjopaqqukzc.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eylcrlxtlxaziwuwk.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eylcrlxtlxaziwuwk = "yujctpdbvjopaqqukzc.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niwoezmjcpttdsrujx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niwoezmjcpttdsrujx.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niwoezmjcpttdsrujx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\liyskhwvqflnzqrwndhe.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "xqcsgzkfwhjhpcza.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "eylcrlxtlxaziwuwk.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eylcrlxtlxaziwuwk = "eylcrlxtlxaziwuwk.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "niwoezmjcpttdsrujx.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\xqcsgzkfwhjhpcza = "liyskhwvqflnzqrwndhe.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yujctpdbvjopaqqukzc.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eylcrlxtlxaziwuwk = "xqcsgzkfwhjhpcza.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\niwoezmjcpttdsrujx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aypkdbrrndknasuasjomd.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "liyskhwvqflnzqrwndhe.exe" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\liyskhwvqflnzqrwndhe.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rqieyxopmdlpdwzgzrxwok.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File created | C:\Windows\SysWOW64\beaaybwbcxjrjgnyvrbeaa.bwb | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File created | C:\Windows\SysWOW64\sgnyhvbrdjgzckcygniwdoxlrhtzwpsas.wdy | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yujctpdbvjopaqqukzc.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\niwoezmjcpttdsrujx.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yujctpdbvjopaqqukzc.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aypkdbrrndknasuasjomd.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\niwoezmjcpttdsrujx.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rqieyxopmdlpdwzgzrxwok.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yujctpdbvjopaqqukzc.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\beaaybwbcxjrjgnyvrbeaa.bwb | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yujctpdbvjopaqqukzc.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\liyskhwvqflnzqrwndhe.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aypkdbrrndknasuasjomd.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\niwoezmjcpttdsrujx.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aypkdbrrndknasuasjomd.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rqieyxopmdlpdwzgzrxwok.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eylcrlxtlxaziwuwk.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\liyskhwvqflnzqrwndhe.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eylcrlxtlxaziwuwk.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\liyskhwvqflnzqrwndhe.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\niwoezmjcpttdsrujx.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sgnyhvbrdjgzckcygniwdoxlrhtzwpsas.wdy | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xqcsgzkfwhjhpcza.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rqieyxopmdlpdwzgzrxwok.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xqcsgzkfwhjhpcza.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eylcrlxtlxaziwuwk.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xqcsgzkfwhjhpcza.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\aypkdbrrndknasuasjomd.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xqcsgzkfwhjhpcza.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\eylcrlxtlxaziwuwk.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\sgnyhvbrdjgzckcygniwdoxlrhtzwpsas.wdy | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Program Files (x86)\beaaybwbcxjrjgnyvrbeaa.bwb | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File created | C:\Program Files (x86)\beaaybwbcxjrjgnyvrbeaa.bwb | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Program Files (x86)\sgnyhvbrdjgzckcygniwdoxlrhtzwpsas.wdy | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\yujctpdbvjopaqqukzc.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\liyskhwvqflnzqrwndhe.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\xqcsgzkfwhjhpcza.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\niwoezmjcpttdsrujx.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\niwoezmjcpttdsrujx.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\niwoezmjcpttdsrujx.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\aypkdbrrndknasuasjomd.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\yujctpdbvjopaqqukzc.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\aypkdbrrndknasuasjomd.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\rqieyxopmdlpdwzgzrxwok.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\beaaybwbcxjrjgnyvrbeaa.bwb | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\eylcrlxtlxaziwuwk.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\liyskhwvqflnzqrwndhe.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File created | C:\Windows\beaaybwbcxjrjgnyvrbeaa.bwb | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\aypkdbrrndknasuasjomd.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\rqieyxopmdlpdwzgzrxwok.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\liyskhwvqflnzqrwndhe.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\sgnyhvbrdjgzckcygniwdoxlrhtzwpsas.wdy | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\xqcsgzkfwhjhpcza.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\eylcrlxtlxaziwuwk.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\niwoezmjcpttdsrujx.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\xqcsgzkfwhjhpcza.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\eylcrlxtlxaziwuwk.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\yujctpdbvjopaqqukzc.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\liyskhwvqflnzqrwndhe.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\aypkdbrrndknasuasjomd.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\rqieyxopmdlpdwzgzrxwok.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\rqieyxopmdlpdwzgzrxwok.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\xqcsgzkfwhjhpcza.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| File opened for modification | C:\Windows\eylcrlxtlxaziwuwk.exe | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File created | C:\Windows\sgnyhvbrdjgzckcygniwdoxlrhtzwpsas.wdy | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| File opened for modification | C:\Windows\yujctpdbvjopaqqukzc.exe | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
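The registry rows in the "Adds Run key to start application" and "System policy modification" tables above are uniform enough to be parsed mechanically. The script below is an added example, not part of the sandbox report and not code from the sample: it reads rows in the report's own table format (a subset of the rows above is embedded as sample input), separates persistence entries from policy writes, and compares each policy value against a default Windows 10 baseline. That baseline is an assumption of the example, not something the report states (EnableInstallerDetection in particular differs between editions). Two details worth checking are that several Run/RunOnce values are bare file names with no directory, which Windows resolves through the executable search path, where the "Drops file in Windows directory" table shows copies of the same names being written, and that NoDriveTypeAutoRun is set to 1, which disables AutoRun only for drives of unknown type and leaves removable media enabled, consistent with the autorun.inf written to C:\ and F:\.

```python
import re

# Sample input: rows copied from the report's "Adds Run key to start application"
# and "System policy modification" tables above (a subset; the full tables parse too).
REPORT_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yujctpdbvjopaqqukzc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eylcrlxtlxaziwuwk.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eylcrlxtlxaziwuwk = "yujctpdbvjopaqqukzc.exe ." | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pgqeqhqjyhhdju = "liyskhwvqflnzqrwndhe.exe ." | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "yujctpdbvjopaqqukzc.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\oenalbjbpxwrw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aypkdbrrndknasuasjomd.exe" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe | N/A |
"""

# One row of a report signature table: | Description | Indicator | Process | Target |
ROW_RE = re.compile(r"^\|\s*(?P<op>[^|]+?)\s*\|\s*(?P<ind>[^|]+?)\s*\|"
                    r"\s*(?P<proc>[^|]+?)\s*\|\s*(?P<target>[^|]+?)\s*\|$")

# Values on a default Windows 10 install. This baseline is an assumption of the
# example, not something the report states; EnableInstallerDetection in
# particular differs between editions, and NoDriveTypeAutoRun defaults to 0x91.
BASELINE = {
    "EnableLUA": 1, "ConsentPromptBehaviorAdmin": 5, "ConsentPromptBehaviorUser": 3,
    "PromptOnSecureDesktop": 1, "EnableInstallerDetection": 1, "EnableSecureUIAPaths": 1,
    "EnableVirtualization": 1, "ValidateAdminCodeSignatures": 0,
    "FilterAdministratorToken": 0, "DisableRegistryTools": 0, "NoDriveTypeAutoRun": 0x91,
}

# NoDriveTypeAutoRun is a bitmask; a set bit disables AutoRun for that drive type.
DRIVE_TYPE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed",
                   0x10: "network", 0x20: "cdrom", 0x40: "ramdisk"}


def parse_rows(text):
    """Report rows -> dicts with op, registry path, value (None if none) and writing process."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m.group("op") == "Description":
            continue
        path, sep, raw = m.group("ind").partition(" = ")
        events.append({"op": m.group("op"), "path": path.strip(),
                       "value": raw.strip().strip('"') if sep else None,
                       "proc": m.group("proc").rsplit("\\", 1)[-1]})
    return events


def persistence_entries(events):
    """Run/RunOnce writes; flags bare image names, which Windows resolves through the
    executable search path (the report shows copies dropped into C:\\Windows)."""
    out = []
    for e in events:
        if e["value"] is None or "\\CurrentVersion\\Run" not in e["path"]:
            continue
        image = e["value"].split(" ")[0]       # drop the trailing " ." argument
        out.append({"hive": "HKLM" if e["path"].startswith("\\REGISTRY\\MACHINE") else "HKU",
                    "key": "RunOnce" if "\\RunOnce\\" in e["path"] else "Run",
                    "name": e["path"].rsplit("\\", 1)[-1], "image": image,
                    "bare_name": "\\" not in image, "writer": e["proc"]})
    return out


def policy_findings(events):
    """Every baseline policy value the sample writes, with whether it moved off the default."""
    findings = []
    for e in events:
        if e["op"] != "Set value (int)" or "\\Policies\\" not in e["path"]:
            continue
        name = e["path"].rsplit("\\", 1)[-1]
        if name in BASELINE:
            observed = int(e["value"])
            findings.append({"name": name, "observed": observed, "expected": BASELINE[name],
                             "deviates": observed != BASELINE[name], "writer": e["proc"]})
    return findings


def autorun_enabled_for(mask):
    """Drive types on which AutoRun stays enabled under a NoDriveTypeAutoRun mask."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


def summarize(text):
    events = parse_rows(text)
    persist = persistence_entries(events)
    policy = policy_findings(events)
    masks = [f["observed"] for f in policy if f["name"] == "NoDriveTypeAutoRun"]
    return {"events": len(events), "persistence": persist, "policy": policy,
            "bare_name_images": sorted({p["image"] for p in persist if p["bare_name"]}),
            "deviations": sorted(f["name"] for f in policy if f["deviates"]),
            "autorun_enabled_for": autorun_enabled_for(masks[0]) if masks else None}


if __name__ == "__main__":
    s = summarize(REPORT_ROWS)
    for p in s["persistence"]:
        print(f'{p["hive"]} {p["key"]}\\{p["name"]} -> {p["image"]}'
              f'{" (bare name)" if p["bare_name"] else ""}  [{p["writer"]}]')
    for f in s["policy"]:
        print(f'{f["name"]}: {f["observed"]} (default {f["expected"]})'
              f'{"  CHANGED" if f["deviates"] else ""}')
    print("AutoRun still enabled for:", s["autorun_enabled_for"])
```

Pasting the full tables in place of the embedded subset gives the complete picture; the repeated rows in the report are repeated writes by the two dropped executables, so the writer field is worth keeping when building a timeline. On a live host the same comparison can be made against the values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, with EnableLUA=0 being the single value that switches UAC off entirely.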
Processes
C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\131ff135d3cbadbe59f927d662f8dcdc_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe
"C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe" "c:\users\admin\appdata\local\temp\131ff135d3cbadbe59f927d662f8dcdc_jaffacakes118.exe*"
C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe
"C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe" "-C:\Users\Admin\AppData\Local\Temp\xqcsgzkfwhjhpcza.exe"
C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe
"C:\Users\Admin\AppData\Local\Temp\yilsxhj.exe" "-C:\Users\Admin\AppData\Local\Temp\xqcsgzkfwhjhpcza.exe"
C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe
"C:\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe" "c:\users\admin\appdata\local\temp\131ff135d3cbadbe59f927d662f8dcdc_jaffacakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.bbc.co.uk | udp |
| US | 151.101.0.81:80 | www.bbc.co.uk | tcp |
| LV | 81.198.153.70:15181 | N/A | tcp |
| US | 8.8.8.8:53 | vsdgddzap.org | udp |
| US | 162.249.65.164:80 | vsdgddzap.org | tcp |
| US | 8.8.8.8:53 | emfevccuwzsk.info | udp |
| US | 8.8.8.8:53 | jrwykqq.net | udp |
| US | 8.8.8.8:53 | fbzdiwnuua.net | udp |
| CY | 78.40.141.178:26315 | N/A | tcp |
| US | 8.8.8.8:53 | kwhfqnnejec.info | udp |
| US | 34.211.97.45:80 | kwhfqnnejec.info | tcp |
| US | 8.8.8.8:53 | tepyknfqpj.net | udp |
| US | 8.8.8.8:53 | ryxctjzgg.com | udp |
| US | 8.8.8.8:53 | akznvakqu.net | udp |
| LT | 78.63.14.25:25098 | N/A | tcp |
| US | 8.8.8.8:53 | cimrms.net | udp |
| US | 8.8.8.8:53 | eomqiyui.org | udp |
| US | 162.249.65.164:80 | eomqiyui.org | tcp |
| US | 8.8.8.8:53 | ldpeiuzzr.info | udp |
| BG | 77.77.59.5:13863 | N/A | tcp |
| US | 8.8.8.8:53 | jxbwkfbo.net | udp |
| US | 8.8.8.8:53 | lpllzersuj.info | udp |
| LT | 78.60.126.15:42744 | N/A | tcp |
| US | 8.8.8.8:53 | hazzthxrziyh.net | udp |
| US | 8.8.8.8:53 | gfpinqbmbmx.info | udp |
| US | 8.8.8.8:53 | jawzfnq.org | udp |
| US | 162.249.65.164:80 | jawzfnq.org | tcp |
| US | 8.8.8.8:53 | wcbykvjod.info | udp |
| US | 8.8.8.8:53 | yzunrn.net | udp |
| LT | 78.56.187.75:31118 | N/A | tcp |
| US | 8.8.8.8:53 | ybdafmfdaz.net | udp |
| US | 8.8.8.8:53 | miokoi.org | udp |
| US | 8.8.8.8:53 | awowcxnzde.net | udp |
| BG | 178.239.121.175:30794 | N/A | tcp |
| US | 8.8.8.8:53 | ikzszjxmq.info | udp |
| US | 208.100.26.245:80 | ikzszjxmq.info | tcp |
| US | 8.8.8.8:53 | yavjrbwldmn.net | udp |
| US | 8.8.8.8:53 | mgdozpxkn.net | udp |
| LT | 77.79.24.5:38560 | N/A | tcp |
| US | 8.8.8.8:53 | hxaooopty.info | udp |
| US | 8.8.8.8:53 | cgqwmw.com | udp |
| US | 8.8.8.8:53 | qcjeuitux.net | udp |
| BG | 95.43.6.222:37336 | N/A | tcp |
| US | 8.8.8.8:53 | knvyfgstam.info | udp |
| US | 8.8.8.8:53 | agxabrwhhv.net | udp |
| US | 8.8.8.8:53 | nibgvqqbg.net | udp |
| LT | 91.187.185.131:15609 | N/A | tcp |
| US | 8.8.8.8:53 | dwjekndz.info | udp |
| US | 8.8.8.8:53 | eoagosgwciko.org | udp |
| US | 8.8.8.8:53 | bfnkdfbtnuch.info | udp |
| US | 8.8.8.8:53 | rwjyat.net | udp |
| BG | 178.239.119.33:34734 | | tcp |
| US | 8.8.8.8:53 | jinzhwrsqi.info | udp |
| US | 8.8.8.8:53 | dirugm.net | udp |
| US | 8.8.8.8:53 | sqiguiiuyq.org | udp |
| BG | 95.42.235.49:44886 | | tcp |
| US | 8.8.8.8:53 | hswepwt.com | udp |
| US | 8.8.8.8:53 | mokcscyg.com | udp |
| LT | 78.62.132.178:24520 | | tcp |
| US | 8.8.8.8:53 | mmmgockgue.com | udp |
| US | 8.8.8.8:53 | jlowau.net | udp |
| US | 8.8.8.8:53 | cwmzlaiud.net | udp |
| LT | 88.222.16.79:34052 | | tcp |
| US | 8.8.8.8:53 | giioymcimwmg.com | udp |
| US | 8.8.8.8:53 | axdlde.info | udp |
| US | 8.8.8.8:53 | yvrnagjc.info | udp |
| BG | 85.130.45.90:32741 | | tcp |
| US | 8.8.8.8:53 | atierp.info | udp |
| US | 8.8.8.8:53 | jchnrmjebk.info | udp |
| US | 8.8.8.8:53 | aecmguku.com | udp |
| LT | 78.62.58.131:16312 | | tcp |
| US | 8.8.8.8:53 | kidrmkwxqbba.info | udp |
| US | 8.8.8.8:53 | zmkyeup.com | udp |
| US | 8.8.8.8:53 | jydnupwk.net | udp |
| LV | 87.110.50.191:28303 | | tcp |
| US | 8.8.8.8:53 | fujehadwb.com | udp |
| US | 8.8.8.8:53 | ihrilyfdgvh.net | udp |
| US | 8.8.8.8:53 | uofsbfzvmi.net | udp |
| N/A | 82.137.112.159:21742 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe
| MD5 | 8b7781277ff9baab32f9a7b0ae6b96fa |
| SHA1 | c6a8e4d5f6e8ca73ad4b1edcdb4c1c2f2119cfe3 |
| SHA256 | 0f67205bb9d5fa465993ffa257d6f38fb4ab5e4528e6910b4568867291ffb28e |
| SHA512 | 9f92d621889596515cb84b69331e8eafe1d5308901d225d75c86cc2da2ad2f7c590d6f857fab0a0811d9dc323363287f45ff5372b7c35361e43332fbc1103b33 |
C:\Windows\SysWOW64\niwoezmjcpttdsrujx.exe
| MD5 | 131ff135d3cbadbe59f927d662f8dcdc |
| SHA1 | 30e8e955a61cf6f197f1e58ae9e769ffc82279c6 |
| SHA256 | fbd2e2e9a43788994e7bd9f0f34240668a79c841a8c919ee79b8fcc9fda93dad |
| SHA512 | c504a3a66012c9a12cfd86246456e191e81ca912f6f5b80ceb8b8d7e41df19904880869a0a7d1da73cfa71ba96d8088a885d10c184efa5a24248d87015066448 |
\Users\Admin\AppData\Local\Temp\yilsxhj.exe
| MD5 | c68fbba348e38db256b5e16afc0df078 |
| SHA1 | 9c58a86589dda1aeb8d96e87fad050f6aba00e6b |
| SHA256 | 75b98bbecf31c011aa758ef6c1b4e1381cdc061ff1a06c95bbb2d139dca7588a |
| SHA512 | 2bb1a5630ddaf036ea7944ab4ba2058211c166f1c27c7198b1babf79f418adcbe23811eeae444f1ad1ebaea0964179170ea5ec7ae3605e40e64590fe0a3343c0 |
C:\Users\Admin\AppData\Local\beaaybwbcxjrjgnyvrbeaa.bwb
| MD5 | 6bea0347a7a7e2a83f82a68a03eb207b |
| SHA1 | 12295dc3c0c0a82e99163ea993fca2de6bd3889b |
| SHA256 | b6ac9d56434ce75c38e889e34938c34709cd67a7f614e591e15bbf5cf68be7d9 |
| SHA512 | 9dab5c69cbcc4bdc1dee90f422766ffe52f9f28836166bad0faa0a3b51ca9156a8daf6f1b72cab5e6216981bd8db1ab1ba5107bb3df32e1b8a79d3f3adfdc27e |
C:\Users\Admin\AppData\Local\sgnyhvbrdjgzckcygniwdoxlrhtzwpsas.wdy
| MD5 | 157f81d8a4448ba3f700ecfcd41116ab |
| SHA1 | a149291385ddcf8179d26e2c8fdcb3847ba9165e |
| SHA256 | 8ef5ba774658efae5b42df4cd6b01b5c76f91bb2aa39d8e3479c0ae05d1221f1 |
| SHA512 | 5c74fbd92aa0cd99352954af1fca5b986e7ec4086c538e68f86f297983045c854a5fbc60f11d4fe4adba3f9a1c18ec03ea1a7263a640c4f18825f55fab253990 |
C:\Program Files (x86)\beaaybwbcxjrjgnyvrbeaa.bwb
| MD5 | fa7679fc986f3b8743fcb32d62349077 |
| SHA1 | 3f2ba0fd400f63622c249325a711d7d069e6b926 |
| SHA256 | bff9d803f68f66f3564ca43668c5c5ecde7e2ed921eb3754016ad3d2e11ffcf6 |
| SHA512 | 621fa88555ca6e19dbb813261dd72ed557fe859f54db235e4af6f840e30a019bfaa1123b420b89007e3c5111ec0b828b92639409fe79ffbd8007e9ccfe470253 |
C:\Program Files (x86)\beaaybwbcxjrjgnyvrbeaa.bwb
| MD5 | 331d50340c595128d23d9e29fbfda68a |
| SHA1 | 453f848632a3efa4055ea7db33e4f2bbaff8dc68 |
| SHA256 | d0400258f76581167a87df317033f5d62ba98db36bdd8453d1edff7a0119d0d8 |
| SHA512 | eb37e1dafd4a87acd0a2e83c58bb173368fbc9bf3fe33eebd7d01e8f716a76ed996356e14a6292a5ae455123608164f11fe592609089ad3e2d01b85e73a3a0d5 |
C:\sgnyhvbrdjg.bat
| MD5 | ded93dada5a6ff36b4ee07e8c5224762 |
| SHA1 | 755d8608cb7e092487570ddb435e8135c5eede6e |
| SHA256 | 5040c6970a5e3f8a0b08d7fe34ebc1a5ce3d70e22000176dd7b9703b2a131dc7 |
| SHA512 | f2f379aa49e21b534d7d7994fef0da4b764b6fd5aed9e592f24d016b6f7a66a8a68553fac639ec281f0af9db50fcd0ae9069da0ddadb2dc6c5f80f75b27d4fdd |
C:\Users\Admin\AppData\Local\beaaybwbcxjrjgnyvrbeaa.bwb
| MD5 | 4f18d2d463d4020fa417ff1961466841 |
| SHA1 | a4e0a48fbd920f650193723c86bd1378dd1dbb76 |
| SHA256 | 5de41dc860d4a1a6c1d4b6b56b33fd0c067a1bd1729e44ab8f7adc06b8406824 |
| SHA512 | fc7bda6f82579af920f6c1a054981dface2c2c685b28ef6014a37cb54f4109184731069f5776296dbcfaaec2a074c88c12e0e0588694520e322952de41e04777 |
C:\Program Files (x86)\beaaybwbcxjrjgnyvrbeaa.bwb
| MD5 | 155c0ce1bfc541aca6f9cb920fe8e0f9 |
| SHA1 | fd0d80f8a50ac724fa0467ea94e215055c0a113a |
| SHA256 | f0bf4d04a62be5c58d791b42cb5c26f6557ae85e932aa4e00f8ee3afc4e8f5e4 |
| SHA512 | bf568b1d05b7cb093f126d5017892816553bc326e44b5aecec72114cf210f5cdf5347757eeedbc49df70427f87c01cd48359b76a5486924bc1f35a2835a6e488 |
C:\Users\Admin\AppData\Local\beaaybwbcxjrjgnyvrbeaa.bwb
| MD5 | cdfc5d1a0cc9ecf05caebef5286176e0 |
| SHA1 | c122c852a2cd90ab5b4950a094ff3adbad068f32 |
| SHA256 | 145714f0c5b772860d81d18450008cc5dbc6e2f2ea1d81c22441995a30a0398a |
| SHA512 | 711dc861e396763382119f64bbb202952da10080e3864c5aec02e3339b2e2932818f5ee74ca7b0b9018e27f2f16bcf3f07d113a95f15e61466f406ca85b47128 |
C:\Program Files (x86)\beaaybwbcxjrjgnyvrbeaa.bwb
| MD5 | 9f7795f46862bb70238e4243a67cb540 |
| SHA1 | f6366928d70f9901c199f19aff856d75f7a4f166 |
| SHA256 | 7034d5346b4e864991dce66000084766f53f8666dd26a01549981aa1af49fb6f |
| SHA512 | a353e27388b97eb790fc23e88351a27ba932bfe90aa7a13693cacea97a9f1d43b48853bf07a25424df0abd4198b4bd65a9663501641a333fc1d3bc8e552af13b |
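The network rows above mix three different things (DNS lookups sent to 8.8.8.8, TCP connections to a resolved name, and bare TCP connections to high ports with no name at all), and the Files list repeats the same path several times because the sample rewrites the same file with different content. The parser below, an added example and not part of the report, turns both tables into IOC lists. Its input is a trimmed excerpt constructed from rows copied from the tables above; the column order (Country, Address, Domain, Protocol) and the handling of rows whose empty Domain cell has been dropped are inferred from those rows, not from a documented schema, and the grouping rules are this example's own.

```python
"""Added example: parse the network and dropped-file tables of a sandbox report into IOCs.
Input is a constructed excerpt of rows copied from the report; the column layout is
inferred from those rows (no published schema is assumed)."""
import re
from collections import defaultdict

# Constructed excerpt. Two network rows keep the collapsed form in which the empty
# Domain cell is missing, so the parser has to accept both layouts.
REPORT_EXCERPT = r"""
| US | 8.8.8.8:53 | vsdgddzap.org | udp |
| US | 162.249.65.164:80 | vsdgddzap.org | tcp |
| US | 8.8.8.8:53 | emfevccuwzsk.info | udp |
| CY | 78.40.141.178:26315 | tcp | |
| US | 8.8.8.8:53 | kwhfqnnejec.info | udp |
| US | 34.211.97.45:80 | kwhfqnnejec.info | tcp |
| LT | 78.63.14.25:25098 | | tcp |
| N/A | 82.137.112.159:21742 | tcp |
Files
\Users\Admin\AppData\Local\Temp\atwewsahkdg.exe
| MD5 | 8b7781277ff9baab32f9a7b0ae6b96fa |
| SHA256 | 0f67205bb9d5fa465993ffa257d6f38fb4ab5e4528e6910b4568867291ffb28e |
C:\Windows\SysWOW64\niwoezmjcpttdsrujx.exe
| MD5 | 131ff135d3cbadbe59f927d662f8dcdc |
| SHA256 | fbd2e2e9a43788994e7bd9f0f34240668a79c841a8c919ee79b8fcc9fda93dad |
C:\Program Files (x86)\beaaybwbcxjrjgnyvrbeaa.bwb
| MD5 | fa7679fc986f3b8743fcb32d62349077 |
| SHA256 | bff9d803f68f66f3564ca43668c5c5ecde7e2ed921eb3754016ad3d2e11ffcf6 |
C:\Program Files (x86)\beaaybwbcxjrjgnyvrbeaa.bwb
| MD5 | 331d50340c595128d23d9e29fbfda68a |
| SHA256 | d0400258f76581167a87df317033f5d62ba98db36bdd8453d1edff7a0119d0d8 |
"""

NET_ROW = re.compile(
    r"^\|\s*(?P<cc>[A-Z]{2}|N/A)\s*\|\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s*\|(?P<rest>.*)$"
)
HASH_ROW = re.compile(r"^\|\s*(?P<alg>MD5|SHA1|SHA256|SHA512)\s*\|\s*(?P<hex>[0-9a-f]+)\s*\|$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_net_row(line):
    """Return a dict for one network row, or None if the line is not one."""
    m = NET_ROW.match(line)
    if not m:
        return None
    cells = [c.strip() for c in m.group("rest").split("|") if c.strip()]
    if len(cells) == 2:          # Domain and Protocol both present
        domain, proto = cells
    elif len(cells) == 1:        # empty Domain cell (present or dropped): only the protocol survives
        domain, proto = None, cells[0]
    else:
        raise ValueError(f"unexpected network row: {line!r}")
    if proto not in ("tcp", "udp"):
        raise ValueError(f"bad protocol in row: {line!r}")
    return {"cc": m.group("cc"), "ip": m.group("ip"), "port": int(m.group("port")),
            "domain": domain, "proto": proto}


def extract_iocs(report_text):
    iocs = {"dns_queries": set(), "resolved_connections": [], "direct_connections": [],
            "dropped_files": []}
    current, in_files = None, False
    for line in (l.strip() for l in report_text.splitlines()):
        if not line:
            continue
        if line == "Files":
            in_files = True
            continue
        if not in_files:
            row = parse_net_row(line)
            if row is None:
                raise ValueError(f"unparsed network line: {line!r}")
            if row["domain"] is None:
                iocs["direct_connections"].append((row["ip"], row["port"], row["proto"], row["cc"]))
            elif row["proto"] == "udp" and row["port"] == 53:
                iocs["dns_queries"].add(row["domain"])
            else:
                iocs["resolved_connections"].append((row["domain"], row["ip"], row["port"], row["proto"]))
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError("hash row before any file path")
            if len(m.group("hex")) != HEX_LEN[m.group("alg")]:
                raise ValueError(f"{m.group('alg')} digest has wrong length: {line!r}")
            current["hashes"][m.group("alg")] = m.group("hex")
        else:
            # Every path line opens a new entry, even for a path already seen: the same
            # file is written more than once with different content, and merging by
            # path would silently discard all but one set of digests.
            current = {"path": line, "hashes": {}}
            iocs["dropped_files"].append(current)
    return iocs


def queried_but_unconnected(iocs):
    """Names looked up in the report with no connection to that name recorded."""
    connected = {d for d, *_ in iocs["resolved_connections"]}
    return sorted(iocs["dns_queries"] - connected)


def hashes_by_path(iocs):
    """Map each dropped path to the distinct digest sets observed for it."""
    out = defaultdict(list)
    for entry in iocs["dropped_files"]:
        if entry["hashes"] not in out[entry["path"]]:
            out[entry["path"]].append(entry["hashes"])
    return dict(out)


if __name__ == "__main__":
    iocs = extract_iocs(REPORT_EXCERPT)
    print("queried names:", sorted(iocs["dns_queries"]))
    print("queried, no connection:", queried_but_unconnected(iocs))
    print("direct connections:", iocs["direct_connections"])
    for path, digests in hashes_by_path(iocs).items():
        print(f"{path}: {len(digests)} distinct content version(s)")
```

Hunting with the output is more useful than grepping the report: the direct connections are IP:port pairs with no name to block, so they go to a network IOC list on their own; a queried name with no recorded connection is still worth alerting on, but the report alone does not say whether it resolved; and a hash list keyed by file path would have lost most of the `.bwb` digests, which is why the parser keeps one entry per occurrence.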