Analysis Overview
SHA256
96c5aeea64be8ac8173f07a0f8c7d252a83eb2fad215160f36078829856c0def
Threat Level: Known bad
The file 1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UAC bypass
Adds policy Run key to start application
Disables RegEdit via registry modification
Loads dropped DLL
Impair Defenses: Safe Mode Boot
Checks computer location settings
Executes dropped EXE
Looks up external IP address via web service
Checks whether UAC is enabled
Adds Run key to start application
Drops autorun.inf file
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
System policy modification
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-27 00:20
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 00:20
Reported
2024-06-27 00:22
Platform
win7-20240611-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "ncamkbnmyiqjhbtruh.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncamkbnmyiqjhbtruh.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lccqqjxymyiddzttynee.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "espaxnywhqxpmfwtv.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "astijdsujwhdebwxdtlmb.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "lccqqjxymyiddzttynee.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\espaxnywhqxpmfwtv.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\espaxnywhqxpmfwtv.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yonazreerclfezsrvjz.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncamkbnmyiqjhbtruh.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkgqmblisagxtlbx.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "yonazreerclfezsrvjz.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "lccqqjxymyiddzttynee.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "astijdsujwhdebwxdtlmb.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\astijdsujwhdebwxdtlmb.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "xkgqmblisagxtlbx.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkgqmblisagxtlbx.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "yonazreerclfezsrvjz.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yonazreerclfezsrvjz.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "lccqqjxymyiddzttynee.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lccqqjxymyiddzttynee.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "xkgqmblisagxtlbx.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pyqwozfyeikx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lccqqjxymyiddzttynee.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "espaxnywhqxpmfwtv.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sezidrawfmrhcti = "astijdsujwhdebwxdtlmb.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\espaxnywhqxpmfwtv.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncamkbnmyiqjhbtruh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\astijdsujwhdebwxdtlmb.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\astijdsujwhdebwxdtlmb.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\xkgqmblisagxtlbx = "lccqqjxymyiddzttynee.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yonazreerclfezsrvjz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lccqqjxymyiddzttynee.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkgqmblisagxtlbx.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\xkgqmblisagxtlbx = "astijdsujwhdebwxdtlmb.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "xkgqmblisagxtlbx.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "lccqqjxymyiddzttynee.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncamkbnmyiqjhbtruh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\astijdsujwhdebwxdtlmb.exe ." | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncamkbnmyiqjhbtruh.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\espaxnywhqxpmfwtv = "xkgqmblisagxtlbx.exe ." | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yonazreerclfezsrvjz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\espaxnywhqxpmfwtv.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncamkbnmyiqjhbtruh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lccqqjxymyiddzttynee.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\xkgqmblisagxtlbx = "ncamkbnmyiqjhbtruh.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncamkbnmyiqjhbtruh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\astijdsujwhdebwxdtlmb.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\espaxnywhqxpmfwtv = "xkgqmblisagxtlbx.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncamkbnmyiqjhbtruh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\espaxnywhqxpmfwtv.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "ncamkbnmyiqjhbtruh.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\xkgqmblisagxtlbx = "xkgqmblisagxtlbx.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\espaxnywhqxpmfwtv.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yonazreerclfezsrvjz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yonazreerclfezsrvjz.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "yonazreerclfezsrvjz.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "yonazreerclfezsrvjz.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\xkgqmblisagxtlbx = "yonazreerclfezsrvjz.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\espaxnywhqxpmfwtv = "yonazreerclfezsrvjz.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\espaxnywhqxpmfwtv = "lccqqjxymyiddzttynee.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncamkbnmyiqjhbtruh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yonazreerclfezsrvjz.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "espaxnywhqxpmfwtv.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkgqmblisagxtlbx.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lccqqjxymyiddzttynee.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkgqmblisagxtlbx.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "lccqqjxymyiddzttynee.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yonazreerclfezsrvjz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\astijdsujwhdebwxdtlmb.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "astijdsujwhdebwxdtlmb.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncamkbnmyiqjhbtruh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\espaxnywhqxpmfwtv.exe ." | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncamkbnmyiqjhbtruh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yonazreerclfezsrvjz.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\espaxnywhqxpmfwtv = "ncamkbnmyiqjhbtruh.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "astijdsujwhdebwxdtlmb.exe ." | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "xkgqmblisagxtlbx.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncamkbnmyiqjhbtruh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncamkbnmyiqjhbtruh.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "ncamkbnmyiqjhbtruh.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkgqmblisagxtlbx.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\xkgqmblisagxtlbx = "espaxnywhqxpmfwtv.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "yonazreerclfezsrvjz.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\espaxnywhqxpmfwtv = "espaxnywhqxpmfwtv.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncamkbnmyiqjhbtruh.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\xkgqmblisagxtlbx = "xkgqmblisagxtlbx.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\espaxnywhqxpmfwtv = "yonazreerclfezsrvjz.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yonazreerclfezsrvjz.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "lccqqjxymyiddzttynee.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\xkgqmblisagxtlbx = "lccqqjxymyiddzttynee.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\espaxnywhqxpmfwtv = "astijdsujwhdebwxdtlmb.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "C:\\Users\\Admin\\AppData\\Local\\Temp\\espaxnywhqxpmfwtv.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "astijdsujwhdebwxdtlmb.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yonazreerclfezsrvjz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkgqmblisagxtlbx.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\espaxnywhqxpmfwtv = "astijdsujwhdebwxdtlmb.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "astijdsujwhdebwxdtlmb.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\ncamkbnmyiqjhbtruh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkgqmblisagxtlbx.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\paucwjrmuaetnd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yonazreerclfezsrvjz.exe ." | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yonazreerclfezsrvjz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xkgqmblisagxtlbx.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\oyryrdkelqtha = "espaxnywhqxpmfwtv.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\yonazreerclfezsrvjz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ncamkbnmyiqjhbtruh.exe" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\xkgqmblisagxtlbx = "yonazreerclfezsrvjz.exe" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\ncamkbnmyiqjhbtruh.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\astijdsujwhdebwxdtlmb.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yonazreerclfezsrvjz.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\astijdsujwhdebwxdtlmb.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lccqqjxymyiddzttynee.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rkmcezpsiwifhfbdkbuwmo.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yonazreerclfezsrvjz.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\astijdsujwhdebwxdtlmb.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xkgqmblisagxtlbx.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\oyryrdkelqthapcvtbleleqxrydguncpigo.ryr | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File created | C:\Windows\SysWOW64\oyryrdkelqthapcvtbleleqxrydguncpigo.ryr | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xkgqmblisagxtlbx.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\espaxnywhqxpmfwtv.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\espaxnywhqxpmfwtv.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yonazreerclfezsrvjz.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rkmcezpsiwifhfbdkbuwmo.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lccqqjxymyiddzttynee.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lccqqjxymyiddzttynee.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rkmcezpsiwifhfbdkbuwmo.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ncamkbnmyiqjhbtruh.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xkgqmblisagxtlbx.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ncamkbnmyiqjhbtruh.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File created | C:\Windows\SysWOW64\femiqrnwsmehptvdqnmuqyzv.aum | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\espaxnywhqxpmfwtv.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yonazreerclfezsrvjz.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\astijdsujwhdebwxdtlmb.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xkgqmblisagxtlbx.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lccqqjxymyiddzttynee.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\rkmcezpsiwifhfbdkbuwmo.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\espaxnywhqxpmfwtv.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\femiqrnwsmehptvdqnmuqyzv.aum | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ncamkbnmyiqjhbtruh.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\oyryrdkelqthapcvtbleleqxrydguncpigo.ryr | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Program Files (x86)\femiqrnwsmehptvdqnmuqyzv.aum | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File created | C:\Program Files (x86)\femiqrnwsmehptvdqnmuqyzv.aum | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Program Files (x86)\oyryrdkelqthapcvtbleleqxrydguncpigo.ryr | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\lccqqjxymyiddzttynee.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\espaxnywhqxpmfwtv.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\yonazreerclfezsrvjz.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\espaxnywhqxpmfwtv.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\espaxnywhqxpmfwtv.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File created | C:\Windows\femiqrnwsmehptvdqnmuqyzv.aum | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\espaxnywhqxpmfwtv.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\lccqqjxymyiddzttynee.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\astijdsujwhdebwxdtlmb.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\lccqqjxymyiddzttynee.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\astijdsujwhdebwxdtlmb.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File created | C:\Windows\oyryrdkelqthapcvtbleleqxrydguncpigo.ryr | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\rkmcezpsiwifhfbdkbuwmo.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\ncamkbnmyiqjhbtruh.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\rkmcezpsiwifhfbdkbuwmo.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\lccqqjxymyiddzttynee.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\xkgqmblisagxtlbx.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\ncamkbnmyiqjhbtruh.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\astijdsujwhdebwxdtlmb.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\rkmcezpsiwifhfbdkbuwmo.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\xkgqmblisagxtlbx.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\femiqrnwsmehptvdqnmuqyzv.aum | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\oyryrdkelqthapcvtbleleqxrydguncpigo.ryr | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\yonazreerclfezsrvjz.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\yonazreerclfezsrvjz.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\yonazreerclfezsrvjz.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\ncamkbnmyiqjhbtruh.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\rkmcezpsiwifhfbdkbuwmo.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\xkgqmblisagxtlbx.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\ncamkbnmyiqjhbtruh.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| File opened for modification | C:\Windows\astijdsujwhdebwxdtlmb.exe | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| File opened for modification | C:\Windows\xkgqmblisagxtlbx.exe | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\loaamr.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe
"C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe" "c:\users\admin\appdata\local\temp\1402edfdcc8d1c5f9ec36eba012a8d37_jaffacakes118.exe*"
C:\Users\Admin\AppData\Local\Temp\loaamr.exe
"C:\Users\Admin\AppData\Local\Temp\loaamr.exe" "-C:\Users\Admin\AppData\Local\Temp\xkgqmblisagxtlbx.exe"
C:\Users\Admin\AppData\Local\Temp\loaamr.exe
"C:\Users\Admin\AppData\Local\Temp\loaamr.exe" "-C:\Users\Admin\AppData\Local\Temp\xkgqmblisagxtlbx.exe"
C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe
"C:\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe" "c:\users\admin\appdata\local\temp\1402edfdcc8d1c5f9ec36eba012a8d37_jaffacakes118.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.imdb.com | udp |
| GB | 143.204.182.185:80 | www.imdb.com | tcp |
| LV | 78.84.44.143:15896 | | tcp |
| US | 8.8.8.8:53 | vsdgddzap.org | udp |
| US | 162.249.65.164:80 | vsdgddzap.org | tcp |
| US | 8.8.8.8:53 | vfvcqz.info | udp |
| US | 8.8.8.8:53 | blumhkper.org | udp |
| LV | 78.84.44.143:15896 | | tcp |
| US | 8.8.8.8:53 | esqewcusmyke.com | udp |
| US | 8.8.8.8:53 | nfaazpfkdijh.net | udp |
| US | 8.8.8.8:53 | ojwyxefnq.info | udp |
| US | 8.8.8.8:53 | kwhfqnnejec.info | udp |
| US | 34.211.97.45:80 | kwhfqnnejec.info | tcp |
| US | 8.8.8.8:53 | jujscjr.info | udp |
| US | 8.8.8.8:53 | naxgpeb.info | udp |
| US | 8.8.8.8:53 | vcuahutubfr.info | udp |
| US | 8.8.8.8:53 | pqvwihfl.info | udp |
| US | 8.8.8.8:53 | eomqiyui.org | udp |
| US | 162.249.65.164:80 | eomqiyui.org | tcp |
| US | 8.8.8.8:53 | mmxyych.net | udp |
| US | 8.8.8.8:53 | licwkmh.info | udp |
| US | 8.8.8.8:53 | aisgkquwmi.org | udp |
| US | 8.8.8.8:53 | hazzthxrziyh.net | udp |
| US | 8.8.8.8:53 | dplwgsy.com | udp |
| US | 8.8.8.8:53 | vtuchdyp.net | udp |
| US | 8.8.8.8:53 | asaieemikaoc.com | udp |
| US | 8.8.8.8:53 | jawzfnq.org | udp |
| US | 162.249.65.164:80 | jawzfnq.org | tcp |
| US | 8.8.8.8:53 | zpmmfjrj.info | udp |
| US | 8.8.8.8:53 | tmqnhsg.info | udp |
| US | 8.8.8.8:53 | wszxpgcencx.info | udp |
| US | 8.8.8.8:53 | ikzszjxmq.info | udp |
| US | 208.100.26.245:80 | ikzszjxmq.info | tcp |
| US | 8.8.8.8:53 | phkkxj.info | udp |
| US | 8.8.8.8:53 | nibgvqqbg.net | udp |
| US | 8.8.8.8:53 | bqztam.net | udp |
| US | 8.8.8.8:53 | ywosyimzua.info | udp |
| US | 8.8.8.8:53 | gpipnj.net | udp |
| US | 8.8.8.8:53 | bfnkdfbtnuch.info | udp |
| US | 8.8.8.8:53 | vzwjvwhrcf.info | udp |
| US | 8.8.8.8:53 | rnzabyp.info | udp |
| US | 8.8.8.8:53 | wekuqguegw.org | udp |
| US | 8.8.8.8:53 | dfrxdc.info | udp |
| US | 8.8.8.8:53 | hswepwt.com | udp |
| US | 8.8.8.8:53 | nupcwtehbj.net | udp |
| US | 8.8.8.8:53 | nwqgdulxv.net | udp |
| US | 8.8.8.8:53 | rosjipzf.info | udp |
| US | 8.8.8.8:53 | jpttmocqb.com | udp |
| US | 8.8.8.8:53 | yvrnagjc.info | udp |
| US | 8.8.8.8:53 | hejognpazmw.info | udp |
| US | 8.8.8.8:53 | yxfqlxyhjwfw.net | udp |
| US | 8.8.8.8:53 | vmompla.info | udp |
| US | 8.8.8.8:53 | uzplvx.info | udp |
| US | 8.8.8.8:53 | jydnupwk.net | udp |
| US | 8.8.8.8:53 | awdqcylajab.info | udp |
| US | 8.8.8.8:53 | tvwixzxpdrzh.info | udp |
| US | 8.8.8.8:53 | nynepdwl.info | udp |
| US | 8.8.8.8:53 | bclttefpnho.com | udp |
| US | 8.8.8.8:53 | lzzqgigv.info | udp |
| US | 8.8.8.8:53 | ddrbopbgtd.info | udp |
| US | 8.8.8.8:53 | pidsjmg.info | udp |
| US | 8.8.8.8:53 | djwnewnxwaum.info | udp |
| US | 8.8.8.8:53 | cepwskrua.info | udp |
| US | 8.8.8.8:53 | lcbxzjfvr.org | udp |
| US | 8.8.8.8:53 | jbmqhuvdbube.net | udp |
| US | 8.8.8.8:53 | wsfcjoxxn.info | udp |
| US | 8.8.8.8:53 | ostdxxh.info | udp |
| US | 8.8.8.8:53 | ioknztsrpi.info | udp |
| US | 8.8.8.8:53 | axvedelyw.info | udp |
| US | 8.8.8.8:53 | cummaokcis.org | udp |
| US | 8.8.8.8:53 | cgeqrpjejzug.info | udp |
| US | 8.8.8.8:53 | gktaomddok.info | udp |
| US | 8.8.8.8:53 | rumsjqb.info | udp |
| US | 8.8.8.8:53 | ocmifsjxx.info | udp |
| US | 8.8.8.8:53 | oeocgocqws.com | udp |
| US | 8.8.8.8:53 | oormsqtmn.info | udp |
Files
\Users\Admin\AppData\Local\Temp\hiulyjawrse.exe
| MD5 | 134d068cc73ba4c3603bbd3e2a4cbe61 |
| SHA1 | f963b42b1dfde721b8e7a495aea206e34dca43a1 |
| SHA256 | a392af48ac00136ad4fb383c8c357e1d30d5802880c5dd47b9063860dd087bde |
| SHA512 | 50c57a317d58c0be8f0d89d3399f5e42b1cce9e504e5139cdc7fb4320150b4ec311e9b1b8643fc0075820981930241a52297efc5257750ac671b02e172f55eb8 |
C:\Windows\SysWOW64\ncamkbnmyiqjhbtruh.exe
| MD5 | 1402edfdcc8d1c5f9ec36eba012a8d37 |
| SHA1 | cfbe8acbaec2676015c7105032d1da134f31c1ab |
| SHA256 | 96c5aeea64be8ac8173f07a0f8c7d252a83eb2fad215160f36078829856c0def |
| SHA512 | a9baa0af65f8c3893673becc7235a3641ba4db0ac850a120431d85c38768dd10ceeb2becc7b9983088b5c65fa644f9b2b1f72b03ab4893518b1e23263d0856d9 |
\Users\Admin\AppData\Local\Temp\loaamr.exe
| MD5 | 83b22a30081165473641487d5725e1d5 |
| SHA1 | 8fa117ca2b20b908d2e5981c0c936e0250d02bda |
| SHA256 | 71ec7832e99237ae3ede9231db507db60a71f0632117320234631d1e2cdae3ef |
| SHA512 | 09c76214caa129beb381eb1fd972f5ed5266fe2a443129ed6d1d9b1c60bee82ee80605186fa3335de6dfca9bde1e8bffdf9b4482c30fd91767aedde60db5aa2d |
C:\Users\Admin\AppData\Local\femiqrnwsmehptvdqnmuqyzv.aum
| MD5 | d248acdb9149d1d5535de002eec46e84 |
| SHA1 | 5ab2be1e0beedfd64bebc04e186c09551388013a |
| SHA256 | 43c01c062d2362cb26cdf0a55ec61ebcd116f3a9d0487448dfcbdd19cc921966 |
| SHA512 | 58ff2aeff614602761377c70ec0671c4fb49d6ee88af25f05c81ee9dc805ff375e4bd632f93836fcb60500b33479a23c74d2a743ab5849497c3a9ceb18755834 |
C:\Users\Admin\AppData\Local\oyryrdkelqthapcvtbleleqxrydguncpigo.ryr
| MD5 | 181b1fb739fa1a8878a324bfdd5fa015 |
| SHA1 | 08dac393714225c2843386c41ecd697c0fec2103 |
| SHA256 | 343b71aba8083c9c46e8425f40d21a924a1c9437cfe99ef78795251e6faa48dd |
| SHA512 | d0f663ff033bfd456b2eebe7a1e57bc7466047c482288338ce38c6e804cd3c7ae6c7f3e6b38ca735f7698fc872104cc428349bf9b8e52f33d131d866995190a4 |
C:\Program Files (x86)\femiqrnwsmehptvdqnmuqyzv.aum
| MD5 | 87a1b9c2fb7e43b4706a4e3e180c1788 |
| SHA1 | cd8cc6e6bf2f8654159df4169e9db5ce82a668f9 |
| SHA256 | c130c2220b2d90625716cbfdfdb27baab0cc8ccc74925839ef9f0c85805b54cb |
| SHA512 | adedd4c81a6fceb586e437a1c434b260bb2c496939237c5b696e1134bd769a32680289d54ebad0d2b94ccce234fce36932787b871224a8778506f131b6cd3dbd |
C:\Program Files (x86)\femiqrnwsmehptvdqnmuqyzv.aum
| MD5 | a7df3efdf40341d4172f6c8cd21af5ee |
| SHA1 | 8d43ca8ad69f37c73cf498fba1d4fd8e70aec663 |
| SHA256 | c08002f040016dfdafd0d748ea1c417cd2d006d56f39ef4740a93d692f0aaf84 |
| SHA512 | 5100279717f98e8cbb4c1edd4d360aa4c259f2713afc1c1181bb35c359bfc18c055aa93d4a5c8b0e388b4446375e0bc3a8d8488ddef6e1c4d6225090e81d7b6c |
C:\sarwnxcuzcd.bat
| MD5 | 66c2974e4d4e293f27aee7af72bb89c7 |
| SHA1 | 5351bf94c6ac1f4a7c76b18b6f1f7d8543c0a96d |
| SHA256 | d0ffc434571d9f80ab9451fe2416d6963274a9a38a7d02ee873d3c541ba70544 |
| SHA512 | 8b55c0c68e4a93233875aa60873aec5508dfaeea65e314f71b828785eb57bb9f3e5c9af24932683cc0fb3b3071d0120b20b02b6b54112b3bbf182df2a504f02d |
C:\Users\Admin\AppData\Local\femiqrnwsmehptvdqnmuqyzv.aum
| MD5 | f5593508bf59de9ab7ba2c6288bd1f1b |
| SHA1 | af92de2ad116660441caab8182744dbd3345897d |
| SHA256 | 3a1d5c09d3311bb72823ff1e0a470f839d7a6c135c8aa325105ec4b064a024c1 |
| SHA512 | 41cc3433d6dc1b93382ba6182aba780d6d9c91b701c4f86e357dcd0b7e0e0577b6ec0574bfb7c7b08a626cec994b1923a17f6a5a1cb1fc53ed4dcec7f024fbc2 |
C:\Program Files (x86)\femiqrnwsmehptvdqnmuqyzv.aum
| MD5 | f9b3d857c2357e90300fb60160c28bf4 |
| SHA1 | 138380cb9f082ae45589d9bb4bca81d8e8ba92ac |
| SHA256 | 96c9e21c6a15d315470149661358aaa160396546db464315a01e43d61fa1de91 |
| SHA512 | f140997aed45b39b84cf1a6fdf54cc1e3f6dd2e3a28d22426f13c80e813526b58d77dbb1988068faecade53c54b58c7b5382da08371c2711257a6f895dcf9304 |
C:\Users\Admin\AppData\Local\femiqrnwsmehptvdqnmuqyzv.aum
| MD5 | b7429e737babd07b475ab65dc0442b4e |
| SHA1 | 69b6b39bafc9396fd0615a754ff1c81779822250 |
| SHA256 | 63c34bedfde8f3d3a2c03f70dd2486cc54a63b4f4ebfa45aae0a53395138e285 |
| SHA512 | 4782a6c18c2575a4e73cd029d0b48dda6a332034b54ce46ca29cfb74e915668b9c22d5886c0362016e9b88a988cb62bc51a3fcee957fc010c63a6d7c6d45ecc6 |
C:\Users\Admin\AppData\Local\femiqrnwsmehptvdqnmuqyzv.aum
| MD5 | d8000634ff1f272ff1ce7f911616cc17 |
| SHA1 | 3b86cc0de072811f50c7f8dadbb065afc83d647f |
| SHA256 | e3f23a246ca6278ae192c3b85124939afa4ff32aa48452372214133426cca213 |
| SHA512 | e2315ff1d62e1258c82836305cbdb6a9e517366f696193a929f96b3fd6c8e4f186a5dc7363c01da08a14791ff0cb1c8a619120973e384dfaeb27be4ebdb53031 |
C:\Program Files (x86)\femiqrnwsmehptvdqnmuqyzv.aum
| MD5 | 1a5fd6f8b48ac7a56adffc534ec411a0 |
| SHA1 | b2b544c3c3c494b52a5a97666d68cd57f4f883a9 |
| SHA256 | e57539b17ada985918b11fccc7dbd5e61bdd5b426962fc56e674a7f265ed81d5 |
| SHA512 | 730044355b293294ce1f5e303d4463675cbc34e4ced7cac1e12f3e9f6dceaaa98d728aec081b49cc40e4b8aa6709d4dc765cda9f14941c1e95f1add00719961a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-27 00:20
Reported
2024-06-27 00:22
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrmzaredpkavbjxemka.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvshkdsthewtblbkuumjg.exe" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrmzaredpkavbjxemka.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfbprjxxkgxtajygpofb.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfbprjxxkgxtajygpofb.exe" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvozynyvfymfjpbgm.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvfhxdft = "jfbprjxxkgxtajygpofb.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvfhxdft = "lfzllbnlwqfzelyeli.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvfhxdft = "wrmzaredpkavbjxemka.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvozynyvfymfjpbgm.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvfhxdft = "yvshkdsthewtblbkuumjg.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvfhxdft = "vnfpnblhqivnqvgk.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvfhxdft = "yvshkdsthewtblbkuumjg.exe" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfzllbnlwqfzelyeli.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnfpnblhqivnqvgk.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvfhxdft = "vnfpnblhqivnqvgk.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvfhxdft = "lfzllbnlwqfzelyeli.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvshkdsthewtblbkuumjg.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvfhxdft = "cvozynyvfymfjpbgm.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnfpnblhqivnqvgk.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\yfmly = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfzllbnlwqfzelyeli.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvfhxdft = "cvozynyvfymfjpbgm.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\lvfhxdft = "wrmzaredpkavbjxemka.exe" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jrzznr = "jfbprjxxkgxtajygpofb.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrzznr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfbprjxxkgxtajygpofb.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhtxpxbrug = "lfzllbnlwqfzelyeli.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "wrmzaredpkavbjxemka.exe ." | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbpvpzfxcqzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrmzaredpkavbjxemka.exe" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdqvoxctxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnfpnblhqivnqvgk.exe ." | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfbprjxxkgxtajygpofb.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbpvpzfxcqzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfzllbnlwqfzelyeli.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbpvpzfxcqzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrmzaredpkavbjxemka.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "lfzllbnlwqfzelyeli.exe ." | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "cvozynyvfymfjpbgm.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbpvpzfxcqzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfbprjxxkgxtajygpofb.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrzznr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnfpnblhqivnqvgk.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "vnfpnblhqivnqvgk.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdqvoxctxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrmzaredpkavbjxemka.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdqvoxctxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfbprjxxkgxtajygpofb.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdqvoxctxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrmzaredpkavbjxemka.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnybszcrt = "jfbprjxxkgxtajygpofb.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "yvshkdsthewtblbkuumjg.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnybszcrt = "lfzllbnlwqfzelyeli.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhtxpxbrug = "wrmzaredpkavbjxemka.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbpvpzfxcqzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvshkdsthewtblbkuumjg.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnybszcrt = "lfzllbnlwqfzelyeli.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbpvpzfxcqzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvshkdsthewtblbkuumjg.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrzznr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrmzaredpkavbjxemka.exe" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jrzznr = "lfzllbnlwqfzelyeli.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbpvpzfxcqzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfbprjxxkgxtajygpofb.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrzznr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvozynyvfymfjpbgm.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrzznr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvshkdsthewtblbkuumjg.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jrzznr = "lfzllbnlwqfzelyeli.exe" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jrzznr = "cvozynyvfymfjpbgm.exe" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfzllbnlwqfzelyeli.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdqvoxctxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnfpnblhqivnqvgk.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfzllbnlwqfzelyeli.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdqvoxctxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnfpnblhqivnqvgk.exe ." | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdqvoxctxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvshkdsthewtblbkuumjg.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "wrmzaredpkavbjxemka.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnfpnblhqivnqvgk.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdqvoxctxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jfbprjxxkgxtajygpofb.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhtxpxbrug = "lfzllbnlwqfzelyeli.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\qdqvoxctxks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvozynyvfymfjpbgm.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jrzznr = "vnfpnblhqivnqvgk.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnybszcrt = "cvozynyvfymfjpbgm.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrzznr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfzllbnlwqfzelyeli.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbpvpzfxcqzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnfpnblhqivnqvgk.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrmzaredpkavbjxemka.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnybszcrt = "vnfpnblhqivnqvgk.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrzznr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvozynyvfymfjpbgm.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvozynyvfymfjpbgm.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jrzznr = "yvshkdsthewtblbkuumjg.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "jfbprjxxkgxtajygpofb.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbpvpzfxcqzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvozynyvfymfjpbgm.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "vnfpnblhqivnqvgk.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cnybszcrt = "yvshkdsthewtblbkuumjg.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cvozynyvfymfjpbgm.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrzznr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrmzaredpkavbjxemka.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrzznr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wrmzaredpkavbjxemka.exe" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhtxpxbrug = "jfbprjxxkgxtajygpofb.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nbpvpzfxcqzn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vnfpnblhqivnqvgk.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jrzznr = "vnfpnblhqivnqvgk.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhtxpxbrug = "cvozynyvfymfjpbgm.exe ." | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jrzznr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfzllbnlwqfzelyeli.exe" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfopejk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lfzllbnlwqfzelyeli.exe ." | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vhtxpxbrug = "vnfpnblhqivnqvgk.exe ." | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\cvozynyvfymfjpbgm.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wrmzaredpkavbjxemka.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vnfpnblhqivnqvgk.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pnlbfzprgexvepgqbcvtrh.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jfbprjxxkgxtajygpofb.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pnlbfzprgexvepgqbcvtrh.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\qdqvoxctxksfddjiiygtglensjnaivttz.yow | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vnfpnblhqivnqvgk.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pnlbfzprgexvepgqbcvtrh.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jfbprjxxkgxtajygpofb.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jfbprjxxkgxtajygpofb.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File created | C:\Windows\SysWOW64\qdqvoxctxksfddjiiygtglensjnaivttz.yow | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lfzllbnlwqfzelyeli.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wrmzaredpkavbjxemka.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yvshkdsthewtblbkuumjg.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vnfpnblhqivnqvgk.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yvshkdsthewtblbkuumjg.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\jfbprjxxkgxtajygpofb.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vnfpnblhqivnqvgk.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lfzllbnlwqfzelyeli.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cvozynyvfymfjpbgm.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lfzllbnlwqfzelyeli.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wrmzaredpkavbjxemka.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yvshkdsthewtblbkuumjg.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zbdxfdxdwyvxkzuixczbdx.dxd | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\lfzllbnlwqfzelyeli.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cvozynyvfymfjpbgm.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File created | C:\Windows\SysWOW64\zbdxfdxdwyvxkzuixczbdx.dxd | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wrmzaredpkavbjxemka.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cvozynyvfymfjpbgm.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pnlbfzprgexvepgqbcvtrh.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\yvshkdsthewtblbkuumjg.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Program Files (x86)\qdqvoxctxksfddjiiygtglensjnaivttz.yow | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File created | C:\Program Files (x86)\qdqvoxctxksfddjiiygtglensjnaivttz.yow | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\lfzllbnlwqfzelyeli.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\pnlbfzprgexvepgqbcvtrh.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\lfzllbnlwqfzelyeli.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\vnfpnblhqivnqvgk.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\yvshkdsthewtblbkuumjg.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\lfzllbnlwqfzelyeli.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\cvozynyvfymfjpbgm.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\pnlbfzprgexvepgqbcvtrh.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\cvozynyvfymfjpbgm.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\jfbprjxxkgxtajygpofb.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\wrmzaredpkavbjxemka.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\vnfpnblhqivnqvgk.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\wrmzaredpkavbjxemka.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\yvshkdsthewtblbkuumjg.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\pnlbfzprgexvepgqbcvtrh.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\cvozynyvfymfjpbgm.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\vnfpnblhqivnqvgk.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File created | C:\Windows\zbdxfdxdwyvxkzuixczbdx.dxd | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\qdqvoxctxksfddjiiygtglensjnaivttz.yow | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\vnfpnblhqivnqvgk.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\lfzllbnlwqfzelyeli.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\yvshkdsthewtblbkuumjg.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\jfbprjxxkgxtajygpofb.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\pnlbfzprgexvepgqbcvtrh.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\zbdxfdxdwyvxkzuixczbdx.dxd | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\yvshkdsthewtblbkuumjg.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\jfbprjxxkgxtajygpofb.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| File opened for modification | C:\Windows\cvozynyvfymfjpbgm.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\wrmzaredpkavbjxemka.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\jfbprjxxkgxtajygpofb.exe | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File created | C:\Windows\qdqvoxctxksfddjiiygtglensjnaivttz.yow | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| File opened for modification | C:\Windows\wrmzaredpkavbjxemka.exe | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
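The table above shows two dropped executables writing the same set of UAC and policy values, and not every row is an impairment: some writes pin a value that is already the Windows default, and one (ConsentPromptBehaviorUser = 0) is the value a hardening baseline would choose anyway. The following Python is an added example, not part of the report or of the analysed sample; it parses a subset of the rows (copied from the table) and maps each write onto its effect. The hardened baseline and the Windows 7 default values are this example's assumptions, taken from the documented UAC policy semantics rather than from anything the report states.

```python
"""Classify the registry writes in a 'System policy modification' table.

Added example, not part of the sandbox report. REPORT_ROWS is copied from the
table; the HARDENED/DEFAULT values in POLICY are assumptions (CIS-style baseline,
Windows 7 non-Enterprise defaults).
"""
import re

# Subset of the report's rows, copied verbatim (duplicates collapsed).
REPORT_ROWS = r"""
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\jrzznr.exe | N/A |
"""

ROW_RE = re.compile(r"^\|\s*(?P<op>[^|]+?)\s*\|\s*(?P<ind>[^|]+?)\s*\|\s*(?P<proc>[^|]+?)\s*\|")
VALUE_RE = re.compile(r'\\(?:System|Explorer)\\(?P<name>\w+)\s*=\s*"(?P<val>[^"]*)"$')

# name: (hardened value, Windows 7 default, meaning of the value the sample wrote)
POLICY = {
    "EnableLUA":                   (1, 1, "0 switches UAC off entirely (effective after reboot)"),
    "ConsentPromptBehaviorAdmin":  (2, 5, "0 = admins elevate without any prompt"),
    "ConsentPromptBehaviorUser":   (0, 3, "0 = standard-user elevation silently denied (no prompt shown)"),
    "PromptOnSecureDesktop":       (1, 1, "0 = prompt on the interactive desktop, spoofable by a fake dialog"),
    "FilterAdministratorToken":    (1, 0, "0 = built-in Administrator runs with an unfiltered token"),
    "EnableVirtualization":        (1, 1, "0 = no file/registry virtualization for legacy apps"),
    "ValidateAdminCodeSignatures": (1, 0, "0 = unsigned binaries may elevate"),
    "EnableInstallerDetection":    (1, 1, "0 = installers no longer trigger an elevation prompt"),
    "EnableSecureUIAPaths":        (1, 1, "0 = UIAccess applications may run from any path"),
    "DisableRegistryTools":        (0, 0, "1 = regedit blocked for every user"),
    "NoDriveTypeAutoRun":          (0xFF, 0x91, "bitmask of drive types with AutoRun suppressed"),
}
AUTORUN_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed",
                0x10: "network", 0x20: "cdrom", 0x40: "ramdisk", 0x80: "reserved"}


def parse_rows(text):
    """Yield (value name, int value, writing process) for every 'Set value' row."""
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m or not m.group("op").startswith("Set value"):
            continue                      # 'Key created' rows carry no value
        v = VALUE_RE.search(m.group("ind"))
        if v:
            yield v.group("name"), int(v.group("val")), m.group("proc").rsplit("\\", 1)[-1]


def autorun_cleared(written, reference=0x91):
    """Drive types whose AutoRun-suppression bit is set in reference but not in written."""
    cleared = reference & ~written
    return sorted(n for bit, n in AUTORUN_BITS.items() if cleared & bit)


def assess(text):
    """Per value name: what was written, by whom, and whether it weakens the baseline."""
    findings = {}
    for name, val, proc in parse_rows(text):
        if name not in POLICY:
            continue
        hardened, default, meaning = POLICY[name]
        f = findings.setdefault(name, {"written": val, "hardened": hardened,
                                       "default": default, "meaning": meaning, "by": set()})
        f["by"].add(proc)
        if name == "NoDriveTypeAutoRun":  # bitmask: compare bit-wise, not by equality
            f["weakens_hardened"] = bool(hardened & ~val)
            f["changes_default"] = bool(default & ~val)
            f["autorun_reenabled_on"] = autorun_cleared(val, default)
        else:
            f["weakens_hardened"] = val != hardened
            f["changes_default"] = val != default
    return findings


def uac_disabled(findings):
    """EnableLUA=0 makes every other UAC value irrelevant once the host reboots."""
    return findings.get("EnableLUA", {}).get("written") == 0


if __name__ == "__main__":
    for name, f in sorted(assess(REPORT_ROWS).items()):
        tag = "IMPAIRS" if f["weakens_hardened"] else ("changed" if f["changes_default"] else "pins default")
        print(f"{name:28} = {f['written']:<4} {tag:12} by {', '.join(sorted(f['by']))}: {f['meaning']}")
```

Two caveats worth keeping in mind when reading the table: the EnableLUA write only takes effect after a reboot, so a 150 s detonation never runs with UAC actually off, and NoDriveTypeAutoRun = 1 is a relaxation, not a hardening, because it clears every suppression bit of the 0x91 default except "unknown". On a live host the same values can be read with `Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'` and compared against the same baseline.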
Processes
C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1402edfdcc8d1c5f9ec36eba012a8d37_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe
"C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe" "c:\users\admin\appdata\local\temp\1402edfdcc8d1c5f9ec36eba012a8d37_jaffacakes118.exe*"
C:\Users\Admin\AppData\Local\Temp\jrzznr.exe
"C:\Users\Admin\AppData\Local\Temp\jrzznr.exe" "-C:\Users\Admin\AppData\Local\Temp\vnfpnblhqivnqvgk.exe"
C:\Users\Admin\AppData\Local\Temp\jrzznr.exe
"C:\Users\Admin\AppData\Local\Temp\jrzznr.exe" "-C:\Users\Admin\AppData\Local\Temp\vnfpnblhqivnqvgk.exe"
C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe
"C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe" "c:\users\admin\appdata\local\temp\1402edfdcc8d1c5f9ec36eba012a8d37_jaffacakes118.exe"
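The Network table that follows records several hundred DNS queries for pseudo-random names, only a handful of which are followed by a TCP connection, plus lookups of public IP-echo services and one connection straight to an IP with no preceding query. The following Python is an added example, not part of the report; it triages a subset of those rows, copied from the table (the row with no domain is written with its columns in the table's Country, Destination, Domain, Proto order). The benign and IP-echo allowlists and the lexical heuristic with its thresholds are this example's assumptions.

```python
"""Triage a sandbox Network table: names only queried, names connected to,
hosts that answer for many generated names, and IP-echo services used.

Added example, not part of the sandbox report. NETWORK_ROWS is a subset copied
from the table; BENIGN, IP_ECHO_SERVICES and lexical_score() are assumptions.
"""
import re
from collections import defaultdict

NETWORK_ROWS = """
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| LV | 78.84.44.143:15896 | | tcp |
| US | 8.8.8.8:53 | vsdgddzap.org | udp |
| US | 162.249.65.164:80 | vsdgddzap.org | tcp |
| US | 8.8.8.8:53 | eckiewmugw.org | udp |
| US | 8.8.8.8:53 | tkrggwgdlt.info | udp |
| US | 8.8.8.8:53 | vmgnso.net | udp |
| US | 8.8.8.8:53 | skocyuos.org | udp |
| US | 8.8.8.8:53 | kwhfqnnejec.info | udp |
| US | 34.211.97.45:80 | kwhfqnnejec.info | tcp |
| US | 8.8.8.8:53 | eomqiyui.org | udp |
| US | 162.249.65.164:80 | eomqiyui.org | tcp |
| US | 8.8.8.8:53 | 45.97.211.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ikzszjxmq.info | udp |
| US | 208.100.26.245:80 | ikzszjxmq.info | tcp |
| US | 8.8.8.8:53 | jawzfnq.org | udp |
| US | 162.249.65.164:80 | jawzfnq.org | tcp |
| US | 8.8.8.8:53 | xwnizsvsz.com | udp |
| US | 8.8.8.8:53 | oocgwu.org | udp |
| US | 162.249.65.164:80 | oocgwu.org | tcp |
"""

ROW_RE = re.compile(r"^\|\s*(\w\w)\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]*?)\s*\|\s*(udp|tcp)\s*\|$")
BENIGN = {"g.bing.com", "www.bing.com", "www.google.com"}   # assumed OS/sandbox background noise
IP_ECHO_SERVICES = {"www.showmyipaddress.com", "www.whatismyip.com", "www.whatismyip.ca",
                    "whatismyipaddress.com", "whatismyip.everdot.org"}
VOWELS = set("aeiouy")


def parse(text):
    """Yield (country, ip, port, domain or None, proto) for each table row."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            cc, ip, port, domain, proto = m.groups()
            yield cc, ip, int(port), domain or None, proto


def lexical_score(domain):
    """Crude DGA heuristic on the registrable label: 0 (wordlike) to 2.
    +1 for a consonant run of 4 or more, +1 for a vowel ratio far from English."""
    label = domain.split(".")[-2] if "." in domain else domain
    longest = max((len(r) for r in re.findall(r"[^aeiouy]+", label)), default=0)
    ratio = sum(c in VOWELS for c in label) / max(len(label), 1)
    return int(longest >= 4) + int(ratio < 0.2 or ratio > 0.6)


def triage(text):
    queried, connected, by_ip, direct, echo_used = set(), set(), defaultdict(set), [], set()
    for cc, ip, port, domain, proto in parse(text):
        if domain is None:                          # connection with no name at all
            direct.append((ip, port, cc))
        elif domain.endswith(".in-addr.arpa") or domain in BENIGN:
            continue                                # reverse lookups and background noise
        elif domain in IP_ECHO_SERVICES:
            if proto == "tcp":
                echo_used.add(domain)
        elif proto == "udp" and port == 53:
            queried.add(domain)
        elif proto == "tcp":
            connected.add(domain)
            by_ip[ip].add(domain)
    return {
        "queried": len(queried),
        "connected": len(connected),
        "queried_only": sorted(queried - connected),   # looked up, never connected to
        "suspicious": sorted(d for d in queried | connected if lexical_score(d) >= 1),
        "shared_hosts": {ip: sorted(ds) for ip, ds in by_ip.items() if len(ds) > 1},
        "ip_echo_used": sorted(echo_used),
        "direct_ip": direct,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(NETWORK_ROWS), indent=2))
```

The lexical heuristic is deliberately simple and misses the more vowel-rich generated names (two of the eleven in this subset score 0), so the ratio of names queried to names actually connected to is the more robust signal for a DGA. A single address answering for many of the generated names, as 162.249.65.164 does here, is worth checking separately before it is treated as command-and-control: it is the pattern a sinkhole or a parked-domain host produces. The direct connection to 78.84.44.143:15896 and the IP-echo lookups are separate indicators and are reported on their own.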
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| BE | 2.17.107.105:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | 175.155.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.206.27.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | 79.223.19.104.in-addr.arpa | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| GB | 142.250.187.196:80 | www.google.com | tcp |
| LV | 78.84.44.143:15896 | | tcp |
| US | 8.8.8.8:53 | vsdgddzap.org | udp |
| US | 162.249.65.164:80 | vsdgddzap.org | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | eckiewmugw.org | udp |
| US | 8.8.8.8:53 | tkrggwgdlt.info | udp |
| US | 8.8.8.8:53 | vmgnso.net | udp |
| US | 8.8.8.8:53 | skocyuos.org | udp |
| US | 8.8.8.8:53 | nbdboizswev.info | udp |
| US | 8.8.8.8:53 | kwhfqnnejec.info | udp |
| US | 34.211.97.45:80 | kwhfqnnejec.info | tcp |
| US | 8.8.8.8:53 | idmdtvqr.info | udp |
| US | 8.8.8.8:53 | tzcozg.net | udp |
| US | 8.8.8.8:53 | xwnizsvsz.com | udp |
| US | 8.8.8.8:53 | khiftw.net | udp |
| US | 8.8.8.8:53 | eomqiyui.org | udp |
| US | 162.249.65.164:80 | eomqiyui.org | tcp |
| US | 8.8.8.8:53 | 45.97.211.34.in-addr.arpa | udp |
| LV | 78.84.44.143:15896 | | tcp |
| US | 8.8.8.8:53 | xsjloeuaexsi.info | udp |
| US | 8.8.8.8:53 | tsjjrwn.net | udp |
| US | 8.8.8.8:53 | hazzthxrziyh.net | udp |
| US | 8.8.8.8:53 | gedpfnatsumb.info | udp |
| US | 8.8.8.8:53 | migqpgc.info | udp |
| US | 8.8.8.8:53 | jawzfnq.org | udp |
| US | 162.249.65.164:80 | jawzfnq.org | tcp |
| US | 8.8.8.8:53 | euaiocigiw.com | udp |
| US | 8.8.8.8:53 | crpylskijwj.net | udp |
| US | 8.8.8.8:53 | vzbehibesqp.org | udp |
| US | 8.8.8.8:53 | ugoimw.net | udp |
| US | 8.8.8.8:53 | wsnvsazgr.net | udp |
| US | 8.8.8.8:53 | ikzszjxmq.info | udp |
| US | 208.100.26.245:80 | ikzszjxmq.info | tcp |
| US | 8.8.8.8:53 | jsgjempgore.info | udp |
| US | 8.8.8.8:53 | nibgvqqbg.net | udp |
| US | 8.8.8.8:53 | tyukzh.net | udp |
| US | 8.8.8.8:53 | paakdnzwrvy.org | udp |
| US | 8.8.8.8:53 | vwebfaxv.info | udp |
| US | 8.8.8.8:53 | cmpmpyz.info | udp |
| US | 8.8.8.8:53 | bfnkdfbtnuch.info | udp |
| US | 8.8.8.8:53 | smrdtv.net | udp |
| US | 8.8.8.8:53 | puxoplqkt.net | udp |
| US | 8.8.8.8:53 | ijzixwxcowj.info | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | wjdobfdd.net | udp |
| US | 8.8.8.8:53 | tvwdubzl.info | udp |
| US | 8.8.8.8:53 | aqhgmj.net | udp |
| US | 8.8.8.8:53 | nofutrwsp.info | udp |
| US | 8.8.8.8:53 | hswepwt.com | udp |
| US | 8.8.8.8:53 | qihiraoeb.info | udp |
| US | 8.8.8.8:53 | qerwmsxil.net | udp |
| US | 8.8.8.8:53 | nwqgdulxv.net | udp |
| US | 8.8.8.8:53 | yvrnagjc.info | udp |
| US | 8.8.8.8:53 | dfugxcskokj.net | udp |
| US | 8.8.8.8:53 | gczhlqhypjmz.net | udp |
| US | 8.8.8.8:53 | jydnupwk.net | udp |
| US | 8.8.8.8:53 | eaazplccwb.info | udp |
| US | 8.8.8.8:53 | wqlshww.net | udp |
| US | 8.8.8.8:53 | lzzqgigv.info | udp |
| US | 8.8.8.8:53 | jxwhcs.info | udp |
| US | 8.8.8.8:53 | gjznbmlgwon.net | udp |
| US | 8.8.8.8:53 | ostdxxh.info | udp |
| US | 8.8.8.8:53 | njqkqncik.net | udp |
| US | 8.8.8.8:53 | jyevniawle.info | udp |
| US | 8.8.8.8:53 | gqajqpquz.net | udp |
| US | 8.8.8.8:53 | cgeqrpjejzug.info | udp |
| US | 8.8.8.8:53 | yosozwxkf.info | udp |
| US | 8.8.8.8:53 | vmgdpfin.info | udp |
| US | 8.8.8.8:53 | zqvanhjsu.info | udp |
| US | 8.8.8.8:53 | oocgwu.org | udp |
| US | 162.249.65.164:80 | oocgwu.org | tcp |
| US | 8.8.8.8:53 | muuagg.org | udp |
| US | 8.8.8.8:53 | mebzfgl.net | udp |
| US | 8.8.8.8:53 | ulntaatcj.info | udp |
| US | 8.8.8.8:53 | edrxhiamad.net | udp |
| US | 8.8.8.8:53 | uwqkbvt.net | udp |
| US | 8.8.8.8:53 | easyuoyaesoe.com | udp |
| US | 8.8.8.8:53 | ztuuvewk.info | udp |
| US | 8.8.8.8:53 | bgktvuwmu.info | udp |
| US | 8.8.8.8:53 | jogvtml.com | udp |
| US | 8.8.8.8:53 | oeiwqe.com | udp |
| US | 8.8.8.8:53 | kzvswpfo.info | udp |
| US | 8.8.8.8:53 | tanuxkhcugs.net | udp |
| US | 8.8.8.8:53 | dqjnakhud.net | udp |
| US | 8.8.8.8:53 | zkbscmwomagg.info | udp |
| US | 8.8.8.8:53 | scckkyymkmuo.com | udp |
| US | 8.8.8.8:53 | lynyvziafz.net | udp |
| US | 8.8.8.8:53 | lkisorlj.info | udp |
| US | 8.8.8.8:53 | tcblvigv.net | udp |
| US | 8.8.8.8:53 | twvyrobjhur.org | udp |
| US | 162.249.65.164:80 | twvyrobjhur.org | tcp |
| US | 8.8.8.8:53 | sqrtwdbcdar.net | udp |
| US | 8.8.8.8:53 | ifiwgz.net | udp |
| US | 8.8.8.8:53 | fnoicopo.info | udp |
| US | 8.8.8.8:53 | smikkk.org | udp |
| US | 8.8.8.8:53 | nomvmt.net | udp |
| US | 8.8.8.8:53 | dgsoroign.info | udp |
| US | 8.8.8.8:53 | jqhahdiydrtq.info | udp |
| US | 8.8.8.8:53 | uggascemos.org | udp |
| US | 162.249.65.164:80 | uggascemos.org | tcp |
| US | 8.8.8.8:53 | emoykmuk.org | udp |
| US | 8.8.8.8:53 | czhdbwpockz.net | udp |
| US | 8.8.8.8:53 | yrvzcpdx.info | udp |
| US | 8.8.8.8:53 | qahdxtmcddb.info | udp |
| US | 8.8.8.8:53 | iusieqyk.org | udp |
| US | 8.8.8.8:53 | chtmriiyt.net | udp |
| US | 8.8.8.8:53 | ccyuis.info | udp |
| US | 8.8.8.8:53 | tttvdyyjcmin.info | udp |
| US | 8.8.8.8:53 | jhlphypfkb.net | udp |
| US | 8.8.8.8:53 | xpustd.info | udp |
| US | 8.8.8.8:53 | iceoacec.org | udp |
| US | 8.8.8.8:53 | yxkhplvayu.info | udp |
| US | 8.8.8.8:53 | kuugwiwe.com | udp |
| US | 8.8.8.8:53 | hllgxwmuc.info | udp |
| US | 8.8.8.8:53 | nqfozsnnji.info | udp |
| US | 8.8.8.8:53 | ujshseovck.info | udp |
| US | 8.8.8.8:53 | taydtvqdzh.info | udp |
| US | 8.8.8.8:53 | uekkhctuw.info | udp |
| US | 8.8.8.8:53 | xuvsjinhp.com | udp |
| US | 8.8.8.8:53 | jixaqsl.net | udp |
| US | 8.8.8.8:53 | feyijafz.info | udp |
| US | 8.8.8.8:53 | stasje.net | udp |
| US | 8.8.8.8:53 | hsolelxe.net | udp |
| US | 8.8.8.8:53 | ryqpnpjaz.net | udp |
| US | 8.8.8.8:53 | sacqyy.org | udp |
| US | 8.8.8.8:53 | rycwlmjczjn.info | udp |
| US | 8.8.8.8:53 | qscewa.org | udp |
| US | 8.8.8.8:53 | scyssywk.org | udp |
| US | 162.249.65.164:80 | scyssywk.org | tcp |
| US | 8.8.8.8:53 | ociokctoz.net | udp |
| US | 8.8.8.8:53 | patzdexrgkhy.net | udp |
| US | 8.8.8.8:53 | qxoesbxxaj.info | udp |
| US | 8.8.8.8:53 | hupytxy.net | udp |
| US | 8.8.8.8:53 | cosqdaqghon.net | udp |
| US | 8.8.8.8:53 | jyqgfmtyz.com | udp |
| US | 8.8.8.8:53 | lemomn.net | udp |
| US | 8.8.8.8:53 | ctcvaf.net | udp |
| US | 8.8.8.8:53 | lvpicxnk.info | udp |
| US | 8.8.8.8:53 | pvywiwql.net | udp |
| US | 8.8.8.8:53 | nyexzeu.net | udp |
| US | 8.8.8.8:53 | zphblrztdb.info | udp |
| US | 8.8.8.8:53 | qkhktcawkce.info | udp |
| US | 8.8.8.8:53 | gkcsacokuq.com | udp |
| US | 8.8.8.8:53 | kwgcyk.com | udp |
| US | 8.8.8.8:53 | hmeibptyi.org | udp |
| US | 8.8.8.8:53 | jobqhonuw.com | udp |
| US | 8.8.8.8:53 | ucswymsg.org | udp |
| US | 8.8.8.8:53 | tayddxqraiej.net | udp |
| US | 8.8.8.8:53 | dmvaxdt.info | udp |
| US | 8.8.8.8:53 | yosuiwck.com | udp |
| US | 8.8.8.8:53 | jcxsnexfr.info | udp |
| US | 8.8.8.8:53 | semoyg.com | udp |
| US | 8.8.8.8:53 | bkxghrwhvf.net | udp |
| US | 8.8.8.8:53 | zswpbpbmna.net | udp |
| US | 8.8.8.8:53 | jrbcowtp.info | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dpidzv.info | udp |
| US | 8.8.8.8:53 | dgwytkyj.info | udp |
| US | 8.8.8.8:53 | yyoisi.com | udp |
| US | 8.8.8.8:53 | kltqdpmwtuot.info | udp |
| US | 8.8.8.8:53 | udhmlbuqpa.info | udp |
| US | 8.8.8.8:53 | mccfjh.info | udp |
| US | 8.8.8.8:53 | rofxdaxwh.org | udp |
| US | 8.8.8.8:53 | ijskzyl.info | udp |
| US | 8.8.8.8:53 | uibkaibnh.info | udp |
| US | 8.8.8.8:53 | lznurtzgu.com | udp |
| US | 8.8.8.8:53 | efochgzyukl.net | udp |
| US | 8.8.8.8:53 | aoiasggywwyw.org | udp |
| US | 8.8.8.8:53 | lgneodtxcu.net | udp |
| US | 8.8.8.8:53 | hnfadwdzpa.net | udp |
| US | 8.8.8.8:53 | imxatgckwke.info | udp |
| US | 8.8.8.8:53 | ievqtwkuy.info | udp |
| US | 8.8.8.8:53 | cysqagkyowsy.com | udp |
| US | 8.8.8.8:53 | guyeonsiontw.info | udp |
| US | 8.8.8.8:53 | dhbcbfj.net | udp |
| US | 8.8.8.8:53 | ypyuoitqoa.info | udp |
| US | 8.8.8.8:53 | gerunhpf.net | udp |
| US | 8.8.8.8:53 | tblmdsokgrxu.net | udp |
| US | 8.8.8.8:53 | jkudqejzfc.net | udp |
| US | 8.8.8.8:53 | yljamebfag.info | udp |
| US | 8.8.8.8:53 | lcjeydhp.info | udp |
| US | 8.8.8.8:53 | zmaquu.net | udp |
| US | 8.8.8.8:53 | feeiwzrxxk.info | udp |
| US | 8.8.8.8:53 | bqnqljllbyn.com | udp |
| US | 8.8.8.8:53 | lutjvzs.org | udp |
| US | 8.8.8.8:53 | tuhpwznayan.org | udp |
| US | 8.8.8.8:53 | pmokilmhf.org | udp |
| US | 8.8.8.8:53 | rrzstkxi.net | udp |
| US | 8.8.8.8:53 | umucaoemmk.org | udp |
| US | 8.8.8.8:53 | wuihibpv.net | udp |
| US | 8.8.8.8:53 | uewiscpfp.info | udp |
| US | 8.8.8.8:53 | ljjitaty.net | udp |
| US | 8.8.8.8:53 | pczgznzws.com | udp |
| US | 8.8.8.8:53 | akridp.info | udp |
| US | 8.8.8.8:53 | giretml.info | udp |
| US | 8.8.8.8:53 | xyiqietogyz.info | udp |
| US | 8.8.8.8:53 | fsuatws.net | udp |
| US | 8.8.8.8:53 | zwtcba.info | udp |
| US | 8.8.8.8:53 | tnncrqy.org | udp |
| US | 8.8.8.8:53 | jcfavurdlf.info | udp |
| US | 8.8.8.8:53 | rzmnoubunh.info | udp |
| US | 8.8.8.8:53 | yqpxpasybm.net | udp |
| US | 8.8.8.8:53 | zmmcovsqdyn.info | udp |
| US | 8.8.8.8:53 | chponqw.net | udp |
| US | 8.8.8.8:53 | nnkapwjgdgw.com | udp |
| US | 8.8.8.8:53 | sytxwstmjot.net | udp |
| US | 8.8.8.8:53 | tonzfjf.com | udp |
| US | 8.8.8.8:53 | jumyllfsvux.org | udp |
| US | 8.8.8.8:53 | saycqwyq.com | udp |
| US | 8.8.8.8:53 | kejqtcu.net | udp |
| US | 8.8.8.8:53 | xuwjvoxkz.info | udp |
| US | 8.8.8.8:53 | wvdivuzroh.info | udp |
| US | 8.8.8.8:53 | yomkbuvcn.net | udp |
| US | 8.8.8.8:53 | vwzqbonybhv.net | udp |
| US | 8.8.8.8:53 | cjrsdgmijgn.net | udp |
| US | 8.8.8.8:53 | yaouiasmso.com | udp |
| US | 8.8.8.8:53 | eaqyzbj.net | udp |
| US | 8.8.8.8:53 | vehtfhoepk.info | udp |
| US | 8.8.8.8:53 | pcmsxrjkys.info | udp |
| US | 8.8.8.8:53 | tglikq.net | udp |
| US | 8.8.8.8:53 | ewqkmois.org | udp |
| US | 8.8.8.8:53 | tsjlatxlzhn.info | udp |
| US | 8.8.8.8:53 | lutymwnvy.org | udp |
| US | 8.8.8.8:53 | vszdpjlsxz.info | udp |
| US | 8.8.8.8:53 | shvehdrsc.net | udp |
| US | 8.8.8.8:53 | hyjiypbtbkp.org | udp |
| US | 8.8.8.8:53 | zflnqt.net | udp |
| US | 8.8.8.8:53 | kmfmlumnr.info | udp |
| US | 8.8.8.8:53 | hebswwvcjkp.com | udp |
| US | 8.8.8.8:53 | xjnnlbhnpu.net | udp |
| US | 8.8.8.8:53 | qcueycmcp.info | udp |
| US | 8.8.8.8:53 | jcxcwolq.info | udp |
| US | 8.8.8.8:53 | mfivrlb.net | udp |
| US | 8.8.8.8:53 | yekuaeyq.org | udp |
| US | 8.8.8.8:53 | xxnhbviuim.net | udp |
| US | 8.8.8.8:53 | zzxmrhhhxl.info | udp |
| US | 8.8.8.8:53 | fsvwksd.info | udp |
| US | 8.8.8.8:53 | fkpkjsj.com | udp |
| US | 8.8.8.8:53 | bshorya.net | udp |
| US | 8.8.8.8:53 | siffsyjcz.net | udp |
| US | 8.8.8.8:53 | shxctxvuvhti.net | udp |
| US | 8.8.8.8:53 | jtbojr.info | udp |
| US | 8.8.8.8:53 | oqgsrtfyzye.net | udp |
| US | 8.8.8.8:53 | jpipxftddf.net | udp |
| US | 8.8.8.8:53 | hxrpjoy.info | udp |
| US | 8.8.8.8:53 | wobxezdp.info | udp |
| US | 8.8.8.8:53 | xyzqgc.info | udp |
| US | 8.8.8.8:53 | lypjpqgao.info | udp |
| US | 8.8.8.8:53 | igyaigaywg.com | udp |
| US | 8.8.8.8:53 | auowmaggsumq.org | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 162.249.65.164:80 | auowmaggsumq.org | tcp |
| US | 8.8.8.8:53 | uxldkohjxv.info | udp |
| US | 8.8.8.8:53 | yisqasmcay.com | udp |
| US | 8.8.8.8:53 | wpzwffdyxdlo.info | udp |
| US | 8.8.8.8:53 | ceucaeqm.com | udp |
| US | 8.8.8.8:53 | ogwsumeouc.org | udp |
| US | 8.8.8.8:53 | pgxzxcjmdmz.info | udp |
| US | 8.8.8.8:53 | suqkqk.org | udp |
| US | 8.8.8.8:53 | gyfuzmak.net | udp |
| US | 8.8.8.8:53 | knbuvdla.info | udp |
| US | 8.8.8.8:53 | nqjfwuadxx.net | udp |
| US | 8.8.8.8:53 | xuvvpcln.net | udp |
| US | 8.8.8.8:53 | hoephg.info | udp |
| US | 8.8.8.8:53 | ljjinmtet.org | udp |
| US | 8.8.8.8:53 | jzmowpz.com | udp |
| US | 8.8.8.8:53 | kgqwydv.info | udp |
| US | 8.8.8.8:53 | swvytsb.net | udp |
| US | 8.8.8.8:53 | kjqhmauqzyow.info | udp |
| US | 8.8.8.8:53 | kaiugywoco.com | udp |
| US | 8.8.8.8:53 | okxwfzdar.net | udp |
| US | 8.8.8.8:53 | vxskfyrvvcq.org | udp |
| US | 8.8.8.8:53 | qjbiuq.info | udp |
| US | 8.8.8.8:53 | pwxpcylo.info | udp |
| US | 8.8.8.8:53 | pwfbznesuzyd.info | udp |
| US | 8.8.8.8:53 | mwbhbki.info | udp |
| US | 8.8.8.8:53 | ehrthbnqkba.info | udp |
| US | 8.8.8.8:53 | btmtmedn.net | udp |
| US | 8.8.8.8:53 | kkdgekcylcr.net | udp |
| US | 8.8.8.8:53 | ogwwkwqaookm.org | udp |
| US | 8.8.8.8:53 | vwwmxlvmw.com | udp |
| US | 8.8.8.8:53 | omgoscseqa.org | udp |
| US | 8.8.8.8:53 | wptqnf.info | udp |
| US | 8.8.8.8:53 | wgiaxqhoxfxl.net | udp |
| US | 8.8.8.8:53 | kiixvivcp.net | udp |
| US | 8.8.8.8:53 | smfoqodak.net | udp |
| US | 8.8.8.8:53 | yiquyy.com | udp |
| US | 170.130.114.59:80 | yiquyy.com | tcp |
| US | 8.8.8.8:53 | honkemm.org | udp |
| US | 8.8.8.8:53 | qcsicqyw.com | udp |
| US | 8.8.8.8:53 | ahsjckjod.net | udp |
| US | 8.8.8.8:53 | tjlvvh.net | udp |
| US | 8.8.8.8:53 | oqyegm.org | udp |
| US | 162.249.65.164:80 | oqyegm.org | tcp |
| US | 8.8.8.8:53 | 59.114.130.170.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ssrwes.net | udp |
| US | 8.8.8.8:53 | npxtibrwfr.info | udp |
| US | 8.8.8.8:53 | tktutifpq.info | udp |
| US | 8.8.8.8:53 | uoeayqwyic.org | udp |
| US | 8.8.8.8:53 | yatvyt.net | udp |
| US | 8.8.8.8:53 | fgnmhy.net | udp |
| US | 8.8.8.8:53 | icwmouge.com | udp |
| US | 8.8.8.8:53 | amnsppfm.info | udp |
| US | 8.8.8.8:53 | umbdimjkmw.info | udp |
| US | 8.8.8.8:53 | fktnyddmbwip.net | udp |
| US | 8.8.8.8:53 | wezqzcegl.net | udp |
| US | 8.8.8.8:53 | biedutvzlvhu.info | udp |
| US | 8.8.8.8:53 | osuqasmwkega.com | udp |
| US | 8.8.8.8:53 | smyyim.org | udp |
| US | 8.8.8.8:53 | lxrmeylzmin.net | udp |
| US | 8.8.8.8:53 | vlruwdroph.net | udp |
| US | 8.8.8.8:53 | dyrrlkpgb.net | udp |
| US | 8.8.8.8:53 | rkiwvizdh.org | udp |
| US | 8.8.8.8:53 | kjpzpm.info | udp |
| US | 8.8.8.8:53 | bacgtghkfvj.com | udp |
| US | 8.8.8.8:53 | qdaqqydwtys.info | udp |
| US | 8.8.8.8:53 | cyprnax.net | udp |
| US | 8.8.8.8:53 | xjhvdp.info | udp |
| US | 8.8.8.8:53 | mpihpkh.info | udp |
| US | 8.8.8.8:53 | xgxjjgt.org | udp |
| US | 8.8.8.8:53 | igwkukcyoiok.com | udp |
| US | 8.8.8.8:53 | ykgcyu.com | udp |
| US | 8.8.8.8:53 | nhxdqrbjrbfi.net | udp |
| US | 8.8.8.8:53 | gikqawcaaq.com | udp |
| US | 8.8.8.8:53 | fjrdep.net | udp |
| US | 8.8.8.8:53 | buvnucsm.net | udp |
| US | 8.8.8.8:53 | oemcwsugag.com | udp |
| US | 8.8.8.8:53 | usobdnptwp.info | udp |
| US | 8.8.8.8:53 | uswsgycuqcwy.com | udp |
| US | 8.8.8.8:53 | rihfigppyj.info | udp |
| US | 8.8.8.8:53 | pxmgbj.info | udp |
| US | 8.8.8.8:53 | muovzntcb.net | udp |
| US | 8.8.8.8:53 | xvjahnr.info | udp |
| US | 8.8.8.8:53 | baszpcbvz.info | udp |
| US | 8.8.8.8:53 | vzoenenbp.net | udp |
| US | 8.8.8.8:53 | tkngjra.info | udp |
| US | 8.8.8.8:53 | zihaqg.net | udp |
| US | 8.8.8.8:53 | gyqyuwesoaoc.org | udp |
| US | 8.8.8.8:53 | kcrdxklup.net | udp |
| US | 8.8.8.8:53 | dmiiag.info | udp |
| US | 8.8.8.8:53 | tsclzpfepqby.net | udp |
| US | 8.8.8.8:53 | mgqqiugikywg.org | udp |
| US | 8.8.8.8:53 | dgbdoglgbcal.net | udp |
| US | 8.8.8.8:53 | lwldae.net | udp |
| US | 8.8.8.8:53 | hysljlek.net | udp |
| US | 8.8.8.8:53 | hcmuukbr.net | udp |
| US | 8.8.8.8:53 | snkfsdgrphho.net | udp |
| US | 8.8.8.8:53 | gppdfjmw.info | udp |
| US | 8.8.8.8:53 | qtrhichetl.net | udp |
| US | 8.8.8.8:53 | fapmez.net | udp |
| US | 8.8.8.8:53 | xevyxyqnp.net | udp |
| US | 8.8.8.8:53 | dwvohi.info | udp |
| US | 8.8.8.8:53 | xuhsbqxl.net | udp |
| US | 8.8.8.8:53 | ddckrr.info | udp |
| US | 8.8.8.8:53 | exyujn.net | udp |
| US | 8.8.8.8:53 | gkwuccsw.com | udp |
| US | 8.8.8.8:53 | nkoews.net | udp |
| US | 8.8.8.8:53 | ijofqwpvnhpq.net | udp |
| US | 8.8.8.8:53 | naxiuuwss.net | udp |
| US | 8.8.8.8:53 | zoxlrmjevi.info | udp |
| US | 8.8.8.8:53 | oqmcoemgo.info | udp |
| US | 8.8.8.8:53 | bjgvoizh.info | udp |
| US | 8.8.8.8:53 | tsxuqrkl.info | udp |
| US | 8.8.8.8:53 | tjhabtt.info | udp |
| US | 8.8.8.8:53 | lrvnvralborq.net | udp |
| US | 8.8.8.8:53 | luqluapwpg.info | udp |
| US | 8.8.8.8:53 | eaciykeeccui.org | udp |
| US | 8.8.8.8:53 | lfppeqe.org | udp |
| US | 8.8.8.8:53 | lxveqvqrez.info | udp |
| US | 8.8.8.8:53 | sooklqj.net | udp |
| US | 8.8.8.8:53 | jliefm.info | udp |
| US | 8.8.8.8:53 | pfveuyfezshg.info | udp |
| US | 8.8.8.8:53 | gpyvawv.info | udp |
| US | 8.8.8.8:53 | lkqtnskp.info | udp |
| US | 8.8.8.8:53 | xrpxttbzepoi.info | udp |
| US | 8.8.8.8:53 | eunqguv.info | udp |
| US | 8.8.8.8:53 | titiqwvq.net | udp |
| US | 8.8.8.8:53 | lyspbidj.net | udp |
| US | 8.8.8.8:53 | zqbdpmmjgzjk.net | udp |
| US | 8.8.8.8:53 | cuykyuwg.org | udp |
| US | 8.8.8.8:53 | tpdoeinqh.net | udp |
| US | 8.8.8.8:53 | valkehh.info | udp |
| US | 8.8.8.8:53 | zgfimstfk.net | udp |
| US | 8.8.8.8:53 | xsrkotmy.info | udp |
| US | 8.8.8.8:53 | tctenjnn.net | udp |
| US | 8.8.8.8:53 | anptmvnhla.info | udp |
| US | 8.8.8.8:53 | kmysyi.info | udp |
| US | 8.8.8.8:53 | pelaghtbk.com | udp |
| US | 8.8.8.8:53 | qqqcoscyie.com | udp |
| US | 8.8.8.8:53 | nidsrmzspbd.net | udp |
| US | 8.8.8.8:53 | dpzepnwnudlt.net | udp |
| US | 8.8.8.8:53 | lhihpfmzbb.net | udp |
| US | 8.8.8.8:53 | vsyjdmli.net | udp |
| US | 8.8.8.8:53 | dudplt.net | udp |
| US | 8.8.8.8:53 | zpbihodt.info | udp |
| US | 8.8.8.8:53 | brlexsniv.info | udp |
| US | 8.8.8.8:53 | kgrxufxij.info | udp |
| US | 8.8.8.8:53 | cjleudnxfzvs.info | udp |
| US | 8.8.8.8:53 | agevnz.info | udp |
| US | 8.8.8.8:53 | tbenamucvu.info | udp |
| US | 8.8.8.8:53 | hkmcvvc.info | udp |
| US | 8.8.8.8:53 | rrbwxmkemd.info | udp |
| US | 8.8.8.8:53 | tmokjeliz.info | udp |
| US | 8.8.8.8:53 | ekytmwcr.net | udp |
| US | 8.8.8.8:53 | sbnwmhdd.info | udp |
| US | 8.8.8.8:53 | wgkznif.net | udp |
| US | 8.8.8.8:53 | cklvjinm.net | udp |
| US | 8.8.8.8:53 | zqgctaon.info | udp |
| US | 8.8.8.8:53 | tutudsdigor.com | udp |
| US | 8.8.8.8:53 | tpvawecqn.com | udp |
| US | 8.8.8.8:53 | tulncwdr.info | udp |
| US | 8.8.8.8:53 | rgpofqoapmb.info | udp |
| US | 8.8.8.8:53 | iceikg.org | udp |
| US | 8.8.8.8:53 | vesyuca.net | udp |
| US | 8.8.8.8:53 | qprxpk.net | udp |
| US | 8.8.8.8:53 | mszidfiqah.info | udp |
| US | 8.8.8.8:53 | mmoiaeiaocug.com | udp |
| US | 8.8.8.8:53 | gmessioiyesy.org | udp |
| US | 8.8.8.8:53 | logjpizsl.com | udp |
| US | 8.8.8.8:53 | bwbkdeh.com | udp |
| US | 8.8.8.8:53 | jlkxbpfz.info | udp |
| US | 8.8.8.8:53 | nusuhyt.net | udp |
| US | 8.8.8.8:53 | nbfajgf.info | udp |
| US | 8.8.8.8:53 | zrpkrbmjmv.net | udp |
| US | 8.8.8.8:53 | fuxllxop.info | udp |
| US | 8.8.8.8:53 | cyxkjqpuzol.net | udp |
| US | 8.8.8.8:53 | rutqahlgxbz.org | udp |
| US | 8.8.8.8:53 | uqkygcak.com | udp |
| US | 8.8.8.8:53 | gkllimd.info | udp |
| US | 8.8.8.8:53 | nenafsjel.org | udp |
| US | 8.8.8.8:53 | kpwlqbdcgnou.info | udp |
| US | 8.8.8.8:53 | kefujkm.net | udp |
| US | 8.8.8.8:53 | ylzptbgj.net | udp |
| US | 8.8.8.8:53 | tolvdlrm.net | udp |
| US | 8.8.8.8:53 | jwgidaul.info | udp |
| US | 8.8.8.8:53 | wvnxwtgs.info | udp |
| US | 8.8.8.8:53 | lorgzsl.info | udp |
| US | 8.8.8.8:53 | mexerz.net | udp |
| US | 8.8.8.8:53 | ayaikukyks.org | udp |
| US | 8.8.8.8:53 | vwfwxmf.net | udp |
| US | 8.8.8.8:53 | ncldubrp.net | udp |
| US | 8.8.8.8:53 | xfaruevqa.info | udp |
| US | 8.8.8.8:53 | hvxbueogvv.info | udp |
| US | 8.8.8.8:53 | mhpzkxfpcd.net | udp |
| US | 8.8.8.8:53 | hujnckw.info | udp |
| US | 8.8.8.8:53 | lxnqlkygdub.info | udp |
| US | 8.8.8.8:53 | qsxyuhfg.info | udp |
| US | 8.8.8.8:53 | qqzran.info | udp |
| US | 8.8.8.8:53 | yvcbvi.info | udp |
| US | 8.8.8.8:53 | pfrcjbfqrgtb.info | udp |
| US | 8.8.8.8:53 | cyoqcyqo.com | udp |
| US | 8.8.8.8:53 | fonermiqt.net | udp |
| US | 8.8.8.8:53 | biwklwngsdt.org | udp |
| US | 8.8.8.8:53 | ziiwdb.info | udp |
| US | 8.8.8.8:53 | emmekguy.com | udp |
| US | 8.8.8.8:53 | xqxqvobidee.net | udp |
| US | 8.8.8.8:53 | sotwljtecuh.net | udp |
| US | 8.8.8.8:53 | wgbmnurwp.info | udp |
| US | 8.8.8.8:53 | qbkmkfhqr.net | udp |
| US | 8.8.8.8:53 | yqsulei.info | udp |
| US | 8.8.8.8:53 | xzgsxbb.com | udp |
| US | 8.8.8.8:53 | uldbtsfo.net | udp |
| US | 8.8.8.8:53 | gwumgkswsk.com | udp |
| US | 8.8.8.8:53 | bblssfrfec.net | udp |
| US | 8.8.8.8:53 | jerbhbjmyll.com | udp |
| US | 8.8.8.8:53 | ewduukbqentw.net | udp |
| US | 8.8.8.8:53 | qwuclxiwzin.info | udp |
| US | 8.8.8.8:53 | aaouuouoiqmk.org | udp |
| US | 8.8.8.8:53 | oyphxqjbqo.info | udp |
| US | 8.8.8.8:53 | owcfpb.net | udp |
| US | 8.8.8.8:53 | hbalfcbztj.info | udp |
Files
C:\Users\Admin\AppData\Local\Temp\mzxxdccswjh.exe
| MD5 | 56be524c2d0d736eee7f97eaeac18b8e |
| SHA1 | e2376a438df7ac4229e56716b9ec1207bc0abcea |
| SHA256 | 72b7cd8421c04d1d3b4f46011115cdbba630c2a656baba229ce51c0891d061f7 |
| SHA512 | 9d9ca2415281c5caf8ea596558d430b6405e1e3d8b5e557a211c09dab9eb428fe7ad08d084941d04bfb7705c7efac396335aac57dfc41fae5947f85cf56ba5f5 |
C:\Windows\SysWOW64\lfzllbnlwqfzelyeli.exe
| MD5 | 1402edfdcc8d1c5f9ec36eba012a8d37 |
| SHA1 | cfbe8acbaec2676015c7105032d1da134f31c1ab |
| SHA256 | 96c5aeea64be8ac8173f07a0f8c7d252a83eb2fad215160f36078829856c0def |
| SHA512 | a9baa0af65f8c3893673becc7235a3641ba4db0ac850a120431d85c38768dd10ceeb2becc7b9983088b5c65fa644f9b2b1f72b03ab4893518b1e23263d0856d9 |
C:\Users\Admin\AppData\Local\Temp\jrzznr.exe
| MD5 | 812a7f266902a0708d3a45f13d56295e |
| SHA1 | 24807ab9314718a1635f94ea37113ef3b6f0348d |
| SHA256 | ed693666e371f7704f2d5541c7aeed7fc0b3043608cbac43b7d25ba8f36b2a8b |
| SHA512 | 9a8edd0565ab91684188133711556e5407f4cf429b19fd823a0e9795873dfc2689649642e2bb3a08150864274177edc73ad9e16fc3190eaeb51f830c46929a2b |
C:\Users\Admin\AppData\Local\zbdxfdxdwyvxkzuixczbdx.dxd
| MD5 | 5c414493f2339a3e7c45dad02151c453 |
| SHA1 | 7a8e868c2c51668306e9bfa3010b645148160a86 |
| SHA256 | 58356979579d1b9a838e34cac313919cd5efe6e4b44e37e6843379435d453e31 |
| SHA512 | 8210f5a8ca09b987c1ef7ce18477dff90ed7a10790c352711b4625f8733694cef306ce6ad962772ebd43ccb43e1d0fd980914da8f816688267f518c5b9f73dec |
C:\Users\Admin\AppData\Local\qdqvoxctxksfddjiiygtglensjnaivttz.yow
| MD5 | 7e3903c9f0a3e42bef254721daf74ff8 |
| SHA1 | 229b5e479dcc9c564d5f531a0bbb899f1124336f |
| SHA256 | 63ef88e924f22a3ce1bebbf668db697ebd126fa9596b2df24232615fcfc1dcb7 |
| SHA512 | 2eab31e30f338cc848a577a3a70fb7ac53a3177feaa27240cdf6980a308a348f9d53a8346e20368edd4c8630bb221821a428fafc35e19713347f0a65d7f42df1 |
C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd
| MD5 | 64814025f1cdb96524d5d0dfa9db0955 |
| SHA1 | 904de8cc347d83f922ee8c74ef2744a0cd6d11ce |
| SHA256 | c3f87754f6c9c0f1bd902e2cd9e948a17a37661162cc624ae58399e6aaec29b2 |
| SHA512 | 74441208e71375849a268382cf76e176fa881378276ba8d33a364ad9b3409fd215e2ce453e29814d4f6954a4993ef4d82f2ec2b8629a8898543bf406c006bee6 |
C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd
| MD5 | 799bcd86da8921e7bf5b88bc67f60198 |
| SHA1 | 00c46280c1952bdc1da57932b366e993b7aed0ce |
| SHA256 | 4b089cddd5e042e726c589b83eeb8f185bcffc1a6782500161b5a76882d9849d |
| SHA512 | 37d565b69dc38fe8df5f8ce6e7c176925b5c2799e3045c7d1f27b93507abf1f6784b81ef013e70afb3cd3f12c198edb5fcb8b1234013bc5c6ef21802199ee9db |
C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd
| MD5 | 8a25d67b1dc82cb6563a6eb2beeaafcc |
| SHA1 | c31c5dfa1f21f23a877464a2bd96a2031ba95c25 |
| SHA256 | 50ca49b6491e1f27e0e430ca3529b8fcc0c3fd69890daf618b2969bb4ca95037 |
| SHA512 | bf379bc858d9a73689449146ff8efc8632760dc84cb681c781837f667908e3984880cac0c976eb0a1d2e43327b8078d49c2f13164628ecb95933e9739d4362f6 |
C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd
| MD5 | cde79bdda4555b800aa4d1cc00e5c415 |
| SHA1 | 9fa0b04dbb61cae742de7791bc7666da4d516126 |
| SHA256 | ca5450ae48b78e9eb9ce225103d5c0ebc53693220364968858d28f79fc79a427 |
| SHA512 | e96b02169be8160399dafd9e53329df61bb0d500d1fc44892bf92ee773a111425532b1d89ef79097f4988f60d540f73133b45775478e230cbc4f263ed5898b94 |
C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd
| MD5 | 291960a9af7c524780bef3576fd7d53c |
| SHA1 | ad66e4b8375cd70c4534b7a776bc017fa74eb1f3 |
| SHA256 | a43d64f9a41db0a13dc4f3311ee0999b9a4b1f712d99521a72680b0519b26eeb |
| SHA512 | 4547fc5293c49b403b5e92518ee4086ab9886d8e75098b21d9eb103a7e52a4369a6fdfb6c323b1d1468bfef6fe03ca3de3dd21b136c0b769083b128f594234fb |
C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd
| MD5 | d6b2158244c6cd8d9d2e76f886cf0c45 |
| SHA1 | f17f62372560bffe2a843210f80907c211933e13 |
| SHA256 | 89534a66ebb144f14dc4474fb6192f4004b0836949704d72ea43d41ad1a1ca15 |
| SHA512 | 590371aabb237f7af43253cbf4cb8d10b07677854f2c796c0c1b056a85f5353215ecac75f406577d9ce3ce0c4d4e1e95dcfb928594136be6ddb55bd9dc59ca22 |
C:\Program Files (x86)\zbdxfdxdwyvxkzuixczbdx.dxd
| MD5 | 4a5bd3643ab425590d08fae093ce9691 |
| SHA1 | 1945915eae5b4873a970dd048018ee84a6f05108 |
| SHA256 | d6bf3b96bf1743894436955d575f67f161b02c875520328d090b01d42af18819 |
| SHA512 | d34de0c0b5879795842ad176e401c5206af9254cb49dcd387a6a58eedce584f2d8e25338e4ed47cb2cbec7cb69235b051f3cc10f0eae06241e13a115915bb69a |