Malware Analysis Report

2025-03-15 00:53

Sample ID 240627-amyhmsvekk
Target 1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118
SHA256 96c5aeea64be8ac8173f07a0f8c7d252a83eb2fad215160f36078829856c0def
Tags
defense_evasion evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

96c5aeea64be8ac8173f07a0f8c7d252a83eb2fad215160f36078829856c0def

Threat Level: Known bad

The file 1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion evasion persistence trojan

Modifies WinLogon for persistence

UAC bypass

Adds policy Run key to start application

Disables RegEdit via registry modification

Loads dropped DLL

Impair Defenses: Safe Mode Boot

Checks computer location settings

Executes dropped EXE

Looks up external IP address via web service

Checks whether UAC is enabled

Adds Run key to start application

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

System policy modification

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-06-27 00:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 00:20

Reported

2024-06-27 00:22

Platform

win7-20240611-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "ncamkbnmyiqjhbtruh.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncamkbnmyiqjhbtruh.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lccqqjxymyiddzttynee.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "espaxnywhqxpmfwtv.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "astijdsujwhdebwxdtlmb.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "lccqqjxymyiddzttynee.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\espaxnywhqxpmfwtv.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\espaxnywhqxpmfwtv.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yonazreerclfezsrvjz.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncamkbnmyiqjhbtruh.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkgqmblisagxtlbx.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "yonazreerclfezsrvjz.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "lccqqjxymyiddzttynee.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "astijdsujwhdebwxdtlmb.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\astijdsujwhdebwxdtlmb.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "xkgqmblisagxtlbx.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkgqmblisagxtlbx.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "yonazreerclfezsrvjz.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yonazreerclfezsrvjz.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "lccqqjxymyiddzttynee.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lccqqjxymyiddzttynee.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "xkgqmblisagxtlbx.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lccqqjxymyiddzttynee.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "espaxnywhqxpmfwtv.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "astijdsujwhdebwxdtlmb.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\espaxnywhqxpmfwtv.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncamkbnmyiqjhbtruh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\astijdsujwhdebwxdtlmb.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\astijdsujwhdebwxdtlmb.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\xkgqmblisagxtlbx = "lccqqjxymyiddzttynee.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yonazreerclfezsrvjz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lccqqjxymyiddzttynee.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkgqmblisagxtlbx.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\xkgqmblisagxtlbx = "astijdsujwhdebwxdtlmb.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "xkgqmblisagxtlbx.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "lccqqjxymyiddzttynee.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncamkbnmyiqjhbtruh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\astijdsujwhdebwxdtlmb.exe ." C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncamkbnmyiqjhbtruh.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\espaxnywhqxpmfwtv = "xkgqmblisagxtlbx.exe ." C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yonazreerclfezsrvjz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\espaxnywhqxpmfwtv.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncamkbnmyiqjhbtruh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lccqqjxymyiddzttynee.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\xkgqmblisagxtlbx = "ncamkbnmyiqjhbtruh.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncamkbnmyiqjhbtruh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\astijdsujwhdebwxdtlmb.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\espaxnywhqxpmfwtv = "xkgqmblisagxtlbx.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncamkbnmyiqjhbtruh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\espaxnywhqxpmfwtv.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "ncamkbnmyiqjhbtruh.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\xkgqmblisagxtlbx = "xkgqmblisagxtlbx.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\espaxnywhqxpmfwtv.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yonazreerclfezsrvjz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yonazreerclfezsrvjz.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "yonazreerclfezsrvjz.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "yonazreerclfezsrvjz.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\xkgqmblisagxtlbx = "yonazreerclfezsrvjz.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\espaxnywhqxpmfwtv = "yonazreerclfezsrvjz.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\espaxnywhqxpmfwtv = "lccqqjxymyiddzttynee.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncamkbnmyiqjhbtruh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yonazreerclfezsrvjz.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "espaxnywhqxpmfwtv.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkgqmblisagxtlbx.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lccqqjxymyiddzttynee.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkgqmblisagxtlbx.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "lccqqjxymyiddzttynee.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yonazreerclfezsrvjz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\astijdsujwhdebwxdtlmb.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "astijdsujwhdebwxdtlmb.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncamkbnmyiqjhbtruh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\espaxnywhqxpmfwtv.exe ." C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncamkbnmyiqjhbtruh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yonazreerclfezsrvjz.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\espaxnywhqxpmfwtv = "ncamkbnmyiqjhbtruh.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "astijdsujwhdebwxdtlmb.exe ." C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "xkgqmblisagxtlbx.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncamkbnmyiqjhbtruh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncamkbnmyiqjhbtruh.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "ncamkbnmyiqjhbtruh.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkgqmblisagxtlbx.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\xkgqmblisagxtlbx = "espaxnywhqxpmfwtv.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "yonazreerclfezsrvjz.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\espaxnywhqxpmfwtv = "espaxnywhqxpmfwtv.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncamkbnmyiqjhbtruh.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\xkgqmblisagxtlbx = "xkgqmblisagxtlbx.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\espaxnywhqxpmfwtv = "yonazreerclfezsrvjz.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yonazreerclfezsrvjz.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "lccqqjxymyiddzttynee.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\xkgqmblisagxtlbx = "lccqqjxymyiddzttynee.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\espaxnywhqxpmfwtv = "astijdsujwhdebwxdtlmb.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\espaxnywhqxpmfwtv.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "astijdsujwhdebwxdtlmb.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yonazreerclfezsrvjz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkgqmblisagxtlbx.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\espaxnywhqxpmfwtv = "astijdsujwhdebwxdtlmb.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "astijdsujwhdebwxdtlmb.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncamkbnmyiqjhbtruh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkgqmblisagxtlbx.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yonazreerclfezsrvjz.exe ." C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yonazreerclfezsrvjz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkgqmblisagxtlbx.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "espaxnywhqxpmfwtv.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yonazreerclfezsrvjz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncamkbnmyiqjhbtruh.exe" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\xkgqmblisagxtlbx = "yonazreerclfezsrvjz.exe" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.showmyipaddress.com N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ncamkbnmyiqjhbtruh.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\astijdsujwhdebwxdtlmb.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\SysWOW64\yonazreerclfezsrvjz.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\SysWOW64\astijdsujwhdebwxdtlmb.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\SysWOW64\lccqqjxymyiddzttynee.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\rkmcezpsiwifhfbdkbuwmo.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\yonazreerclfezsrvjz.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\astijdsujwhdebwxdtlmb.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\xkgqmblisagxtlbx.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\SysWOW64\oyryrdkelqthapcvtbleleqxrydguncpigo.ryr C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File created C:\Windows\SysWOW64\oyryrdkelqthapcvtbleleqxrydguncpigo.ryr C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\SysWOW64\xkgqmblisagxtlbx.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\espaxnywhqxpmfwtv.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\espaxnywhqxpmfwtv.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\SysWOW64\yonazreerclfezsrvjz.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\SysWOW64\rkmcezpsiwifhfbdkbuwmo.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\SysWOW64\lccqqjxymyiddzttynee.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\SysWOW64\lccqqjxymyiddzttynee.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\SysWOW64\rkmcezpsiwifhfbdkbuwmo.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\ncamkbnmyiqjhbtruh.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\SysWOW64\xkgqmblisagxtlbx.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\SysWOW64\ncamkbnmyiqjhbtruh.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File created C:\Windows\SysWOW64\femiqrnwsmehptvdqnmuqyzv.aum C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\SysWOW64\espaxnywhqxpmfwtv.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\yonazreerclfezsrvjz.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\astijdsujwhdebwxdtlmb.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\xkgqmblisagxtlbx.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\lccqqjxymyiddzttynee.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\SysWOW64\rkmcezpsiwifhfbdkbuwmo.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\SysWOW64\espaxnywhqxpmfwtv.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\SysWOW64\femiqrnwsmehptvdqnmuqyzv.aum C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\SysWOW64\ncamkbnmyiqjhbtruh.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\oyryrdkelqthapcvtbleleqxrydguncpigo.ryr C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Program Files (x86)\femiqrnwsmehptvdqnmuqyzv.aum C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File created C:\Program Files (x86)\femiqrnwsmehptvdqnmuqyzv.aum C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Program Files (x86)\oyryrdkelqthapcvtbleleqxrydguncpigo.ryr C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\lccqqjxymyiddzttynee.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\espaxnywhqxpmfwtv.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\yonazreerclfezsrvjz.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\espaxnywhqxpmfwtv.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\espaxnywhqxpmfwtv.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File created C:\Windows\femiqrnwsmehptvdqnmuqyzv.aum C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\espaxnywhqxpmfwtv.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\lccqqjxymyiddzttynee.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\astijdsujwhdebwxdtlmb.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\lccqqjxymyiddzttynee.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\astijdsujwhdebwxdtlmb.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File created C:\Windows\oyryrdkelqthapcvtbleleqxrydguncpigo.ryr C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\rkmcezpsiwifhfbdkbuwmo.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\ncamkbnmyiqjhbtruh.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\rkmcezpsiwifhfbdkbuwmo.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\lccqqjxymyiddzttynee.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\xkgqmblisagxtlbx.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\ncamkbnmyiqjhbtruh.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\astijdsujwhdebwxdtlmb.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\rkmcezpsiwifhfbdkbuwmo.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\xkgqmblisagxtlbx.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\femiqrnwsmehptvdqnmuqyzv.aum C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\oyryrdkelqthapcvtbleleqxrydguncpigo.ryr C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\yonazreerclfezsrvjz.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\yonazreerclfezsrvjz.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\yonazreerclfezsrvjz.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\ncamkbnmyiqjhbtruh.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\rkmcezpsiwifhfbdkbuwmo.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\xkgqmblisagxtlbx.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\ncamkbnmyiqjhbtruh.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
File opened for modification C:\Windows\astijdsujwhdebwxdtlmb.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
File opened for modification C:\Windows\xkgqmblisagxtlbx.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1912 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe
PID 1912 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe
PID 1912 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe
PID 1912 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe
PID 2812 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe
PID 2812 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe
PID 2812 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe
PID 2812 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe
PID 2812 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe
PID 2812 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe
PID 2812 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe
PID 2812 wrote to memory of 2660 N/A C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe C:\Users\Admin\AppData\Local\Temp\loaamr.exe
PID 1912 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe
PID 1912 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe
PID 1912 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe
PID 1912 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\loaamr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe

"C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe" "c:\users\admin\appdata\local\temp\1402edfdcc8d1c5f9ec36eba012a8d37_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\loaamr.exe

"C:\Users\Admin\AppData\Local\Temp\loaamr.exe" "-C:\Users\Admin\AppData\Local\Temp\xkgqmblisagxtlbx.exe"

C:\Users\Admin\AppData\Local\Temp\loaamr.exe

"C:\Users\Admin\AppData\Local\Temp\loaamr.exe" "-C:\Users\Admin\AppData\Local\Temp\xkgqmblisagxtlbx.exe"

C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe

"C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe" "c:\users\admin\appdata\local\temp\1402edfdcc8d1c5f9ec36eba012a8d37_jaffacakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.com udp
US 104.27.207.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.27.207.92:80 www.whatismyip.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.27.207.92:80 www.whatismyip.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.27.207.92:80 www.whatismyip.com tcp
US 104.27.207.92:80 www.whatismyip.com tcp
US 104.27.207.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.imdb.com udp
GB 143.204.182.185:80 www.imdb.com tcp
LV 78.84.44.143:15896 tcp
US 8.8.8.8:53 vsdgddzap.org udp
US 162.249.65.164:80 vsdgddzap.org tcp
US 8.8.8.8:53 vfvcqz.info udp
US 8.8.8.8:53 blumhkper.org udp
LV 78.84.44.143:15896 tcp
US 8.8.8.8:53 esqewcusmyke.com udp
US 8.8.8.8:53 nfaazpfkdijh.net udp
US 8.8.8.8:53 ojwyxefnq.info udp
US 8.8.8.8:53 kwhfqnnejec.info udp
US 34.211.97.45:80 kwhfqnnejec.info tcp
US 8.8.8.8:53 jujscjr.info udp
US 8.8.8.8:53 naxgpeb.info udp
US 8.8.8.8:53 vcuahutubfr.info udp
US 8.8.8.8:53 pqvwihfl.info udp
US 8.8.8.8:53 eomqiyui.org udp
US 162.249.65.164:80 eomqiyui.org tcp
US 8.8.8.8:53 mmxyych.net udp
US 8.8.8.8:53 licwkmh.info udp
US 8.8.8.8:53 aisgkquwmi.org udp
US 8.8.8.8:53 hazzthxrziyh.net udp
US 8.8.8.8:53 dplwgsy.com udp
US 8.8.8.8:53 vtuchdyp.net udp
US 8.8.8.8:53 asaieemikaoc.com udp
US 8.8.8.8:53 jawzfnq.org udp
US 162.249.65.164:80 jawzfnq.org tcp
US 8.8.8.8:53 zpmmfjrj.info udp
US 8.8.8.8:53 tmqnhsg.info udp
US 8.8.8.8:53 wszxpgcencx.info udp
US 8.8.8.8:53 ikzszjxmq.info udp
US 208.100.26.245:80 ikzszjxmq.info tcp
US 8.8.8.8:53 phkkxj.info udp
US 8.8.8.8:53 nibgvqqbg.net udp
US 8.8.8.8:53 bqztam.net udp
US 8.8.8.8:53 ywosyimzua.info udp
US 8.8.8.8:53 gpipnj.net udp
US 8.8.8.8:53 bfnkdfbtnuch.info udp
US 8.8.8.8:53 vzwjvwhrcf.info udp
US 8.8.8.8:53 rnzabyp.info udp
US 8.8.8.8:53 wekuqguegw.org udp
US 8.8.8.8:53 dfrxdc.info udp
US 8.8.8.8:53 hswepwt.com udp
US 8.8.8.8:53 nupcwtehbj.net udp
US 8.8.8.8:53 nwqgdulxv.net udp
US 8.8.8.8:53 rosjipzf.info udp
US 8.8.8.8:53 jpttmocqb.com udp
US 8.8.8.8:53 yvrnagjc.info udp
US 8.8.8.8:53 hejognpazmw.info udp
US 8.8.8.8:53 yxfqlxyhjwfw.net udp
US 8.8.8.8:53 vmompla.info udp
US 8.8.8.8:53 uzplvx.info udp
US 8.8.8.8:53 jydnupwk.net udp
US 8.8.8.8:53 awdqcylajab.info udp
US 8.8.8.8:53 tvwixzxpdrzh.info udp
US 8.8.8.8:53 nynepdwl.info udp
US 8.8.8.8:53 bclttefpnho.com udp
US 8.8.8.8:53 lzzqgigv.info udp
US 8.8.8.8:53 ddrbopbgtd.info udp
US 8.8.8.8:53 pidsjmg.info udp
US 8.8.8.8:53 djwnewnxwaum.info udp
US 8.8.8.8:53 cepwskrua.info udp
US 8.8.8.8:53 lcbxzjfvr.org udp
US 8.8.8.8:53 jbmqhuvdbube.net udp
US 8.8.8.8:53 wsfcjoxxn.info udp
US 8.8.8.8:53 ostdxxh.info udp
US 8.8.8.8:53 ioknztsrpi.info udp
US 8.8.8.8:53 axvedelyw.info udp
US 8.8.8.8:53 cummaokcis.org udp
US 8.8.8.8:53 cgeqrpjejzug.info udp
US 8.8.8.8:53 gktaomddok.info udp
US 8.8.8.8:53 rumsjqb.info udp
US 8.8.8.8:53 ocmifsjxx.info udp
US 8.8.8.8:53 oeocgocqws.com udp
US 8.8.8.8:53 oormsqtmn.info udp

Files

\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe

MD5 134d068cc73ba4c3603bbd3e2a4cbe61
SHA1 f963b42b1dfde721b8e7a495aea206e34dca43a1
SHA256 a392af48ac00136ad4fb383c8c357e1d30d5802880c5dd47b9063860dd087bde
SHA512 50c57a317d58c0be8f0d89d3399f5e42b1cce9e504e5139cdc7fb4320150b4ec311e9b1b8643fc0075820981930241a52297efc5257750ac671b02e172f55eb8

C:\Windows\SysWOW64\ncamkbnmyiqjhbtruh.exe

MD5 1402edfdcc8d1c5f9ec36eba012a8d37
SHA1 cfbe8acbaec2676015c7105032d1da134f31c1ab
SHA256 96c5aeea64be8ac8173f07a0f8c7d252a83eb2fad215160f36078829856c0def
SHA512 a9baa0af65f8c3893673becc7235a3641ba4db0ac850a120431d85c38768dd10ceeb2becc7b9983088b5c65fa644f9b2b1f72b03ab4893518b1e23263d0856d9

\Users\Admin\AppData\Local\Temp\loaamr.exe

MD5 83b22a30081165473641487d5725e1d5
SHA1 8fa117ca2b20b908d2e5981c0c936e0250d02bda
SHA256 71ec7832e99237ae3ede9231db507db60a71f0632117320234631d1e2cdae3ef
SHA512 09c76214caa129beb381eb1fd972f5ed5266fe2a443129ed6d1d9b1c60bee82ee80605186fa3335de6dfca9bde1e8bffdf9b4482c30fd91767aedde60db5aa2d

C:\Users\Admin\AppData\Local\femiqrnwsmehptvdqnmuqyzv.aum

MD5 d248acdb9149d1d5535de002eec46e84
SHA1 5ab2be1e0beedfd64bebc04e186c09551388013a
SHA256 43c01c062d2362cb26cdf0a55ec61ebcd116f3a9d0487448dfcbdd19cc921966
SHA512 58ff2aeff614602761377c70ec0671c4fb49d6ee88af25f05c81ee9dc805ff375e4bd632f93836fcb60500b33479a23c74d2a743ab5849497c3a9ceb18755834

C:\Users\Admin\AppData\Local\oyryrdkelqthapcvtbleleqxrydguncpigo.ryr

MD5 181b1fb739fa1a8878a324bfdd5fa015
SHA1 08dac393714225c2843386c41ecd697c0fec2103
SHA256 343b71aba8083c9c46e8425f40d21a924a1c9437cfe99ef78795251e6faa48dd
SHA512 d0f663ff033bfd456b2eebe7a1e57bc7466047c482288338ce38c6e804cd3c7ae6c7f3e6b38ca735f7698fc872104cc428349bf9b8e52f33d131d866995190a4

C:\Program Files (x86)\femiqrnwsmehptvdqnmuqyzv.aum

MD5 87a1b9c2fb7e43b4706a4e3e180c1788
SHA1 cd8cc6e6bf2f8654159df4169e9db5ce82a668f9
SHA256 c130c2220b2d90625716cbfdfdb27baab0cc8ccc74925839ef9f0c85805b54cb
SHA512 adedd4c81a6fceb586e437a1c434b260bb2c496939237c5b696e1134bd769a32680289d54ebad0d2b94ccce234fce36932787b871224a8778506f131b6cd3dbd

C:\Program Files (x86)\femiqrnwsmehptvdqnmuqyzv.aum

MD5 a7df3efdf40341d4172f6c8cd21af5ee
SHA1 8d43ca8ad69f37c73cf498fba1d4fd8e70aec663
SHA256 c08002f040016dfdafd0d748ea1c417cd2d006d56f39ef4740a93d692f0aaf84
SHA512 5100279717f98e8cbb4c1edd4d360aa4c259f2713afc1c1181bb35c359bfc18c055aa93d4a5c8b0e388b4446375e0bc3a8d8488ddef6e1c4d6225090e81d7b6c

C:\sarwnxcuzcd.bat

MD5 66c2974e4d4e293f27aee7af72bb89c7
SHA1 5351bf94c6ac1f4a7c76b18b6f1f7d8543c0a96d
SHA256 d0ffc434571d9f80ab9451fe2416d6963274a9a38a7d02ee873d3c541ba70544
SHA512 8b55c0c68e4a93233875aa60873aec5508dfaeea65e314f71b828785eb57bb9f3e5c9af24932683cc0fb3b3071d0120b20b02b6b54112b3bbf182df2a504f02d

C:\Users\Admin\AppData\Local\femiqrnwsmehptvdqnmuqyzv.aum

MD5 f5593508bf59de9ab7ba2c6288bd1f1b
SHA1 af92de2ad116660441caab8182744dbd3345897d
SHA256 3a1d5c09d3311bb72823ff1e0a470f839d7a6c135c8aa325105ec4b064a024c1
SHA512 41cc3433d6dc1b93382ba6182aba780d6d9c91b701c4f86e357dcd0b7e0e0577b6ec0574bfb7c7b08a626cec994b1923a17f6a5a1cb1fc53ed4dcec7f024fbc2

C:\Program Files (x86)\femiqrnwsmehptvdqnmuqyzv.aum

MD5 f9b3d857c2357e90300fb60160c28bf4
SHA1 138380cb9f082ae45589d9bb4bca81d8e8ba92ac
SHA256 96c9e21c6a15d315470149661358aaa160396546db464315a01e43d61fa1de91
SHA512 f140997aed45b39b84cf1a6fdf54cc1e3f6dd2e3a28d22426f13c80e813526b58d77dbb1988068faecade53c54b58c7b5382da08371c2711257a6f895dcf9304

C:\Users\Admin\AppData\Local\femiqrnwsmehptvdqnmuqyzv.aum

MD5 b7429e737babd07b475ab65dc0442b4e
SHA1 69b6b39bafc9396fd0615a754ff1c81779822250
SHA256 63c34bedfde8f3d3a2c03f70dd2486cc54a63b4f4ebfa45aae0a53395138e285
SHA512 4782a6c18c2575a4e73cd029d0b48dda6a332034b54ce46ca29cfb74e915668b9c22d5886c0362016e9b88a988cb62bc51a3fcee957fc010c63a6d7c6d45ecc6

C:\Users\Admin\AppData\Local\femiqrnwsmehptvdqnmuqyzv.aum

MD5 d8000634ff1f272ff1ce7f911616cc17
SHA1 3b86cc0de072811f50c7f8dadbb065afc83d647f
SHA256 e3f23a246ca6278ae192c3b85124939afa4ff32aa48452372214133426cca213
SHA512 e2315ff1d62e1258c82836305cbdb6a9e517366f696193a929f96b3fd6c8e4f186a5dc7363c01da08a14791ff0cb1c8a619120973e384dfaeb27be4ebdb53031

C:\Program Files (x86)\femiqrnwsmehptvdqnmuqyzv.aum

MD5 1a5fd6f8b48ac7a56adffc534ec411a0
SHA1 b2b544c3c3c494b52a5a97666d68cd57f4f883a9
SHA256 e57539b17ada985918b11fccc7dbd5e61bdd5b426962fc56e674a7f265ed81d5
SHA512 730044355b293294ce1f5e303d4463675cbc34e4ced7cac1e12f3e9f6dceaaa98d728aec081b49cc40e4b8aa6709d4dc765cda9f14941c1e95f1add00719961a

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 00:20

Reported

2024-06-27 00:22

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrmzaredpkavbjxemka.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvshkdsthewtblbkuumjg.exe" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrmzaredpkavbjxemka.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfbprjxxkgxtajygpofb.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfbprjxxkgxtajygpofb.exe" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvozynyvfymfjpbgm.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvfhxdft = "jfbprjxxkgxtajygpofb.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvfhxdft = "lfzllbnlwqfzelyeli.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvfhxdft = "wrmzaredpkavbjxemka.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvozynyvfymfjpbgm.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvfhxdft = "yvshkdsthewtblbkuumjg.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvfhxdft = "vnfpnblhqivnqvgk.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvfhxdft = "yvshkdsthewtblbkuumjg.exe" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfzllbnlwqfzelyeli.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnfpnblhqivnqvgk.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvfhxdft = "vnfpnblhqivnqvgk.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvfhxdft = "lfzllbnlwqfzelyeli.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvshkdsthewtblbkuumjg.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvfhxdft = "cvozynyvfymfjpbgm.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnfpnblhqivnqvgk.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfzllbnlwqfzelyeli.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvfhxdft = "cvozynyvfymfjpbgm.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvfhxdft = "wrmzaredpkavbjxemka.exe" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jrzznr = "jfbprjxxkgxtajygpofb.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrzznr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfbprjxxkgxtajygpofb.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhtxpxbrug = "lfzllbnlwqfzelyeli.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "wrmzaredpkavbjxemka.exe ." C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbpvpzfxcqzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrmzaredpkavbjxemka.exe" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdqvoxctxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnfpnblhqivnqvgk.exe ." C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfbprjxxkgxtajygpofb.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbpvpzfxcqzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfzllbnlwqfzelyeli.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbpvpzfxcqzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrmzaredpkavbjxemka.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "lfzllbnlwqfzelyeli.exe ." C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "cvozynyvfymfjpbgm.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbpvpzfxcqzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfbprjxxkgxtajygpofb.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrzznr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnfpnblhqivnqvgk.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "vnfpnblhqivnqvgk.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdqvoxctxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrmzaredpkavbjxemka.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdqvoxctxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfbprjxxkgxtajygpofb.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdqvoxctxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrmzaredpkavbjxemka.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnybszcrt = "jfbprjxxkgxtajygpofb.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "yvshkdsthewtblbkuumjg.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnybszcrt = "lfzllbnlwqfzelyeli.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhtxpxbrug = "wrmzaredpkavbjxemka.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbpvpzfxcqzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvshkdsthewtblbkuumjg.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnybszcrt = "lfzllbnlwqfzelyeli.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbpvpzfxcqzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvshkdsthewtblbkuumjg.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrzznr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrmzaredpkavbjxemka.exe" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jrzznr = "lfzllbnlwqfzelyeli.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbpvpzfxcqzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfbprjxxkgxtajygpofb.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrzznr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvozynyvfymfjpbgm.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrzznr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvshkdsthewtblbkuumjg.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jrzznr = "lfzllbnlwqfzelyeli.exe" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jrzznr = "cvozynyvfymfjpbgm.exe" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfzllbnlwqfzelyeli.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdqvoxctxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnfpnblhqivnqvgk.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfzllbnlwqfzelyeli.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdqvoxctxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnfpnblhqivnqvgk.exe ." C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdqvoxctxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvshkdsthewtblbkuumjg.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "wrmzaredpkavbjxemka.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnfpnblhqivnqvgk.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdqvoxctxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfbprjxxkgxtajygpofb.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhtxpxbrug = "lfzllbnlwqfzelyeli.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdqvoxctxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvozynyvfymfjpbgm.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jrzznr = "vnfpnblhqivnqvgk.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnybszcrt = "cvozynyvfymfjpbgm.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrzznr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfzllbnlwqfzelyeli.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbpvpzfxcqzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnfpnblhqivnqvgk.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrmzaredpkavbjxemka.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnybszcrt = "vnfpnblhqivnqvgk.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrzznr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvozynyvfymfjpbgm.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvozynyvfymfjpbgm.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jrzznr = "yvshkdsthewtblbkuumjg.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "jfbprjxxkgxtajygpofb.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbpvpzfxcqzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvozynyvfymfjpbgm.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "vnfpnblhqivnqvgk.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnybszcrt = "yvshkdsthewtblbkuumjg.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvozynyvfymfjpbgm.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrzznr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrmzaredpkavbjxemka.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrzznr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrmzaredpkavbjxemka.exe" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhtxpxbrug = "jfbprjxxkgxtajygpofb.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbpvpzfxcqzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnfpnblhqivnqvgk.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jrzznr = "vnfpnblhqivnqvgk.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhtxpxbrug = "cvozynyvfymfjpbgm.exe ." C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrzznr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfzllbnlwqfzelyeli.exe" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfzllbnlwqfzelyeli.exe ." C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhtxpxbrug = "vnfpnblhqivnqvgk.exe ." C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\cvozynyvfymfjpbgm.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\SysWOW64\wrmzaredpkavbjxemka.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\SysWOW64\vnfpnblhqivnqvgk.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\SysWOW64\pnlbfzprgexvepgqbcvtrh.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\SysWOW64\jfbprjxxkgxtajygpofb.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\SysWOW64\pnlbfzprgexvepgqbcvtrh.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\SysWOW64\qdqvoxctxksfddjiiygtglensjnaivttz.yow C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\SysWOW64\vnfpnblhqivnqvgk.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\SysWOW64\pnlbfzprgexvepgqbcvtrh.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\SysWOW64\jfbprjxxkgxtajygpofb.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\SysWOW64\jfbprjxxkgxtajygpofb.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File created C:\Windows\SysWOW64\qdqvoxctxksfddjiiygtglensjnaivttz.yow C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\SysWOW64\lfzllbnlwqfzelyeli.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\SysWOW64\wrmzaredpkavbjxemka.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\SysWOW64\yvshkdsthewtblbkuumjg.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\SysWOW64\vnfpnblhqivnqvgk.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\SysWOW64\yvshkdsthewtblbkuumjg.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\SysWOW64\jfbprjxxkgxtajygpofb.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\SysWOW64\vnfpnblhqivnqvgk.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\SysWOW64\lfzllbnlwqfzelyeli.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\SysWOW64\cvozynyvfymfjpbgm.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\SysWOW64\lfzllbnlwqfzelyeli.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\SysWOW64\wrmzaredpkavbjxemka.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\SysWOW64\yvshkdsthewtblbkuumjg.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\SysWOW64\zbdxfdxdwyvxkzuixczbdx.dxd C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\SysWOW64\lfzllbnlwqfzelyeli.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\SysWOW64\cvozynyvfymfjpbgm.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File created C:\Windows\SysWOW64\zbdxfdxdwyvxkzuixczbdx.dxd C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\SysWOW64\wrmzaredpkavbjxemka.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\SysWOW64\cvozynyvfymfjpbgm.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\SysWOW64\pnlbfzprgexvepgqbcvtrh.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\SysWOW64\yvshkdsthewtblbkuumjg.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Program Files (x86)\qdqvoxctxksfddjiiygtglensjnaivttz.yow C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File created C:\Program Files (x86)\qdqvoxctxksfddjiiygtglensjnaivttz.yow C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\lfzllbnlwqfzelyeli.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\pnlbfzprgexvepgqbcvtrh.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\lfzllbnlwqfzelyeli.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\vnfpnblhqivnqvgk.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\yvshkdsthewtblbkuumjg.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\lfzllbnlwqfzelyeli.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\cvozynyvfymfjpbgm.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\pnlbfzprgexvepgqbcvtrh.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\cvozynyvfymfjpbgm.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\jfbprjxxkgxtajygpofb.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\wrmzaredpkavbjxemka.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\vnfpnblhqivnqvgk.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\wrmzaredpkavbjxemka.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\yvshkdsthewtblbkuumjg.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\pnlbfzprgexvepgqbcvtrh.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\cvozynyvfymfjpbgm.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\vnfpnblhqivnqvgk.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File created C:\Windows\zbdxfdxdwyvxkzuixczbdx.dxd C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\qdqvoxctxksfddjiiygtglensjnaivttz.yow C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\vnfpnblhqivnqvgk.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\lfzllbnlwqfzelyeli.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\yvshkdsthewtblbkuumjg.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\jfbprjxxkgxtajygpofb.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\pnlbfzprgexvepgqbcvtrh.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\zbdxfdxdwyvxkzuixczbdx.dxd C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\yvshkdsthewtblbkuumjg.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\jfbprjxxkgxtajygpofb.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
File opened for modification C:\Windows\cvozynyvfymfjpbgm.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\wrmzaredpkavbjxemka.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\jfbprjxxkgxtajygpofb.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File created C:\Windows\qdqvoxctxksfddjiiygtglensjnaivttz.yow C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
File opened for modification C:\Windows\wrmzaredpkavbjxemka.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe N/A (60 identical rows)
N/A N/A C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A (4 identical rows)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 644 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe
PID 644 wrote to memory of 2704 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe
PID 644 wrote to memory of 2080 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe C:\Users\Admin\AppData\Local\Temp\jrzznr.exe
PID 2368 wrote to memory of 416 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe (x2), C:\Users\Admin\AppData\Local\Temp\jrzznr.exe (x2) N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe (x1), C:\Users\Admin\AppData\Local\Temp\jrzznr.exe (x2) N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe (x2), C:\Users\Admin\AppData\Local\Temp\jrzznr.exe (x2) N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe (x1), C:\Users\Admin\AppData\Local\Temp\jrzznr.exe (x2) N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe (x1), C:\Users\Admin\AppData\Local\Temp\jrzznr.exe (x2) N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe (x1), C:\Users\Admin\AppData\Local\Temp\jrzznr.exe (x2) N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe (x1), C:\Users\Admin\AppData\Local\Temp\jrzznr.exe (x2) N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe (x1), C:\Users\Admin\AppData\Local\Temp\jrzznr.exe (x2) N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe (x1), C:\Users\Admin\AppData\Local\Temp\jrzznr.exe (x2) N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe (x1), C:\Users\Admin\AppData\Local\Temp\jrzznr.exe (x2) N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe (x1), C:\Users\Admin\AppData\Local\Temp\jrzznr.exe (x2) N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe (x1), C:\Users\Admin\AppData\Local\Temp\jrzznr.exe (x2) N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe (x1), C:\Users\Admin\AppData\Local\Temp\jrzznr.exe (x2) N/A
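The values written above are the complete set of UAC policy switches under HKLM\...\Policies\System: EnableLUA = 0 turns User Account Control off at the next logon, ConsentPromptBehaviorAdmin = 0 removes the elevation prompt for administrators, PromptOnSecureDesktop = 0 moves any remaining prompt off the secure desktop, and DisableRegistryTools = 1 blocks regedit.exe for every user. NoDriveTypeAutoRun under Policies\Explorer is a bitmask of drive types for which AutoRun is disabled; the value 1 leaves only "unknown" drive types disabled, which is the opposite of the hardened 0xFF and fits the autorun.inf the sample drops. The script below is an added example, not part of the report or any sandbox API: it re-reads a subset of the rows in the sandbox's one-event-per-row form, compares each value against a baseline table (Windows 7 client defaults and CIS-style hardened values, both this example's own assumptions), and emits the reg add commands that restore the hardened values.

```python
"""Audit this report's 'System policy modification' rows against the
defaults they replace and emit commands that restore hardened values.

Added example, not part of the original report. ROWS holds a subset of the
report's rows (one event per line, as the sandbox emits them); the POLICY
table (Windows 7 client defaults, hardened values and the meaning of each
observed setting) is this example's own assumption.
"""
import re
from collections import defaultdict

# Constructed input: rows copied from the report (subset, one event per line).
ROWS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\jrzznr.exe N/A
""".strip().splitlines()

# value name -> (Windows 7 client default, hardened value or None if no
# recommendation, what the value observed in this report does).
# Defaults and hardened values are this example's assumption.
POLICY = {
    "EnableLUA": (1, 1, "UAC off: admin-group processes get a full token at next logon"),
    "ConsentPromptBehaviorAdmin": (5, 2, "administrators elevate with no prompt at all"),
    "ConsentPromptBehaviorUser": (3, 0, "standard users' elevation requests are denied silently"),
    "PromptOnSecureDesktop": (1, 1, "UAC prompts drawn on the interactive desktop, where other code can drive them"),
    "FilterAdministratorToken": (0, 1, "built-in Administrator runs without Admin Approval Mode"),
    "EnableVirtualization": (1, 1, "no file/registry virtualization for legacy apps writing to protected paths"),
    "ValidateAdminCodeSignatures": (0, None, "no signature check on executables that elevate"),
    "EnableSecureUIAPaths": (1, 1, "UIAccess apps may run from any path, not only secure locations"),
    "EnableInstallerDetection": (1, 1, "installers are no longer detected and prompted for elevation"),
    "DisableRegistryTools": (0, 0, "regedit.exe refuses to start for all users"),
    "NoDriveTypeAutoRun": (0x91, 0xFF, "AutoRun disabled only for unknown drive types; removable, fixed and CD-ROM bits cleared"),
}

SET_RE = re.compile(r'^Set value \(int\) \\REGISTRY\\MACHINE\\(.+)\\(\w+) = "(\d+)" (\S+) N/A$')


def audit(rows):
    """Group the Set-value rows by value name and compare them with POLICY."""
    seen = defaultdict(lambda: {"observed": None, "processes": set(), "key": None})
    for row in rows:
        m = SET_RE.match(row.strip())
        if not m:
            continue  # 'Key created' rows carry no value to compare
        key, name, value, proc = m.groups()
        entry = seen[name]
        entry["observed"] = int(value)
        entry["key"] = key
        entry["processes"].add(proc.rsplit("\\", 1)[-1])
    findings = {}
    for name, entry in seen.items():
        default, hardened, meaning = POLICY.get(name, (None, None, "not in baseline"))
        findings[name] = {
            **entry,
            "default": default,
            "hardened": hardened,
            "changed_from_default": default is not None and entry["observed"] != default,
            "weakened": hardened is not None and entry["observed"] != hardened,
            "meaning": meaning,
        }
    return findings


def remediation(findings):
    """'reg add' lines that put the hardened value back for each weakened setting."""
    cmds = []
    for name, fd in sorted(findings.items()):
        if fd["weakened"]:
            hive_path = "HKLM\\" + fd["key"]
            cmds.append(f'reg add "{hive_path}" /v {name} /t REG_DWORD /d {fd["hardened"]} /f')
    return cmds


if __name__ == "__main__":
    found = audit(ROWS)
    for name, fd in sorted(found.items()):
        flag = "WEAKENED" if fd["weakened"] else "ok      "
        print(f'{flag} {name}={fd["observed"]} (default {fd["default"]}) by {sorted(fd["processes"])}: {fd["meaning"]}')
    print("\n".join(remediation(found)))
```

Two of the values are worth a second look before acting on the signature alone: FilterAdministratorToken = 0 and ValidateAdminCodeSignatures = 0 are the Windows 7 defaults, so the sample did not change anything there, and ConsentPromptBehaviorUser = 0 is itself the hardened setting; the block reports these as unchanged rather than weakened. The nine remaining writes are what disable UAC, hide the registry editor and widen AutoRun.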

Processes

C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe

"C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe" "c:\users\admin\appdata\local\temp\1402edfdcc8d1c5f9ec36eba012a8d37_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\jrzznr.exe

"C:\Users\Admin\AppData\Local\Temp\jrzznr.exe" "-C:\Users\Admin\AppData\Local\Temp\vnfpnblhqivnqvgk.exe"

C:\Users\Admin\AppData\Local\Temp\jrzznr.exe

"C:\Users\Admin\AppData\Local\Temp\jrzznr.exe" "-C:\Users\Admin\AppData\Local\Temp\vnfpnblhqivnqvgk.exe"

C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe

"C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe" "c:\users\admin\appdata\local\temp\1402edfdcc8d1c5f9ec36eba012a8d37_jaffacakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
BE 2.17.107.105:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 105.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 175.155.67.172.in-addr.arpa udp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 www.whatismyip.com udp
US 104.27.206.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 92.206.27.104.in-addr.arpa udp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 104.27.206.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 79.223.19.104.in-addr.arpa udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
GB 142.250.187.196:80 www.google.com tcp
LV 78.84.44.143:15896 tcp
US 8.8.8.8:53 vsdgddzap.org udp
US 162.249.65.164:80 vsdgddzap.org tcp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 eckiewmugw.org udp
US 8.8.8.8:53 tkrggwgdlt.info udp
US 8.8.8.8:53 vmgnso.net udp
US 8.8.8.8:53 skocyuos.org udp
US 8.8.8.8:53 nbdboizswev.info udp
US 8.8.8.8:53 kwhfqnnejec.info udp
US 34.211.97.45:80 kwhfqnnejec.info tcp
US 8.8.8.8:53 idmdtvqr.info udp
US 8.8.8.8:53 tzcozg.net udp
US 8.8.8.8:53 xwnizsvsz.com udp
US 8.8.8.8:53 khiftw.net udp
US 8.8.8.8:53 eomqiyui.org udp
US 162.249.65.164:80 eomqiyui.org tcp
US 8.8.8.8:53 45.97.211.34.in-addr.arpa udp
LV 78.84.44.143:15896 tcp
US 8.8.8.8:53 xsjloeuaexsi.info udp
US 8.8.8.8:53 tsjjrwn.net udp
US 8.8.8.8:53 hazzthxrziyh.net udp
US 8.8.8.8:53 gedpfnatsumb.info udp
US 8.8.8.8:53 migqpgc.info udp
US 8.8.8.8:53 jawzfnq.org udp
US 162.249.65.164:80 jawzfnq.org tcp
US 8.8.8.8:53 euaiocigiw.com udp
US 8.8.8.8:53 crpylskijwj.net udp
US 8.8.8.8:53 vzbehibesqp.org udp
US 8.8.8.8:53 ugoimw.net udp
US 8.8.8.8:53 wsnvsazgr.net udp
US 8.8.8.8:53 ikzszjxmq.info udp
US 208.100.26.245:80 ikzszjxmq.info tcp
US 8.8.8.8:53 jsgjempgore.info udp
US 8.8.8.8:53 nibgvqqbg.net udp
US 8.8.8.8:53 tyukzh.net udp
US 8.8.8.8:53 paakdnzwrvy.org udp
US 8.8.8.8:53 vwebfaxv.info udp
US 8.8.8.8:53 cmpmpyz.info udp
US 8.8.8.8:53 bfnkdfbtnuch.info udp
US 8.8.8.8:53 smrdtv.net udp
US 8.8.8.8:53 puxoplqkt.net udp
US 8.8.8.8:53 ijzixwxcowj.info udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 wjdobfdd.net udp
US 8.8.8.8:53 tvwdubzl.info udp
US 8.8.8.8:53 aqhgmj.net udp
US 8.8.8.8:53 nofutrwsp.info udp
US 8.8.8.8:53 hswepwt.com udp
US 8.8.8.8:53 qihiraoeb.info udp
US 8.8.8.8:53 qerwmsxil.net udp
US 8.8.8.8:53 nwqgdulxv.net udp
US 8.8.8.8:53 yvrnagjc.info udp
US 8.8.8.8:53 dfugxcskokj.net udp
US 8.8.8.8:53 gczhlqhypjmz.net udp
US 8.8.8.8:53 jydnupwk.net udp
US 8.8.8.8:53 eaazplccwb.info udp
US 8.8.8.8:53 wqlshww.net udp
US 8.8.8.8:53 lzzqgigv.info udp
US 8.8.8.8:53 jxwhcs.info udp
US 8.8.8.8:53 gjznbmlgwon.net udp
US 8.8.8.8:53 ostdxxh.info udp
US 8.8.8.8:53 njqkqncik.net udp
US 8.8.8.8:53 jyevniawle.info udp
US 8.8.8.8:53 gqajqpquz.net udp
US 8.8.8.8:53 cgeqrpjejzug.info udp
US 8.8.8.8:53 yosozwxkf.info udp
US 8.8.8.8:53 vmgdpfin.info udp
US 8.8.8.8:53 zqvanhjsu.info udp
US 8.8.8.8:53 oocgwu.org udp
US 162.249.65.164:80 oocgwu.org tcp
US 8.8.8.8:53 muuagg.org udp
US 8.8.8.8:53 mebzfgl.net udp
US 8.8.8.8:53 ulntaatcj.info udp
US 8.8.8.8:53 edrxhiamad.net udp
US 8.8.8.8:53 uwqkbvt.net udp
US 8.8.8.8:53 easyuoyaesoe.com udp
US 8.8.8.8:53 ztuuvewk.info udp
US 8.8.8.8:53 bgktvuwmu.info udp
US 8.8.8.8:53 jogvtml.com udp
US 8.8.8.8:53 oeiwqe.com udp
US 8.8.8.8:53 kzvswpfo.info udp
US 8.8.8.8:53 tanuxkhcugs.net udp
US 8.8.8.8:53 dqjnakhud.net udp
US 8.8.8.8:53 zkbscmwomagg.info udp
US 8.8.8.8:53 scckkyymkmuo.com udp
US 8.8.8.8:53 lynyvziafz.net udp
US 8.8.8.8:53 lkisorlj.info udp
US 8.8.8.8:53 tcblvigv.net udp
US 8.8.8.8:53 twvyrobjhur.org udp
US 162.249.65.164:80 twvyrobjhur.org tcp
US 8.8.8.8:53 sqrtwdbcdar.net udp
US 8.8.8.8:53 ifiwgz.net udp
US 8.8.8.8:53 fnoicopo.info udp
US 8.8.8.8:53 smikkk.org udp
US 8.8.8.8:53 nomvmt.net udp
US 8.8.8.8:53 dgsoroign.info udp
US 8.8.8.8:53 jqhahdiydrtq.info udp
US 8.8.8.8:53 uggascemos.org udp
US 162.249.65.164:80 uggascemos.org tcp
US 8.8.8.8:53 emoykmuk.org udp
US 8.8.8.8:53 czhdbwpockz.net udp
US 8.8.8.8:53 yrvzcpdx.info udp
US 8.8.8.8:53 qahdxtmcddb.info udp
US 8.8.8.8:53 iusieqyk.org udp
US 8.8.8.8:53 chtmriiyt.net udp
US 8.8.8.8:53 ccyuis.info udp
US 8.8.8.8:53 tttvdyyjcmin.info udp
US 8.8.8.8:53 jhlphypfkb.net udp
US 8.8.8.8:53 xpustd.info udp
US 8.8.8.8:53 iceoacec.org udp
US 8.8.8.8:53 yxkhplvayu.info udp
US 8.8.8.8:53 kuugwiwe.com udp
US 8.8.8.8:53 hllgxwmuc.info udp
US 8.8.8.8:53 nqfozsnnji.info udp
US 8.8.8.8:53 ujshseovck.info udp
US 8.8.8.8:53 taydtvqdzh.info udp
US 8.8.8.8:53 uekkhctuw.info udp
US 8.8.8.8:53 xuvsjinhp.com udp
US 8.8.8.8:53 jixaqsl.net udp
US 8.8.8.8:53 feyijafz.info udp
US 8.8.8.8:53 stasje.net udp
US 8.8.8.8:53 hsolelxe.net udp
US 8.8.8.8:53 ryqpnpjaz.net udp
US 8.8.8.8:53 sacqyy.org udp
US 8.8.8.8:53 rycwlmjczjn.info udp
US 8.8.8.8:53 qscewa.org udp
US 8.8.8.8:53 scyssywk.org udp
US 162.249.65.164:80 scyssywk.org tcp
US 8.8.8.8:53 ociokctoz.net udp
US 8.8.8.8:53 patzdexrgkhy.net udp
US 8.8.8.8:53 qxoesbxxaj.info udp
US 8.8.8.8:53 hupytxy.net udp
US 8.8.8.8:53 cosqdaqghon.net udp
US 8.8.8.8:53 jyqgfmtyz.com udp
US 8.8.8.8:53 lemomn.net udp
US 8.8.8.8:53 ctcvaf.net udp
US 8.8.8.8:53 lvpicxnk.info udp
US 8.8.8.8:53 pvywiwql.net udp
US 8.8.8.8:53 nyexzeu.net udp
US 8.8.8.8:53 zphblrztdb.info udp
US 8.8.8.8:53 qkhktcawkce.info udp
US 8.8.8.8:53 gkcsacokuq.com udp
US 8.8.8.8:53 kwgcyk.com udp
US 8.8.8.8:53 hmeibptyi.org udp
US 8.8.8.8:53 jobqhonuw.com udp
US 8.8.8.8:53 ucswymsg.org udp
US 8.8.8.8:53 tayddxqraiej.net udp
US 8.8.8.8:53 dmvaxdt.info udp
US 8.8.8.8:53 yosuiwck.com udp
US 8.8.8.8:53 jcxsnexfr.info udp
US 8.8.8.8:53 semoyg.com udp
US 8.8.8.8:53 bkxghrwhvf.net udp
US 8.8.8.8:53 zswpbpbmna.net udp
US 8.8.8.8:53 jrbcowtp.info udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 dpidzv.info udp
US 8.8.8.8:53 dgwytkyj.info udp
US 8.8.8.8:53 yyoisi.com udp
US 8.8.8.8:53 kltqdpmwtuot.info udp
US 8.8.8.8:53 udhmlbuqpa.info udp
US 8.8.8.8:53 mccfjh.info udp
US 8.8.8.8:53 rofxdaxwh.org udp
US 8.8.8.8:53 ijskzyl.info udp
US 8.8.8.8:53 uibkaibnh.info udp
US 8.8.8.8:53 lznurtzgu.com udp
US 8.8.8.8:53 efochgzyukl.net udp
US 8.8.8.8:53 aoiasggywwyw.org udp
US 8.8.8.8:53 lgneodtxcu.net udp
US 8.8.8.8:53 hnfadwdzpa.net udp
US 8.8.8.8:53 imxatgckwke.info udp
US 8.8.8.8:53 ievqtwkuy.info udp
US 8.8.8.8:53 cysqagkyowsy.com udp
US 8.8.8.8:53 guyeonsiontw.info udp
US 8.8.8.8:53 dhbcbfj.net udp
US 8.8.8.8:53 ypyuoitqoa.info udp
US 8.8.8.8:53 gerunhpf.net udp
US 8.8.8.8:53 tblmdsokgrxu.net udp
US 8.8.8.8:53 jkudqejzfc.net udp
US 8.8.8.8:53 yljamebfag.info udp
US 8.8.8.8:53 lcjeydhp.info udp
US 8.8.8.8:53 zmaquu.net udp
US 8.8.8.8:53 feeiwzrxxk.info udp
US 8.8.8.8:53 bqnqljllbyn.com udp
US 8.8.8.8:53 lutjvzs.org udp
US 8.8.8.8:53 tuhpwznayan.org udp
US 8.8.8.8:53 pmokilmhf.org udp
US 8.8.8.8:53 rrzstkxi.net udp
US 8.8.8.8:53 umucaoemmk.org udp
US 8.8.8.8:53 wuihibpv.net udp
US 8.8.8.8:53 uewiscpfp.info udp
US 8.8.8.8:53 ljjitaty.net udp
US 8.8.8.8:53 pczgznzws.com udp
US 8.8.8.8:53 akridp.info udp
US 8.8.8.8:53 giretml.info udp
US 8.8.8.8:53 xyiqietogyz.info udp
US 8.8.8.8:53 fsuatws.net udp
US 8.8.8.8:53 zwtcba.info udp
US 8.8.8.8:53 tnncrqy.org udp
US 8.8.8.8:53 jcfavurdlf.info udp
US 8.8.8.8:53 rzmnoubunh.info udp
US 8.8.8.8:53 yqpxpasybm.net udp
US 8.8.8.8:53 zmmcovsqdyn.info udp
US 8.8.8.8:53 chponqw.net udp
US 8.8.8.8:53 nnkapwjgdgw.com udp
US 8.8.8.8:53 sytxwstmjot.net udp
US 8.8.8.8:53 tonzfjf.com udp
US 8.8.8.8:53 jumyllfsvux.org udp
US 8.8.8.8:53 saycqwyq.com udp
US 8.8.8.8:53 kejqtcu.net udp
US 8.8.8.8:53 xuwjvoxkz.info udp
US 8.8.8.8:53 wvdivuzroh.info udp
US 8.8.8.8:53 yomkbuvcn.net udp
US 8.8.8.8:53 vwzqbonybhv.net udp
US 8.8.8.8:53 cjrsdgmijgn.net udp
US 8.8.8.8:53 yaouiasmso.com udp
US 8.8.8.8:53 eaqyzbj.net udp
US 8.8.8.8:53 vehtfhoepk.info udp
US 8.8.8.8:53 pcmsxrjkys.info udp
US 8.8.8.8:53 tglikq.net udp
US 8.8.8.8:53 ewqkmois.org udp
US 8.8.8.8:53 tsjlatxlzhn.info udp
US 8.8.8.8:53 lutymwnvy.org udp
US 8.8.8.8:53 vszdpjlsxz.info udp
US 8.8.8.8:53 shvehdrsc.net udp
US 8.8.8.8:53 hyjiypbtbkp.org udp
US 8.8.8.8:53 zflnqt.net udp
US 8.8.8.8:53 kmfmlumnr.info udp
US 8.8.8.8:53 hebswwvcjkp.com udp
US 8.8.8.8:53 xjnnlbhnpu.net udp
US 8.8.8.8:53 qcueycmcp.info udp
US 8.8.8.8:53 jcxcwolq.info udp
US 8.8.8.8:53 mfivrlb.net udp
US 8.8.8.8:53 yekuaeyq.org udp
US 8.8.8.8:53 xxnhbviuim.net udp
US 8.8.8.8:53 zzxmrhhhxl.info udp
US 8.8.8.8:53 fsvwksd.info udp
US 8.8.8.8:53 fkpkjsj.com udp
US 8.8.8.8:53 bshorya.net udp
US 8.8.8.8:53 siffsyjcz.net udp
US 8.8.8.8:53 shxctxvuvhti.net udp
US 8.8.8.8:53 jtbojr.info udp
US 8.8.8.8:53 oqgsrtfyzye.net udp
US 8.8.8.8:53 jpipxftddf.net udp
US 8.8.8.8:53 hxrpjoy.info udp
US 8.8.8.8:53 wobxezdp.info udp
US 8.8.8.8:53 xyzqgc.info udp
US 8.8.8.8:53 lypjpqgao.info udp
US 8.8.8.8:53 igyaigaywg.com udp
US 8.8.8.8:53 auowmaggsumq.org udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 162.249.65.164:80 auowmaggsumq.org tcp
US 8.8.8.8:53 uxldkohjxv.info udp
US 8.8.8.8:53 yisqasmcay.com udp
US 8.8.8.8:53 wpzwffdyxdlo.info udp
US 8.8.8.8:53 ceucaeqm.com udp
US 8.8.8.8:53 ogwsumeouc.org udp
US 8.8.8.8:53 pgxzxcjmdmz.info udp
US 8.8.8.8:53 suqkqk.org udp
US 8.8.8.8:53 gyfuzmak.net udp
US 8.8.8.8:53 knbuvdla.info udp
US 8.8.8.8:53 nqjfwuadxx.net udp
US 8.8.8.8:53 xuvvpcln.net udp
US 8.8.8.8:53 hoephg.info udp
US 8.8.8.8:53 ljjinmtet.org udp
US 8.8.8.8:53 jzmowpz.com udp
US 8.8.8.8:53 kgqwydv.info udp
US 8.8.8.8:53 swvytsb.net udp
US 8.8.8.8:53 kjqhmauqzyow.info udp
US 8.8.8.8:53 kaiugywoco.com udp
US 8.8.8.8:53 okxwfzdar.net udp
US 8.8.8.8:53 vxskfyrvvcq.org udp
US 8.8.8.8:53 qjbiuq.info udp
US 8.8.8.8:53 pwxpcylo.info udp
US 8.8.8.8:53 pwfbznesuzyd.info udp
US 8.8.8.8:53 mwbhbki.info udp
US 8.8.8.8:53 ehrthbnqkba.info udp
US 8.8.8.8:53 btmtmedn.net udp
US 8.8.8.8:53 kkdgekcylcr.net udp
US 8.8.8.8:53 ogwwkwqaookm.org udp
US 8.8.8.8:53 vwwmxlvmw.com udp
US 8.8.8.8:53 omgoscseqa.org udp
US 8.8.8.8:53 wptqnf.info udp
US 8.8.8.8:53 wgiaxqhoxfxl.net udp
US 8.8.8.8:53 kiixvivcp.net udp
US 8.8.8.8:53 smfoqodak.net udp
US 8.8.8.8:53 yiquyy.com udp
US 170.130.114.59:80 yiquyy.com tcp
US 8.8.8.8:53 honkemm.org udp
US 8.8.8.8:53 qcsicqyw.com udp
US 8.8.8.8:53 ahsjckjod.net udp
US 8.8.8.8:53 tjlvvh.net udp
US 8.8.8.8:53 oqyegm.org udp
US 162.249.65.164:80 oqyegm.org tcp
US 8.8.8.8:53 59.114.130.170.in-addr.arpa udp
US 8.8.8.8:53 ssrwes.net udp
US 8.8.8.8:53 npxtibrwfr.info udp
US 8.8.8.8:53 tktutifpq.info udp
US 8.8.8.8:53 uoeayqwyic.org udp
US 8.8.8.8:53 yatvyt.net udp
US 8.8.8.8:53 fgnmhy.net udp
US 8.8.8.8:53 icwmouge.com udp
US 8.8.8.8:53 amnsppfm.info udp
US 8.8.8.8:53 umbdimjkmw.info udp
US 8.8.8.8:53 fktnyddmbwip.net udp
US 8.8.8.8:53 wezqzcegl.net udp
US 8.8.8.8:53 biedutvzlvhu.info udp
US 8.8.8.8:53 osuqasmwkega.com udp
US 8.8.8.8:53 smyyim.org udp
US 8.8.8.8:53 lxrmeylzmin.net udp
US 8.8.8.8:53 vlruwdroph.net udp
US 8.8.8.8:53 dyrrlkpgb.net udp
US 8.8.8.8:53 rkiwvizdh.org udp
US 8.8.8.8:53 kjpzpm.info udp
US 8.8.8.8:53 bacgtghkfvj.com udp
US 8.8.8.8:53 qdaqqydwtys.info udp
US 8.8.8.8:53 cyprnax.net udp
US 8.8.8.8:53 xjhvdp.info udp
US 8.8.8.8:53 mpihpkh.info udp
US 8.8.8.8:53 xgxjjgt.org udp
US 8.8.8.8:53 igwkukcyoiok.com udp
US 8.8.8.8:53 ykgcyu.com udp
US 8.8.8.8:53 nhxdqrbjrbfi.net udp
US 8.8.8.8:53 gikqawcaaq.com udp
US 8.8.8.8:53 fjrdep.net udp
US 8.8.8.8:53 buvnucsm.net udp
US 8.8.8.8:53 oemcwsugag.com udp
US 8.8.8.8:53 usobdnptwp.info udp
US 8.8.8.8:53 uswsgycuqcwy.com udp
US 8.8.8.8:53 rihfigppyj.info udp
US 8.8.8.8:53 pxmgbj.info udp
US 8.8.8.8:53 muovzntcb.net udp
US 8.8.8.8:53 xvjahnr.info udp
US 8.8.8.8:53 baszpcbvz.info udp
US 8.8.8.8:53 vzoenenbp.net udp
US 8.8.8.8:53 tkngjra.info udp
US 8.8.8.8:53 zihaqg.net udp
US 8.8.8.8:53 gyqyuwesoaoc.org udp
US 8.8.8.8:53 kcrdxklup.net udp
US 8.8.8.8:53 dmiiag.info udp
US 8.8.8.8:53 tsclzpfepqby.net udp
US 8.8.8.8:53 mgqqiugikywg.org udp
US 8.8.8.8:53 dgbdoglgbcal.net udp
US 8.8.8.8:53 lwldae.net udp
US 8.8.8.8:53 hysljlek.net udp
US 8.8.8.8:53 hcmuukbr.net udp
US 8.8.8.8:53 snkfsdgrphho.net udp
US 8.8.8.8:53 gppdfjmw.info udp
US 8.8.8.8:53 qtrhichetl.net udp
US 8.8.8.8:53 fapmez.net udp
US 8.8.8.8:53 xevyxyqnp.net udp
US 8.8.8.8:53 dwvohi.info udp
US 8.8.8.8:53 xuhsbqxl.net udp
US 8.8.8.8:53 ddckrr.info udp
US 8.8.8.8:53 exyujn.net udp
US 8.8.8.8:53 gkwuccsw.com udp
US 8.8.8.8:53 nkoews.net udp
US 8.8.8.8:53 ijofqwpvnhpq.net udp
US 8.8.8.8:53 naxiuuwss.net udp
US 8.8.8.8:53 zoxlrmjevi.info udp
US 8.8.8.8:53 oqmcoemgo.info udp
US 8.8.8.8:53 bjgvoizh.info udp
US 8.8.8.8:53 tsxuqrkl.info udp
US 8.8.8.8:53 tjhabtt.info udp
US 8.8.8.8:53 lrvnvralborq.net udp
US 8.8.8.8:53 luqluapwpg.info udp
US 8.8.8.8:53 eaciykeeccui.org udp
US 8.8.8.8:53 lfppeqe.org udp
US 8.8.8.8:53 lxveqvqrez.info udp
US 8.8.8.8:53 sooklqj.net udp
US 8.8.8.8:53 jliefm.info udp
US 8.8.8.8:53 pfveuyfezshg.info udp
US 8.8.8.8:53 gpyvawv.info udp
US 8.8.8.8:53 lkqtnskp.info udp
US 8.8.8.8:53 xrpxttbzepoi.info udp
US 8.8.8.8:53 eunqguv.info udp
US 8.8.8.8:53 titiqwvq.net udp
US 8.8.8.8:53 lyspbidj.net udp
US 8.8.8.8:53 zqbdpmmjgzjk.net udp
US 8.8.8.8:53 cuykyuwg.org udp
US 8.8.8.8:53 tpdoeinqh.net udp
US 8.8.8.8:53 valkehh.info udp
US 8.8.8.8:53 zgfimstfk.net udp
US 8.8.8.8:53 xsrkotmy.info udp
US 8.8.8.8:53 tctenjnn.net udp
US 8.8.8.8:53 anptmvnhla.info udp
US 8.8.8.8:53 kmysyi.info udp
US 8.8.8.8:53 pelaghtbk.com udp
US 8.8.8.8:53 qqqcoscyie.com udp
US 8.8.8.8:53 nidsrmzspbd.net udp
US 8.8.8.8:53 dpzepnwnudlt.net udp
US 8.8.8.8:53 lhihpfmzbb.net udp
US 8.8.8.8:53 vsyjdmli.net udp
US 8.8.8.8:53 dudplt.net udp
US 8.8.8.8:53 zpbihodt.info udp
US 8.8.8.8:53 brlexsniv.info udp
US 8.8.8.8:53 kgrxufxij.info udp
US 8.8.8.8:53 cjleudnxfzvs.info udp
US 8.8.8.8:53 agevnz.info udp
US 8.8.8.8:53 tbenamucvu.info udp
US 8.8.8.8:53 hkmcvvc.info udp
US 8.8.8.8:53 rrbwxmkemd.info udp
US 8.8.8.8:53 tmokjeliz.info udp
US 8.8.8.8:53 ekytmwcr.net udp
US 8.8.8.8:53 sbnwmhdd.info udp
US 8.8.8.8:53 wgkznif.net udp
US 8.8.8.8:53 cklvjinm.net udp
US 8.8.8.8:53 zqgctaon.info udp
US 8.8.8.8:53 tutudsdigor.com udp
US 8.8.8.8:53 tpvawecqn.com udp
US 8.8.8.8:53 tulncwdr.info udp
US 8.8.8.8:53 rgpofqoapmb.info udp
US 8.8.8.8:53 iceikg.org udp
US 8.8.8.8:53 vesyuca.net udp
US 8.8.8.8:53 qprxpk.net udp
US 8.8.8.8:53 mszidfiqah.info udp
US 8.8.8.8:53 mmoiaeiaocug.com udp
US 8.8.8.8:53 gmessioiyesy.org udp
US 8.8.8.8:53 logjpizsl.com udp
US 8.8.8.8:53 bwbkdeh.com udp
US 8.8.8.8:53 jlkxbpfz.info udp
US 8.8.8.8:53 nusuhyt.net udp
US 8.8.8.8:53 nbfajgf.info udp
US 8.8.8.8:53 zrpkrbmjmv.net udp
US 8.8.8.8:53 fuxllxop.info udp
US 8.8.8.8:53 cyxkjqpuzol.net udp
US 8.8.8.8:53 rutqahlgxbz.org udp
US 8.8.8.8:53 uqkygcak.com udp
US 8.8.8.8:53 gkllimd.info udp
US 8.8.8.8:53 nenafsjel.org udp
US 8.8.8.8:53 kpwlqbdcgnou.info udp
US 8.8.8.8:53 kefujkm.net udp
US 8.8.8.8:53 ylzptbgj.net udp
US 8.8.8.8:53 tolvdlrm.net udp
US 8.8.8.8:53 jwgidaul.info udp
US 8.8.8.8:53 wvnxwtgs.info udp
US 8.8.8.8:53 lorgzsl.info udp
US 8.8.8.8:53 mexerz.net udp
US 8.8.8.8:53 ayaikukyks.org udp
US 8.8.8.8:53 vwfwxmf.net udp
US 8.8.8.8:53 ncldubrp.net udp
US 8.8.8.8:53 xfaruevqa.info udp
US 8.8.8.8:53 hvxbueogvv.info udp
US 8.8.8.8:53 mhpzkxfpcd.net udp
US 8.8.8.8:53 hujnckw.info udp
US 8.8.8.8:53 lxnqlkygdub.info udp
US 8.8.8.8:53 qsxyuhfg.info udp
US 8.8.8.8:53 qqzran.info udp
US 8.8.8.8:53 yvcbvi.info udp
US 8.8.8.8:53 pfrcjbfqrgtb.info udp
US 8.8.8.8:53 cyoqcyqo.com udp
US 8.8.8.8:53 fonermiqt.net udp
US 8.8.8.8:53 biwklwngsdt.org udp
US 8.8.8.8:53 ziiwdb.info udp
US 8.8.8.8:53 emmekguy.com udp
US 8.8.8.8:53 xqxqvobidee.net udp
US 8.8.8.8:53 sotwljtecuh.net udp
US 8.8.8.8:53 wgbmnurwp.info udp
US 8.8.8.8:53 qbkmkfhqr.net udp
US 8.8.8.8:53 yqsulei.info udp
US 8.8.8.8:53 xzgsxbb.com udp
US 8.8.8.8:53 uldbtsfo.net udp
US 8.8.8.8:53 gwumgkswsk.com udp
US 8.8.8.8:53 bblssfrfec.net udp
US 8.8.8.8:53 jerbhbjmyll.com udp
US 8.8.8.8:53 ewduukbqentw.net udp
US 8.8.8.8:53 qwuclxiwzin.info udp
US 8.8.8.8:53 aaouuouoiqmk.org udp
US 8.8.8.8:53 oyphxqjbqo.info udp
US 8.8.8.8:53 owcfpb.net udp
US 8.8.8.8:53 hbalfcbztj.info udp
US 8.8.8.8:53 hqxgvizidil.com udp
US 8.8.8.8:53 sumqcaai.org udp
US 8.8.8.8:53 kcogoageam.com udp
US 8.8.8.8:53 crzxuldzyj.net udp
US 8.8.8.8:53 nnfbcvdk.info udp
US 8.8.8.8:53 skoiwe.com udp
US 8.8.8.8:53 zwxewzlyrqh.com udp
US 8.8.8.8:53 napshnj.net udp
US 8.8.8.8:53 lksozka.net udp
US 8.8.8.8:53 yvojwxwfiw.net udp
US 8.8.8.8:53 wrrpqs.net udp
US 8.8.8.8:53 eepaxijrnwkv.net udp
US 8.8.8.8:53 ldpkyqhkswd.info udp
US 8.8.8.8:53 uryyyrprrlzw.info udp
US 8.8.8.8:53 rpqdeifb.net udp
US 8.8.8.8:53 bttqrqrpxsjv.info udp
US 8.8.8.8:53 ixvbcgotbn.info udp
US 8.8.8.8:53 citgksaxetvh.info udp
US 8.8.8.8:53 vrwdvy.info udp
US 8.8.8.8:53 rjwwrxmvvtg.org udp
US 8.8.8.8:53 nrlvny.info udp
US 8.8.8.8:53 tfldcopk.net udp
US 8.8.8.8:53 gywfzklbr.info udp
US 8.8.8.8:53 abzwwvcx.net udp
US 8.8.8.8:53 istkospymrt.net udp
US 8.8.8.8:53 ftcjafkzpl.net udp
US 8.8.8.8:53 syqcoscyie.com udp
US 8.8.8.8:53 kkicou.com udp
US 8.8.8.8:53 iscoyg.org udp
US 8.8.8.8:53 gqdssetb.net udp
US 8.8.8.8:53 nflgzgmp.info udp
US 8.8.8.8:53 enlkthdkwj.net udp
US 8.8.8.8:53 rvibgcghbvyo.info udp
US 8.8.8.8:53 gphalz.net udp
US 8.8.8.8:53 gvlsjuxsqxh.net udp
US 8.8.8.8:53 wdxhaicsckn.info udp
US 8.8.8.8:53 hiycbotsekd.com udp
US 8.8.8.8:53 wstoqjg.info udp
US 8.8.8.8:53 tbjvbefqr.info udp
US 8.8.8.8:53 jaargjgadkst.info udp
US 8.8.8.8:53 xrbklm.info udp
US 8.8.8.8:53 wajypsjqrlc.info udp
US 8.8.8.8:53 gkwmvfnvunqy.net udp
US 8.8.8.8:53 okxtfcp.net udp
US 8.8.8.8:53 suicwlhzdsrh.net udp
US 8.8.8.8:53 mkcgmdji.info udp
US 8.8.8.8:53 mrxwdeao.info udp
US 8.8.8.8:53 vqjpkwb.net udp
US 8.8.8.8:53 nujjjhwmtcyu.info udp
US 8.8.8.8:53 fecjlcn.info udp
US 8.8.8.8:53 vftsat.net udp
US 8.8.8.8:53 osfirsowmqo.info udp
US 8.8.8.8:53 zfusuibapjr.info udp
US 8.8.8.8:53 zbolqasjxrfu.info udp
US 8.8.8.8:53 imyqeqbstun.info udp
US 8.8.8.8:53 zpwppcsawvmo.info udp
US 8.8.8.8:53 pvqlykfq.net udp
US 8.8.8.8:53 sctwdjwgvh.info udp
US 8.8.8.8:53 nkjqpa.net udp
US 8.8.8.8:53 nxluaatqq.com udp
US 8.8.8.8:53 jvcuyszjq.com udp
US 8.8.8.8:53 sqguis.com udp
US 8.8.8.8:53 yyrbfmjlmyqa.net udp
US 8.8.8.8:53 pekjeo.net udp
US 8.8.8.8:53 xzfumwodooyh.net udp
US 8.8.8.8:53 ssmmjopmh.info udp
US 8.8.8.8:53 vmihlahazqo.net udp
US 8.8.8.8:53 lmvxlmt.info udp
US 8.8.8.8:53 qvvrhkrzrun.info udp
US 8.8.8.8:53 ipcguhpomgso.net udp
US 8.8.8.8:53 ujzlhj.info udp
US 8.8.8.8:53 isokee.org udp
US 8.8.8.8:53 bajfsbvxwd.info udp
US 8.8.8.8:53 cofqgl.info udp
US 8.8.8.8:53 sgphyamiz.info udp
US 8.8.8.8:53 dspwhkz.org udp
US 8.8.8.8:53 mywqcs.org udp
US 8.8.8.8:53 nsfkeafrtjn.info udp
US 8.8.8.8:53 vzlavynhq.org udp
US 8.8.8.8:53 esaocyaeyegw.com udp
US 8.8.8.8:53 pclrlibqxkq.org udp
US 8.8.8.8:53 ybtpvy.net udp
US 8.8.8.8:53 jtpdhst.org udp
US 162.249.65.164:80 jtpdhst.org tcp
US 8.8.8.8:53 hprzcbvg.info udp
US 8.8.8.8:53 afszbipjcgv.info udp
US 8.8.8.8:53 aciwgi.org udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 mejgpwvozsb.info udp
US 8.8.8.8:53 qyaagi.com udp
US 8.8.8.8:53 bfvbpfllrewl.net udp
US 8.8.8.8:53 udaajo.info udp
US 8.8.8.8:53 qavxtnybal.net udp
US 8.8.8.8:53 drehda.net udp
US 8.8.8.8:53 cmhaassoxtc.info udp
US 8.8.8.8:53 ascviapwshga.info udp
US 8.8.8.8:53 mazmgkpb.info udp
US 8.8.8.8:53 qwzajqy.info udp
US 8.8.8.8:53 tbrpvoic.net udp
US 8.8.8.8:53 huvinzvjdrfe.net udp
US 8.8.8.8:53 nijpfwn.net udp
US 8.8.8.8:53 yvvwtcdubbd.net udp
US 8.8.8.8:53 lklmymteg.info udp
US 8.8.8.8:53 ebzrfww.net udp
US 8.8.8.8:53 nqjjgapj.info udp
US 8.8.8.8:53 nuhyxeigk.info udp
US 8.8.8.8:53 kasuiyek.com udp
US 8.8.8.8:53 kspxda.info udp
US 8.8.8.8:53 bjyklhhhkyoh.info udp
US 8.8.8.8:53 bbrkykjh.info udp
US 8.8.8.8:53 mygyykkqacqu.org udp
US 8.8.8.8:53 rqsmlao.net udp
US 8.8.8.8:53 tarcbqr.net udp
US 8.8.8.8:53 bheudz.info udp
US 8.8.8.8:53 yqkikqoywaas.com udp
US 8.8.8.8:53 bhtfjmvlkkhp.info udp
US 8.8.8.8:53 yihgoczdn.info udp
US 8.8.8.8:53 yaiwwqauqmom.com udp
US 8.8.8.8:53 wgbjaqsv.info udp
US 8.8.8.8:53 kwkerzhgqns.net udp
US 8.8.8.8:53 veuwbsjwtgh.net udp
US 8.8.8.8:53 kcsskwaa.org udp
US 8.8.8.8:53 kkknwihe.info udp
US 8.8.8.8:53 ilotakteky.net udp
US 8.8.8.8:53 sltjlfdjbt.net udp
US 8.8.8.8:53 mbpwcqlboe.info udp
US 8.8.8.8:53 gdxcdi.info udp
US 8.8.8.8:53 huvabqngfpaj.info udp
US 8.8.8.8:53 nvkegmombev.info udp
US 8.8.8.8:53 quewjglko.net udp
US 8.8.8.8:53 ipxcbhnfnj.info udp
US 8.8.8.8:53 wkmqakioaegs.com udp
US 8.8.8.8:53 miheuwovp.net udp
US 8.8.8.8:53 zdfqxmraf.org udp
US 162.249.65.164:80 zdfqxmraf.org tcp
US 8.8.8.8:53 gixnnn.net udp
US 8.8.8.8:53 oshrzlikl.info udp
US 8.8.8.8:53 yqeikm.org udp
US 8.8.8.8:53 vohxgjcknxx.info udp
US 8.8.8.8:53 eawmqzrhvo.info udp
US 8.8.8.8:53 lljnryhl.info udp
US 8.8.8.8:53 bixsou.info udp
US 8.8.8.8:53 gdveixnmj.net udp
US 8.8.8.8:53 qlgdxhio.info udp
US 8.8.8.8:53 tfdammxsvmz.com udp
US 8.8.8.8:53 iuuqoqgu.org udp
US 8.8.8.8:53 omuejyvdsq.info udp
US 8.8.8.8:53 ikpmlcghqp.net udp
US 8.8.8.8:53 qwmieckoacqw.org udp
US 8.8.8.8:53 qricithapd.net udp
US 8.8.8.8:53 jvmkdb.info udp
US 8.8.8.8:53 efjjliqd.info udp
US 8.8.8.8:53 qyeunl.net udp
US 8.8.8.8:53 uyusvwoit.net udp
US 8.8.8.8:53 ksfzenpwavdw.info udp
US 8.8.8.8:53 efubrmlh.net udp
US 8.8.8.8:53 makpolzuol.net udp
US 8.8.8.8:53 emxsqslwnub.net udp
US 8.8.8.8:53 qigeuyqiga.com udp
US 8.8.8.8:53 vufzxorwm.info udp
US 8.8.8.8:53 awkizuysx.info udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 kyqugqywge.com udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 uplbmwjqn.net udp
US 8.8.8.8:53 bcvuhficdeh.info udp
US 8.8.8.8:53 oqugsiqwsquq.org udp
US 8.8.8.8:53 ogkknfkefmf.net udp
US 8.8.8.8:53 wuiscsccge.com udp
US 8.8.8.8:53 gounbviz.info udp
US 8.8.8.8:53 fqbjkr.info udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 wyjudcxiq.info udp
US 8.8.8.8:53 xqfimycsv.info udp
US 8.8.8.8:53 caaaigqkmiae.org udp
US 162.249.65.164:80 caaaigqkmiae.org tcp
US 8.8.8.8:53 gmxolfmo.net udp
US 8.8.8.8:53 dodzemngzpqv.net udp
US 8.8.8.8:53 jhtoyqf.net udp
US 8.8.8.8:53 eeicoogwaugc.com udp
US 8.8.8.8:53 wblqlfxqa.net udp
US 8.8.8.8:53 lobesk.net udp
US 8.8.8.8:53 eusosaok.com udp
US 8.8.8.8:53 ourqucg.info udp
US 8.8.8.8:53 gfxrwlbzamcu.net udp
US 8.8.8.8:53 qqvmzuxczjx.net udp
US 8.8.8.8:53 iebiyilqo.info udp
US 8.8.8.8:53 vuzdkpreod.info udp
US 8.8.8.8:53 wsrnpavrlayc.net udp
US 8.8.8.8:53 kzxjhgaeni.net udp
US 8.8.8.8:53 cnnwamf.net udp
US 8.8.8.8:53 iiauic.com udp
US 8.8.8.8:53 sslcoxdy.net udp
US 8.8.8.8:53 mcqguiky.com udp
US 8.8.8.8:53 ayxvdktpr.info udp
US 8.8.8.8:53 jfzciyx.org udp
US 162.249.65.164:80 jfzciyx.org tcp
US 8.8.8.8:53 wiydtgwon.net udp
US 8.8.8.8:53 ifxuep.net udp
US 8.8.8.8:53 eozwvpi.net udp
US 8.8.8.8:53 sidlvctfcd.net udp
US 8.8.8.8:53 lexbrydecxe.org udp
US 8.8.8.8:53 wkuezkn.net udp
US 8.8.8.8:53 odzbxn.info udp
US 8.8.8.8:53 acgwiwsisu.org udp
US 8.8.8.8:53 udpurapqf.info udp
US 8.8.8.8:53 vcapzsn.com udp
US 8.8.8.8:53 ritdhsergsyd.net udp
US 8.8.8.8:53 kyoaokueao.com udp
US 8.8.8.8:53 cxhpao.info udp
US 8.8.8.8:53 pfllud.info udp
US 8.8.8.8:53 zlrajztb.net udp
US 8.8.8.8:53 cgkkxyqwxsx.net udp
US 8.8.8.8:53 ehwoqrboiogy.net udp
US 8.8.8.8:53 ekdyxagal.net udp
US 8.8.8.8:53 najbjpny.net udp
US 8.8.8.8:53 ctxbqaol.net udp
US 8.8.8.8:53 oymsikma.org udp
US 8.8.8.8:53 vnwetyaizu.net udp
US 8.8.8.8:53 rnhevdvl.net udp
US 8.8.8.8:53 velrfr.net udp
US 8.8.8.8:53 yiicek.com udp
US 8.8.8.8:53 oaqsieunuuwe.net udp
US 8.8.8.8:53 tkokqylbkqc.org udp
US 8.8.8.8:53 pitqyi.info udp
US 8.8.8.8:53 nfzmpq.info udp
US 8.8.8.8:53 sjcbnztkskl.info udp
US 8.8.8.8:53 asnapiuotwf.net udp
US 8.8.8.8:53 ucahjlrsxiwp.net udp
US 8.8.8.8:53 rgbwhwo.net udp
US 8.8.8.8:53 qjdxrvwylqnk.info udp
US 8.8.8.8:53 bdjouyjaeeb.net udp
US 8.8.8.8:53 pwjwayz.org udp
US 8.8.8.8:53 pcrjxsbgiuj.net udp
US 8.8.8.8:53 mmewkcaw.org udp
US 8.8.8.8:53 zhbmwk.net udp
US 8.8.8.8:53 zmtkywp.org udp
US 162.249.65.164:80 zmtkywp.org tcp
US 8.8.8.8:53 fwzmlrhodnx.org udp
US 8.8.8.8:53 byphbmny.net udp
US 8.8.8.8:53 fbjyqshd.info udp
US 8.8.8.8:53 hozqvimincu.net udp
US 8.8.8.8:53 gewymcss.com udp
US 8.8.8.8:53 tlhagbuqfo.info udp
US 8.8.8.8:53 rrkmwnrm.net udp
US 8.8.8.8:53 apkgjarprdwh.info udp
US 8.8.8.8:53 ryzwfmlyw.info udp
US 8.8.8.8:53 bgqdamdhpjse.info udp
US 8.8.8.8:53 mmpqlyt.info udp
US 8.8.8.8:53 kvcaeszv.info udp
US 8.8.8.8:53 loxvpzn.info udp
US 8.8.8.8:53 dzpmjawy.net udp
US 8.8.8.8:53 hurjymry.info udp
US 8.8.8.8:53 gyjznsxnzgh.info udp
US 8.8.8.8:53 ymwhda.info udp
US 8.8.8.8:53 hndzkwzhmxhs.info udp
US 8.8.8.8:53 eeymkcci.com udp
US 8.8.8.8:53 skompoxsmmz.net udp
US 162.249.65.164:80 zmtkywp.org tcp
US 8.8.8.8:53 xspajbn.net udp
US 8.8.8.8:53 kktahqmxtlpn.net udp
US 8.8.8.8:53 adomofxvpaq.net udp
US 8.8.8.8:53 ksbpwyejzjxo.info udp
US 8.8.8.8:53 cgwgaguesg.org udp
US 162.249.65.164:80 cgwgaguesg.org tcp
US 8.8.8.8:53 rwcgvob.com udp
US 8.8.8.8:53 zrxtuic.info udp
US 8.8.8.8:53 gicuaswsiwgw.org udp
US 8.8.8.8:53 wqaqesmgmk.com udp
US 8.8.8.8:53 qkogdsn.net udp
US 8.8.8.8:53 qeoimmug.org udp
US 8.8.8.8:53 julxerwaocda.net udp
US 8.8.8.8:53 wbtlxues.net udp
US 8.8.8.8:53 wkkckgygsw.com udp
US 8.8.8.8:53 evwoaknfln.info udp
US 8.8.8.8:53 neqbbwsgo.org udp
US 8.8.8.8:53 syddlcscu.net udp
US 8.8.8.8:53 vorsxqf.com udp
US 8.8.8.8:53 nokmlmmal.net udp
US 8.8.8.8:53 nkybtwpgzoi.info udp
US 8.8.8.8:53 ybtdzhzohy.net udp
US 8.8.8.8:53 yajccbienx.info udp
US 8.8.8.8:53 elzmqdgihrj.net udp
US 8.8.8.8:53 tyyafiyv.net udp
US 8.8.8.8:53 mflenibkh.info udp
US 8.8.8.8:53 gwmeafacbwrh.info udp
US 8.8.8.8:53 pfntsuls.info udp
US 8.8.8.8:53 fbpeolofrb.info udp
US 8.8.8.8:53 wteamqbdkqbi.net udp
US 8.8.8.8:53 vkdopa.info udp
US 8.8.8.8:53 bmzshyd.org udp
US 8.8.8.8:53 qkdqch.net udp
US 8.8.8.8:53 pyfcfanofzvw.info udp
US 8.8.8.8:53 nubsmcbjrzi.info udp
US 8.8.8.8:53 nzzmvbaf.info udp
US 8.8.8.8:53 zdoosv.info udp
US 8.8.8.8:53 leioryfzykd.info udp
US 8.8.8.8:53 eaisokwcuc.com udp
US 8.8.8.8:53 bjqvdvvip.com udp
US 8.8.8.8:53 ngtazyp.net udp
US 8.8.8.8:53 jjgkgshjfjeq.info udp
US 8.8.8.8:53 nrvrjgomzw.net udp
US 8.8.8.8:53 lzrogwj.net udp
US 8.8.8.8:53 omklxxad.info udp
US 8.8.8.8:53 pygnvd.net udp
US 8.8.8.8:53 tivulxwxt.org udp
US 8.8.8.8:53 lblxlwomf.net udp
US 8.8.8.8:53 agggqiaa.org udp
US 8.8.8.8:53 tebmrt.info udp
US 8.8.8.8:53 fffdjlyjyi.net udp
US 8.8.8.8:53 ekamqi.org udp
US 162.249.65.164:80 ekamqi.org tcp
US 8.8.8.8:53 eevwkmdwg.net udp
US 8.8.8.8:53 sqojjnvd.info udp
US 8.8.8.8:53 eaqeicwoga.com udp
US 8.8.8.8:53 lxbmxzoctd.info udp
US 8.8.8.8:53 ggqcqc.org udp
US 8.8.8.8:53 ymidkhgqkwh.net udp
US 8.8.8.8:53 cvwpfiesyd.info udp
US 8.8.8.8:53 iwhvmoj.net udp
US 8.8.8.8:53 cybjralsuq.info udp
US 8.8.8.8:53 mggrrlfuqz.info udp
US 8.8.8.8:53 xopgozy.com udp
US 8.8.8.8:53 lgrkapskjte.info udp
US 8.8.8.8:53 oszjxzhkklmh.info udp
US 8.8.8.8:53 hyafbvpm.net udp
US 8.8.8.8:53 equytmb.info udp
US 8.8.8.8:53 ebbjvmph.net udp
US 8.8.8.8:53 qwcyywog.org udp
US 8.8.8.8:53 eqcsskwyyiug.org udp
US 162.249.65.164:80 eqcsskwyyiug.org tcp
US 8.8.8.8:53 qiywawcaieio.com udp
US 8.8.8.8:53 nexptxdvrjm.com udp
US 8.8.8.8:53 ugsymcceuw.com udp
US 8.8.8.8:53 pgchlxgc.net udp
US 8.8.8.8:53 zjhbfg.info udp
US 8.8.8.8:53 yyezlphjnigg.net udp
US 8.8.8.8:53 pcuesfaaps.net udp
US 8.8.8.8:53 tshxehbpzhzh.info udp
US 8.8.8.8:53 fqzylyeur.org udp
US 8.8.8.8:53 uegbhivkk.net udp
US 8.8.8.8:53 eweuaigycy.org udp
US 162.249.65.164:80 eweuaigycy.org tcp
US 8.8.8.8:53 dqlcmg.net udp
US 8.8.8.8:53 ishstyjyxiz.net udp
US 8.8.8.8:53 oqpeldfrzuf.net udp
US 8.8.8.8:53 svvfhutc.net udp
US 8.8.8.8:53 kgyqoaosga.com udp
US 8.8.8.8:53 gkdwqmbggusb.info udp
US 8.8.8.8:53 zwnmndf.com udp
US 8.8.8.8:53 woqaemce.com udp
US 8.8.8.8:53 xrliqghkq.info udp
US 8.8.8.8:53 eqkicsgsmikw.org udp
US 8.8.8.8:53 ckqqaueogk.com udp
US 8.8.8.8:53 lhbtecpktqp.info udp
US 8.8.8.8:53 caovemaplod.net udp
US 8.8.8.8:53 rgrdpwvmpxbc.net udp
US 8.8.8.8:53 scqbahug.info udp
US 8.8.8.8:53 qwggecuq.com udp
US 8.8.8.8:53 fryvpc.net udp
US 8.8.8.8:53 jfqippqwid.info udp
US 8.8.8.8:53 gzzhsqoo.info udp
US 8.8.8.8:53 lgbwjeb.info udp
US 8.8.8.8:53 ljxsyj.info udp
US 8.8.8.8:53 dvgluu.net udp
US 8.8.8.8:53 wmigouqasi.com udp
US 8.8.8.8:53 qkfgnhnovf.info udp
US 8.8.8.8:53 rdrsxai.info udp
US 8.8.8.8:53 ikdmrcx.net udp
US 8.8.8.8:53 kaxlkqpaeau.info udp
US 8.8.8.8:53 biwuvoz.net udp
US 8.8.8.8:53 vqinviwwl.com udp
US 8.8.8.8:53 mskxktalrtqc.info udp
US 8.8.8.8:53 ssxmkvkzh.net udp
US 8.8.8.8:53 vnuecxqlijil.info udp
US 8.8.8.8:53 fnqsmcftroxg.info udp
US 8.8.8.8:53 wiscceuk.com udp
US 8.8.8.8:53 qxjkbfr.net udp
US 8.8.8.8:53 yvntbhcyshap.net udp
US 8.8.8.8:53 riubvohx.info udp
US 8.8.8.8:53 xndjzjne.net udp
US 8.8.8.8:53 psbqrwrmd.com udp
US 8.8.8.8:53 fxyctxci.info udp
US 8.8.8.8:53 wzxqqsksmhht.net udp
US 8.8.8.8:53 iyyiwuwe.com udp
US 8.8.8.8:53 kcguuuas.com udp
US 8.8.8.8:53 wztgljscry.net udp
US 8.8.8.8:53 ggjsnccky.info udp
US 8.8.8.8:53 pntijcvgpz.info udp
US 8.8.8.8:53 cklwdebofut.net udp
US 8.8.8.8:53 djtqbgpepjm.org udp
US 8.8.8.8:53 qzhwkkfuohwz.info udp
US 8.8.8.8:53 ycaunmdur.net udp
US 8.8.8.8:53 xzxwrxdcbwng.info udp
US 8.8.8.8:53 aufghykyzpb.net udp
US 8.8.8.8:53 jwlmww.info udp
US 8.8.8.8:53 xavihqzvnel.info udp
US 8.8.8.8:53 cjijxxflavpd.net udp
US 8.8.8.8:53 utjwasqdm.info udp
US 8.8.8.8:53 qyiwrcy.info udp
US 8.8.8.8:53 euiciw.com udp
US 8.8.8.8:53 kucwuo.org udp
US 8.8.8.8:53 utgbxyiuzm.info udp
US 8.8.8.8:53 kdvucwxcpef.net udp
US 8.8.8.8:53 nizybszil.info udp
US 8.8.8.8:53 cuwkbspypvr.net udp
US 8.8.8.8:53 rcwrvlrut.net udp
US 8.8.8.8:53 ykhkvljit.info udp
US 8.8.8.8:53 yenxjuh.info udp
US 8.8.8.8:53 vipcpee.info udp
US 8.8.8.8:53 efoobg.info udp
US 8.8.8.8:53 wbnblzvzlbds.info udp
US 8.8.8.8:53 ianuxyntnig.net udp
US 8.8.8.8:53 neotjkse.info udp
US 8.8.8.8:53 guvixyyc.net udp
US 8.8.8.8:53 ydlgemxmbef.info udp
US 8.8.8.8:53 aeukcyzmq.net udp
US 8.8.8.8:53 jetdfmxyl.info udp
US 8.8.8.8:53 dwhsxl.info udp
US 8.8.8.8:53 tfduch.net udp
US 8.8.8.8:53 ukdltgkqjoxu.net udp
US 8.8.8.8:53 qbjibqzauqf.net udp
US 8.8.8.8:53 dbujhkime.org udp
US 8.8.8.8:53 izgmvndvmxji.info udp
US 8.8.8.8:53 jgxacpcgnlcd.net udp
US 8.8.8.8:53 rflrgemzhqqn.info udp
US 8.8.8.8:53 tsrkmfalccr.org udp
US 8.8.8.8:53 nefwulmsyx.net udp
US 8.8.8.8:53 bvjtxub.com udp
US 8.8.8.8:53 xhghhfm.info udp
US 8.8.8.8:53 daqcxittsf.info udp
US 8.8.8.8:53 lrbqxqikxvb.info udp
US 8.8.8.8:53 bvytrkzb.net udp
US 8.8.8.8:53 zqjkpyjb.net udp
US 8.8.8.8:53 gvwnphxucy.net udp
US 8.8.8.8:53 znpsldu.org udp
US 162.249.65.164:80 znpsldu.org tcp
US 8.8.8.8:53 cxdsdqrlthax.info udp
US 8.8.8.8:53 mkyflshooir.net udp
US 8.8.8.8:53 nkrzvcyyty.info udp
US 8.8.8.8:53 zqpiugf.net udp
US 8.8.8.8:53 ecuejswxb.net udp
US 8.8.8.8:53 djdjhidqmwh.com udp
US 8.8.8.8:53 miswccdu.net udp
US 8.8.8.8:53 tstspn.info udp
US 8.8.8.8:53 innmsdmgu.net udp
US 8.8.8.8:53 jdhuukvnr.net udp
US 8.8.8.8:53 uckymuoq.com udp
US 8.8.8.8:53 amcwaiuumg.com udp
US 8.8.8.8:53 qaycsesu.com udp
US 8.8.8.8:53 sqggyg.com udp
US 8.8.8.8:53 phtriqr.com udp
US 8.8.8.8:53 kmkgsypnlw.net udp
US 8.8.8.8:53 xgyatjz.org udp
US 8.8.8.8:53 flfqdbkdtg.info udp
US 8.8.8.8:53 cugcmy.org udp
US 162.249.65.164:80 cugcmy.org tcp
US 8.8.8.8:53 fybwznx.com udp
US 8.8.8.8:53 ufofpq.info udp
US 8.8.8.8:53 brckjebfu.info udp
US 8.8.8.8:53 brtcguciq.com udp
US 8.8.8.8:53 dwrcnyp.org udp
US 8.8.8.8:53 kqrhhigmwu.net udp
US 8.8.8.8:53 hsyamiwnw.org udp
US 8.8.8.8:53 lqipkjmf.info udp
US 8.8.8.8:53 zawufqzwz.net udp
US 8.8.8.8:53 oqhurmoup.info udp
US 8.8.8.8:53 lpwllrni.net udp
US 8.8.8.8:53 raiobwskm.info udp
US 8.8.8.8:53 eqacmi.com udp
US 8.8.8.8:53 lysassfobzx.net udp
US 8.8.8.8:53 gdhbkydv.info udp
US 8.8.8.8:53 gsmxuo.net udp
US 8.8.8.8:53 cyxzcronhm.info udp
US 8.8.8.8:53 pslhln.info udp
US 8.8.8.8:53 flaalsa.org udp
US 8.8.8.8:53 bhuibffgut.net udp
US 8.8.8.8:53 xbdyxk.info udp
US 8.8.8.8:53 uetkfumipfn.net udp
US 8.8.8.8:53 acugsqoaqosk.com udp
US 8.8.8.8:53 emyadgxgp.net udp
US 8.8.8.8:53 jahgdst.net udp
US 8.8.8.8:53 lkottrd.info udp
US 8.8.8.8:53 eotkdgrsk.info udp
US 8.8.8.8:53 vklrrkpgb.info udp
US 8.8.8.8:53 jipvfcix.net udp
US 8.8.8.8:53 pnwegh.info udp
US 8.8.8.8:53 pysrnffivqp.net udp
US 8.8.8.8:53 cnfozmq.info udp
US 8.8.8.8:53 208.143.182.52.in-addr.arpa udp
US 8.8.8.8:53 psxcdyj.net udp
US 8.8.8.8:53 gshqxwi.info udp
US 8.8.8.8:53 qqnbgcmtpa.net udp
US 8.8.8.8:53 yxqnxnt.info udp
US 8.8.8.8:53 rprltsmo.net udp
US 8.8.8.8:53 wqjarqltoeo.net udp
US 8.8.8.8:53 gwicgecw.org udp
US 8.8.8.8:53 pedyxcrohat.org udp
DE 85.214.228.140:80 pedyxcrohat.org tcp
US 8.8.8.8:53 ueeaayogko.com udp
US 8.8.8.8:53 pdaxzfogwz.net udp
US 8.8.8.8:53 rdijpyfskf.net udp
US 8.8.8.8:53 smtoteputmr.net udp
US 8.8.8.8:53 geiehohtveh.net udp
US 8.8.8.8:53 oawqiemgumku.org udp
US 8.8.8.8:53 acwqgwaqcm.org udp
US 8.8.8.8:53 eazcntnslud.net udp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 jnfber.net udp
US 8.8.8.8:53 dgzyemj.net udp
US 8.8.8.8:53 qqbthpxjhm.net udp
US 8.8.8.8:53 ukwmsa.org udp
US 8.8.8.8:53 sgknktan.net udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
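
Reading the Network table above by hand is impractical: several hundred DNS queries for random-looking names, a handful of which are followed by a TCP connection to the same hostname, plus reverse (in-addr.arpa) lookups, Microsoft background traffic and fourteen rows the sandbox emitted with no hostname at all. The script below is an added example written for this page, not output of the sandbox or code belonging to the report's authors. It parses rows in the report's own "CC ip:port [host] proto" layout, separates the generated-looking names from the rest with a deliberately crude vowel-ratio heuristic (the thresholds are an assumption, not a trained classifier), and treats a hostname as "contacted" only when a TCP row for it appears, because the report lists queries but not DNS answers. The benign-suffix list is also an assumption. The sample rows are copied from the table above so the example runs offline.

```python
import re
from collections import defaultdict

# Constructed sample input: rows copied verbatim from the Network table of
# this report, in the same "CC ip:port [host] proto" layout. The final row
# reproduces the hostname-less entries the sandbox emitted at the end.
SAMPLE_ROWS = """\
US 8.8.8.8:53 gkwuccsw.com udp
US 8.8.8.8:53 nkoews.net udp
US 8.8.8.8:53 jtpdhst.org udp
US 162.249.65.164:80 jtpdhst.org tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 zdfqxmraf.org udp
US 162.249.65.164:80 zdfqxmraf.org tcp
US 8.8.8.8:53 pedyxcrohat.org udp
DE 85.214.228.140:80 pedyxcrohat.org tcp
US 8.8.8.8:53 udp
"""

# One report row: country code, ip:port, optional hostname, protocol.
ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"\s+(?:(?P<host>\S+)\s+)?(?P<proto>udp|tcp)$"
)

# Assumption (not from the report): OS / sandbox background hosts to ignore.
BENIGN_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com")

VOWELS = set("aeiou")


def parse_rows(text):
    """Parse report rows into dicts; rows with no hostname keep host=None."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        row = m.groupdict()
        row["port"] = int(row["port"])
        rows.append(row)
    return rows


def is_benign(host):
    return host.endswith(BENIGN_SUFFIXES)


def looks_generated(host):
    """Crude DGA heuristic (an assumption, not a classifier): flag the
    left-most label when vowels are scarce or consonants run long."""
    label = host.split(".")[0].lower()
    if not label.isalpha():
        return False
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    run = longest = 0
    for c in label:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < 0.3 or longest >= 4


def summarize(rows):
    """Reduce the row list to the facts a triage analyst actually wants."""
    dns = [r for r in rows if r["proto"] == "udp" and r["port"] == 53]
    named = [r["host"] for r in dns
             if r["host"] and not r["host"].endswith(".in-addr.arpa")]
    named = [h for h in named if not is_benign(h)]
    generated = [h for h in named if looks_generated(h)]

    contacted = defaultdict(set)   # host -> {(ip, port)} seen over TCP
    fanout = defaultdict(set)      # ip   -> {hosts} the same IP answers for
    for r in rows:
        if r["proto"] == "tcp" and r["host"] and not is_benign(r["host"]):
            contacted[r["host"]].add((r["ip"], r["port"]))
            fanout[r["ip"]].add(r["host"])

    return {
        "dns_queries": len(named),
        "generated_ratio": len(generated) / len(named) if named else 0.0,
        "contacted": {h: sorted(v) for h, v in contacted.items()},
        "ip_fanout": {ip: sorted(hs) for ip, hs in fanout.items() if len(hs) > 1},
        "blank_rows": sum(1 for r in dns if not r["host"]),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(parse_rows(SAMPLE_ROWS)), indent=2))
```

Paste the full Network table into SAMPLE_ROWS (or read it from a file) to get the complete picture for this detonation: the query volume and generated-name ratio that characterise DGA behaviour, the short list of hostnames that progressed to a TCP connection, and the "ip_fanout" map showing one address answering for many different generated names. Two caveats a practitioner should keep in mind: the report records queries, not answers, so names without a TCP follow-up cannot be assumed to have been NXDOMAIN; and a single IP that answers for many generated names is frequently a sinkhole or a registrar parking host rather than live infrastructure, so confirm the address independently before treating it as C2.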

Files

C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe

MD5 56be524c2d0d736eee7f97eaeac18b8e
SHA1 e2376a438df7ac4229e56716b9ec1207bc0abcea
SHA256 72b7cd8421c04d1d3b4f46011115cdbba630c2a656baba229ce51c0891d061f7
SHA512 9d9ca2415281c5caf8ea596558d430b6405e1e3d8b5e557a211c09dab9eb428fe7ad08d084941d04bfb7705c7efac396335aac57dfc41fae5947f85cf56ba5f5

C:\Windows\SysWOW64\lfzllbnlwqfzelyeli.exe

MD5 1402edfdcc8d1c5f9ec36eba012a8d37
SHA1 cfbe8acbaec2676015c7105032d1da134f31c1ab
SHA256 96c5aeea64be8ac8173f07a0f8c7d252a83eb2fad215160f36078829856c0def
SHA512 a9baa0af65f8c3893673becc7235a3641ba4db0ac850a120431d85c38768dd10ceeb2becc7b9983088b5c65fa644f9b2b1f72b03ab4893518b1e23263d0856d9

C:\Users\Admin\AppData\Local\Temp\jrzznr.exe

MD5 812a7f266902a0708d3a45f13d56295e
SHA1 24807ab9314718a1635f94ea37113ef3b6f0348d
SHA256 ed693666e371f7704f2d5541c7aeed7fc0b3043608cbac43b7d25ba8f36b2a8b
SHA512 9a8edd0565ab91684188133711556e5407f4cf429b19fd823a0e9795873dfc2689649642e2bb3a08150864274177edc73ad9e16fc3190eaeb51f830c46929a2b

C:\Users\Admin\AppData\Local\zbdxfdxdwyvxkzuixczbdx.dxd

MD5 5c414493f2339a3e7c45dad02151c453
SHA1 7a8e868c2c51668306e9bfa3010b645148160a86
SHA256 58356979579d1b9a838e34cac313919cd5efe6e4b44e37e6843379435d453e31
SHA512 8210f5a8ca09b987c1ef7ce18477dff90ed7a10790c352711b4625f8733694cef306ce6ad962772ebd43ccb43e1d0fd980914da8f816688267f518c5b9f73dec

C:\Users\Admin\AppData\Local\qdqvoxctxksfddjiiygtglensjnaivttz.yow

MD5 7e3903c9f0a3e42bef254721daf74ff8
SHA1 229b5e479dcc9c564d5f531a0bbb899f1124336f
SHA256 63ef88e924f22a3ce1bebbf668db697ebd126fa9596b2df24232615fcfc1dcb7
SHA512 2eab31e30f338cc848a577a3a70fb7ac53a3177feaa27240cdf6980a308a348f9d53a8346e20368edd4c8630bb221821a428fafc35e19713347f0a65d7f42df1

C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd

MD5 64814025f1cdb96524d5d0dfa9db0955
SHA1 904de8cc347d83f922ee8c74ef2744a0cd6d11ce
SHA256 c3f87754f6c9c0f1bd902e2cd9e948a17a37661162cc624ae58399e6aaec29b2
SHA512 74441208e71375849a268382cf76e176fa881378276ba8d33a364ad9b3409fd215e2ce453e29814d4f6954a4993ef4d82f2ec2b8629a8898543bf406c006bee6

C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd

MD5 799bcd86da8921e7bf5b88bc67f60198
SHA1 00c46280c1952bdc1da57932b366e993b7aed0ce
SHA256 4b089cddd5e042e726c589b83eeb8f185bcffc1a6782500161b5a76882d9849d
SHA512 37d565b69dc38fe8df5f8ce6e7c176925b5c2799e3045c7d1f27b93507abf1f6784b81ef013e70afb3cd3f12c198edb5fcb8b1234013bc5c6ef21802199ee9db

C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd

MD5 8a25d67b1dc82cb6563a6eb2beeaafcc
SHA1 c31c5dfa1f21f23a877464a2bd96a2031ba95c25
SHA256 50ca49b6491e1f27e0e430ca3529b8fcc0c3fd69890daf618b2969bb4ca95037
SHA512 bf379bc858d9a73689449146ff8efc8632760dc84cb681c781837f667908e3984880cac0c976eb0a1d2e43327b8078d49c2f13164628ecb95933e9739d4362f6

C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd

MD5 cde79bdda4555b800aa4d1cc00e5c415
SHA1 9fa0b04dbb61cae742de7791bc7666da4d516126
SHA256 ca5450ae48b78e9eb9ce225103d5c0ebc53693220364968858d28f79fc79a427
SHA512 e96b02169be8160399dafd9e53329df61bb0d500d1fc44892bf92ee773a111425532b1d89ef79097f4988f60d540f73133b45775478e230cbc4f263ed5898b94

C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd

MD5 291960a9af7c524780bef3576fd7d53c
SHA1 ad66e4b8375cd70c4534b7a776bc017fa74eb1f3
SHA256 a43d64f9a41db0a13dc4f3311ee0999b9a4b1f712d99521a72680b0519b26eeb
SHA512 4547fc5293c49b403b5e92518ee4086ab9886d8e75098b21d9eb103a7e52a4369a6fdfb6c323b1d1468bfef6fe03ca3de3dd21b136c0b769083b128f594234fb

C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd

MD5 d6b2158244c6cd8d9d2e76f886cf0c45
SHA1 f17f62372560bffe2a843210f80907c211933e13
SHA256 89534a66ebb144f14dc4474fb6192f4004b0836949704d72ea43d41ad1a1ca15
SHA512 590371aabb237f7af43253cbf4cb8d10b07677854f2c796c0c1b056a85f5353215ecac75f406577d9ce3ce0c4d4e1e95dcfb928594136be6ddb55bd9dc59ca22

C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd

MD5 4a5bd3643ab425590d08fae093ce9691
SHA1 1945915eae5b4873a970dd048018ee84a6f05108
SHA256 d6bf3b96bf1743894436955d575f67f161b02c875520328d090b01d42af18819
SHA512 d34de0c0b5879795842ad176e401c5206af9254cb49dcd387a6a58eedce584f2d8e25338e4ed47cb2cbec7cb69235b051f3cc10f0eae06241e13a115915bb69a