Analysis Overview
SHA256
7edabdb1bf38c20a929240234848e4b9351ed3ead0d72aa87a4cf575329ecb78
Threat Level: Known bad
The file 118409a64b0d207166c07ccf998fe3f9_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies WinLogon for persistence
Disables RegEdit via registry modification
Adds policy Run key to start application
Impair Defenses: Safe Mode Boot
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Checks whether UAC is enabled
Looks up external IP address via web service
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
System policy modification
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 09:28
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 09:28
Reported
2024-06-26 09:30
Platform
win7-20240611-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmgbrpfxxvwhxxbrgmx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqibplzpnjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqibplzpnjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "oavrihyrsrtfwxctjqcx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "dqmjbbtnppsfxzfxowjfc.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqmjbbtnppsfxzfxowjfc.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmgbrpfxxvwhxxbrgmx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "bmgbrpfxxvwhxxbrgmx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavrihyrsrtfwxctjqcx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "qatnczofebblazcrfk.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqmjbbtnppsfxzfxowjfc.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "aizrezmbytrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavrihyrsrtfwxctjqcx.exe" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "oavrihyrsrtfwxctjqcx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qatnczofebblazcrfk.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "hqibplzpnjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavrihyrsrtfwxctjqcx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "hqibplzpnjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "aizrezmbytrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "dqmjbbtnppsfxzfxowjfc.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "bmgbrpfxxvwhxxbrgmx.exe" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "qatnczofebblazcrfk.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "bmgbrpfxxvwhxxbrgmx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qatnczofebblazcrfk.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qatnczofebblazcrfk.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "oavrihyrsrtfwxctjqcx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwkzjblxrjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqibplzpnjirfdftg.exe ." | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syndohsfatpvgb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqmjbbtnppsfxzfxowjfc.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syndohsfatpvgb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qatnczofebblazcrfk.exe" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\vykxfvdnfvo = "qatnczofebblazcrfk.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aizrezmbytrzmjkx.exe ." | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "qatnczofebblazcrfk.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwkzjblxrjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aizrezmbytrzmjkx.exe ." | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qatnczofebblazcrfk.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swjxgxgrkbvz = "bmgbrpfxxvwhxxbrgmx.exe ." | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "hqibplzpnjirfdftg.exe ." | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swjxgxgrkbvz = "dqmjbbtnppsfxzfxowjfc.exe ." | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "aizrezmbytrzmjkx.exe ." | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swjxgxgrkbvz = "aizrezmbytrzmjkx.exe ." | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "bmgbrpfxxvwhxxbrgmx.exe ." | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swjxgxgrkbvz = "dqmjbbtnppsfxzfxowjfc.exe ." | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\vykxfvdnfvo = "aizrezmbytrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "hqibplzpnjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqibplzpnjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "oavrihyrsrtfwxctjqcx.exe ." | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwkzjblxrjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aizrezmbytrzmjkx.exe ." | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\vykxfvdnfvo = "qatnczofebblazcrfk.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syndohsfatpvgb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aizrezmbytrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "oavrihyrsrtfwxctjqcx.exe" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "hqibplzpnjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavrihyrsrtfwxctjqcx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syndohsfatpvgb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qatnczofebblazcrfk.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\vykxfvdnfvo = "bmgbrpfxxvwhxxbrgmx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "dqmjbbtnppsfxzfxowjfc.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qatnczofebblazcrfk.exe ." | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "dqmjbbtnppsfxzfxowjfc.exe ." | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "bmgbrpfxxvwhxxbrgmx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aizrezmbytrzmjkx.exe ." | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\vykxfvdnfvo = "aizrezmbytrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqmjbbtnppsfxzfxowjfc.exe ." | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aizrezmbytrzmjkx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\vykxfvdnfvo = "dqmjbbtnppsfxzfxowjfc.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\vykxfvdnfvo = "oavrihyrsrtfwxctjqcx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "aizrezmbytrzmjkx.exe ." | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\vykxfvdnfvo = "dqmjbbtnppsfxzfxowjfc.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swjxgxgrkbvz = "oavrihyrsrtfwxctjqcx.exe ." | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmgbrpfxxvwhxxbrgmx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwkzjblxrjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavrihyrsrtfwxctjqcx.exe ." | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwkzjblxrjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qatnczofebblazcrfk.exe ." | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\vykxfvdnfvo = "oavrihyrsrtfwxctjqcx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syndohsfatpvgb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmgbrpfxxvwhxxbrgmx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqibplzpnjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syndohsfatpvgb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmgbrpfxxvwhxxbrgmx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swjxgxgrkbvz = "aizrezmbytrzmjkx.exe ." | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syndohsfatpvgb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qatnczofebblazcrfk.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syndohsfatpvgb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavrihyrsrtfwxctjqcx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "qatnczofebblazcrfk.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "hqibplzpnjirfdftg.exe ." | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "hqibplzpnjirfdftg.exe ." | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwkzjblxrjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmgbrpfxxvwhxxbrgmx.exe ." | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqibplzpnjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavrihyrsrtfwxctjqcx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\vykxfvdnfvo = "bmgbrpfxxvwhxxbrgmx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qatnczofebblazcrfk.exe" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwkzjblxrjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aizrezmbytrzmjkx.exe ." | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\vykxfvdnfvo = "hqibplzpnjirfdftg.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmgbrpfxxvwhxxbrgmx.exe" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "dqmjbbtnppsfxzfxowjfc.exe ." | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\ewxzwbyxejrjgnyvrewxzw.yxe | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| File created | C:\Windows\SysWOW64\ewxzwbyxejrjgnyvrewxzw.yxe | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vykxfvdnfvorzrnvcadpckaiskatwewsa.fiu | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| File created | C:\Windows\SysWOW64\vykxfvdnfvorzrnvcadpckaiskatwewsa.fiu | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\ewxzwbyxejrjgnyvrewxzw.yxe | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| File created | C:\Program Files (x86)\ewxzwbyxejrjgnyvrewxzw.yxe | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| File opened for modification | C:\Program Files (x86)\vykxfvdnfvorzrnvcadpckaiskatwewsa.fiu | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| File created | C:\Program Files (x86)\vykxfvdnfvorzrnvcadpckaiskatwewsa.fiu | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\ewxzwbyxejrjgnyvrewxzw.yxe | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| File opened for modification | C:\Windows\vykxfvdnfvorzrnvcadpckaiskatwewsa.fiu | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| File created | C:\Windows\vykxfvdnfvorzrnvcadpckaiskatwewsa.fiu | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| File opened for modification | C:\Windows\ewxzwbyxejrjgnyvrewxzw.yxe | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\omtbep.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\omtbep.exe
"C:\Users\Admin\AppData\Local\Temp\omtbep.exe" "-"
C:\Users\Admin\AppData\Local\Temp\omtbep.exe
"C:\Users\Admin\AppData\Local\Temp\omtbep.exe" "-"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 09:28
Reported
2024-06-26 09:30
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vwwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boashwqirhooulzj.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vwwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgwslecylfquezrfrslc.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "rguofwsmxpyaibrdnm.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "iwjcsidwgxfgnfufo.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "ewnkeyxuidpufbujwyskb.exe" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "cshcumjeqjtwfzqdoog.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vwwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshcumjeqjtwfzqdoog.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "boashwqirhooulzj.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vwwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshcumjeqjtwfzqdoog.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vwwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boashwqirhooulzj.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "pgwslecylfquezrfrslc.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vwwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgwslecylfquezrfrslc.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "pgwslecylfquezrfrslc.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vwwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rguofwsmxpyaibrdnm.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "iwjcsidwgxfgnfufo.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vwwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewnkeyxuidpufbujwyskb.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "cshcumjeqjtwfzqdoog.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vwwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwjcsidwgxfgnfufo.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vwwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rguofwsmxpyaibrdnm.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "iwjcsidwgxfgnfufo.exe" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vwwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rguofwsmxpyaibrdnm.exe" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "ewnkeyxuidpufbujwyskb.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "boashwqirhooulzj.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "ewnkeyxuidpufbujwyskb.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eghos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwjcsidwgxfgnfufo.exe" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iotemuhsu = "cshcumjeqjtwfzqdoog.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\welyishuyjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boashwqirhooulzj.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "boashwqirhooulzj.exe ." | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewnkeyxuidpufbujwyskb.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\welyishuyjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewnkeyxuidpufbujwyskb.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "pgwslecylfquezrfrslc.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\welyishuyjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boashwqirhooulzj.exe" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bioajsgsvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshcumjeqjtwfzqdoog.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eghos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewnkeyxuidpufbujwyskb.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iotemuhsu = "iwjcsidwgxfgnfufo.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewnkeyxuidpufbujwyskb.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eghos = "rguofwsmxpyaibrdnm.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rguofwsmxpyaibrdnm.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwakryku = "rguofwsmxpyaibrdnm.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwjcsidwgxfgnfufo.exe ." | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\welyishuyjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwjcsidwgxfgnfufo.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bioajsgsvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgwslecylfquezrfrslc.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bioajsgsvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewnkeyxuidpufbujwyskb.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eghos = "boashwqirhooulzj.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwakryku = "pgwslecylfquezrfrslc.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eghos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewnkeyxuidpufbujwyskb.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eghos = "rguofwsmxpyaibrdnm.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshcumjeqjtwfzqdoog.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwakryku = "iwjcsidwgxfgnfufo.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bioajsgsvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boashwqirhooulzj.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eghos = "pgwslecylfquezrfrslc.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwakryku = "iwjcsidwgxfgnfufo.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgwslecylfquezrfrslc.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eghos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgwslecylfquezrfrslc.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eghos = "iwjcsidwgxfgnfufo.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwakryku = "cshcumjeqjtwfzqdoog.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshcumjeqjtwfzqdoog.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "boashwqirhooulzj.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iotemuhsu = "cshcumjeqjtwfzqdoog.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eghos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshcumjeqjtwfzqdoog.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\welyishuyjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshcumjeqjtwfzqdoog.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwakryku = "pgwslecylfquezrfrslc.exe" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eghos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rguofwsmxpyaibrdnm.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "ewnkeyxuidpufbujwyskb.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eghos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boashwqirhooulzj.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eghos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgwslecylfquezrfrslc.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iotemuhsu = "pgwslecylfquezrfrslc.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\welyishuyjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewnkeyxuidpufbujwyskb.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iotemuhsu = "rguofwsmxpyaibrdnm.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eghos = "cshcumjeqjtwfzqdoog.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "cshcumjeqjtwfzqdoog.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "rguofwsmxpyaibrdnm.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwakryku = "boashwqirhooulzj.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwjcsidwgxfgnfufo.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eghos = "pgwslecylfquezrfrslc.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "pgwslecylfquezrfrslc.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "iwjcsidwgxfgnfufo.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\welyishuyjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgwslecylfquezrfrslc.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bioajsgsvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rguofwsmxpyaibrdnm.exe ." | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eghos = "ewnkeyxuidpufbujwyskb.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwakryku = "pgwslecylfquezrfrslc.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\welyishuyjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rguofwsmxpyaibrdnm.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eghos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boashwqirhooulzj.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iotemuhsu = "ewnkeyxuidpufbujwyskb.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eghos = "ewnkeyxuidpufbujwyskb.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwakryku = "boashwqirhooulzj.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\welyishuyjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgwslecylfquezrfrslc.exe" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iotemuhsu = "boashwqirhooulzj.exe ." | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\fcyazycexxoyopnhzgfcya.yce | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\welyishuyjlghtchkcmuboyixkozbwxjs.asc | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| File created | C:\Windows\SysWOW64\welyishuyjlghtchkcmuboyixkozbwxjs.asc | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fcyazycexxoyopnhzgfcya.yce | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| File created | C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| File opened for modification | C:\Program Files (x86)\welyishuyjlghtchkcmuboyixkozbwxjs.asc | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| File created | C:\Program Files (x86)\welyishuyjlghtchkcmuboyixkozbwxjs.asc | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\fcyazycexxoyopnhzgfcya.yce | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| File created | C:\Windows\fcyazycexxoyopnhzgfcya.yce | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| File opened for modification | C:\Windows\welyishuyjlghtchkcmuboyixkozbwxjs.asc | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| File created | C:\Windows\welyishuyjlghtchkcmuboyixkozbwxjs.asc | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\eghos.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\eghos.exe
"C:\Users\Admin\AppData\Local\Temp\eghos.exe" "-"
C:\Users\Admin\AppData\Local\Temp\eghos.exe
"C:\Users\Admin\AppData\Local\Temp\eghos.exe" "-"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | 56.74.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | 92.207.27.104.in-addr.arpa | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | 79.223.19.104.in-addr.arpa | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.imdb.com | udp |
| FR | 52.222.167.201:80 | www.imdb.com | tcp |
| US | 8.8.8.8:53 | vsdgddzap.org | udp |
| US | 162.249.65.164:80 | vsdgddzap.org | tcp |
| US | 8.8.8.8:53 | 201.167.222.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yjyaladocuc.net | udp |
| US | 8.8.8.8:53 | uezolsm.net | udp |
| US | 8.8.8.8:53 | kwhfqnnejec.info | udp |
| US | 34.211.97.45:80 | kwhfqnnejec.info | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ykzthgudze.net | udp |
| US | 8.8.8.8:53 | gkucss.org | udp |
| US | 8.8.8.8:53 | zkmgpbhgj.com | udp |
| US | 8.8.8.8:53 | dvfwqikkdn.info | udp |
| US | 8.8.8.8:53 | eomqiyui.org | udp |
| US | 162.249.65.164:80 | eomqiyui.org | tcp |
| US | 8.8.8.8:53 | 45.97.211.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | aemovgzgftg.info | udp |
| US | 8.8.8.8:53 | retvxe.net | udp |
| US | 8.8.8.8:53 | akxucef.info | udp |
| US | 8.8.8.8:53 | ztqwlmqob.com | udp |
| US | 8.8.8.8:53 | hazzthxrziyh.net | udp |
| US | 8.8.8.8:53 | lebcyqd.com | udp |
| US | 8.8.8.8:53 | tknysgkzt.net | udp |
| US | 8.8.8.8:53 | dsjvnelr.net | udp |
| US | 8.8.8.8:53 | jawzfnq.org | udp |
| US | 162.249.65.164:80 | jawzfnq.org | tcp |
| US | 8.8.8.8:53 | bcagsggzlmnj.info | udp |
| US | 8.8.8.8:53 | qtqixxfqe.net | udp |
| US | 8.8.8.8:53 | ngodfstltvni.net | udp |
| US | 8.8.8.8:53 | cunivwtsujk.info | udp |
| US | 8.8.8.8:53 | rgtcrebgl.info | udp |
| US | 8.8.8.8:53 | ikzszjxmq.info | udp |
| US | 208.100.26.245:80 | ikzszjxmq.info | tcp |
| US | 8.8.8.8:53 | tmbwtoxxnog.com | udp |
| US | 8.8.8.8:53 | nibgvqqbg.net | udp |
| US | 8.8.8.8:53 | lbbyqkwsa.org | udp |
| US | 8.8.8.8:53 | xmfftnfvt.info | udp |
| US | 8.8.8.8:53 | bfnkdfbtnuch.info | udp |
| US | 8.8.8.8:53 | yodbamrci.net | udp |
| US | 8.8.8.8:53 | pxncoedltqd.info | udp |
| US | 8.8.8.8:53 | cgvsxqbdl.net | udp |
| US | 8.8.8.8:53 | sfbvncka.net | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | bynkxn.net | udp |
| US | 8.8.8.8:53 | bznxfufj.net | udp |
| US | 8.8.8.8:53 | hswepwt.com | udp |
| US | 8.8.8.8:53 | plyqwryarhgd.info | udp |
| US | 8.8.8.8:53 | zqfsuyn.org | udp |
| US | 8.8.8.8:53 | zaonbwzcd.net | udp |
| US | 8.8.8.8:53 | fdtcsoxm.net | udp |
| US | 8.8.8.8:53 | kqazblnj.net | udp |
| US | 8.8.8.8:53 | ddhwham.info | udp |
| US | 8.8.8.8:53 | jnlutxxxbb.net | udp |
| US | 8.8.8.8:53 | yvrnagjc.info | udp |
| US | 8.8.8.8:53 | rbbitee.net | udp |
| US | 8.8.8.8:53 | gbjhyy.info | udp |
| US | 8.8.8.8:53 | cksyoqqiyoeo.org | udp |
| US | 8.8.8.8:53 | ejkwarpooqax.info | udp |
| US | 8.8.8.8:53 | ugnhqqfo.info | udp |
| US | 8.8.8.8:53 | jydnupwk.net | udp |
| US | 8.8.8.8:53 | ymhluaqf.net | udp |
| US | 8.8.8.8:53 | ncsbpfzktd.info | udp |
| US | 8.8.8.8:53 | qqmcgygssm.com | udp |
| US | 8.8.8.8:53 | lmfgtmnejje.com | udp |
| US | 8.8.8.8:53 | lzzqgigv.info | udp |
| US | 8.8.8.8:53 | dxuolqscrjz.net | udp |
| US | 8.8.8.8:53 | fdabrivmxgn.com | udp |
| US | 8.8.8.8:53 | crjmbukkjdbw.net | udp |
| US | 8.8.8.8:53 | jndtsqhi.net | udp |
| US | 8.8.8.8:53 | skkamoqsic.org | udp |
| US | 8.8.8.8:53 | cqaakhrql.net | udp |
| US | 8.8.8.8:53 | zffqpiudbqob.info | udp |
| US | 8.8.8.8:53 | ostdxxh.info | udp |
| US | 8.8.8.8:53 | qumocg.org | udp |
| US | 8.8.8.8:53 | cgeqrpjejzug.info | udp |
| US | 8.8.8.8:53 | scqwikgk.org | udp |
| US | 8.8.8.8:53 | pyxvoewpds.net | udp |
| US | 8.8.8.8:53 | glhktuvujed.net | udp |
| US | 8.8.8.8:53 | ndsjoe.net | udp |
| US | 8.8.8.8:53 | laypxhqjvcmn.info | udp |
| US | 8.8.8.8:53 | zedhwdeisode.net | udp |
| US | 8.8.8.8:53 | tsqdaqzkv.net | udp |
| US | 8.8.8.8:53 | cjdkskbxu.info | udp |
| US | 8.8.8.8:53 | uwqyue.org | udp |
| US | 8.8.8.8:53 | nrnlnch.org | udp |
| US | 8.8.8.8:53 | yuuymumuqwoy.com | udp |
| US | 8.8.8.8:53 | oocgwu.org | udp |
| US | 162.249.65.164:80 | oocgwu.org | tcp |
| US | 8.8.8.8:53 | iywyaumkoi.org | udp |
| US | 8.8.8.8:53 | jafyptu.net | udp |
| US | 8.8.8.8:53 | gkyyuogiok.com | udp |
| US | 8.8.8.8:53 | mebzfgl.net | udp |
| US | 8.8.8.8:53 | ribglrrku.com | udp |
| US | 8.8.8.8:53 | oofsicvgk.net | udp |
| US | 8.8.8.8:53 | ztuuvewk.info | udp |
| US | 8.8.8.8:53 | jfwmvap.net | udp |
| US | 8.8.8.8:53 | udiuvazud.info | udp |
| US | 8.8.8.8:53 | tvpmuunno.net | udp |
| US | 8.8.8.8:53 | gqhggzzsso.net | udp |
| US | 8.8.8.8:53 | tanuxkhcugs.net | udp |
| US | 8.8.8.8:53 | sgryhunqt.info | udp |
| US | 8.8.8.8:53 | yjptxmotf.info | udp |
| US | 8.8.8.8:53 | reriubgqea.info | udp |
| US | 8.8.8.8:53 | twvyrobjhur.org | udp |
| US | 162.249.65.164:80 | twvyrobjhur.org | tcp |
| US | 8.8.8.8:53 | dprfye.net | udp |
| US | 8.8.8.8:53 | fkwxwkegc.net | udp |
| US | 8.8.8.8:53 | nomvmt.net | udp |
| US | 8.8.8.8:53 | asysgwueei.org | udp |
| US | 8.8.8.8:53 | vobgxuy.net | udp |
| US | 8.8.8.8:53 | uggascemos.org | udp |
| US | 162.249.65.164:80 | uggascemos.org | tcp |
| US | 8.8.8.8:53 | pknuhylyaqe.com | udp |
| US | 8.8.8.8:53 | tyypjhxszh.net | udp |
| US | 8.8.8.8:53 | qahdxtmcddb.info | udp |
| US | 8.8.8.8:53 | fionle.net | udp |
| US | 8.8.8.8:53 | aolerejpua.net | udp |
| US | 8.8.8.8:53 | xpustd.info | udp |
| US | 8.8.8.8:53 | nrplkiujlm.info | udp |
| US | 8.8.8.8:53 | egbakym.net | udp |
| US | 8.8.8.8:53 | xdfylylksix.info | udp |
| US | 8.8.8.8:53 | zjswuwos.info | udp |
| US | 8.8.8.8:53 | nqfozsnnji.info | udp |
| US | 8.8.8.8:53 | kuyceqam.org | udp |
| US | 8.8.8.8:53 | lflwqwvdsn.info | udp |
| US | 8.8.8.8:53 | rnwxnrvlej.net | udp |
| US | 8.8.8.8:53 | zetflkl.org | udp |
| US | 8.8.8.8:53 | kbhsnz.info | udp |
| US | 8.8.8.8:53 | xgevxg.net | udp |
| US | 8.8.8.8:53 | xuvsjinhp.com | udp |
| US | 8.8.8.8:53 | kxyhfcazbd.net | udp |
| US | 8.8.8.8:53 | keqsihtsnob.info | udp |
| US | 8.8.8.8:53 | bogtgu.info | udp |
| US | 8.8.8.8:53 | yuxgzfjlql.info | udp |
| US | 8.8.8.8:53 | xvcpdhpfrmyv.net | udp |
| US | 8.8.8.8:53 | hsolelxe.net | udp |
| US | 8.8.8.8:53 | ugkyyg.org | udp |
| US | 8.8.8.8:53 | vaqhcszbberx.net | udp |
| US | 8.8.8.8:53 | cucqeu.com | udp |
| US | 8.8.8.8:53 | linyrahgjztb.net | udp |
| US | 8.8.8.8:53 | xpxwbyp.net | udp |
| US | 8.8.8.8:53 | scyssywk.org | udp |
| US | 162.249.65.164:80 | scyssywk.org | tcp |
| US | 8.8.8.8:53 | objszqxufyx.info | udp |
| US | 8.8.8.8:53 | mmsgbehenil.info | udp |
| US | 8.8.8.8:53 | csgeec.org | udp |
| US | 8.8.8.8:53 | hupytxy.net | udp |
| US | 8.8.8.8:53 | aqawuk.com | udp |
| US | 8.8.8.8:53 | lvpicxnk.info | udp |
| US | 8.8.8.8:53 | fwhfhuuun.com | udp |
| US | 8.8.8.8:53 | hnatzywd.info | udp |
| US | 8.8.8.8:53 | wqugyoiime.org | udp |
| US | 8.8.8.8:53 | ifangs.info | udp |
| US | 8.8.8.8:53 | amdmnsbonit.info | udp |
| US | 8.8.8.8:53 | nyexzeu.net | udp |
| US | 8.8.8.8:53 | awfcvld.info | udp |
| US | 8.8.8.8:53 | iueyaacs.com | udp |
| US | 8.8.8.8:53 | fmasycnsb.net | udp |
| US | 8.8.8.8:53 | pcdtxylthwb.info | udp |
| US | 8.8.8.8:53 | hrzypddipjy.com | udp |
| US | 8.8.8.8:53 | wkgwddtffo.info | udp |
| US | 8.8.8.8:53 | kwgcyk.com | udp |
| US | 8.8.8.8:53 | dgojgrvzxz.info | udp |
| US | 8.8.8.8:53 | hsksahhs.net | udp |
| US | 8.8.8.8:53 | gqjgdgd.info | udp |
| US | 8.8.8.8:53 | tayddxqraiej.net | udp |
| US | 8.8.8.8:53 | sbquvspvnr.info | udp |
| US | 8.8.8.8:53 | vovshqno.net | udp |
| US | 8.8.8.8:53 | dxpuzatb.info | udp |
| US | 8.8.8.8:53 | hhjopwuux.info | udp |
| US | 8.8.8.8:53 | fyedhyft.net | udp |
| US | 8.8.8.8:53 | zswpbpbmna.net | udp |
| US | 8.8.8.8:53 | ybkfgv.net | udp |
| US | 8.8.8.8:53 | geawlxzejcw.net | udp |
| US | 8.8.8.8:53 | ilwnrc.info | udp |
| US | 8.8.8.8:53 | udhmlbuqpa.info | udp |
| US | 8.8.8.8:53 | ygukukwaak.org | udp |
| US | 8.8.8.8:53 | wxxwdqd.info | udp |
| US | 8.8.8.8:53 | rqsgzyp.org | udp |
| US | 8.8.8.8:53 | kshylkw.net | udp |
| US | 8.8.8.8:53 | efochgzyukl.net | udp |
| US | 8.8.8.8:53 | gbxsqkenmgge.info | udp |
| US | 8.8.8.8:53 | kgeseogswa.com | udp |
| US | 8.8.8.8:53 | mwlzynv.info | udp |
| US | 8.8.8.8:53 | zkxwyv.info | udp |
| US | 8.8.8.8:53 | ypyuoitqoa.info | udp |
| US | 8.8.8.8:53 | agvakue.info | udp |
| US | 8.8.8.8:53 | lpjwhfvs.info | udp |
| US | 8.8.8.8:53 | jvkgyplkfgf.net | udp |
| US | 8.8.8.8:53 | gykasymq.org | udp |
| US | 8.8.8.8:53 | jkudqejzfc.net | udp |
| US | 8.8.8.8:53 | zjzbeqyt.info | udp |
| US | 8.8.8.8:53 | zmaquu.net | udp |
| US | 8.8.8.8:53 | ykqgzrlqx.net | udp |
| US | 8.8.8.8:53 | bqnqljllbyn.com | udp |
| US | 8.8.8.8:53 | gegqai.com | udp |
| US | 8.8.8.8:53 | rkhunwg.com | udp |
| US | 8.8.8.8:53 | tnfgvu.info | udp |
| US | 8.8.8.8:53 | wuihibpv.net | udp |
| US | 8.8.8.8:53 | owgnxbuxbbo.net | udp |
| US | 8.8.8.8:53 | yuwemy.org | udp |
| US | 8.8.8.8:53 | woilsbpt.info | udp |
| US | 8.8.8.8:53 | akridp.info | udp |
| US | 8.8.8.8:53 | npxfpgnszdof.net | udp |
| US | 8.8.8.8:53 | kgwkzwnuv.info | udp |
| US | 8.8.8.8:53 | jcfavurdlf.info | udp |
| US | 8.8.8.8:53 | rdvqtn.info | udp |
| US | 8.8.8.8:53 | buntpilhk.com | udp |
| US | 8.8.8.8:53 | tlqdbu.net | udp |
| US | 8.8.8.8:53 | wnzshgnguffc.net | udp |
| US | 8.8.8.8:53 | sqiqsuckwy.org | udp |
| US | 8.8.8.8:53 | nnkapwjgdgw.com | udp |
| US | 8.8.8.8:53 | efkyvvbbggoz.info | udp |
| US | 8.8.8.8:53 | wmiqccygkq.com | udp |
| US | 8.8.8.8:53 | eisuqa.com | udp |
| US | 8.8.8.8:53 | dsryrhamwnz.info | udp |
| US | 8.8.8.8:53 | kgzmsqyyn.info | udp |
| US | 8.8.8.8:53 | cjrsdgmijgn.net | udp |
| US | 8.8.8.8:53 | gwuyucyo.com | udp |
| US | 8.8.8.8:53 | tglikq.net | udp |
| US | 8.8.8.8:53 | wmqsmkckweic.org | udp |
| US | 8.8.8.8:53 | kwwuaykioase.com | udp |
| US | 8.8.8.8:53 | yqbhlbl.info | udp |
| US | 8.8.8.8:53 | tpfxojmc.net | udp |
| US | 8.8.8.8:53 | ilusdc.info | udp |
| US | 8.8.8.8:53 | tsjlatxlzhn.info | udp |
| US | 8.8.8.8:53 | zaoipqhmv.info | udp |
| US | 8.8.8.8:53 | mwawsoweaa.org | udp |
| US | 8.8.8.8:53 | shvehdrsc.net | udp |
| US | 8.8.8.8:53 | aceksuiqygsi.org | udp |
| US | 8.8.8.8:53 | rwnyqm.net | udp |
| US | 8.8.8.8:53 | gwtkxehswgm.info | udp |
| US | 8.8.8.8:53 | kyquigcgcwyg.com | udp |
| US | 8.8.8.8:53 | lrakkngm.net | udp |
| US | 8.8.8.8:53 | tusejmd.org | udp |
| US | 8.8.8.8:53 | jcxcwolq.info | udp |
| US | 8.8.8.8:53 | bijzltttzcxh.info | udp |
| US | 8.8.8.8:53 | hegqjwbejgh.info | udp |
| US | 8.8.8.8:53 | roaxrljzqb.info | udp |
| US | 8.8.8.8:53 | bshorya.net | udp |
| US | 8.8.8.8:53 | ibagxupenfu.info | udp |
| US | 8.8.8.8:53 | bawjrskskqv.net | udp |
| US | 8.8.8.8:53 | vkwiix.info | udp |
| US | 8.8.8.8:53 | qhldjsp.net | udp |
| US | 8.8.8.8:53 | cgpetec.net | udp |
| US | 8.8.8.8:53 | xqnkjsj.info | udp |
| US | 8.8.8.8:53 | wobxezdp.info | udp |
| US | 8.8.8.8:53 | ooqusoqegi.com | udp |
| US | 8.8.8.8:53 | tauyiicd.info | udp |
| US | 8.8.8.8:53 | gknesehgnxb.net | udp |
| US | 8.8.8.8:53 | bocmdkvowko.net | udp |
| US | 8.8.8.8:53 | auowmaggsumq.org | udp |
| US | 162.249.65.164:80 | auowmaggsumq.org | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hatxpnagwufv.info | udp |
| US | 8.8.8.8:53 | qetqcmnjpgi.net | udp |
| US | 8.8.8.8:53 | ducibir.org | udp |
| US | 8.8.8.8:53 | iwemuzvi.info | udp |
| US | 8.8.8.8:53 | nqjfwuadxx.net | udp |
| US | 8.8.8.8:53 | igmkkkqmaeye.com | udp |
| US | 8.8.8.8:53 | jmxoblnmbevp.info | udp |
| US | 8.8.8.8:53 | ajiawbfs.info | udp |
| US | 8.8.8.8:53 | eqiese.org | udp |
| US | 8.8.8.8:53 | tbcumriorjll.info | udp |
| US | 8.8.8.8:53 | qolyxyvkfvl.net | udp |
| US | 8.8.8.8:53 | dovpnbswrh.info | udp |
| US | 8.8.8.8:53 | swvytsb.net | udp |
| US | 8.8.8.8:53 | oysqvgqttof.info | udp |
| US | 8.8.8.8:53 | earykm.net | udp |
| US | 8.8.8.8:53 | hufbuml.org | udp |
| US | 8.8.8.8:53 | wcyscmim.org | udp |
| US | 8.8.8.8:53 | tcpcbgjjfyh.com | udp |
| US | 8.8.8.8:53 | npupnd.info | udp |
| US | 8.8.8.8:53 | fchyiw.net | udp |
| US | 8.8.8.8:53 | cbjzcgfy.net | udp |
| US | 8.8.8.8:53 | mwbhbki.info | udp |
| US | 8.8.8.8:53 | wketnwlljum.net | udp |
| US | 8.8.8.8:53 | eqykkm.com | udp |
| US | 8.8.8.8:53 | vwwmxlvmw.com | udp |
| US | 8.8.8.8:53 | yysknzzav.info | udp |
| US | 8.8.8.8:53 | tihmaaaejlzb.info | udp |
| US | 8.8.8.8:53 | kiixvivcp.net | udp |
| US | 8.8.8.8:53 | kaykiyuc.org | udp |
| US | 8.8.8.8:53 | oqyegm.org | udp |
| US | 162.249.65.164:80 | oqyegm.org | tcp |
| US | 8.8.8.8:53 | rvigzhhw.info | udp |
| US | 8.8.8.8:53 | qowgxzsf.info | udp |
| US | 8.8.8.8:53 | johvnugiauej.net | udp |
| US | 8.8.8.8:53 | nivzjyxmdcn.info | udp |
| US | 8.8.8.8:53 | fgnmhy.net | udp |
| US | 8.8.8.8:53 | gldwfjbk.info | udp |
| US | 8.8.8.8:53 | fxntxjyfuq.net | udp |
| US | 8.8.8.8:53 | bcvuherif.info | udp |
| US | 8.8.8.8:53 | ocdkbyr.net | udp |
| US | 8.8.8.8:53 | osuqasmwkega.com | udp |
| US | 8.8.8.8:53 | liiinj.info | udp |
| US | 8.8.8.8:53 | dcxebv.net | udp |
| US | 8.8.8.8:53 | jqredmyeb.net | udp |
| US | 8.8.8.8:53 | dyrrlkpgb.net | udp |
| US | 8.8.8.8:53 | nsephu.info | udp |
| US | 8.8.8.8:53 | tsxahrlt.info | udp |
| US | 8.8.8.8:53 | hqumvpfmmyn.net | udp |
| US | 8.8.8.8:53 | cmaqegqw.com | udp |
| US | 8.8.8.8:53 | oudqwgrqu.net | udp |
| US | 8.8.8.8:53 | cugyqsoswc.org | udp |
| US | 8.8.8.8:53 | dlenlm.net | udp |
| US | 8.8.8.8:53 | zojafdj.info | udp |
| US | 8.8.8.8:53 | fjrdep.net | udp |
| US | 8.8.8.8:53 | sxbztnlzjsr.net | udp |
| US | 8.8.8.8:53 | xrtrbrsuhcd.info | udp |
| US | 8.8.8.8:53 | oenlbjpudhx.info | udp |
| US | 8.8.8.8:53 | rihfigppyj.info | udp |
| US | 8.8.8.8:53 | ikceekom.com | udp |
| US | 8.8.8.8:53 | rgjppolx.info | udp |
| US | 8.8.8.8:53 | jqhiiibml.org | udp |
| US | 8.8.8.8:53 | veeirzl.com | udp |
| US | 8.8.8.8:53 | drhdjqvr.info | udp |
| US | 8.8.8.8:53 | vgfgxccc.info | udp |
| US | 8.8.8.8:53 | nkpmaevo.info | udp |
| US | 8.8.8.8:53 | hgfizrutddl.info | udp |
| US | 8.8.8.8:53 | vqoekmqbnkjk.net | udp |
| US | 8.8.8.8:53 | auiowousua.com | udp |
| US | 8.8.8.8:53 | cyqows.org | udp |
| US | 8.8.8.8:53 | xesnlz.info | udp |
| US | 8.8.8.8:53 | xwhbasdnp.info | udp |
| US | 8.8.8.8:53 | qwtsdhbwh.net | udp |
| US | 8.8.8.8:53 | dfbjbaqnenmo.net | udp |
| US | 8.8.8.8:53 | wyrrdmy.net | udp |
| US | 8.8.8.8:53 | lwldae.net | udp |
| US | 8.8.8.8:53 | kjzmxnhubot.info | udp |
| US | 8.8.8.8:53 | wyqcaxiaddji.net | udp |
| US | 8.8.8.8:53 | yswyuakuwu.org | udp |
| US | 8.8.8.8:53 | ksmqumocei.org | udp |
| US | 8.8.8.8:53 | iukmabtovtrt.net | udp |
| US | 8.8.8.8:53 | suzqynuzjka.net | udp |
| US | 8.8.8.8:53 | kcwiiy.org | udp |
| US | 8.8.8.8:53 | gvnwjzmmu.info | udp |
| US | 8.8.8.8:53 | fowwhqbjil.info | udp |
| US | 8.8.8.8:53 | fapmez.net | udp |
| US | 8.8.8.8:53 | eueeawlqb.net | udp |
| US | 8.8.8.8:53 | hvdwzczsr.info | udp |
| US | 8.8.8.8:53 | qcgagcerhei.info | udp |
| US | 8.8.8.8:53 | pkyvhyf.info | udp |
| US | 8.8.8.8:53 | pjvcgqno.info | udp |
| US | 8.8.8.8:53 | jxftzikqehgg.info | udp |
| US | 8.8.8.8:53 | dwvohi.info | udp |
| US | 8.8.8.8:53 | woxevkxmpgr.info | udp |
| US | 8.8.8.8:53 | awtueufca.net | udp |
| US | 8.8.8.8:53 | gkwuccsw.com | udp |
| US | 8.8.8.8:53 | devnxiqxbx.net | udp |
| US | 8.8.8.8:53 | tjhabtt.info | udp |
| US | 8.8.8.8:53 | ygfkmcpnvevl.info | udp |
| US | 8.8.8.8:53 | ktjrvfni.info | udp |
| US | 8.8.8.8:53 | pfveuyfezshg.info | udp |
| US | 8.8.8.8:53 | moukjezcbfq.info | udp |
| US | 8.8.8.8:53 | uvyiwulxn.net | udp |
| US | 8.8.8.8:53 | xobzexfvbdji.net | udp |
| US | 8.8.8.8:53 | ryierst.net | udp |
| US | 8.8.8.8:53 | qopzyihxlxh.info | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | mnktbdxujf.info | udp |
| US | 8.8.8.8:53 | mlrdccwdlebo.info | udp |
| US | 8.8.8.8:53 | xskurrzl.info | udp |
| US | 8.8.8.8:53 | valkehh.info | udp |
| US | 8.8.8.8:53 | jufyekcgsgl.info | udp |
| US | 8.8.8.8:53 | jexllrnohaer.info | udp |
| US | 8.8.8.8:53 | txsatkxkh.net | udp |
| US | 8.8.8.8:53 | gdrsyeltgf.net | udp |
| US | 8.8.8.8:53 | xrzafeae.info | udp |
| US | 8.8.8.8:53 | qqqcoscyie.com | udp |
| US | 8.8.8.8:53 | tppgwk.net | udp |
| US | 8.8.8.8:53 | uzeisptacdzd.info | udp |
| US | 8.8.8.8:53 | gamwhe.info | udp |
| US | 8.8.8.8:53 | wcuubrarf.info | udp |
| US | 8.8.8.8:53 | kyayrrx.info | udp |
| US | 8.8.8.8:53 | eqphft.info | udp |
| US | 8.8.8.8:53 | dwhjvypyy.info | udp |
| US | 8.8.8.8:53 | navfjv.info | udp |
| US | 8.8.8.8:53 | dpzepnwnudlt.net | udp |
| US | 8.8.8.8:53 | bezijaa.com | udp |
| US | 8.8.8.8:53 | qpnsccbcj.info | udp |
| US | 8.8.8.8:53 | zxlqrpiujp.net | udp |
| US | 8.8.8.8:53 | kerkzaz.info | udp |
| US | 8.8.8.8:53 | nyncnhtblcds.info | udp |
| US | 8.8.8.8:53 | usqayacwag.com | udp |
| US | 8.8.8.8:53 | zyoqpctyb.com | udp |
| US | 8.8.8.8:53 | tcfjfkiyhji.com | udp |
| US | 8.8.8.8:53 | dudplt.net | udp |
| US | 8.8.8.8:53 | kudchqwepyr.net | udp |
| US | 8.8.8.8:53 | mczczcy.info | udp |
| US | 8.8.8.8:53 | cjleudnxfzvs.info | udp |
| US | 8.8.8.8:53 | eiyqoeci.org | udp |
| US | 8.8.8.8:53 | ieoohldyg.net | udp |
| US | 8.8.8.8:53 | sbnwmhdd.info | udp |
| US | 8.8.8.8:53 | udnbmxnx.info | udp |
| US | 8.8.8.8:53 | vxjdgjwipz.info | udp |
| US | 8.8.8.8:53 | wskeguqa.org | udp |
| US | 8.8.8.8:53 | bghtuizz.net | udp |
| US | 8.8.8.8:53 | dsotih.info | udp |
| US | 8.8.8.8:53 | hlgxyqryl.com | udp |
| US | 8.8.8.8:53 | gsyrbannjyhc.info | udp |
| US | 8.8.8.8:53 | wsygcc.com | udp |
| US | 8.8.8.8:53 | acrnwcp.net | udp |
| US | 8.8.8.8:53 | vesyuca.net | udp |
| US | 8.8.8.8:53 | oknmxgaxdkf.net | udp |
| US | 8.8.8.8:53 | cyltuqrr.net | udp |
| US | 8.8.8.8:53 | hoqkysj.info | udp |
| US | 8.8.8.8:53 | tsnxecjs.net | udp |
| US | 8.8.8.8:53 | weeuiqkeea.org | udp |
| US | 8.8.8.8:53 | sqwjtpxip.info | udp |
| US | 8.8.8.8:53 | gzelninr.net | udp |
| US | 8.8.8.8:53 | jlkxbpfz.info | udp |
| US | 8.8.8.8:53 | aglommn.net | udp |
| US | 8.8.8.8:53 | bbqrpzbcvupc.info | udp |
| US | 8.8.8.8:53 | pdsknsughu.net | udp |
| US | 8.8.8.8:53 | gkllimd.info | udp |
| US | 8.8.8.8:53 | wqvkxzrifmn.net | udp |
| US | 8.8.8.8:53 | rdloworiw.com | udp |
| US | 8.8.8.8:53 | kefujkm.net | udp |
| US | 8.8.8.8:53 | ypphcb.info | udp |
| US | 8.8.8.8:53 | qiwvjy.info | udp |
| US | 8.8.8.8:53 | ftinhytctjdm.net | udp |
| US | 8.8.8.8:53 | xusuahgmdjxv.net | udp |
| US | 8.8.8.8:53 | mhyijq.info | udp |
| US | 8.8.8.8:53 | wvnxwtgs.info | udp |
| US | 8.8.8.8:53 | wgaacavqxhs.info | udp |
| US | 8.8.8.8:53 | lerurqr.com | udp |
| US | 8.8.8.8:53 | rvhelwy.net | udp |
| US | 8.8.8.8:53 | aoueeueg.org | udp |
| US | 8.8.8.8:53 | hujnckw.info | udp |
| US | 8.8.8.8:53 | pwwleb.info | udp |
| US | 8.8.8.8:53 | uckmkewakoos.org | udp |
| US | 8.8.8.8:53 | kdbpzlv.net | udp |
| US | 8.8.8.8:53 | cciqygswcm.org | udp |
| US | 8.8.8.8:53 | slfopkzdq.net | udp |
| US | 8.8.8.8:53 | dohqfnvkn.net | udp |
| US | 8.8.8.8:53 | dgsozle.info | udp |
| US | 8.8.8.8:53 | yvcbvi.info | udp |
| US | 8.8.8.8:53 | qieskwaeumgu.com | udp |
| US | 8.8.8.8:53 | vmlhqgobkpwh.net | udp |
| US | 8.8.8.8:53 | anjihtgn.info | udp |
| US | 8.8.8.8:53 | vtbtwnprdtdr.info | udp |
| US | 8.8.8.8:53 | teywtwk.com | udp |
| US | 8.8.8.8:53 | qckxwaittnuu.net | udp |
| US | 8.8.8.8:53 | ccdmtofmr.info | udp |
| US | 8.8.8.8:53 | tqvzkzco.info | udp |
| US | 8.8.8.8:53 | ziiwdb.info | udp |
| US | 8.8.8.8:53 | fjavevjc.net | udp |
| US | 8.8.8.8:53 | flzsrj.net | udp |
| US | 8.8.8.8:53 | ymcgceaqcu.org | udp |
| US | 8.8.8.8:53 | smppzsvy.info | udp |
| US | 8.8.8.8:53 | nkcovn.net | udp |
| US | 8.8.8.8:53 | fqfltd.info | udp |
| US | 8.8.8.8:53 | qaacrknzh.net | udp |
| US | 8.8.8.8:53 | qbkmkfhqr.net | udp |
| US | 8.8.8.8:53 | ajjojwjwphb.info | udp |
| US | 8.8.8.8:53 | inxpxkfmh.info | udp |
| US | 8.8.8.8:53 | dgbcaun.net | udp |
| US | 8.8.8.8:53 | ycigxmkcnxg.info | udp |
| US | 8.8.8.8:53 | dpwthhxfnpje.info | udp |
| US | 8.8.8.8:53 | zqodwvfcywxt.info | udp |
| US | 8.8.8.8:53 | jecgvwjvqgl.com | udp |
| US | 8.8.8.8:53 | behcphxlkgz.org | udp |
| US | 8.8.8.8:53 | kwcgdid.net | udp |
| US | 8.8.8.8:53 | wuheyzj.info | udp |
| US | 8.8.8.8:53 | bmnnfmtkdxl.info | udp |
| US | 8.8.8.8:53 | gwumgkswsk.com | udp |
| US | 8.8.8.8:53 | eimwgiceiy.org | udp |
| US | 8.8.8.8:53 | hbalfcbztj.info | udp |
| US | 8.8.8.8:53 | osqchip.net | udp |
| US | 8.8.8.8:53 | dedjzp.net | udp |
| US | 8.8.8.8:53 | zwxewzlyrqh.com | udp |
| US | 8.8.8.8:53 | vuxulyal.info | udp |
| US | 8.8.8.8:53 | gsuwyuaqyicg.org | udp |
| US | 8.8.8.8:53 | frfsfjyr.info | udp |
| US | 8.8.8.8:53 | wrrpqs.net | udp |
| US | 8.8.8.8:53 | vyigmkbsn.net | udp |
| US | 8.8.8.8:53 | jgisxmd.info | udp |
| US | 8.8.8.8:53 | fzmwinbmvsnt.info | udp |
| US | 8.8.8.8:53 | bttqrqrpxsjv.info | udp |
| US | 8.8.8.8:53 | kwjqwys.info | udp |
| US | 8.8.8.8:53 | jtyyhv.net | udp |
| US | 8.8.8.8:53 | ommkcakc.com | udp |
| US | 8.8.8.8:53 | zylyqstmdoh.org | udp |
| US | 8.8.8.8:53 | lxfctfb.com | udp |
| US | 8.8.8.8:53 | tfldcopk.net | udp |
| US | 8.8.8.8:53 | nggzqtxt.info | udp |
| US | 8.8.8.8:53 | vxjoacz.info | udp |
| US | 8.8.8.8:53 | taawvvlqgwvi.net | udp |
| US | 8.8.8.8:53 | syqcoscyie.com | udp |
| US | 8.8.8.8:53 | mnhnrjucnmln.net | udp |
| US | 8.8.8.8:53 | uvlvqxyijddu.net | udp |
| US | 8.8.8.8:53 | rmlgyge.net | udp |
| US | 8.8.8.8:53 | haldabzprdfo.info | udp |
| US | 8.8.8.8:53 | wmnyodav.net | udp |
| US | 8.8.8.8:53 | ekskoc.com | udp |
| US | 8.8.8.8:53 | wdxhaicsckn.info | udp |
| US | 8.8.8.8:53 | zkvypwmsh.net | udp |
| US | 8.8.8.8:53 | quhjbdqou.net | udp |
| US | 8.8.8.8:53 | puusmn.net | udp |
| US | 8.8.8.8:53 | xrbklm.info | udp |
| US | 8.8.8.8:53 | gwuiyg.com | udp |
| US | 8.8.8.8:53 | jsvqhcltow.info | udp |
| US | 8.8.8.8:53 | suicwlhzdsrh.net | udp |
| US | 8.8.8.8:53 | nujjjhwmtcyu.info | udp |
| US | 8.8.8.8:53 | zktvgivr.info | udp |
| US | 8.8.8.8:53 | phfqsn.net | udp |
| US | 8.8.8.8:53 | mxfseadcb.info | udp |
| US | 8.8.8.8:53 | osfirsowmqo.info | udp |
| US | 8.8.8.8:53 | tojbfbtgmfty.net | udp |
| US | 8.8.8.8:53 | lgjnbpojmm.info | udp |
| US | 8.8.8.8:53 | rxihyknm.net | udp |
| US | 8.8.8.8:53 | yowashmh.net | udp |
| US | 8.8.8.8:53 | pvqlykfq.net | udp |
| US | 8.8.8.8:53 | lauwjsahfqe.com | udp |
| US | 8.8.8.8:53 | drdglop.com | udp |
| US | 8.8.8.8:53 | xbjvou.net | udp |
| US | 8.8.8.8:53 | dtdkfhyx.net | udp |
| US | 8.8.8.8:53 | zrjkew.net | udp |
| US | 8.8.8.8:53 | jvcuyszjq.com | udp |
| US | 8.8.8.8:53 | rgsyxmfarbh.net | udp |
| US | 8.8.8.8:53 | pjouzypsxqx.net | udp |
| US | 8.8.8.8:53 | pgzkvyz.com | udp |
| US | 8.8.8.8:53 | vmihlahazqo.net | udp |
| US | 8.8.8.8:53 | afqcpwssbe.info | udp |
| US | 8.8.8.8:53 | lvnllgfef.com | udp |
| US | 8.8.8.8:53 | pilfkibvly.net | udp |
| US | 8.8.8.8:53 | phzoxcjclch.org | udp |
| US | 8.8.8.8:53 | equhrhl.net | udp |
| US | 8.8.8.8:53 | cofqgl.info | udp |
| US | 8.8.8.8:53 | rrooupzvputl.net | udp |
| US | 8.8.8.8:53 | bmxnhudn.net | udp |
| US | 8.8.8.8:53 | uoqguq.com | udp |
| US | 8.8.8.8:53 | qapsshk.net | udp |
| US | 8.8.8.8:53 | sxxizutlvant.net | udp |
| US | 8.8.8.8:53 | nsfkeafrtjn.info | udp |
| US | 8.8.8.8:53 | fentxwuggn.info | udp |
| US | 8.8.8.8:53 | iaaoakause.org | udp |
| US | 8.8.8.8:53 | lopswkzypsb.org | udp |
| US | 8.8.8.8:53 | ydgezsywjtli.info | udp |
| US | 8.8.8.8:53 | palavclsh.info | udp |
| US | 8.8.8.8:53 | jtpdhst.org | udp |
| US | 162.249.65.164:80 | jtpdhst.org | tcp |
| US | 8.8.8.8:53 | hfkgwjruvzfx.info | udp |
| US | 8.8.8.8:53 | dilibghinoj.com | udp |
| US | 8.8.8.8:53 | vphmnl.info | udp |
| US | 8.8.8.8:53 | vgwwlyzwn.org | udp |
| US | 8.8.8.8:53 | lsawoyz.net | udp |
| US | 8.8.8.8:53 | bfvbpfllrewl.net | udp |
| US | 8.8.8.8:53 | rilgoql.info | udp |
| US | 8.8.8.8:53 | uavyekreff.info | udp |
| US | 8.8.8.8:53 | imnqnbyod.info | udp |
| US | 8.8.8.8:53 | kwlxazgum.net | udp |
| US | 8.8.8.8:53 | mmncloetjqv.info | udp |
| US | 8.8.8.8:53 | yvvwtcdubbd.net | udp |
| US | 8.8.8.8:53 | ehdcuajdzthn.info | udp |
| US | 8.8.8.8:53 | lmpdnk.net | udp |
| US | 8.8.8.8:53 | tuzblutwnwb.net | udp |
| US | 8.8.8.8:53 | kasuiyek.com | udp |
| US | 8.8.8.8:53 | nkxapthjcw.info | udp |
| US | 8.8.8.8:53 | zbtgaub.com | udp |
| US | 8.8.8.8:53 | yuekak.com | udp |
| US | 8.8.8.8:53 | soibtqaozldc.net | udp |
| US | 8.8.8.8:53 | eypmhvxox.info | udp |
| US | 8.8.8.8:53 | rqsmlao.net | udp |
| US | 8.8.8.8:53 | buhqoyzy.net | udp |
| US | 8.8.8.8:53 | rojwsqumfvt.com | udp |
| US | 8.8.8.8:53 | dsjoajgdum.info | udp |
| US | 8.8.8.8:53 | gwmjvulol.net | udp |
| US | 8.8.8.8:53 | mcimqueg.com | udp |
| US | 8.8.8.8:53 | lkegbexufcp.net | udp |
| US | 8.8.8.8:53 | tixlgcs.info | udp |
| US | 8.8.8.8:53 | tjbxolvdpmqc.info | udp |
| US | 8.8.8.8:53 | yaiwwqauqmom.com | udp |
| US | 8.8.8.8:53 | puhnmbvjwcyo.info | udp |
| US | 8.8.8.8:53 | ilotakteky.net | udp |
| US | 8.8.8.8:53 | lmlshcwbw.info | udp |
| US | 8.8.8.8:53 | owkuimiokg.com | udp |
| US | 8.8.8.8:53 | tmhmvauwx.org | udp |
| US | 8.8.8.8:53 | iybucwuoz.net | udp |
| US | 8.8.8.8:53 | mbpwcqlboe.info | udp |
| US | 8.8.8.8:53 | rxphdafgz.info | udp |
| US | 8.8.8.8:53 | nvkegmombev.info | udp |
| US | 8.8.8.8:53 | vwzlbkneb.info | udp |
| US | 8.8.8.8:53 | gwgrzthgisir.net | udp |
| US | 8.8.8.8:53 | zrzbimdx.info | udp |
| US | 8.8.8.8:53 | zdfqxmraf.org | udp |
| US | 162.249.65.164:80 | zdfqxmraf.org | tcp |
| US | 8.8.8.8:53 | tpdmlt.info | udp |
| US | 8.8.8.8:53 | mmeofunehfk.info | udp |
| US | 8.8.8.8:53 | cepjxldeu.info | udp |
| US | 8.8.8.8:53 | vwacrgroz.info | udp |
| US | 8.8.8.8:53 | lwwxpkwvzaki.net | udp |
| US | 8.8.8.8:53 | qbelrytcd.info | udp |
| US | 8.8.8.8:53 | bixsou.info | udp |
| US | 8.8.8.8:53 | ntehezbc.info | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | qtjixsthzxnb.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | eggihif.info | udp |
| US | 8.8.8.8:53 | poyzac.net | udp |
| US | 8.8.8.8:53 | omuejyvdsq.info | udp |
| US | 8.8.8.8:53 | podzfziejc.info | udp |
| US | 8.8.8.8:53 | lictginm.info | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | famdhrjmvh.net | udp |
| US | 8.8.8.8:53 | iuucwa.org | udp |
| US | 8.8.8.8:53 | aqhyxevud.net | udp |
| US | 8.8.8.8:53 | jvmkdb.info | udp |
| US | 8.8.8.8:53 | vsfgngxssqp.org | udp |
| US | 8.8.8.8:53 | zuqiqxqzmb.info | udp |
| US | 8.8.8.8:53 | kyqugqywge.com | udp |
| US | 8.8.8.8:53 | akcrxihch.info | udp |
| US | 8.8.8.8:53 | wyuusgseka.org | udp |
| US | 8.8.8.8:53 | wrzmpwckvtog.info | udp |
| US | 8.8.8.8:53 | eypegkf.net | udp |
| US | 8.8.8.8:53 | njdqzmpci.com | udp |
| US | 8.8.8.8:53 | gounbviz.info | udp |
| US | 8.8.8.8:53 | bhiidlyihaz.com | udp |
| US | 8.8.8.8:53 | bydodr.net | udp |
| US | 8.8.8.8:53 | yquuacmk.org | udp |
| US | 8.8.8.8:53 | ludqvit.info | udp |
| US | 8.8.8.8:53 | yboeosp.net | udp |
| US | 8.8.8.8:53 | scwiikiswu.com | udp |
| US | 8.8.8.8:53 | caaaigqkmiae.org | udp |
| US | 162.249.65.164:80 | caaaigqkmiae.org | tcp |
| US | 8.8.8.8:53 | hgnkroto.info | udp |
| US | 8.8.8.8:53 | jhtoyqf.net | udp |
| US | 8.8.8.8:53 | vqpexkdqbab.com | udp |
| US | 8.8.8.8:53 | rexhfkbczid.com | udp |
| US | 8.8.8.8:53 | weyrtj.net | udp |
| US | 8.8.8.8:53 | gnurqsarfdrx.info | udp |
| US | 8.8.8.8:53 | qicceo.com | udp |
| US | 8.8.8.8:53 | csfnvv.net | udp |
| US | 8.8.8.8:53 | nyufpcuymu.net | udp |
| US | 8.8.8.8:53 | grbysiyi.net | udp |
| US | 8.8.8.8:53 | kzxjhgaeni.net | udp |
| US | 8.8.8.8:53 | oqmaeauy.org | udp |
| US | 8.8.8.8:53 | jfzciyx.org | udp |
| US | 162.249.65.164:80 | jfzciyx.org | tcp |
| US | 8.8.8.8:53 | wsgaxdb.net | udp |
| US | 8.8.8.8:53 | daefkcec.net | udp |
| US | 8.8.8.8:53 | eyckcsekkkwc.com | udp |
| US | 8.8.8.8:53 | zghgjuuch.info | udp |
| US | 8.8.8.8:53 | ffdmxaa.info | udp |
| US | 8.8.8.8:53 | sidlvctfcd.net | udp |
| US | 8.8.8.8:53 | xpdppur.com | udp |
| US | 8.8.8.8:53 | hihohlztfd.info | udp |
| US | 8.8.8.8:53 | hasyua.info | udp |
| US | 8.8.8.8:53 | zphlrd.info | udp |
| US | 8.8.8.8:53 | yyymwqyqcg.com | udp |
| US | 8.8.8.8:53 | cxhpao.info | udp |
| US | 8.8.8.8:53 | ndlehiq.com | udp |
| US | 8.8.8.8:53 | lisuez.info | udp |
| US | 8.8.8.8:53 | ehwoqrboiogy.net | udp |
| US | 8.8.8.8:53 | iyogkwiquaqs.org | udp |
| US | 8.8.8.8:53 | qnqfwtccro.info | udp |
| US | 8.8.8.8:53 | wadlzibwm.info | udp |
| US | 8.8.8.8:53 | yiicek.com | udp |
| US | 8.8.8.8:53 | zlpcbh.net | udp |
| US | 8.8.8.8:53 | goeivnxgm.net | udp |
| US | 8.8.8.8:53 | blpbrshidkt.net | udp |
| US | 8.8.8.8:53 | uobmfgjcztv.info | udp |
| US | 8.8.8.8:53 | niuvzzbu.info | udp |
| US | 8.8.8.8:53 | asnapiuotwf.net | udp |
| US | 8.8.8.8:53 | rartvm.info | udp |
| US | 8.8.8.8:53 | bkpkvekvzgd.net | udp |
| US | 8.8.8.8:53 | hhryrezmrwf.com | udp |
| US | 8.8.8.8:53 | ygvmourunatx.net | udp |
| US | 8.8.8.8:53 | vubkfchdjeh.org | udp |
| US | 8.8.8.8:53 | xfvqmg.info | udp |
| US | 8.8.8.8:53 | czyqpobo.info | udp |
| US | 8.8.8.8:53 | barkbgzj.net | udp |
| US | 8.8.8.8:53 | bdjouyjaeeb.net | udp |
| US | 8.8.8.8:53 | wyxrnriz.net | udp |
| US | 8.8.8.8:53 | rflinejkdgl.com | udp |
| US | 8.8.8.8:53 | akjazyhklea.info | udp |
| US | 8.8.8.8:53 | zmtkywp.org | udp |
| US | 162.249.65.164:80 | zmtkywp.org | tcp |
| US | 8.8.8.8:53 | lvxsvjfhey.net | udp |
| US | 8.8.8.8:53 | hozqvimincu.net | udp |
| US | 8.8.8.8:53 | kbrfawy.net | udp |
| US | 8.8.8.8:53 | aacwwkuymqiq.com | udp |
| US | 8.8.8.8:53 | rrkmwnrm.net | udp |
| US | 8.8.8.8:53 | ntxkswwzvtf.org | udp |
| US | 8.8.8.8:53 | lqwkdqhkoej.net | udp |
| US | 8.8.8.8:53 | kqwkgkawws.org | udp |
| US | 8.8.8.8:53 | hjzcbquzos.net | udp |
| US | 8.8.8.8:53 | peffyirwg.net | udp |
| US | 8.8.8.8:53 | dzpmjawy.net | udp |
| US | 8.8.8.8:53 | ljthpivgt.info | udp |
| US | 8.8.8.8:53 | qmeegmaw.org | udp |
| US | 8.8.8.8:53 | yceqcskoeg.org | udp |
| US | 162.249.65.164:80 | yceqcskoeg.org | tcp |
| US | 8.8.8.8:53 | selhpuz.info | udp |
| US | 8.8.8.8:53 | mtwkhnhsulgn.net | udp |
| US | 8.8.8.8:53 | dwrfzvkwzpnm.info | udp |
| US | 8.8.8.8:53 | adomofxvpaq.net | udp |
| US | 8.8.8.8:53 | sjxngw.net | udp |
| US | 8.8.8.8:53 | giqvbt.info | udp |
| US | 8.8.8.8:53 | hvhwaohmcx.info | udp |
| US | 8.8.8.8:53 | lqnjiqbi.net | udp |
| US | 8.8.8.8:53 | cgwgaguesg.org | udp |
| US | 162.249.65.164:80 | cgwgaguesg.org | tcp |
| US | 8.8.8.8:53 | dantbsrqhmsd.info | udp |
| US | 8.8.8.8:53 | emyogg.com | udp |
| US | 8.8.8.8:53 | qkogdsn.net | udp |
| US | 8.8.8.8:53 | wlntlryx.net | udp |
| US | 8.8.8.8:53 | julxerwaocda.net | udp |
| US | 8.8.8.8:53 | spjusakr.net | udp |
| US | 8.8.8.8:53 | nkybtwpgzoi.info | udp |
| US | 8.8.8.8:53 | slhelwdsl.info | udp |
| US | 8.8.8.8:53 | temkffdqhcx.net | udp |
| US | 8.8.8.8:53 | eeddaicgvrn.net | udp |
| US | 8.8.8.8:53 | tnxpffhon.com | udp |
| US | 8.8.8.8:53 | pnznddghonhc.net | udp |
| US | 8.8.8.8:53 | hjwaewpidch.info | udp |
| US | 8.8.8.8:53 | gwmeafacbwrh.info | udp |
| US | 8.8.8.8:53 | iwdmnio.net | udp |
| US | 8.8.8.8:53 | pqnawd.net | udp |
| US | 8.8.8.8:53 | dlwgskqidpsc.info | udp |
| US | 8.8.8.8:53 | rtldxgzsr.com | udp |
| US | 8.8.8.8:53 | nggwvdxldwy.org | udp |
| US | 8.8.8.8:53 | sddcnvhmxghk.net | udp |
| US | 8.8.8.8:53 | aewiiuaw.com | udp |
| US | 8.8.8.8:53 | qkdqch.net | udp |
| US | 8.8.8.8:53 | giqpub.info | udp |
| US | 8.8.8.8:53 | nczndunqshyx.info | udp |
| US | 8.8.8.8:53 | gaewuaquesmc.com | udp |
| US | 8.8.8.8:53 | hmwddezd.net | udp |
| US | 8.8.8.8:53 | ngnmzh.net | udp |
| US | 8.8.8.8:53 | dmvsbvtlq.org | udp |
| US | 8.8.8.8:53 | fauqlob.info | udp |
| US | 8.8.8.8:53 | vewkdsdnhy.info | udp |
| US | 8.8.8.8:53 | eaisokwcuc.com | udp |
| US | 8.8.8.8:53 | oaxybkrkbnh.net | udp |
| US | 8.8.8.8:53 | qcxitck.info | udp |
| US | 8.8.8.8:53 | lblxlwomf.net | udp |
| US | 8.8.8.8:53 | dqktjez.info | udp |
| US | 8.8.8.8:53 | ndyvalrcfvke.net | udp |
| US | 8.8.8.8:53 | cuuewa.org | udp |
| US | 8.8.8.8:53 | ltmznw.net | udp |
| US | 8.8.8.8:53 | cznfqexekbez.info | udp |
| US | 8.8.8.8:53 | ekamqi.org | udp |
| US | 162.249.65.164:80 | ekamqi.org | tcp |
| US | 8.8.8.8:53 | mwjmyuhxiuhw.net | udp |
| US | 8.8.8.8:53 | zjnnisjzumd.net | udp |
| US | 8.8.8.8:53 | xtqolix.net | udp |
| US | 8.8.8.8:53 | smyoemiywgye.org | udp |
| US | 8.8.8.8:53 | ohtaebbybj.info | udp |
| US | 8.8.8.8:53 | eocwqaoqwk.com | udp |
| US | 8.8.8.8:53 | xopgozy.com | udp |
| US | 8.8.8.8:53 | edwqbtrqlybj.info | udp |
| US | 8.8.8.8:53 | bhdzedxh.net | udp |
| US | 8.8.8.8:53 | ownfpcvxhj.info | udp |
| US | 8.8.8.8:53 | amhsiqjwugt.net | udp |
| US | 8.8.8.8:53 | ogcuekiaes.org | udp |
| US | 8.8.8.8:53 | zmdxlwjpyt.net | udp |
| US | 8.8.8.8:53 | tgvofvdsh.net | udp |
| US | 8.8.8.8:53 | udblefgmmj.info | udp |
| US | 8.8.8.8:53 | jeicvcdhmk.net | udp |
| US | 8.8.8.8:53 | ifvpahngdwtg.info | udp |
| US | 8.8.8.8:53 | eqcsskwyyiug.org | udp |
| US | 162.249.65.164:80 | eqcsskwyyiug.org | tcp |
| US | 8.8.8.8:53 | hhpsvcwfmgfg.net | udp |
| US | 8.8.8.8:53 | tbfbcyarly.info | udp |
| US | 8.8.8.8:53 | pgchlxgc.net | udp |
| US | 8.8.8.8:53 | dybivyzgd.net | udp |
| US | 8.8.8.8:53 | puvtiu.net | udp |
| US | 8.8.8.8:53 | mgqyklbwl.info | udp |
| US | 8.8.8.8:53 | mpzblpvaj.info | udp |
| US | 8.8.8.8:53 | kuphnghstgl.info | udp |
| US | 8.8.8.8:53 | jsnojd.net | udp |
| US | 8.8.8.8:53 | eweuaigycy.org | udp |
| US | 162.249.65.164:80 | eweuaigycy.org | tcp |
| US | 8.8.8.8:53 | hdhkhzpq.net | udp |
| US | 8.8.8.8:53 | 26.178.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jatcfib.com | udp |
| US | 8.8.8.8:53 | dtlosfhbjv.info | udp |
| US | 8.8.8.8:53 | ishstyjyxiz.net | udp |
| US | 8.8.8.8:53 | clpuesoas.info | udp |
| US | 8.8.8.8:53 | kpdhjzgfkn.info | udp |
| US | 8.8.8.8:53 | ckqqaueogk.com | udp |
| US | 8.8.8.8:53 | cagbtgo.net | udp |
| US | 8.8.8.8:53 | cfjafxls.info | udp |
| US | 8.8.8.8:53 | luqvio.net | udp |
| US | 8.8.8.8:53 | lnpypgxguq.net | udp |
| US | 8.8.8.8:53 | kgimjwxavqm.net | udp |
| US | 8.8.8.8:53 | uxfhrqtkdtxg.net | udp |
| US | 8.8.8.8:53 | rgrdpwvmpxbc.net | udp |
| US | 8.8.8.8:53 | akcagk.org | udp |
| US | 8.8.8.8:53 | eqfjmqldzg.net | udp |
| US | 8.8.8.8:53 | qrhivuxkrwl.net | udp |
| US | 8.8.8.8:53 | iqyukmiauscg.org | udp |
| US | 8.8.8.8:53 | suzenupya.info | udp |
| US | 8.8.8.8:53 | gzzhsqoo.info | udp |
| US | 8.8.8.8:53 | ewaucwue.org | udp |
| US | 8.8.8.8:53 | typynlerfdxk.info | udp |
| US | 8.8.8.8:53 | jormhevcmsp.org | udp |
| US | 8.8.8.8:53 | rdrsxai.info | udp |
| US | 8.8.8.8:53 | iesciysueugw.org | udp |
| US | 8.8.8.8:53 | eelsjguensp.info | udp |
| US | 8.8.8.8:53 | tnaazauab.info | udp |
| US | 8.8.8.8:53 | nowtvupct.net | udp |
| US | 8.8.8.8:53 | agsgbgzcrpv.info | udp |
| US | 8.8.8.8:53 | fnqsmcftroxg.info | udp |
| US | 8.8.8.8:53 | swwqwozy.net | udp |
| US | 8.8.8.8:53 | cwtklwbjrwg.net | udp |
| US | 8.8.8.8:53 | xgtsict.com | udp |
| US | 8.8.8.8:53 | wzxqqsksmhht.net | udp |
| US | 8.8.8.8:53 | nscquai.org | udp |
| US | 8.8.8.8:53 | wgayocoiwm.com | udp |
| US | 8.8.8.8:53 | gohcfyv.net | udp |
| US | 8.8.8.8:53 | foafmnzmsn.info | udp |
| US | 8.8.8.8:53 | vhldzhjm.net | udp |
| US | 8.8.8.8:53 | kcguuuas.com | udp |
| US | 8.8.8.8:53 | nzjclvdw.net | udp |
| US | 8.8.8.8:53 | ycaunmdur.net | udp |
| US | 8.8.8.8:53 | peemhkot.net | udp |
| US | 8.8.8.8:53 | gucgyo.org | udp |
| US | 8.8.8.8:53 | cmioyuoiuaik.com | udp |
| US | 8.8.8.8:53 | durehqhuh.info | udp |
| US | 8.8.8.8:53 | bdbjeqarfj.info | udp |
| US | 8.8.8.8:53 | wlflblpcjarz.info | udp |
| US | 8.8.8.8:53 | jwlmww.info | udp |
| US | 8.8.8.8:53 | llkarod.info | udp |
| US | 8.8.8.8:53 | usnrlododvf.info | udp |
| US | 8.8.8.8:53 | maiguo.org | udp |
| US | 8.8.8.8:53 | ukilhqxx.info | udp |
| US | 8.8.8.8:53 | jrrmaepcv.com | udp |
| US | 8.8.8.8:53 | qyiwrcy.info | udp |
| US | 8.8.8.8:53 | soyukqekksum.com | udp |
| US | 8.8.8.8:53 | nizybszil.info | udp |
| US | 8.8.8.8:53 | eeraolcegam.net | udp |
| US | 8.8.8.8:53 | xynktqvih.info | udp |
| US | 8.8.8.8:53 | otjneshvxgn.info | udp |
| US | 8.8.8.8:53 | ruzaxrpvmyd.org | udp |
| US | 8.8.8.8:53 | ljxaidzkgeyt.net | udp |
| US | 8.8.8.8:53 | yqxwvdhwae.net | udp |
| US | 8.8.8.8:53 | aqkysoao.com | udp |
| US | 8.8.8.8:53 | hyxkzecod.net | udp |
| US | 8.8.8.8:53 | pmdaylo.net | udp |
| US | 8.8.8.8:53 | ykhkvljit.info | udp |
| US | 8.8.8.8:53 | wdafvcx.info | udp |
| US | 8.8.8.8:53 | sobyjoxadyw.info | udp |
| US | 8.8.8.8:53 | uyegugkcwque.com | udp |
| US | 8.8.8.8:53 | hnfclldjdx.info | udp |
| US | 8.8.8.8:53 | riapuihdbpcl.net | udp |
| US | 8.8.8.8:53 | neotjkse.info | udp |
| US | 8.8.8.8:53 | oforpwmb.info | udp |
| US | 8.8.8.8:53 | uwaekcyseggi.org | udp |
| US | 8.8.8.8:53 | jrkznsbm.net | udp |
| US | 8.8.8.8:53 | ukdltgkqjoxu.net | udp |
| US | 8.8.8.8:53 | zoduyutrbgu.net | udp |
| US | 8.8.8.8:53 | qhhtehri.info | udp |
| US | 8.8.8.8:53 | ieprwgvxkx.net | udp |
| US | 8.8.8.8:53 | icqeyi.org | udp |
| US | 8.8.8.8:53 | nefwulmsyx.net | udp |
| US | 8.8.8.8:53 | kejuzgzxamd.info | udp |
| US | 8.8.8.8:53 | tkhtbh.net | udp |
| US | 8.8.8.8:53 | dozidko.info | udp |
| US | 8.8.8.8:53 | ospkce.net | udp |
| US | 8.8.8.8:53 | xknxpkj.com | udp |
| US | 8.8.8.8:53 | lrbqxqikxvb.info | udp |
| US | 8.8.8.8:53 | nakolhsvxk.net | udp |
| US | 8.8.8.8:53 | lfsjnt.net | udp |
| US | 8.8.8.8:53 | ywkmamaiqk.org | udp |
| US | 8.8.8.8:53 | jgzqagzv.net | udp |
| US | 8.8.8.8:53 | mkcwrolda.info | udp |
| US | 8.8.8.8:53 | bnignq.net | udp |
| US | 8.8.8.8:53 | wgphziznfz.info | udp |
| US | 8.8.8.8:53 | uohyimrkg.net | udp |
| US | 8.8.8.8:53 | znpsldu.org | udp |
| US | 162.249.65.164:80 | znpsldu.org | tcp |
| US | 8.8.8.8:53 | navcxlk.org | udp |
| US | 8.8.8.8:53 | eqhwcizabib.net | udp |
| US | 8.8.8.8:53 | thlivefbx.net | udp |
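What the rows above show, read as a whole: several hundred lookups of names that look algorithmically generated (random-looking labels under .info, .net, .org and .com), of which only thirteen are followed by a TCP connection, every one of them to 162.249.65.164:80 and every one a .org name; four in-addr.arpa reverse lookups; and a handful of tse1.mm.bing.net rows of the kind a Windows guest produces on its own. The script below is an added example, not part of the sandbox report: it parses rows copied verbatim from the table, pairs each lookup with any connection to the same name, groups connections by destination and decodes the reverse lookups. The row parser and the "many hostnames, one destination" rule used to pick the suspect command-and-control address are this example's assumptions, not the sandbox's own logic.

```python
"""Added example (not part of the sandbox report): triage of a sandbox
network table.  Pairs DNS lookups with TCP connections to the same name,
groups connections by destination and decodes in-addr.arpa lookups."""
import re
from collections import defaultdict

# Rows copied verbatim from the report's network table: a subset chosen to
# include every kind of row that occurs (lookups with no follow-up, the few
# lookups followed by a connection, bing.net background traffic, and
# reverse lookups).
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | sbquvspvnr.info | udp |
| US | 8.8.8.8:53 | vovshqno.net | udp |
| US | 8.8.8.8:53 | dxpuzatb.info | udp |
| US | 8.8.8.8:53 | auowmaggsumq.org | udp |
| US | 162.249.65.164:80 | auowmaggsumq.org | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hatxpnagwufv.info | udp |
| US | 8.8.8.8:53 | oqyegm.org | udp |
| US | 162.249.65.164:80 | oqyegm.org | tcp |
| US | 8.8.8.8:53 | rvigzhhw.info | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jtpdhst.org | udp |
| US | 162.249.65.164:80 | jtpdhst.org | tcp |
| US | 8.8.8.8:53 | thlivefbx.net | udp |
"""

# Assumed row layout: | country | ip:port | hostname | proto |
ROW_RE = re.compile(
    r"^\|\s*(?P<country>\w+)\s*\|\s*(?P<ip>[\d.]+):(?P<port>\d+)\s*\|"
    r"\s*(?P<host>\S+)\s*\|\s*(?P<proto>udp|tcp)\s*\|$"
)


def parse_rows(text):
    """Turn table rows into dicts; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def reverse_name_to_ip(name):
    """'43.58.199.20.in-addr.arpa' -> '20.199.58.43' (octets are listed reversed)."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def triage(rows):
    lookups = set()           # forward names asked of the resolver
    reverse = {}              # in-addr.arpa name -> dotted IP it asks about
    by_dest = defaultdict(set)  # "ip:port" -> hostnames connected to there
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53:
            if r["host"].endswith(".in-addr.arpa"):
                reverse[r["host"]] = reverse_name_to_ip(r["host"])
            else:
                lookups.add(r["host"])
        elif r["proto"] == "tcp":
            by_dest[f'{r["ip"]}:{r["port"]}'].add(r["host"])
    connected = set().union(*by_dest.values())
    # The tell for a domain-generation loop: one destination answering for
    # several unrelated hostnames.  A single-hostname destination is not flagged.
    suspect = max(by_dest, key=lambda d: len(by_dest[d]), default=None)
    if suspect is not None and len(by_dest[suspect]) < 2:
        suspect = None
    return {
        "lookups": len(lookups),
        "unresolved": sorted(lookups - connected),
        "connections_by_dest": {d: sorted(h) for d, h in by_dest.items()},
        "reverse_lookups": reverse,
        "suspect_c2": suspect,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(parse_rows(SAMPLE_ROWS)), indent=2))
```

Run against the full table rather than the embedded subset, `unresolved` holds the several hundred names that never got a connection and `connections_by_dest` collapses to the two destinations seen above, which is the shape that distinguishes a generation loop from a host simply visiting many sites. The reverse lookup of 10.28.171.150.in-addr.arpa decodes to 150.171.28.10, the same address the bing.net connections go to.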
Files
C:\Users\Admin\AppData\Local\Temp\eghos.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\eghos.exe
| MD5 | e593c52730dbb8f8745bcb31f5b46a10 |
| SHA1 | 7e161f7b905f840d75ba2f425081a760d0a70576 |
| SHA256 | a59a69faef6309e8c85bc7bc62612c96f17f8a967676d2f3b7a41120007ac0a0 |
| SHA512 | 3cd6b1f76ffc7dea2f71ea674b95a25fa3867bb1345d8cd1a37563611202f3072c9c0329c38077c5112a57460c8023114613d641a796444f16dccbc14b98ddad |
C:\Users\Admin\AppData\Local\fcyazycexxoyopnhzgfcya.yce
| MD5 | f7177575bf3d1cab47228938f5a4e053 |
| SHA1 | 73a0c6d006d0703219207deb0ba546dc54faea5c |
| SHA256 | 5d813bb94a2cde20933dcff4880ac530a2fd8388725c13a6dcd2d942c45e4ef0 |
| SHA512 | 616415b222a0ae7e6b4f622e9a533f8d71bd1b0818d60b96a378c65645c97a0a30ccd821d8dc9821aeb7e2d71e58155969139ad2e9d8271a533ec312648c145a |
C:\Users\Admin\AppData\Local\welyishuyjlghtchkcmuboyixkozbwxjs.asc
| MD5 | 26ffb2c4561032c097905c4c651eeebf |
| SHA1 | 144f32f32c9cfc488742fa74ec8b567e5fec85c3 |
| SHA256 | 083ddd6b4cf19857b8181cb15c5af7ec4b3c303eeee91390231d1528dbcf8825 |
| SHA512 | cb38d4c70318d1a50bb0071fad98c9b6fec3322fcc0bdedf524ff7dae81eceaec139850d0720e777ab265e698b6818727d1b5e13fd90ebec5808a8cba1fe6bf0 |
C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce
| MD5 | 2fa9cae76b369ae6e0ef38bdea2b86cd |
| SHA1 | 20fb6cae7c5cc31ee7b60262f7753bb8318518ac |
| SHA256 | 2a3c7b335c66447b9d7148d509f9fa1181a5de2c76ae6bc8dd0ce9fc99813198 |
| SHA512 | 9f18b705176138d1d24347a24fecf6cde3af999d5c703545aea3441520ea9ba051a9579c2d119f18c22119016b9c3078a3171c7435381149e867b84ca627d3f4 |
C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce
| MD5 | be06d01628fbbac093ecb9f6fce0323d |
| SHA1 | 7609f8c88dbc63cc7896a995622734194ba0cedd |
| SHA256 | 4832d8a50c021d92f08df677f4fedd040af5e83ecc7f962c0ae58180fbcfe3e8 |
| SHA512 | 1b955852ef95173c22f07c89036a6dceca41caa7d036e6850e04ebc20b51980e88ceaac6b1966f69eeb3877cd60d3837a46ce514cea4c35188326aa8c66268ed |
C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce
| MD5 | e8cc5809800f7221dc387714c1a35567 |
| SHA1 | ec0a2a1fb0287e5d427cfd93576c370144cc3100 |
| SHA256 | 04676cee499f3eb943a31c7f66a2e55e60121554b73ee8d5bb6fed0c20270af0 |
| SHA512 | a19b01024334df0b0613720b12c1b6162bbc7e1bd0253da0b519778866fad8af20fb26dcaa690c3db5df9aebb282ad04c972dbdd17d0ee713b31c1c49a440f12 |
C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce
| MD5 | 2c4faf3b264695e9f93ed635e6afa420 |
| SHA1 | 653519f3cdc13f7027412820ab330190839703ed |
| SHA256 | 967822fa4d24ffd7a43fc89acd6707629e88f54c82e9d194d918fda2aeb328b7 |
| SHA512 | 13ceaf65a3ab2afe1ea291c2418406a53466cfe220156d6960d19a32c8f43fe58aed78e23ccd8977172e8f2218752078b17debdacf4d77a01004cd41a00268f2 |
C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce
| MD5 | 1cb04e4da1423a29c4b076349f255f72 |
| SHA1 | 3bb511ba0cef650317362ee0dc35494deca11076 |
| SHA256 | f345fc8076a3f588d44ef9496da9a5e0edacbc1732ee756bf81c615b4e78c3c5 |
| SHA512 | 3d57f7d18a0d5f6350e9a623ac77aeca1c4f6848011131b59c78f5f007e1ed095f85e28572c8f3ac6d8ea9c9d2e52544667298eb587f7c694a7c0da937dd8e84 |
C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce
| MD5 | b2afab728098431a4d7e9ecb7d23def4 |
| SHA1 | f9427e819d329d39dc7c1c3eb4d58d975bc269da |
| SHA256 | 7cc74809c8bfb7a2b2e10eafd61e5e64ed11b35e2d519499419215da34300226 |
| SHA512 | 11fe881e1ef262febe2fb1ad1378f595ba085772cb9489c67899cdfec8bc938e4c5c5f50b0ea2bce959514aa727c44ec99510e5c3b65c04018abbe302b74a076 |
C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce
| MD5 | 584dfd61f6ab7805afab76e5651c53f9 |
| SHA1 | 9bcb60bcffe3e514d9faa4c98bce113977288d22 |
| SHA256 | 84f3bcd0b205508dc35b3a1cb1205288e2bd794d1697ead0c90a060261ffdf2b |
| SHA512 | b80459229726eff5db45c855dcacd136f55df4a1c774e1f925e58b10b9f0055d52972a0b6141f470d742700f9c3be59005eb22dc27c92adeb4637d8ceba4b611 |
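Two things in this Files list are worth checking rather than reading past. The first eghos.exe entry carries exactly the digests of zero-byte input (MD5 d41d8cd98f00b204e9800998ecf8427e, SHA-256 e3b0c44298fc…), so that capture is of an empty file; the second entry for the same path is the content that was written afterwards. The path C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce appears seven times with seven different digests, so the file was rewritten repeatedly during the run, and the same name is also dropped under AppData\Local. The script below is an added example, not part of the sandbox report: it parses entries copied verbatim from the list, flags empty-file captures by computing the zero-byte digests rather than hard-coding them, counts distinct non-empty contents per path, and cross-checks that all four digests of an entry agree on whether the file was empty. The entry parser is this example's assumption about the list's layout.

```python
"""Added example (not part of the sandbox report): checks over a sandbox
"Files" list of dropped artifacts and their digests."""
import hashlib
import re
from collections import defaultdict

# Entries copied verbatim from the report's Files list (a subset).
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\eghos.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Temp\eghos.exe
| MD5 | e593c52730dbb8f8745bcb31f5b46a10 |
| SHA1 | 7e161f7b905f840d75ba2f425081a760d0a70576 |
| SHA256 | a59a69faef6309e8c85bc7bc62612c96f17f8a967676d2f3b7a41120007ac0a0 |
| SHA512 | 3cd6b1f76ffc7dea2f71ea674b95a25fa3867bb1345d8cd1a37563611202f3072c9c0329c38077c5112a57460c8023114613d641a796444f16dccbc14b98ddad |
C:\Users\Admin\AppData\Local\fcyazycexxoyopnhzgfcya.yce
| MD5 | f7177575bf3d1cab47228938f5a4e053 |
| SHA1 | 73a0c6d006d0703219207deb0ba546dc54faea5c |
| SHA256 | 5d813bb94a2cde20933dcff4880ac530a2fd8388725c13a6dcd2d942c45e4ef0 |
| SHA512 | 616415b222a0ae7e6b4f622e9a533f8d71bd1b0818d60b96a378c65645c97a0a30ccd821d8dc9821aeb7e2d71e58155969139ad2e9d8271a533ec312648c145a |
C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce
| MD5 | 2fa9cae76b369ae6e0ef38bdea2b86cd |
| SHA1 | 20fb6cae7c5cc31ee7b60262f7753bb8318518ac |
| SHA256 | 2a3c7b335c66447b9d7148d509f9fa1181a5de2c76ae6bc8dd0ce9fc99813198 |
| SHA512 | 9f18b705176138d1d24347a24fecf6cde3af999d5c703545aea3441520ea9ba051a9579c2d119f18c22119016b9c3078a3171c7435381149e867b84ca627d3f4 |
C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce
| MD5 | be06d01628fbbac093ecb9f6fce0323d |
| SHA1 | 7609f8c88dbc63cc7896a995622734194ba0cedd |
| SHA256 | 4832d8a50c021d92f08df677f4fedd040af5e83ecc7f962c0ae58180fbcfe3e8 |
| SHA512 | 1b955852ef95173c22f07c89036a6dceca41caa7d036e6850e04ebc20b51980e88ceaac6b1966f69eeb3877cd60d3837a46ce514cea4c35188326aa8c66268ed |
C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce
| MD5 | e8cc5809800f7221dc387714c1a35567 |
| SHA1 | ec0a2a1fb0287e5d427cfd93576c370144cc3100 |
| SHA256 | 04676cee499f3eb943a31c7f66a2e55e60121554b73ee8d5bb6fed0c20270af0 |
| SHA512 | a19b01024334df0b0613720b12c1b6162bbc7e1bd0253da0b519778866fad8af20fb26dcaa690c3db5df9aebb282ad04c972dbdd17d0ee713b31c1c49a440f12 |
"""

# Assumed layout: a bare path line followed by | ALGO | hexdigest | rows.
DIGEST_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HASHLIB_NAMES = {"MD5": "md5", "SHA1": "sha1", "SHA256": "sha256", "SHA512": "sha512"}


def parse_files(text):
    """Return [(path, {algo: hexdigest}), ...] in the order listed."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DIGEST_RE.match(line)
        if m and entries:
            entries[-1][1][m.group(1)] = m.group(2).lower()
        elif not m:
            entries.append((line, {}))
    return entries


def empty_file_digests():
    """Digests of zero-byte input, computed here rather than hard-coded."""
    return {algo: hashlib.new(name, b"").hexdigest() for algo, name in HASHLIB_NAMES.items()}


def triage_files(entries):
    empty = empty_file_digests()
    empty_artifacts, inconsistent = [], []
    versions = defaultdict(set)  # path -> distinct non-empty SHA-256 values
    for path, digests in entries:
        matches = {algo: digests[algo] == empty[algo] for algo in digests if algo in empty}
        if len(set(matches.values())) > 1:
            # Some digests say "empty" and others do not: the entry is corrupt.
            inconsistent.append(path)
            continue
        if matches and all(matches.values()):
            empty_artifacts.append(path)
        elif "SHA256" in digests:
            versions[path].add(digests["SHA256"])
    return {
        "empty_artifacts": empty_artifacts,
        "inconsistent": inconsistent,
        "distinct_versions": {p: len(s) for p, s in versions.items() if len(s) > 1},
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage_files(parse_files(SAMPLE_FILES)), indent=2))
```

Pointed at the full list instead of the embedded subset, `distinct_versions` reports the seven contents captured for the Program Files (x86) path. A path whose digests keep changing over a short run is a state or configuration file the sample updates, not a static payload, and the empty eghos.exe capture is the digest set to exclude before any of these values are pushed to a blocklist.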