Malware Analysis Report

2025-03-15 00:49

Sample ID 240626-lfgr4a1arn
Target 118409a64b0d207166c07ccf998fe3f9_JaffaCakes118
SHA256 7edabdb1bf38c20a929240234848e4b9351ed3ead0d72aa87a4cf575329ecb78
Tags defense_evasion evasion persistence trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 7edabdb1bf38c20a929240234848e4b9351ed3ead0d72aa87a4cf575329ecb78

Threat Level: Known bad

The file 118409a64b0d207166c07ccf998fe3f9_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion evasion persistence trojan

UAC bypass

Modifies WinLogon for persistence

Disables RegEdit via registry modification

Adds policy Run key to start application

Impair Defenses: Safe Mode Boot

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Looks up external IP address via web service

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 09:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 09:28

Reported

2024-06-26 09:30

Platform

win7-20240611-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Note: the data written is "Explorer.exe", the default shell, so this signature fires on the write to a Winlogon value, not on a replaced shell.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A

UAC bypass

evasion trojan
Note: these writes disable UAC rather than bypass it. The Policies\System values live under HKLM, so a successful write means the process was already running with administrative rights; EnableLUA = 0 takes effect only after a reboot, while the ConsentPromptBehavior* and PromptOnSecureDesktop values switch off the consent prompt for later elevation requests.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmgbrpfxxvwhxxbrgmx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqibplzpnjirfdftg.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqibplzpnjirfdftg.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "oavrihyrsrtfwxctjqcx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "dqmjbbtnppsfxzfxowjfc.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqmjbbtnppsfxzfxowjfc.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmgbrpfxxvwhxxbrgmx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "bmgbrpfxxvwhxxbrgmx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavrihyrsrtfwxctjqcx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "qatnczofebblazcrfk.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqmjbbtnppsfxzfxowjfc.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "aizrezmbytrzmjkx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavrihyrsrtfwxctjqcx.exe" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "oavrihyrsrtfwxctjqcx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qatnczofebblazcrfk.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "hqibplzpnjirfdftg.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavrihyrsrtfwxctjqcx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "hqibplzpnjirfdftg.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "aizrezmbytrzmjkx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "dqmjbbtnppsfxzfxowjfc.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "bmgbrpfxxvwhxxbrgmx.exe" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "qatnczofebblazcrfk.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\acnzgvclcr = "bmgbrpfxxvwhxxbrgmx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qatnczofebblazcrfk.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Note: a service starts in Safe Mode only if it has an entry under SafeBoot\Minimal. Deleting the WinDefend (Windows Defender), ProfSvc (User Profile Service) and Power entries keeps those services out of Safe Mode, which hampers cleanup from a Safe Mode boot.
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
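
The signatures above are all derived from registry events, and the same derivation is easy to reproduce over the report's own rows. The following Python is an added example, not part of the sandbox report or its signature engine: the input rows are copied from the tables above, while the row parser, the hive normalisation, the five detection predicates and the ATT&CK technique IDs attached to them are this example's own choices. It parses rows in the "Description Indicator Process Target" layout, maps the kernel-style \REGISTRY\... paths onto HKLM/HKCU, re-derives which signatures fire, and emits the (key, data) pairs a responder would check on a suspect host.

```python
"""Re-derive this report's registry signatures from its event rows (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: a subset of the rows above, one per line, in the report's
# "Description Indicator Process Target" column layout (Target is always N/A).
EVENT_ROWS = r'''
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bairvhl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmgbrpfxxvwhxxbrgmx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
'''

ROW_RE = re.compile(
    r'^(?P<op>Set value \((?:str|int)\)|Key created|Key deleted|Key value queried) '
    r'(?P<key>\\REGISTRY\\.+?)'     # kernel-style path; may contain spaces ("Windows NT")
    r'(?: = "(?P<value>.*)")?'      # data column, present only for "Set value" rows
    r' (?P<process>\S+) N/A$'       # writing process, then the empty Target column
)
SID_HIVE_RE = re.compile(r'^HKU\\S-1-5-21-[\d-]+\\')


@dataclass(frozen=True)
class Event:
    op: str
    key: str              # normalised path, e.g. HKLM\SOFTWARE\...\Policies\System\EnableLUA
    name: str             # last path component (value name, or key name for key events)
    value: Optional[str]  # data for "Set value" rows, None otherwise
    process: str


def normalize(key: str) -> str:
    """Map a \\REGISTRY\\... path onto the HKLM/HKCU form the rules are written against."""
    key = key.replace('\\REGISTRY\\MACHINE\\', 'HKLM\\', 1)
    key = key.replace('\\REGISTRY\\USER\\', 'HKU\\', 1)
    key = SID_HIVE_RE.sub(lambda _: 'HKCU\\', key)   # the logged-on user's SID hive is HKCU
    return key.replace('\\Wow6432Node\\', '\\')      # WOW64 view of the same logical key


def parse_rows(text: str) -> List[Event]:
    events = []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f'unparsed row: {line!r}')
        key = normalize(m['key'])
        events.append(Event(m['op'], key, key.rsplit('\\', 1)[-1], m['value'], m['process']))
    return events


POLICY_SYSTEM = 'hklm\\software\\microsoft\\windows\\currentversion\\policies\\system\\'
UAC_VALUES = {'enablelua', 'consentpromptbehavioradmin',
              'consentpromptbehavioruser', 'promptonsecuredesktop'}

# Signature name -> predicate over one event. The ATT&CK IDs are this example's
# mapping, not something the report states.
RULES = {
    'Modifies WinLogon for persistence (T1547.004)':
        lambda e: e.op.startswith('Set value')
        and e.key.lower().endswith('\\currentversion\\winlogon\\shell'),
    'UAC bypass (T1548.002)':
        lambda e: e.op == 'Set value (int)' and e.key.lower().startswith(POLICY_SYSTEM)
        and e.name.lower() in UAC_VALUES and e.value == '0',
    'Adds policy Run key to start application (T1547.001)':
        lambda e: e.op == 'Set value (str)'
        and '\\policies\\explorer\\run\\' in e.key.lower(),
    'Disables RegEdit via registry modification (T1112)':
        lambda e: e.op == 'Set value (int)'
        and e.name.lower() == 'disableregistrytools' and e.value == '1',
    'Impair Defenses: Safe Mode Boot (T1562.009)':
        lambda e: e.op == 'Key deleted' and '\\control\\safeboot\\' in e.key.lower(),
}


def analyze(text: str) -> Dict[str, List[Event]]:
    """Return {signature name: [matching events]} for every signature that fired."""
    hits = defaultdict(list)
    for e in parse_rows(text):
        for rule, match in RULES.items():
            if match(e):
                hits[rule].append(e)
    return dict(hits)


def registry_iocs(text: str) -> List[Tuple[str, str]]:
    """Sorted (key, data) pairs a responder should check on a suspect host."""
    return sorted({(e.key, e.value or '') for evs in analyze(text).values() for e in evs})


if __name__ == '__main__':
    for rule, evs in analyze(EVENT_ROWS).items():
        print(rule)
        for e in evs:
            print(f"  {e.process.rsplit(chr(92), 1)[-1]}: {e.key} = {e.value}")
```

Run stand-alone it prints each signature with the process and normalised key that triggered it. The "Key value queried" and "Key created" rows are parsed but match no predicate, which mirrors the report: the EnableLUA query is listed under a separate, informational "Checks whether UAC is enabled" signature, and creating the Policies\Explorer\Run key is only suspicious once a value is written beneath it.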

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qatnczofebblazcrfk.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "oavrihyrsrtfwxctjqcx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwkzjblxrjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqibplzpnjirfdftg.exe ." C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syndohsfatpvgb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqmjbbtnppsfxzfxowjfc.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syndohsfatpvgb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qatnczofebblazcrfk.exe" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\vykxfvdnfvo = "qatnczofebblazcrfk.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aizrezmbytrzmjkx.exe ." C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "qatnczofebblazcrfk.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwkzjblxrjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aizrezmbytrzmjkx.exe ." C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qatnczofebblazcrfk.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swjxgxgrkbvz = "bmgbrpfxxvwhxxbrgmx.exe ." C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "hqibplzpnjirfdftg.exe ." C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swjxgxgrkbvz = "dqmjbbtnppsfxzfxowjfc.exe ." C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "aizrezmbytrzmjkx.exe ." C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swjxgxgrkbvz = "aizrezmbytrzmjkx.exe ." C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "bmgbrpfxxvwhxxbrgmx.exe ." C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swjxgxgrkbvz = "dqmjbbtnppsfxzfxowjfc.exe ." C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\vykxfvdnfvo = "aizrezmbytrzmjkx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "hqibplzpnjirfdftg.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqibplzpnjirfdftg.exe" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "oavrihyrsrtfwxctjqcx.exe ." C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwkzjblxrjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aizrezmbytrzmjkx.exe ." C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\vykxfvdnfvo = "qatnczofebblazcrfk.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syndohsfatpvgb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aizrezmbytrzmjkx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "oavrihyrsrtfwxctjqcx.exe" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "hqibplzpnjirfdftg.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavrihyrsrtfwxctjqcx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syndohsfatpvgb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qatnczofebblazcrfk.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\vykxfvdnfvo = "bmgbrpfxxvwhxxbrgmx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "dqmjbbtnppsfxzfxowjfc.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qatnczofebblazcrfk.exe ." C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "dqmjbbtnppsfxzfxowjfc.exe ." C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "bmgbrpfxxvwhxxbrgmx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aizrezmbytrzmjkx.exe ." C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\vykxfvdnfvo = "aizrezmbytrzmjkx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dqmjbbtnppsfxzfxowjfc.exe ." C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aizrezmbytrzmjkx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\vykxfvdnfvo = "dqmjbbtnppsfxzfxowjfc.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\vykxfvdnfvo = "oavrihyrsrtfwxctjqcx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "aizrezmbytrzmjkx.exe ." C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\vykxfvdnfvo = "dqmjbbtnppsfxzfxowjfc.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swjxgxgrkbvz = "oavrihyrsrtfwxctjqcx.exe ." C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmgbrpfxxvwhxxbrgmx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwkzjblxrjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavrihyrsrtfwxctjqcx.exe ." C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwkzjblxrjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qatnczofebblazcrfk.exe ." C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\vykxfvdnfvo = "oavrihyrsrtfwxctjqcx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syndohsfatpvgb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmgbrpfxxvwhxxbrgmx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqibplzpnjirfdftg.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syndohsfatpvgb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmgbrpfxxvwhxxbrgmx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\swjxgxgrkbvz = "aizrezmbytrzmjkx.exe ." C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syndohsfatpvgb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qatnczofebblazcrfk.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\syndohsfatpvgb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavrihyrsrtfwxctjqcx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "qatnczofebblazcrfk.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "hqibplzpnjirfdftg.exe ." C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "hqibplzpnjirfdftg.exe ." C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwkzjblxrjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmgbrpfxxvwhxxbrgmx.exe ." C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hqibplzpnjirfdftg.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oavrihyrsrtfwxctjqcx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\vykxfvdnfvo = "bmgbrpfxxvwhxxbrgmx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qatnczofebblazcrfk.exe" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rwkzjblxrjejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aizrezmbytrzmjkx.exe ." C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\vykxfvdnfvo = "hqibplzpnjirfdftg.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\qqzjobgn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bmgbrpfxxvwhxxbrgmx.exe" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hisdjxdlb = "dqmjbbtnppsfxzfxowjfc.exe ." C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A

Looks up external IP address via web service

Note: the hosts below are public IP-echo services, not attacker infrastructure; the lookup fingerprints the victim's egress address.
Description Indicator Process Target
N/A whatismyip.everdot.org N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ewxzwbyxejrjgnyvrewxzw.yxe C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
File created C:\Windows\SysWOW64\ewxzwbyxejrjgnyvrewxzw.yxe C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
File opened for modification C:\Windows\SysWOW64\vykxfvdnfvorzrnvcadpckaiskatwewsa.fiu C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
File created C:\Windows\SysWOW64\vykxfvdnfvorzrnvcadpckaiskatwewsa.fiu C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\ewxzwbyxejrjgnyvrewxzw.yxe C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
File created C:\Program Files (x86)\ewxzwbyxejrjgnyvrewxzw.yxe C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
File opened for modification C:\Program Files (x86)\vykxfvdnfvorzrnvcadpckaiskatwewsa.fiu C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
File created C:\Program Files (x86)\vykxfvdnfvorzrnvcadpckaiskatwewsa.fiu C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\ewxzwbyxejrjgnyvrewxzw.yxe C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
File opened for modification C:\Windows\vykxfvdnfvorzrnvcadpckaiskatwewsa.fiu C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
File created C:\Windows\vykxfvdnfvorzrnvcadpckaiskatwewsa.fiu C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
File opened for modification C:\Windows\ewxzwbyxejrjgnyvrewxzw.yxe C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
(the row above is repeated 64 times in the original report)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\omtbep.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\omtbep.exe

"C:\Users\Admin\AppData\Local\Temp\omtbep.exe" "-"

C:\Users\Admin\AppData\Local\Temp\omtbep.exe

"C:\Users\Admin\AppData\Local\Temp\omtbep.exe" "-"

Network


Files

C:\Users\Admin\AppData\Local\Temp\omtbep.exe

MD5 ca18aa497603dfc516ff8b1241ee5c5d
SHA1 eae8d8d467250f285a51797d4b36ed9ba023e4de
SHA256 f6bfeb0b702f8969bfc86d6b7bb710945588fdcc67297e1a477dec54a3afd5f5
SHA512 06fb6d71364ce6b1f874641995deeaf89053c6cf59b76050a3ae7e73b535977611f68835393a0d4d0349e2e453fbc93592dedabcb618bb9d2e8e0f9744e7d256

C:\Users\Admin\AppData\Local\ewxzwbyxejrjgnyvrewxzw.yxe

MD5 63178f7dc599dad86dc25dbe48185b82
SHA1 81bb04096522fcb0455c4912b056d6f919249cbc
SHA256 421d1c11e70ddeaa8259a050c4101bdaff7f96e186433f5456844ff001950ff8
SHA512 7b9c93ab3b949a458f5ecf74c6c5cbb5479abc160b56b52b0164278755125f6890a60693cf9fa75a66b9de0c3c117cfe69f1db7db32eac8d5398beaf57691657

C:\Users\Admin\AppData\Local\vykxfvdnfvorzrnvcadpckaiskatwewsa.fiu

MD5 024d0d9621836b344e339c4f7349e786
SHA1 f84ad9891d16f48bf832c78689819e4319f700cb
SHA256 11f5d45badab73335b639711973c3d742eead88b7ef2895f0b88b8ee43eb1f13
SHA512 42406b133c44beffceb5103293e19d9f9790462f48f618d7684089e2ff9634db11251f611c5b860f8731b6d96664da2a0b9ea0c7c0d37cee4324e136178f4d4d

C:\Program Files (x86)\ewxzwbyxejrjgnyvrewxzw.yxe

MD5 33abb0db2cb87cd0dcc106df58d8cc53
SHA1 b073f108ae6e6423f279456ca0fb0f5d610e368c
SHA256 1c8df5bee0e7654c14dd2e34060048b170a1d6ca387d215ed9d6eca7cd556add
SHA512 446a89c5698cb92ab217a37880ef7489936fd730d67fdd338441a116d6a84ee32a16645b45dbfe6adea40898d563d8b54f20f6973cbaf86e23c7bc23702fcca2

C:\Program Files (x86)\ewxzwbyxejrjgnyvrewxzw.yxe

MD5 bedebe40f0c608d2e3a990bbff7f62aa
SHA1 815d3a1d2479f7974fc22141b634d5e324082e9d
SHA256 7fff78ee38cc2702f509b19610d56c63f77b792e417676a358df8b5ced3cf7a6
SHA512 2be95630c66347a37ae5f7c069912c3c00c1579ac29f1cab6b84b83d04f1a2ada763aa5cef2b389d2eeccb66edf62c4e7e54db08088e553f85594d3de6f1e90f

C:\Program Files (x86)\ewxzwbyxejrjgnyvrewxzw.yxe

MD5 24cdf08b47b2679b203e0132b773d012
SHA1 aec163b73e3dbf02909ed7f70cb996d7e33ba923
SHA256 8ddd544aefa0281da20dc69f888b075b9beb577e84c9ae935510860ed5e40402
SHA512 2fc138b6be80a942e7c6854e1500446668ff6bc7652ce1dd8cbf0ec7760b8ec04bd5206ab247432911ab53072e37cb634427258a17db07151475f6fbb8b1c793

C:\Program Files (x86)\ewxzwbyxejrjgnyvrewxzw.yxe

MD5 83eeeb2a25642c86af36e7533a1fe392
SHA1 f9b24dbd90e2b7bacbf62727eeb7a64dc863f61a
SHA256 847dcf2c5c0a60e8257469a276aee6d7708f9b4d6858e76bb77a5ba9996f1c8d
SHA512 e4351aebc50de0b826942c5b2a0407a95bb3732488e9c19153765a24d461dcb507e763e56ae8b95fe019a08f7f30967d9d405199ca00cc9954faffa5a74eb2dc

C:\Program Files (x86)\ewxzwbyxejrjgnyvrewxzw.yxe

MD5 45507e06ea5e8cdda50602207c041084
SHA1 480bac8fc75d482c2beb87b0adbb059594597a95
SHA256 433a26cd537fd4a31d671d172c52c69a43865870da83f554d9e83fd0cbb43954
SHA512 59efed5f89230eed4bedb2f678d313f1c3772571d6716e4a849ab1c8d180922d9593da2046daee42f4afd79bc66a4d7fb23496d05625b22bef3f6105248e014a

C:\Program Files (x86)\ewxzwbyxejrjgnyvrewxzw.yxe

MD5 78b8b3f2448204004f92e91e05571962
SHA1 c270613079c012140f474b43222d7c0e365bd743
SHA256 5a366c6898e95b99142a05c07991ffb8e78d3e30f4763561fc3c9a9a9339b2ed
SHA512 e09a8db18635d21f5933ff8221363960d6561413967e1106d5b157700582b77c0af43cac6d59f7f793cb48c04fb3271ff1fe56880ccd393f2dd694e62cc13873

C:\Program Files (x86)\ewxzwbyxejrjgnyvrewxzw.yxe

MD5 a5ec834753b868dfff36a4803007907c
SHA1 caf0239babc0c363c36421a977d40cde587723be
SHA256 75397b1a5d1814d9c6b93c9c7750ac3702a0762fcd0fd4b221f0b01d62def555
SHA512 aa2526c68227d89f8d852ed7df89e95a3745f0ece0f06616d1822d026f36b7077cd2c283dd32d056ea7933842a3601d0ad814ac065690166d0187fe3ce91a479

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 09:28

Reported

2024-06-26 09:30

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vwwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boashwqirhooulzj.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vwwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgwslecylfquezrfrslc.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "rguofwsmxpyaibrdnm.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "iwjcsidwgxfgnfufo.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "ewnkeyxuidpufbujwyskb.exe" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "cshcumjeqjtwfzqdoog.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vwwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshcumjeqjtwfzqdoog.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "boashwqirhooulzj.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vwwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshcumjeqjtwfzqdoog.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vwwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boashwqirhooulzj.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "pgwslecylfquezrfrslc.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vwwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgwslecylfquezrfrslc.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "pgwslecylfquezrfrslc.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vwwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rguofwsmxpyaibrdnm.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "iwjcsidwgxfgnfufo.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vwwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewnkeyxuidpufbujwyskb.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "cshcumjeqjtwfzqdoog.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vwwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwjcsidwgxfgnfufo.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vwwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rguofwsmxpyaibrdnm.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "iwjcsidwgxfgnfufo.exe" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vwwc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rguofwsmxpyaibrdnm.exe" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "ewnkeyxuidpufbujwyskb.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "boashwqirhooulzj.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\cgjsyep = "ewnkeyxuidpufbujwyskb.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eghos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwjcsidwgxfgnfufo.exe" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iotemuhsu = "cshcumjeqjtwfzqdoog.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\welyishuyjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boashwqirhooulzj.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "boashwqirhooulzj.exe ." C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewnkeyxuidpufbujwyskb.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\welyishuyjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewnkeyxuidpufbujwyskb.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "pgwslecylfquezrfrslc.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\welyishuyjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boashwqirhooulzj.exe" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bioajsgsvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshcumjeqjtwfzqdoog.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eghos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewnkeyxuidpufbujwyskb.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iotemuhsu = "iwjcsidwgxfgnfufo.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewnkeyxuidpufbujwyskb.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eghos = "rguofwsmxpyaibrdnm.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rguofwsmxpyaibrdnm.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwakryku = "rguofwsmxpyaibrdnm.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwjcsidwgxfgnfufo.exe ." C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\welyishuyjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwjcsidwgxfgnfufo.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bioajsgsvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgwslecylfquezrfrslc.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bioajsgsvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewnkeyxuidpufbujwyskb.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eghos = "boashwqirhooulzj.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwakryku = "pgwslecylfquezrfrslc.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eghos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewnkeyxuidpufbujwyskb.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eghos = "rguofwsmxpyaibrdnm.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshcumjeqjtwfzqdoog.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwakryku = "iwjcsidwgxfgnfufo.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bioajsgsvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boashwqirhooulzj.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eghos = "pgwslecylfquezrfrslc.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwakryku = "iwjcsidwgxfgnfufo.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgwslecylfquezrfrslc.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eghos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgwslecylfquezrfrslc.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eghos = "iwjcsidwgxfgnfufo.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwakryku = "cshcumjeqjtwfzqdoog.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshcumjeqjtwfzqdoog.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "boashwqirhooulzj.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iotemuhsu = "cshcumjeqjtwfzqdoog.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eghos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshcumjeqjtwfzqdoog.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\welyishuyjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cshcumjeqjtwfzqdoog.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwakryku = "pgwslecylfquezrfrslc.exe" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eghos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rguofwsmxpyaibrdnm.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "ewnkeyxuidpufbujwyskb.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eghos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boashwqirhooulzj.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eghos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgwslecylfquezrfrslc.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iotemuhsu = "pgwslecylfquezrfrslc.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\welyishuyjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ewnkeyxuidpufbujwyskb.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iotemuhsu = "rguofwsmxpyaibrdnm.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eghos = "cshcumjeqjtwfzqdoog.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "cshcumjeqjtwfzqdoog.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "rguofwsmxpyaibrdnm.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwakryku = "boashwqirhooulzj.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwjcsidwgxfgnfufo.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eghos = "pgwslecylfquezrfrslc.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "pgwslecylfquezrfrslc.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\psuchm = "iwjcsidwgxfgnfufo.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\welyishuyjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgwslecylfquezrfrslc.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bioajsgsvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rguofwsmxpyaibrdnm.exe ." C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eghos = "ewnkeyxuidpufbujwyskb.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwakryku = "pgwslecylfquezrfrslc.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\welyishuyjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rguofwsmxpyaibrdnm.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\eghos = "C:\\Users\\Admin\\AppData\\Local\\Temp\\boashwqirhooulzj.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iotemuhsu = "ewnkeyxuidpufbujwyskb.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eghos = "ewnkeyxuidpufbujwyskb.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwakryku = "boashwqirhooulzj.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\welyishuyjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgwslecylfquezrfrslc.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\iotemuhsu = "boashwqirhooulzj.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.whatismyip.ca N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\fcyazycexxoyopnhzgfcya.yce C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
File opened for modification C:\Windows\SysWOW64\welyishuyjlghtchkcmuboyixkozbwxjs.asc C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
File created C:\Windows\SysWOW64\welyishuyjlghtchkcmuboyixkozbwxjs.asc C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
File opened for modification C:\Windows\SysWOW64\fcyazycexxoyopnhzgfcya.yce C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
File created C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
File opened for modification C:\Program Files (x86)\welyishuyjlghtchkcmuboyixkozbwxjs.asc C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
File created C:\Program Files (x86)\welyishuyjlghtchkcmuboyixkozbwxjs.asc C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\fcyazycexxoyopnhzgfcya.yce C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
File created C:\Windows\fcyazycexxoyopnhzgfcya.yce C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
File opened for modification C:\Windows\welyishuyjlghtchkcmuboyixkozbwxjs.asc C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
File created C:\Windows\welyishuyjlghtchkcmuboyixkozbwxjs.asc C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A
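
The Run/RunOnce rows further up and the System policy rows directly above are the two parts of this sample's host footprint a responder has to act on. The autostart values point at the dropped copies in the user's Temp directory (note the trailing " ." argument and the bare-filename variants such as boashwqirhooulzj.exe), and the policy writes switch UAC off (EnableLUA = 0), remove the elevation prompts (ConsentPromptBehaviorAdmin = 0, PromptOnSecureDesktop = 0), weaken the AutoRun policy (NoDriveTypeAutoRun = 1) and lock the user out of regedit (DisableRegistryTools = 1). The script below is an added example written by the editor; it is not code from the sandbox and not code from the sample. It parses rows in the report's own flattened layout, lists the autostart writes together with the registry view they land in, extracts the executable names as IOCs, and compares each policy write with a hardened Windows 7 baseline. The baseline values, the selection of sample rows and the function names are the editor's assumptions, not data from the report.

```python
"""Registry triage for the rows in this report. Added example by the editor,
not code from the sandbox or from the sample. Parses the report's flattened
'Set value (...)' rows, lists the Run/RunOnce autostart writes, and audits the
Policies\\System and Policies\\Explorer writes against a hardened baseline."""
import re

# Row layout used by the report: Set value (type) <key\value> = "<data>" <process> <target>
ROW_RE = re.compile(
    r'^Set value \((?P<kind>str|int)\) (?P<path>\S+) = "(?P<data>.*?)" (?P<proc>\S+) (?P<target>\S+)$'
)

# Expected values on a healthy Windows 7 host: the editor's assumed baseline, not report data.
BASELINE = {
    "EnableLUA": 1,                    # UAC on (read at boot, so a change needs a restart)
    "ConsentPromptBehaviorAdmin": 5,   # Win7 default: consent prompt for non-Windows binaries
    "ConsentPromptBehaviorUser": 3,    # Win7 default: credential prompt on the secure desktop
    "PromptOnSecureDesktop": 1,
    "EnableInstallerDetection": 1,
    "EnableSecureUIAPaths": 1,
    "EnableVirtualization": 1,
    "FilterAdministratorToken": 0,     # already 0 by default; the sample's write is a no-op
    "ValidateAdminCodeSignatures": 0,  # already 0 by default; the sample's write is a no-op
    "DisableRegistryTools": 0,         # 1 locks the user out of regedit
    "NoDriveTypeAutoRun": 0xFF,        # AutoRun off for every drive type
}

# Constructed sample input: rows copied from the report's tables, plus one row that is
# not a 'Set value' write, to show that such rows are ignored.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\welyishuyjl = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iwjcsidwgxfgnfufo.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bioajsgsvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pgwslecylfquezrfrslc.exe ." C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eghos = "boashwqirhooulzj.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\eghos = "rguofwsmxpyaibrdnm.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rwakryku = "pgwslecylfquezrfrslc.exe" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\eghos.exe N/A',
]

def parse_rows(lines):
    """Yield (kind, path, data, process) for every row in the report's 'Set value' layout."""
    for line in lines:
        m = ROW_RE.match(line.strip())
        if m:
            yield m.group("kind"), m.group("path"), m.group("data"), m.group("proc")

def scope(path):
    """Registry view a \\REGISTRY\\... path lands in; WOW6432Node is the 32-bit view of HKLM."""
    if path.startswith("\\REGISTRY\\MACHINE\\"):
        return "HKLM (32-bit view)" if "\\WOW6432Node\\" in path else "HKLM"
    if path.startswith("\\REGISTRY\\USER\\"):
        return "HKU"
    return "unknown"

def autostart_entries(lines):
    """Map each Run/RunOnce value path to the distinct payloads written to it, in write order.
    The last write wins on the host, but every earlier payload is still a file to hunt for."""
    entries = {}
    for kind, path, data, proc in parse_rows(lines):
        if kind != "str" or not re.search(r"\\CurrentVersion\\Run(Once)?\\", path):
            continue
        payload = data.replace("\\\\", "\\")   # the report doubles backslashes inside data
        if payload.endswith(" ."):              # the dropper starts its copies with a lone "." argument
            payload = payload[:-2]
        entries.setdefault(path, [])
        if payload not in entries[path]:
            entries[path].append(payload)
    return entries

def dropped_binaries(lines):
    """Lower-cased basenames of every executable an autostart entry points at (IOC list).
    Bare names such as boashwqirhooulzj.exe carry no directory, so match on name, not path."""
    return {p.rsplit("\\", 1)[-1].lower()
            for payloads in autostart_entries(lines).values() for p in payloads}

def policy_findings(lines):
    """Compare each int write under CurrentVersion\\Policies\\ with BASELINE.
    Returns {value_name: (written, expected)} only for writes that weaken the baseline."""
    findings = {}
    for kind, path, data, proc in parse_rows(lines):
        if kind != "int" or "\\CurrentVersion\\Policies\\" not in path:
            continue
        name = path.rsplit("\\", 1)[1]
        written, expected = int(data), BASELINE.get(name)
        if expected is not None and written != expected:
            findings[name] = (written, expected)
    return findings

if __name__ == "__main__":
    for path, payloads in autostart_entries(SAMPLE_ROWS).items():
        value_name = path.rsplit("\\", 1)[1]
        print(f"[{scope(path)}] {value_name}: {' -> '.join(payloads)}")
    print("IOC basenames:", sorted(dropped_binaries(SAMPLE_ROWS)))
    for name, (written, expected) in policy_findings(SAMPLE_ROWS).items():
        print(f"weakened {name}: written {written}, baseline {expected}")
```

Two caveats when turning this into a live check. First, the sample is a 32-bit process on 64-bit Windows, so its HKLM autostart values sit under WOW6432Node; when reading them with winreg, open the key with KEY_WOW64_32KEY or use the WOW6432Node path verbatim, otherwise the 64-bit view looks clean. Second, FilterAdministratorToken and ValidateAdminCodeSignatures are written to their default value 0, so the baseline comparison does not flag them; there the detection signal is simply that a binary running from the user's Temp directory writes UAC policy at all, and EnableLUA is only read at boot, so the EnableLUA = 0 write takes effect at the next restart rather than during this detonation.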

Processes

C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\118409a64b0d207166c07ccf998fe3f9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\eghos.exe

"C:\Users\Admin\AppData\Local\Temp\eghos.exe" "-"

C:\Users\Admin\AppData\Local\Temp\eghos.exe

"C:\Users\Admin\AppData\Local\Temp\eghos.exe" "-"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 56.74.21.104.in-addr.arpa udp
US 8.8.8.8:53 www.whatismyip.com udp
US 104.27.207.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 92.207.27.104.in-addr.arpa udp
US 104.27.207.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.27.207.92:80 www.whatismyip.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 79.223.19.104.in-addr.arpa udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.27.207.92:80 www.whatismyip.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.imdb.com udp
FR 52.222.167.201:80 www.imdb.com tcp
US 8.8.8.8:53 vsdgddzap.org udp
US 162.249.65.164:80 vsdgddzap.org tcp
US 8.8.8.8:53 201.167.222.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 yjyaladocuc.net udp
US 8.8.8.8:53 uezolsm.net udp
US 8.8.8.8:53 kwhfqnnejec.info udp
US 34.211.97.45:80 kwhfqnnejec.info tcp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 ykzthgudze.net udp
US 8.8.8.8:53 gkucss.org udp
US 8.8.8.8:53 zkmgpbhgj.com udp
US 8.8.8.8:53 dvfwqikkdn.info udp
US 8.8.8.8:53 eomqiyui.org udp
US 162.249.65.164:80 eomqiyui.org tcp
US 8.8.8.8:53 45.97.211.34.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 aemovgzgftg.info udp
US 8.8.8.8:53 retvxe.net udp
US 8.8.8.8:53 akxucef.info udp
US 8.8.8.8:53 ztqwlmqob.com udp
US 8.8.8.8:53 hazzthxrziyh.net udp
US 8.8.8.8:53 lebcyqd.com udp
US 8.8.8.8:53 tknysgkzt.net udp
US 8.8.8.8:53 dsjvnelr.net udp
US 8.8.8.8:53 jawzfnq.org udp
US 162.249.65.164:80 jawzfnq.org tcp
US 8.8.8.8:53 bcagsggzlmnj.info udp
US 8.8.8.8:53 qtqixxfqe.net udp
US 8.8.8.8:53 ngodfstltvni.net udp
US 8.8.8.8:53 cunivwtsujk.info udp
US 8.8.8.8:53 rgtcrebgl.info udp
US 8.8.8.8:53 ikzszjxmq.info udp
US 208.100.26.245:80 ikzszjxmq.info tcp
US 8.8.8.8:53 tmbwtoxxnog.com udp
US 8.8.8.8:53 nibgvqqbg.net udp
US 8.8.8.8:53 lbbyqkwsa.org udp
US 8.8.8.8:53 xmfftnfvt.info udp
US 8.8.8.8:53 bfnkdfbtnuch.info udp
US 8.8.8.8:53 yodbamrci.net udp
US 8.8.8.8:53 pxncoedltqd.info udp
US 8.8.8.8:53 cgvsxqbdl.net udp
US 8.8.8.8:53 sfbvncka.net udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 bynkxn.net udp
US 8.8.8.8:53 bznxfufj.net udp
US 8.8.8.8:53 hswepwt.com udp
US 8.8.8.8:53 plyqwryarhgd.info udp
US 8.8.8.8:53 zqfsuyn.org udp
US 8.8.8.8:53 zaonbwzcd.net udp
US 8.8.8.8:53 fdtcsoxm.net udp
US 8.8.8.8:53 kqazblnj.net udp
US 8.8.8.8:53 ddhwham.info udp
US 8.8.8.8:53 jnlutxxxbb.net udp
US 8.8.8.8:53 yvrnagjc.info udp
US 8.8.8.8:53 rbbitee.net udp
US 8.8.8.8:53 gbjhyy.info udp
US 8.8.8.8:53 cksyoqqiyoeo.org udp
US 8.8.8.8:53 ejkwarpooqax.info udp
US 8.8.8.8:53 ugnhqqfo.info udp
US 8.8.8.8:53 jydnupwk.net udp
US 8.8.8.8:53 ymhluaqf.net udp
US 8.8.8.8:53 ncsbpfzktd.info udp
US 8.8.8.8:53 qqmcgygssm.com udp
US 8.8.8.8:53 lmfgtmnejje.com udp
US 8.8.8.8:53 lzzqgigv.info udp
US 8.8.8.8:53 dxuolqscrjz.net udp
US 8.8.8.8:53 fdabrivmxgn.com udp
US 8.8.8.8:53 crjmbukkjdbw.net udp
US 8.8.8.8:53 jndtsqhi.net udp
US 8.8.8.8:53 skkamoqsic.org udp
US 8.8.8.8:53 cqaakhrql.net udp
US 8.8.8.8:53 zffqpiudbqob.info udp
US 8.8.8.8:53 ostdxxh.info udp
US 8.8.8.8:53 qumocg.org udp
US 8.8.8.8:53 cgeqrpjejzug.info udp
US 8.8.8.8:53 scqwikgk.org udp
US 8.8.8.8:53 pyxvoewpds.net udp
US 8.8.8.8:53 glhktuvujed.net udp
US 8.8.8.8:53 ndsjoe.net udp
US 8.8.8.8:53 laypxhqjvcmn.info udp
US 8.8.8.8:53 zedhwdeisode.net udp
US 8.8.8.8:53 tsqdaqzkv.net udp
US 8.8.8.8:53 cjdkskbxu.info udp
US 8.8.8.8:53 uwqyue.org udp
US 8.8.8.8:53 nrnlnch.org udp
US 8.8.8.8:53 yuuymumuqwoy.com udp
US 8.8.8.8:53 oocgwu.org udp
US 162.249.65.164:80 oocgwu.org tcp
US 8.8.8.8:53 iywyaumkoi.org udp
US 8.8.8.8:53 jafyptu.net udp
US 8.8.8.8:53 gkyyuogiok.com udp
US 8.8.8.8:53 mebzfgl.net udp
US 8.8.8.8:53 ribglrrku.com udp
US 8.8.8.8:53 oofsicvgk.net udp
US 8.8.8.8:53 ztuuvewk.info udp
US 8.8.8.8:53 jfwmvap.net udp
US 8.8.8.8:53 udiuvazud.info udp
US 8.8.8.8:53 tvpmuunno.net udp
US 8.8.8.8:53 gqhggzzsso.net udp
US 8.8.8.8:53 tanuxkhcugs.net udp
US 8.8.8.8:53 sgryhunqt.info udp
US 8.8.8.8:53 yjptxmotf.info udp
US 8.8.8.8:53 reriubgqea.info udp
US 8.8.8.8:53 twvyrobjhur.org udp
US 162.249.65.164:80 twvyrobjhur.org tcp
US 8.8.8.8:53 dprfye.net udp
US 8.8.8.8:53 fkwxwkegc.net udp
US 8.8.8.8:53 nomvmt.net udp
US 8.8.8.8:53 asysgwueei.org udp
US 8.8.8.8:53 vobgxuy.net udp
US 8.8.8.8:53 uggascemos.org udp
US 162.249.65.164:80 uggascemos.org tcp
US 8.8.8.8:53 pknuhylyaqe.com udp
US 8.8.8.8:53 tyypjhxszh.net udp
US 8.8.8.8:53 qahdxtmcddb.info udp
US 8.8.8.8:53 fionle.net udp
US 8.8.8.8:53 aolerejpua.net udp
US 8.8.8.8:53 xpustd.info udp
US 8.8.8.8:53 nrplkiujlm.info udp
US 8.8.8.8:53 egbakym.net udp
US 8.8.8.8:53 xdfylylksix.info udp
US 8.8.8.8:53 zjswuwos.info udp
US 8.8.8.8:53 nqfozsnnji.info udp
US 8.8.8.8:53 kuyceqam.org udp
US 8.8.8.8:53 lflwqwvdsn.info udp
US 8.8.8.8:53 rnwxnrvlej.net udp
US 8.8.8.8:53 zetflkl.org udp
US 8.8.8.8:53 kbhsnz.info udp
US 8.8.8.8:53 xgevxg.net udp
US 8.8.8.8:53 xuvsjinhp.com udp
US 8.8.8.8:53 kxyhfcazbd.net udp
US 8.8.8.8:53 keqsihtsnob.info udp
US 8.8.8.8:53 bogtgu.info udp
US 8.8.8.8:53 yuxgzfjlql.info udp
US 8.8.8.8:53 xvcpdhpfrmyv.net udp
US 8.8.8.8:53 hsolelxe.net udp
US 8.8.8.8:53 ugkyyg.org udp
US 8.8.8.8:53 vaqhcszbberx.net udp
US 8.8.8.8:53 cucqeu.com udp
US 8.8.8.8:53 linyrahgjztb.net udp
US 8.8.8.8:53 xpxwbyp.net udp
US 8.8.8.8:53 scyssywk.org udp
US 162.249.65.164:80 scyssywk.org tcp
US 8.8.8.8:53 objszqxufyx.info udp
US 8.8.8.8:53 mmsgbehenil.info udp
US 8.8.8.8:53 csgeec.org udp
US 8.8.8.8:53 hupytxy.net udp
US 8.8.8.8:53 aqawuk.com udp
US 8.8.8.8:53 lvpicxnk.info udp
US 8.8.8.8:53 fwhfhuuun.com udp
US 8.8.8.8:53 hnatzywd.info udp
US 8.8.8.8:53 wqugyoiime.org udp
US 8.8.8.8:53 ifangs.info udp
US 8.8.8.8:53 amdmnsbonit.info udp
US 8.8.8.8:53 nyexzeu.net udp
US 8.8.8.8:53 awfcvld.info udp
US 8.8.8.8:53 iueyaacs.com udp
US 8.8.8.8:53 fmasycnsb.net udp
US 8.8.8.8:53 pcdtxylthwb.info udp
US 8.8.8.8:53 hrzypddipjy.com udp
US 8.8.8.8:53 wkgwddtffo.info udp
US 8.8.8.8:53 kwgcyk.com udp
US 8.8.8.8:53 dgojgrvzxz.info udp
US 8.8.8.8:53 hsksahhs.net udp
US 8.8.8.8:53 gqjgdgd.info udp
US 8.8.8.8:53 tayddxqraiej.net udp
US 8.8.8.8:53 sbquvspvnr.info udp
US 8.8.8.8:53 vovshqno.net udp
US 8.8.8.8:53 dxpuzatb.info udp
US 8.8.8.8:53 hhjopwuux.info udp
US 8.8.8.8:53 fyedhyft.net udp
US 8.8.8.8:53 zswpbpbmna.net udp
US 8.8.8.8:53 ybkfgv.net udp
US 8.8.8.8:53 geawlxzejcw.net udp
US 8.8.8.8:53 ilwnrc.info udp
US 8.8.8.8:53 udhmlbuqpa.info udp
US 8.8.8.8:53 ygukukwaak.org udp
US 8.8.8.8:53 wxxwdqd.info udp
US 8.8.8.8:53 rqsgzyp.org udp
US 8.8.8.8:53 kshylkw.net udp
US 8.8.8.8:53 efochgzyukl.net udp
US 8.8.8.8:53 gbxsqkenmgge.info udp
US 8.8.8.8:53 kgeseogswa.com udp
US 8.8.8.8:53 mwlzynv.info udp
US 8.8.8.8:53 zkxwyv.info udp
US 8.8.8.8:53 ypyuoitqoa.info udp
US 8.8.8.8:53 agvakue.info udp
US 8.8.8.8:53 lpjwhfvs.info udp
US 8.8.8.8:53 jvkgyplkfgf.net udp
US 8.8.8.8:53 gykasymq.org udp
US 8.8.8.8:53 jkudqejzfc.net udp
US 8.8.8.8:53 zjzbeqyt.info udp
US 8.8.8.8:53 zmaquu.net udp
US 8.8.8.8:53 ykqgzrlqx.net udp
US 8.8.8.8:53 bqnqljllbyn.com udp
US 8.8.8.8:53 gegqai.com udp
US 8.8.8.8:53 rkhunwg.com udp
US 8.8.8.8:53 tnfgvu.info udp
US 8.8.8.8:53 wuihibpv.net udp
US 8.8.8.8:53 owgnxbuxbbo.net udp
US 8.8.8.8:53 yuwemy.org udp
US 8.8.8.8:53 woilsbpt.info udp
US 8.8.8.8:53 akridp.info udp
US 8.8.8.8:53 npxfpgnszdof.net udp
US 8.8.8.8:53 kgwkzwnuv.info udp
US 8.8.8.8:53 jcfavurdlf.info udp
US 8.8.8.8:53 rdvqtn.info udp
US 8.8.8.8:53 buntpilhk.com udp
US 8.8.8.8:53 tlqdbu.net udp
US 8.8.8.8:53 wnzshgnguffc.net udp
US 8.8.8.8:53 sqiqsuckwy.org udp
US 8.8.8.8:53 nnkapwjgdgw.com udp
US 8.8.8.8:53 efkyvvbbggoz.info udp
US 8.8.8.8:53 wmiqccygkq.com udp
US 8.8.8.8:53 eisuqa.com udp
US 8.8.8.8:53 dsryrhamwnz.info udp
US 8.8.8.8:53 kgzmsqyyn.info udp
US 8.8.8.8:53 cjrsdgmijgn.net udp
US 8.8.8.8:53 gwuyucyo.com udp
US 8.8.8.8:53 tglikq.net udp
US 8.8.8.8:53 wmqsmkckweic.org udp
US 8.8.8.8:53 kwwuaykioase.com udp
US 8.8.8.8:53 yqbhlbl.info udp
US 8.8.8.8:53 tpfxojmc.net udp
US 8.8.8.8:53 ilusdc.info udp
US 8.8.8.8:53 tsjlatxlzhn.info udp
US 8.8.8.8:53 zaoipqhmv.info udp
US 8.8.8.8:53 mwawsoweaa.org udp
US 8.8.8.8:53 shvehdrsc.net udp
US 8.8.8.8:53 aceksuiqygsi.org udp
US 8.8.8.8:53 rwnyqm.net udp
US 8.8.8.8:53 gwtkxehswgm.info udp
US 8.8.8.8:53 kyquigcgcwyg.com udp
US 8.8.8.8:53 lrakkngm.net udp
US 8.8.8.8:53 tusejmd.org udp
US 8.8.8.8:53 jcxcwolq.info udp
US 8.8.8.8:53 bijzltttzcxh.info udp
US 8.8.8.8:53 hegqjwbejgh.info udp
US 8.8.8.8:53 roaxrljzqb.info udp
US 8.8.8.8:53 bshorya.net udp
US 8.8.8.8:53 ibagxupenfu.info udp
US 8.8.8.8:53 bawjrskskqv.net udp
US 8.8.8.8:53 vkwiix.info udp
US 8.8.8.8:53 qhldjsp.net udp
US 8.8.8.8:53 cgpetec.net udp
US 8.8.8.8:53 xqnkjsj.info udp
US 8.8.8.8:53 wobxezdp.info udp
US 8.8.8.8:53 ooqusoqegi.com udp
US 8.8.8.8:53 tauyiicd.info udp
US 8.8.8.8:53 gknesehgnxb.net udp
US 8.8.8.8:53 bocmdkvowko.net udp
US 8.8.8.8:53 auowmaggsumq.org udp
US 162.249.65.164:80 auowmaggsumq.org tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 hatxpnagwufv.info udp
US 8.8.8.8:53 qetqcmnjpgi.net udp
US 8.8.8.8:53 ducibir.org udp
US 8.8.8.8:53 iwemuzvi.info udp
US 8.8.8.8:53 nqjfwuadxx.net udp
US 8.8.8.8:53 igmkkkqmaeye.com udp
US 8.8.8.8:53 jmxoblnmbevp.info udp
US 8.8.8.8:53 ajiawbfs.info udp
US 8.8.8.8:53 eqiese.org udp
US 8.8.8.8:53 tbcumriorjll.info udp
US 8.8.8.8:53 qolyxyvkfvl.net udp
US 8.8.8.8:53 dovpnbswrh.info udp
US 8.8.8.8:53 swvytsb.net udp
US 8.8.8.8:53 oysqvgqttof.info udp
US 8.8.8.8:53 earykm.net udp
US 8.8.8.8:53 hufbuml.org udp
US 8.8.8.8:53 wcyscmim.org udp
US 8.8.8.8:53 tcpcbgjjfyh.com udp
US 8.8.8.8:53 npupnd.info udp
US 8.8.8.8:53 fchyiw.net udp
US 8.8.8.8:53 cbjzcgfy.net udp
US 8.8.8.8:53 mwbhbki.info udp
US 8.8.8.8:53 wketnwlljum.net udp
US 8.8.8.8:53 eqykkm.com udp
US 8.8.8.8:53 vwwmxlvmw.com udp
US 8.8.8.8:53 yysknzzav.info udp
US 8.8.8.8:53 tihmaaaejlzb.info udp
US 8.8.8.8:53 kiixvivcp.net udp
US 8.8.8.8:53 kaykiyuc.org udp
US 8.8.8.8:53 oqyegm.org udp
US 162.249.65.164:80 oqyegm.org tcp
US 8.8.8.8:53 rvigzhhw.info udp
US 8.8.8.8:53 qowgxzsf.info udp
US 8.8.8.8:53 johvnugiauej.net udp
US 8.8.8.8:53 nivzjyxmdcn.info udp
US 8.8.8.8:53 fgnmhy.net udp
US 8.8.8.8:53 gldwfjbk.info udp
US 8.8.8.8:53 fxntxjyfuq.net udp
US 8.8.8.8:53 bcvuherif.info udp
US 8.8.8.8:53 ocdkbyr.net udp
US 8.8.8.8:53 osuqasmwkega.com udp
US 8.8.8.8:53 liiinj.info udp
US 8.8.8.8:53 dcxebv.net udp
US 8.8.8.8:53 jqredmyeb.net udp
US 8.8.8.8:53 dyrrlkpgb.net udp
US 8.8.8.8:53 nsephu.info udp
US 8.8.8.8:53 tsxahrlt.info udp
US 8.8.8.8:53 hqumvpfmmyn.net udp
US 8.8.8.8:53 cmaqegqw.com udp
US 8.8.8.8:53 oudqwgrqu.net udp
US 8.8.8.8:53 cugyqsoswc.org udp
US 8.8.8.8:53 dlenlm.net udp
US 8.8.8.8:53 zojafdj.info udp
US 8.8.8.8:53 fjrdep.net udp
US 8.8.8.8:53 sxbztnlzjsr.net udp
US 8.8.8.8:53 xrtrbrsuhcd.info udp
US 8.8.8.8:53 oenlbjpudhx.info udp
US 8.8.8.8:53 rihfigppyj.info udp
US 8.8.8.8:53 ikceekom.com udp
US 8.8.8.8:53 rgjppolx.info udp
US 8.8.8.8:53 jqhiiibml.org udp
US 8.8.8.8:53 veeirzl.com udp
US 8.8.8.8:53 drhdjqvr.info udp
US 8.8.8.8:53 vgfgxccc.info udp
US 8.8.8.8:53 nkpmaevo.info udp
US 8.8.8.8:53 hgfizrutddl.info udp
US 8.8.8.8:53 vqoekmqbnkjk.net udp
US 8.8.8.8:53 auiowousua.com udp
US 8.8.8.8:53 cyqows.org udp
US 8.8.8.8:53 xesnlz.info udp
US 8.8.8.8:53 xwhbasdnp.info udp
US 8.8.8.8:53 qwtsdhbwh.net udp
US 8.8.8.8:53 dfbjbaqnenmo.net udp
US 8.8.8.8:53 wyrrdmy.net udp
US 8.8.8.8:53 lwldae.net udp
US 8.8.8.8:53 kjzmxnhubot.info udp
US 8.8.8.8:53 wyqcaxiaddji.net udp
US 8.8.8.8:53 yswyuakuwu.org udp
US 8.8.8.8:53 ksmqumocei.org udp
US 8.8.8.8:53 iukmabtovtrt.net udp
US 8.8.8.8:53 suzqynuzjka.net udp
US 8.8.8.8:53 kcwiiy.org udp
US 8.8.8.8:53 gvnwjzmmu.info udp
US 8.8.8.8:53 fowwhqbjil.info udp
US 8.8.8.8:53 fapmez.net udp
US 8.8.8.8:53 eueeawlqb.net udp
US 8.8.8.8:53 hvdwzczsr.info udp
US 8.8.8.8:53 qcgagcerhei.info udp
US 8.8.8.8:53 pkyvhyf.info udp
US 8.8.8.8:53 pjvcgqno.info udp
US 8.8.8.8:53 jxftzikqehgg.info udp
US 8.8.8.8:53 dwvohi.info udp
US 8.8.8.8:53 woxevkxmpgr.info udp
US 8.8.8.8:53 awtueufca.net udp
US 8.8.8.8:53 gkwuccsw.com udp
US 8.8.8.8:53 devnxiqxbx.net udp
US 8.8.8.8:53 tjhabtt.info udp
US 8.8.8.8:53 ygfkmcpnvevl.info udp
US 8.8.8.8:53 ktjrvfni.info udp
US 8.8.8.8:53 pfveuyfezshg.info udp
US 8.8.8.8:53 moukjezcbfq.info udp
US 8.8.8.8:53 uvyiwulxn.net udp
US 8.8.8.8:53 xobzexfvbdji.net udp
US 8.8.8.8:53 ryierst.net udp
US 8.8.8.8:53 qopzyihxlxh.info udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 mnktbdxujf.info udp
US 8.8.8.8:53 mlrdccwdlebo.info udp
US 8.8.8.8:53 xskurrzl.info udp
US 8.8.8.8:53 valkehh.info udp
US 8.8.8.8:53 jufyekcgsgl.info udp
US 8.8.8.8:53 jexllrnohaer.info udp
US 8.8.8.8:53 txsatkxkh.net udp
US 8.8.8.8:53 gdrsyeltgf.net udp
US 8.8.8.8:53 xrzafeae.info udp
US 8.8.8.8:53 qqqcoscyie.com udp
US 8.8.8.8:53 tppgwk.net udp
US 8.8.8.8:53 uzeisptacdzd.info udp
US 8.8.8.8:53 gamwhe.info udp
US 8.8.8.8:53 wcuubrarf.info udp
US 8.8.8.8:53 kyayrrx.info udp
US 8.8.8.8:53 eqphft.info udp
US 8.8.8.8:53 dwhjvypyy.info udp
US 8.8.8.8:53 navfjv.info udp
US 8.8.8.8:53 dpzepnwnudlt.net udp
US 8.8.8.8:53 bezijaa.com udp
US 8.8.8.8:53 qpnsccbcj.info udp
US 8.8.8.8:53 zxlqrpiujp.net udp
US 8.8.8.8:53 kerkzaz.info udp
US 8.8.8.8:53 nyncnhtblcds.info udp
US 8.8.8.8:53 usqayacwag.com udp
US 8.8.8.8:53 zyoqpctyb.com udp
US 8.8.8.8:53 tcfjfkiyhji.com udp
US 8.8.8.8:53 dudplt.net udp
US 8.8.8.8:53 kudchqwepyr.net udp
US 8.8.8.8:53 mczczcy.info udp
US 8.8.8.8:53 cjleudnxfzvs.info udp
US 8.8.8.8:53 eiyqoeci.org udp
US 8.8.8.8:53 ieoohldyg.net udp
US 8.8.8.8:53 sbnwmhdd.info udp
US 8.8.8.8:53 udnbmxnx.info udp
US 8.8.8.8:53 vxjdgjwipz.info udp
US 8.8.8.8:53 wskeguqa.org udp
US 8.8.8.8:53 bghtuizz.net udp
US 8.8.8.8:53 dsotih.info udp
US 8.8.8.8:53 hlgxyqryl.com udp
US 8.8.8.8:53 gsyrbannjyhc.info udp
US 8.8.8.8:53 wsygcc.com udp
US 8.8.8.8:53 acrnwcp.net udp
US 8.8.8.8:53 vesyuca.net udp
US 8.8.8.8:53 oknmxgaxdkf.net udp
US 8.8.8.8:53 cyltuqrr.net udp
US 8.8.8.8:53 hoqkysj.info udp
US 8.8.8.8:53 tsnxecjs.net udp
US 8.8.8.8:53 weeuiqkeea.org udp
US 8.8.8.8:53 sqwjtpxip.info udp
US 8.8.8.8:53 gzelninr.net udp
US 8.8.8.8:53 jlkxbpfz.info udp
US 8.8.8.8:53 aglommn.net udp
US 8.8.8.8:53 bbqrpzbcvupc.info udp
US 8.8.8.8:53 pdsknsughu.net udp
US 8.8.8.8:53 gkllimd.info udp
US 8.8.8.8:53 wqvkxzrifmn.net udp
US 8.8.8.8:53 rdloworiw.com udp
US 8.8.8.8:53 kefujkm.net udp
US 8.8.8.8:53 ypphcb.info udp
US 8.8.8.8:53 qiwvjy.info udp
US 8.8.8.8:53 ftinhytctjdm.net udp
US 8.8.8.8:53 xusuahgmdjxv.net udp
US 8.8.8.8:53 mhyijq.info udp
US 8.8.8.8:53 wvnxwtgs.info udp
US 8.8.8.8:53 wgaacavqxhs.info udp
US 8.8.8.8:53 lerurqr.com udp
US 8.8.8.8:53 rvhelwy.net udp
US 8.8.8.8:53 aoueeueg.org udp
US 8.8.8.8:53 hujnckw.info udp
US 8.8.8.8:53 pwwleb.info udp
US 8.8.8.8:53 uckmkewakoos.org udp
US 8.8.8.8:53 kdbpzlv.net udp
US 8.8.8.8:53 cciqygswcm.org udp
US 8.8.8.8:53 slfopkzdq.net udp
US 8.8.8.8:53 dohqfnvkn.net udp
US 8.8.8.8:53 dgsozle.info udp
US 8.8.8.8:53 yvcbvi.info udp
US 8.8.8.8:53 qieskwaeumgu.com udp
US 8.8.8.8:53 vmlhqgobkpwh.net udp
US 8.8.8.8:53 anjihtgn.info udp
US 8.8.8.8:53 vtbtwnprdtdr.info udp
US 8.8.8.8:53 teywtwk.com udp
US 8.8.8.8:53 qckxwaittnuu.net udp
US 8.8.8.8:53 ccdmtofmr.info udp
US 8.8.8.8:53 tqvzkzco.info udp
US 8.8.8.8:53 ziiwdb.info udp
US 8.8.8.8:53 fjavevjc.net udp
US 8.8.8.8:53 flzsrj.net udp
US 8.8.8.8:53 ymcgceaqcu.org udp
US 8.8.8.8:53 smppzsvy.info udp
US 8.8.8.8:53 nkcovn.net udp
US 8.8.8.8:53 fqfltd.info udp
US 8.8.8.8:53 qaacrknzh.net udp
US 8.8.8.8:53 qbkmkfhqr.net udp
US 8.8.8.8:53 ajjojwjwphb.info udp
US 8.8.8.8:53 inxpxkfmh.info udp
US 8.8.8.8:53 dgbcaun.net udp
US 8.8.8.8:53 ycigxmkcnxg.info udp
US 8.8.8.8:53 dpwthhxfnpje.info udp
US 8.8.8.8:53 zqodwvfcywxt.info udp
US 8.8.8.8:53 jecgvwjvqgl.com udp
US 8.8.8.8:53 behcphxlkgz.org udp
US 8.8.8.8:53 kwcgdid.net udp
US 8.8.8.8:53 wuheyzj.info udp
US 8.8.8.8:53 bmnnfmtkdxl.info udp
US 8.8.8.8:53 gwumgkswsk.com udp
US 8.8.8.8:53 eimwgiceiy.org udp
US 8.8.8.8:53 hbalfcbztj.info udp
US 8.8.8.8:53 osqchip.net udp
US 8.8.8.8:53 dedjzp.net udp
US 8.8.8.8:53 zwxewzlyrqh.com udp
US 8.8.8.8:53 vuxulyal.info udp
US 8.8.8.8:53 gsuwyuaqyicg.org udp
US 8.8.8.8:53 frfsfjyr.info udp
US 8.8.8.8:53 wrrpqs.net udp
US 8.8.8.8:53 vyigmkbsn.net udp
US 8.8.8.8:53 jgisxmd.info udp
US 8.8.8.8:53 fzmwinbmvsnt.info udp
US 8.8.8.8:53 bttqrqrpxsjv.info udp
US 8.8.8.8:53 kwjqwys.info udp
US 8.8.8.8:53 jtyyhv.net udp
US 8.8.8.8:53 ommkcakc.com udp
US 8.8.8.8:53 zylyqstmdoh.org udp
US 8.8.8.8:53 lxfctfb.com udp
US 8.8.8.8:53 tfldcopk.net udp
US 8.8.8.8:53 nggzqtxt.info udp
US 8.8.8.8:53 vxjoacz.info udp
US 8.8.8.8:53 taawvvlqgwvi.net udp
US 8.8.8.8:53 syqcoscyie.com udp
US 8.8.8.8:53 mnhnrjucnmln.net udp
US 8.8.8.8:53 uvlvqxyijddu.net udp
US 8.8.8.8:53 rmlgyge.net udp
US 8.8.8.8:53 haldabzprdfo.info udp
US 8.8.8.8:53 wmnyodav.net udp
US 8.8.8.8:53 ekskoc.com udp
US 8.8.8.8:53 wdxhaicsckn.info udp
US 8.8.8.8:53 zkvypwmsh.net udp
US 8.8.8.8:53 quhjbdqou.net udp
US 8.8.8.8:53 puusmn.net udp
US 8.8.8.8:53 xrbklm.info udp
US 8.8.8.8:53 gwuiyg.com udp
US 8.8.8.8:53 jsvqhcltow.info udp
US 8.8.8.8:53 suicwlhzdsrh.net udp
US 8.8.8.8:53 nujjjhwmtcyu.info udp
US 8.8.8.8:53 zktvgivr.info udp
US 8.8.8.8:53 phfqsn.net udp
US 8.8.8.8:53 mxfseadcb.info udp
US 8.8.8.8:53 osfirsowmqo.info udp
US 8.8.8.8:53 tojbfbtgmfty.net udp
US 8.8.8.8:53 lgjnbpojmm.info udp
US 8.8.8.8:53 rxihyknm.net udp
US 8.8.8.8:53 yowashmh.net udp
US 8.8.8.8:53 pvqlykfq.net udp
US 8.8.8.8:53 lauwjsahfqe.com udp
US 8.8.8.8:53 drdglop.com udp
US 8.8.8.8:53 xbjvou.net udp
US 8.8.8.8:53 dtdkfhyx.net udp
US 8.8.8.8:53 zrjkew.net udp
US 8.8.8.8:53 jvcuyszjq.com udp
US 8.8.8.8:53 rgsyxmfarbh.net udp
US 8.8.8.8:53 pjouzypsxqx.net udp
US 8.8.8.8:53 pgzkvyz.com udp
US 8.8.8.8:53 vmihlahazqo.net udp
US 8.8.8.8:53 afqcpwssbe.info udp
US 8.8.8.8:53 lvnllgfef.com udp
US 8.8.8.8:53 pilfkibvly.net udp
US 8.8.8.8:53 phzoxcjclch.org udp
US 8.8.8.8:53 equhrhl.net udp
US 8.8.8.8:53 cofqgl.info udp
US 8.8.8.8:53 rrooupzvputl.net udp
US 8.8.8.8:53 bmxnhudn.net udp
US 8.8.8.8:53 uoqguq.com udp
US 8.8.8.8:53 qapsshk.net udp
US 8.8.8.8:53 sxxizutlvant.net udp
US 8.8.8.8:53 nsfkeafrtjn.info udp
US 8.8.8.8:53 fentxwuggn.info udp
US 8.8.8.8:53 iaaoakause.org udp
US 8.8.8.8:53 lopswkzypsb.org udp
US 8.8.8.8:53 ydgezsywjtli.info udp
US 8.8.8.8:53 palavclsh.info udp
US 8.8.8.8:53 jtpdhst.org udp
US 162.249.65.164:80 jtpdhst.org tcp
US 8.8.8.8:53 hfkgwjruvzfx.info udp
US 8.8.8.8:53 dilibghinoj.com udp
US 8.8.8.8:53 vphmnl.info udp
US 8.8.8.8:53 vgwwlyzwn.org udp
US 8.8.8.8:53 lsawoyz.net udp
US 8.8.8.8:53 bfvbpfllrewl.net udp
US 8.8.8.8:53 rilgoql.info udp
US 8.8.8.8:53 uavyekreff.info udp
US 8.8.8.8:53 imnqnbyod.info udp
US 8.8.8.8:53 kwlxazgum.net udp
US 8.8.8.8:53 mmncloetjqv.info udp
US 8.8.8.8:53 yvvwtcdubbd.net udp
US 8.8.8.8:53 ehdcuajdzthn.info udp
US 8.8.8.8:53 lmpdnk.net udp
US 8.8.8.8:53 tuzblutwnwb.net udp
US 8.8.8.8:53 kasuiyek.com udp
US 8.8.8.8:53 nkxapthjcw.info udp
US 8.8.8.8:53 zbtgaub.com udp
US 8.8.8.8:53 yuekak.com udp
US 8.8.8.8:53 soibtqaozldc.net udp
US 8.8.8.8:53 eypmhvxox.info udp
US 8.8.8.8:53 rqsmlao.net udp
US 8.8.8.8:53 buhqoyzy.net udp
US 8.8.8.8:53 rojwsqumfvt.com udp
US 8.8.8.8:53 dsjoajgdum.info udp
US 8.8.8.8:53 gwmjvulol.net udp
US 8.8.8.8:53 mcimqueg.com udp
US 8.8.8.8:53 lkegbexufcp.net udp
US 8.8.8.8:53 tixlgcs.info udp
US 8.8.8.8:53 tjbxolvdpmqc.info udp
US 8.8.8.8:53 yaiwwqauqmom.com udp
US 8.8.8.8:53 puhnmbvjwcyo.info udp
US 8.8.8.8:53 ilotakteky.net udp
US 8.8.8.8:53 lmlshcwbw.info udp
US 8.8.8.8:53 owkuimiokg.com udp
US 8.8.8.8:53 tmhmvauwx.org udp
US 8.8.8.8:53 iybucwuoz.net udp
US 8.8.8.8:53 mbpwcqlboe.info udp
US 8.8.8.8:53 rxphdafgz.info udp
US 8.8.8.8:53 nvkegmombev.info udp
US 8.8.8.8:53 vwzlbkneb.info udp
US 8.8.8.8:53 gwgrzthgisir.net udp
US 8.8.8.8:53 zrzbimdx.info udp
US 8.8.8.8:53 zdfqxmraf.org udp
US 162.249.65.164:80 zdfqxmraf.org tcp
US 8.8.8.8:53 tpdmlt.info udp
US 8.8.8.8:53 mmeofunehfk.info udp
US 8.8.8.8:53 cepjxldeu.info udp
US 8.8.8.8:53 vwacrgroz.info udp
US 8.8.8.8:53 lwwxpkwvzaki.net udp
US 8.8.8.8:53 qbelrytcd.info udp
US 8.8.8.8:53 bixsou.info udp
US 8.8.8.8:53 ntehezbc.info udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 qtjixsthzxnb.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 eggihif.info udp
US 8.8.8.8:53 poyzac.net udp
US 8.8.8.8:53 omuejyvdsq.info udp
US 8.8.8.8:53 podzfziejc.info udp
US 8.8.8.8:53 lictginm.info udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 famdhrjmvh.net udp
US 8.8.8.8:53 iuucwa.org udp
US 8.8.8.8:53 aqhyxevud.net udp
US 8.8.8.8:53 jvmkdb.info udp
US 8.8.8.8:53 vsfgngxssqp.org udp
US 8.8.8.8:53 zuqiqxqzmb.info udp
US 8.8.8.8:53 kyqugqywge.com udp
US 8.8.8.8:53 akcrxihch.info udp
US 8.8.8.8:53 wyuusgseka.org udp
US 8.8.8.8:53 wrzmpwckvtog.info udp
US 8.8.8.8:53 eypegkf.net udp
US 8.8.8.8:53 njdqzmpci.com udp
US 8.8.8.8:53 gounbviz.info udp
US 8.8.8.8:53 bhiidlyihaz.com udp
US 8.8.8.8:53 bydodr.net udp
US 8.8.8.8:53 yquuacmk.org udp
US 8.8.8.8:53 ludqvit.info udp
US 8.8.8.8:53 yboeosp.net udp
US 8.8.8.8:53 scwiikiswu.com udp
US 8.8.8.8:53 caaaigqkmiae.org udp
US 162.249.65.164:80 caaaigqkmiae.org tcp
US 8.8.8.8:53 hgnkroto.info udp
US 8.8.8.8:53 jhtoyqf.net udp
US 8.8.8.8:53 vqpexkdqbab.com udp
US 8.8.8.8:53 rexhfkbczid.com udp
US 8.8.8.8:53 weyrtj.net udp
US 8.8.8.8:53 gnurqsarfdrx.info udp
US 8.8.8.8:53 qicceo.com udp
US 8.8.8.8:53 csfnvv.net udp
US 8.8.8.8:53 nyufpcuymu.net udp
US 8.8.8.8:53 grbysiyi.net udp
US 8.8.8.8:53 kzxjhgaeni.net udp
US 8.8.8.8:53 oqmaeauy.org udp
US 8.8.8.8:53 jfzciyx.org udp
US 162.249.65.164:80 jfzciyx.org tcp
US 8.8.8.8:53 wsgaxdb.net udp
US 8.8.8.8:53 daefkcec.net udp
US 8.8.8.8:53 eyckcsekkkwc.com udp
US 8.8.8.8:53 zghgjuuch.info udp
US 8.8.8.8:53 ffdmxaa.info udp
US 8.8.8.8:53 sidlvctfcd.net udp
US 8.8.8.8:53 xpdppur.com udp
US 8.8.8.8:53 hihohlztfd.info udp
US 8.8.8.8:53 hasyua.info udp
US 8.8.8.8:53 zphlrd.info udp
US 8.8.8.8:53 yyymwqyqcg.com udp
US 8.8.8.8:53 cxhpao.info udp
US 8.8.8.8:53 ndlehiq.com udp
US 8.8.8.8:53 lisuez.info udp
US 8.8.8.8:53 ehwoqrboiogy.net udp
US 8.8.8.8:53 iyogkwiquaqs.org udp
US 8.8.8.8:53 qnqfwtccro.info udp
US 8.8.8.8:53 wadlzibwm.info udp
US 8.8.8.8:53 yiicek.com udp
US 8.8.8.8:53 zlpcbh.net udp
US 8.8.8.8:53 goeivnxgm.net udp
US 8.8.8.8:53 blpbrshidkt.net udp
US 8.8.8.8:53 uobmfgjcztv.info udp
US 8.8.8.8:53 niuvzzbu.info udp
US 8.8.8.8:53 asnapiuotwf.net udp
US 8.8.8.8:53 rartvm.info udp
US 8.8.8.8:53 bkpkvekvzgd.net udp
US 8.8.8.8:53 hhryrezmrwf.com udp
US 8.8.8.8:53 ygvmourunatx.net udp
US 8.8.8.8:53 vubkfchdjeh.org udp
US 8.8.8.8:53 xfvqmg.info udp
US 8.8.8.8:53 czyqpobo.info udp
US 8.8.8.8:53 barkbgzj.net udp
US 8.8.8.8:53 bdjouyjaeeb.net udp
US 8.8.8.8:53 wyxrnriz.net udp
US 8.8.8.8:53 rflinejkdgl.com udp
US 8.8.8.8:53 akjazyhklea.info udp
US 8.8.8.8:53 zmtkywp.org udp
US 162.249.65.164:80 zmtkywp.org tcp
US 8.8.8.8:53 lvxsvjfhey.net udp
US 8.8.8.8:53 hozqvimincu.net udp
US 8.8.8.8:53 kbrfawy.net udp
US 8.8.8.8:53 aacwwkuymqiq.com udp
US 8.8.8.8:53 rrkmwnrm.net udp
US 8.8.8.8:53 ntxkswwzvtf.org udp
US 8.8.8.8:53 lqwkdqhkoej.net udp
US 8.8.8.8:53 kqwkgkawws.org udp
US 8.8.8.8:53 hjzcbquzos.net udp
US 8.8.8.8:53 peffyirwg.net udp
US 8.8.8.8:53 dzpmjawy.net udp
US 8.8.8.8:53 ljthpivgt.info udp
US 8.8.8.8:53 qmeegmaw.org udp
US 8.8.8.8:53 yceqcskoeg.org udp
US 162.249.65.164:80 yceqcskoeg.org tcp
US 8.8.8.8:53 selhpuz.info udp
US 8.8.8.8:53 mtwkhnhsulgn.net udp
US 8.8.8.8:53 dwrfzvkwzpnm.info udp
US 8.8.8.8:53 adomofxvpaq.net udp
US 8.8.8.8:53 sjxngw.net udp
US 8.8.8.8:53 giqvbt.info udp
US 8.8.8.8:53 hvhwaohmcx.info udp
US 8.8.8.8:53 lqnjiqbi.net udp
US 8.8.8.8:53 cgwgaguesg.org udp
US 162.249.65.164:80 cgwgaguesg.org tcp
US 8.8.8.8:53 dantbsrqhmsd.info udp
US 8.8.8.8:53 emyogg.com udp
US 8.8.8.8:53 qkogdsn.net udp
US 8.8.8.8:53 wlntlryx.net udp
US 8.8.8.8:53 julxerwaocda.net udp
US 8.8.8.8:53 spjusakr.net udp
US 8.8.8.8:53 nkybtwpgzoi.info udp
US 8.8.8.8:53 slhelwdsl.info udp
US 8.8.8.8:53 temkffdqhcx.net udp
US 8.8.8.8:53 eeddaicgvrn.net udp
US 8.8.8.8:53 tnxpffhon.com udp
US 8.8.8.8:53 pnznddghonhc.net udp
US 8.8.8.8:53 hjwaewpidch.info udp
US 8.8.8.8:53 gwmeafacbwrh.info udp
US 8.8.8.8:53 iwdmnio.net udp
US 8.8.8.8:53 pqnawd.net udp
US 8.8.8.8:53 dlwgskqidpsc.info udp
US 8.8.8.8:53 rtldxgzsr.com udp
US 8.8.8.8:53 nggwvdxldwy.org udp
US 8.8.8.8:53 sddcnvhmxghk.net udp
US 8.8.8.8:53 aewiiuaw.com udp
US 8.8.8.8:53 qkdqch.net udp
US 8.8.8.8:53 giqpub.info udp
US 8.8.8.8:53 nczndunqshyx.info udp
US 8.8.8.8:53 gaewuaquesmc.com udp
US 8.8.8.8:53 hmwddezd.net udp
US 8.8.8.8:53 ngnmzh.net udp
US 8.8.8.8:53 dmvsbvtlq.org udp
US 8.8.8.8:53 fauqlob.info udp
US 8.8.8.8:53 vewkdsdnhy.info udp
US 8.8.8.8:53 eaisokwcuc.com udp
US 8.8.8.8:53 oaxybkrkbnh.net udp
US 8.8.8.8:53 qcxitck.info udp
US 8.8.8.8:53 lblxlwomf.net udp
US 8.8.8.8:53 dqktjez.info udp
US 8.8.8.8:53 ndyvalrcfvke.net udp
US 8.8.8.8:53 cuuewa.org udp
US 8.8.8.8:53 ltmznw.net udp
US 8.8.8.8:53 cznfqexekbez.info udp
US 8.8.8.8:53 ekamqi.org udp
US 162.249.65.164:80 ekamqi.org tcp
US 8.8.8.8:53 mwjmyuhxiuhw.net udp
US 8.8.8.8:53 zjnnisjzumd.net udp
US 8.8.8.8:53 xtqolix.net udp
US 8.8.8.8:53 smyoemiywgye.org udp
US 8.8.8.8:53 ohtaebbybj.info udp
US 8.8.8.8:53 eocwqaoqwk.com udp
US 8.8.8.8:53 xopgozy.com udp
US 8.8.8.8:53 edwqbtrqlybj.info udp
US 8.8.8.8:53 bhdzedxh.net udp
US 8.8.8.8:53 ownfpcvxhj.info udp
US 8.8.8.8:53 amhsiqjwugt.net udp
US 8.8.8.8:53 ogcuekiaes.org udp
US 8.8.8.8:53 zmdxlwjpyt.net udp
US 8.8.8.8:53 tgvofvdsh.net udp
US 8.8.8.8:53 udblefgmmj.info udp
US 8.8.8.8:53 jeicvcdhmk.net udp
US 8.8.8.8:53 ifvpahngdwtg.info udp
US 8.8.8.8:53 eqcsskwyyiug.org udp
US 162.249.65.164:80 eqcsskwyyiug.org tcp
US 8.8.8.8:53 hhpsvcwfmgfg.net udp
US 8.8.8.8:53 tbfbcyarly.info udp
US 8.8.8.8:53 pgchlxgc.net udp
US 8.8.8.8:53 dybivyzgd.net udp
US 8.8.8.8:53 puvtiu.net udp
US 8.8.8.8:53 mgqyklbwl.info udp
US 8.8.8.8:53 mpzblpvaj.info udp
US 8.8.8.8:53 kuphnghstgl.info udp
US 8.8.8.8:53 jsnojd.net udp
US 8.8.8.8:53 eweuaigycy.org udp
US 162.249.65.164:80 eweuaigycy.org tcp
US 8.8.8.8:53 hdhkhzpq.net udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp
US 8.8.8.8:53 jatcfib.com udp
US 8.8.8.8:53 dtlosfhbjv.info udp
US 8.8.8.8:53 ishstyjyxiz.net udp
US 8.8.8.8:53 clpuesoas.info udp
US 8.8.8.8:53 kpdhjzgfkn.info udp
US 8.8.8.8:53 ckqqaueogk.com udp
US 8.8.8.8:53 cagbtgo.net udp
US 8.8.8.8:53 cfjafxls.info udp
US 8.8.8.8:53 luqvio.net udp
US 8.8.8.8:53 lnpypgxguq.net udp
US 8.8.8.8:53 kgimjwxavqm.net udp
US 8.8.8.8:53 uxfhrqtkdtxg.net udp
US 8.8.8.8:53 rgrdpwvmpxbc.net udp
US 8.8.8.8:53 akcagk.org udp
US 8.8.8.8:53 eqfjmqldzg.net udp
US 8.8.8.8:53 qrhivuxkrwl.net udp
US 8.8.8.8:53 iqyukmiauscg.org udp
US 8.8.8.8:53 suzenupya.info udp
US 8.8.8.8:53 gzzhsqoo.info udp
US 8.8.8.8:53 ewaucwue.org udp
US 8.8.8.8:53 typynlerfdxk.info udp
US 8.8.8.8:53 jormhevcmsp.org udp
US 8.8.8.8:53 rdrsxai.info udp
US 8.8.8.8:53 iesciysueugw.org udp
US 8.8.8.8:53 eelsjguensp.info udp
US 8.8.8.8:53 tnaazauab.info udp
US 8.8.8.8:53 nowtvupct.net udp
US 8.8.8.8:53 agsgbgzcrpv.info udp
US 8.8.8.8:53 fnqsmcftroxg.info udp
US 8.8.8.8:53 swwqwozy.net udp
US 8.8.8.8:53 cwtklwbjrwg.net udp
US 8.8.8.8:53 xgtsict.com udp
US 8.8.8.8:53 wzxqqsksmhht.net udp
US 8.8.8.8:53 nscquai.org udp
US 8.8.8.8:53 wgayocoiwm.com udp
US 8.8.8.8:53 gohcfyv.net udp
US 8.8.8.8:53 foafmnzmsn.info udp
US 8.8.8.8:53 vhldzhjm.net udp
US 8.8.8.8:53 kcguuuas.com udp
US 8.8.8.8:53 nzjclvdw.net udp
US 8.8.8.8:53 ycaunmdur.net udp
US 8.8.8.8:53 peemhkot.net udp
US 8.8.8.8:53 gucgyo.org udp
US 8.8.8.8:53 cmioyuoiuaik.com udp
US 8.8.8.8:53 durehqhuh.info udp
US 8.8.8.8:53 bdbjeqarfj.info udp
US 8.8.8.8:53 wlflblpcjarz.info udp
US 8.8.8.8:53 jwlmww.info udp
US 8.8.8.8:53 llkarod.info udp
US 8.8.8.8:53 usnrlododvf.info udp
US 8.8.8.8:53 maiguo.org udp
US 8.8.8.8:53 ukilhqxx.info udp
US 8.8.8.8:53 jrrmaepcv.com udp
US 8.8.8.8:53 qyiwrcy.info udp
US 8.8.8.8:53 soyukqekksum.com udp
US 8.8.8.8:53 nizybszil.info udp
US 8.8.8.8:53 eeraolcegam.net udp
US 8.8.8.8:53 xynktqvih.info udp
US 8.8.8.8:53 otjneshvxgn.info udp
US 8.8.8.8:53 ruzaxrpvmyd.org udp
US 8.8.8.8:53 ljxaidzkgeyt.net udp
US 8.8.8.8:53 yqxwvdhwae.net udp
US 8.8.8.8:53 aqkysoao.com udp
US 8.8.8.8:53 hyxkzecod.net udp
US 8.8.8.8:53 pmdaylo.net udp
US 8.8.8.8:53 ykhkvljit.info udp
US 8.8.8.8:53 wdafvcx.info udp
US 8.8.8.8:53 sobyjoxadyw.info udp
US 8.8.8.8:53 uyegugkcwque.com udp
US 8.8.8.8:53 hnfclldjdx.info udp
US 8.8.8.8:53 riapuihdbpcl.net udp
US 8.8.8.8:53 neotjkse.info udp
US 8.8.8.8:53 oforpwmb.info udp
US 8.8.8.8:53 uwaekcyseggi.org udp
US 8.8.8.8:53 jrkznsbm.net udp
US 8.8.8.8:53 ukdltgkqjoxu.net udp
US 8.8.8.8:53 zoduyutrbgu.net udp
US 8.8.8.8:53 qhhtehri.info udp
US 8.8.8.8:53 ieprwgvxkx.net udp
US 8.8.8.8:53 icqeyi.org udp
US 8.8.8.8:53 nefwulmsyx.net udp
US 8.8.8.8:53 kejuzgzxamd.info udp
US 8.8.8.8:53 tkhtbh.net udp
US 8.8.8.8:53 dozidko.info udp
US 8.8.8.8:53 ospkce.net udp
US 8.8.8.8:53 xknxpkj.com udp
US 8.8.8.8:53 lrbqxqikxvb.info udp
US 8.8.8.8:53 nakolhsvxk.net udp
US 8.8.8.8:53 lfsjnt.net udp
US 8.8.8.8:53 ywkmamaiqk.org udp
US 8.8.8.8:53 jgzqagzv.net udp
US 8.8.8.8:53 mkcwrolda.info udp
US 8.8.8.8:53 bnignq.net udp
US 8.8.8.8:53 wgphziznfz.info udp
US 8.8.8.8:53 uohyimrkg.net udp
US 8.8.8.8:53 znpsldu.org udp
US 162.249.65.164:80 znpsldu.org tcp
US 8.8.8.8:53 navcxlk.org udp
US 8.8.8.8:53 eqhwcizabib.net udp
US 8.8.8.8:53 thlivefbx.net udp
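Detection logic for the pattern in the rows above, as an added example that is not part of the report or the sandbox's own tooling: within a couple of minutes the sample resolves hundreds of distinct, never-repeated hostnames over UDP/53, only a few of the .org names are followed by a TCP connection, and every such connection goes to the same peer, 162.249.65.164:80. The script parses rows in the report's "country ip:port host proto" shape, discards OS noise (the PTR lookups and the tse1.mm.bing.net fetches, excluded on the assumption that they come from Windows itself), and alerts primarily on volume and fan-in, using a lexical "random-looking label" test only as a supporting signal. The noise suffix list, the 0.3 vowel ratio, the consonant-run length and the `min_distinct` threshold are the author's tuning choices for this log, not values the report states, and the sample rows are a constructed excerpt copied from the table.

```python
"""Detect the many-lookups, few-connections, one-peer pattern seen in the network table."""
import re
from collections import Counter, defaultdict

# Constructed excerpt in the report's row shape: five report hostnames, two of which
# went on to a TCP/80 connection, plus a PTR lookup and a Microsoft CDN host that a
# detector must treat as sandbox-OS noise rather than sample activity.
SAMPLE_ROWS = """\
US 8.8.8.8:53 nqjfwuadxx.net udp
US 8.8.8.8:53 igmkkkqmaeye.com udp
US 8.8.8.8:53 oqyegm.org udp
US 162.249.65.164:80 oqyegm.org tcp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 jtpdhst.org udp
US 162.249.65.164:80 jtpdhst.org tcp
US 8.8.8.8:53 vmlhqgobkpwh.net udp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d{1,5})"
    r"\s+(?P<host>\S+)\s+(?P<proto>udp|tcp)$"
)

# Assumption: reverse lookups and Microsoft CDN traffic originate from the sandbox OS,
# so they are excluded from the statistics instead of being scored.
BENIGN_SUFFIXES = (".in-addr.arpa", ".bing.net", ".microsoft.com")
VOWELS = set("aeiou")  # 'y' is counted as a consonant


def parse_rows(text):
    """Parse report-style rows into dicts; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            row["host"] = row["host"].lower().rstrip(".")
            rows.append(row)
    return rows


def is_noise(host):
    return host.endswith(BENIGN_SUFFIXES)


def max_consonant_run(label):
    best = run = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def looks_generated(host):
    """Lexical heuristic on the second-level label: few vowels or a long consonant run.
    Supporting signal only: short labels such as oqyegm slip through, so the volume
    and fan-in checks in summarize() carry the decision."""
    parts = host.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if len(label) < 6 or not label.isalpha():
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return vowel_ratio < 0.3 or max_consonant_run(label) >= 4


def summarize(rows, min_distinct=50):
    """Aggregate one window of rows: how many distinct names were resolved, how many
    were then contacted, and whether the contacted ones fan in to a single peer."""
    queried = set()
    contacted = defaultdict(set)  # host -> {"ip:port", ...} for non-DNS flows
    for r in rows:
        if is_noise(r["host"]):
            continue
        if r["port"] == 53 and r["proto"] == "udp":
            queried.add(r["host"])
        else:
            contacted[r["host"]].add(f'{r["ip"]}:{r["port"]}')
    generated = {h for h in queried if looks_generated(h)}
    peer_fan_in = Counter(p for peers in contacted.values() for p in peers)
    ratio = len(generated) / len(queried) if queried else 0.0
    alert = len(queried) >= min_distinct and (
        ratio >= 0.5 or any(n >= 2 for n in peer_fan_in.values())
    )
    return {
        "queried": len(queried),
        "generated_like": len(generated),
        "contacted": sorted(contacted),
        "peer_fan_in": dict(peer_fan_in),
        "alert": alert,
    }


if __name__ == "__main__":
    # min_distinct is lowered here only because the excerpt is ten rows; on the full
    # table the default of 50 is far exceeded.
    print(summarize(parse_rows(SAMPLE_ROWS), min_distinct=5))
```

On the full table the same summary gives several hundred distinct names and a single peer, 162.249.65.164:80, shared by every follow-on connection, which is the figure to pivot on (block the peer, then hunt for other hosts with the same lookup volume) rather than any one of the disposable hostnames.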

Files

C:\Users\Admin\AppData\Local\Temp\eghos.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\eghos.exe

MD5 e593c52730dbb8f8745bcb31f5b46a10
SHA1 7e161f7b905f840d75ba2f425081a760d0a70576
SHA256 a59a69faef6309e8c85bc7bc62612c96f17f8a967676d2f3b7a41120007ac0a0
SHA512 3cd6b1f76ffc7dea2f71ea674b95a25fa3867bb1345d8cd1a37563611202f3072c9c0329c38077c5112a57460c8023114613d641a796444f16dccbc14b98ddad

C:\Users\Admin\AppData\Local\fcyazycexxoyopnhzgfcya.yce

MD5 f7177575bf3d1cab47228938f5a4e053
SHA1 73a0c6d006d0703219207deb0ba546dc54faea5c
SHA256 5d813bb94a2cde20933dcff4880ac530a2fd8388725c13a6dcd2d942c45e4ef0
SHA512 616415b222a0ae7e6b4f622e9a533f8d71bd1b0818d60b96a378c65645c97a0a30ccd821d8dc9821aeb7e2d71e58155969139ad2e9d8271a533ec312648c145a

C:\Users\Admin\AppData\Local\welyishuyjlghtchkcmuboyixkozbwxjs.asc

MD5 26ffb2c4561032c097905c4c651eeebf
SHA1 144f32f32c9cfc488742fa74ec8b567e5fec85c3
SHA256 083ddd6b4cf19857b8181cb15c5af7ec4b3c303eeee91390231d1528dbcf8825
SHA512 cb38d4c70318d1a50bb0071fad98c9b6fec3322fcc0bdedf524ff7dae81eceaec139850d0720e777ab265e698b6818727d1b5e13fd90ebec5808a8cba1fe6bf0

C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce

MD5 2fa9cae76b369ae6e0ef38bdea2b86cd
SHA1 20fb6cae7c5cc31ee7b60262f7753bb8318518ac
SHA256 2a3c7b335c66447b9d7148d509f9fa1181a5de2c76ae6bc8dd0ce9fc99813198
SHA512 9f18b705176138d1d24347a24fecf6cde3af999d5c703545aea3441520ea9ba051a9579c2d119f18c22119016b9c3078a3171c7435381149e867b84ca627d3f4

C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce

MD5 be06d01628fbbac093ecb9f6fce0323d
SHA1 7609f8c88dbc63cc7896a995622734194ba0cedd
SHA256 4832d8a50c021d92f08df677f4fedd040af5e83ecc7f962c0ae58180fbcfe3e8
SHA512 1b955852ef95173c22f07c89036a6dceca41caa7d036e6850e04ebc20b51980e88ceaac6b1966f69eeb3877cd60d3837a46ce514cea4c35188326aa8c66268ed

C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce

MD5 e8cc5809800f7221dc387714c1a35567
SHA1 ec0a2a1fb0287e5d427cfd93576c370144cc3100
SHA256 04676cee499f3eb943a31c7f66a2e55e60121554b73ee8d5bb6fed0c20270af0
SHA512 a19b01024334df0b0613720b12c1b6162bbc7e1bd0253da0b519778866fad8af20fb26dcaa690c3db5df9aebb282ad04c972dbdd17d0ee713b31c1c49a440f12

C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce

MD5 2c4faf3b264695e9f93ed635e6afa420
SHA1 653519f3cdc13f7027412820ab330190839703ed
SHA256 967822fa4d24ffd7a43fc89acd6707629e88f54c82e9d194d918fda2aeb328b7
SHA512 13ceaf65a3ab2afe1ea291c2418406a53466cfe220156d6960d19a32c8f43fe58aed78e23ccd8977172e8f2218752078b17debdacf4d77a01004cd41a00268f2

C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce

MD5 1cb04e4da1423a29c4b076349f255f72
SHA1 3bb511ba0cef650317362ee0dc35494deca11076
SHA256 f345fc8076a3f588d44ef9496da9a5e0edacbc1732ee756bf81c615b4e78c3c5
SHA512 3d57f7d18a0d5f6350e9a623ac77aeca1c4f6848011131b59c78f5f007e1ed095f85e28572c8f3ac6d8ea9c9d2e52544667298eb587f7c694a7c0da937dd8e84

C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce

MD5 b2afab728098431a4d7e9ecb7d23def4
SHA1 f9427e819d329d39dc7c1c3eb4d58d975bc269da
SHA256 7cc74809c8bfb7a2b2e10eafd61e5e64ed11b35e2d519499419215da34300226
SHA512 11fe881e1ef262febe2fb1ad1378f595ba085772cb9489c67899cdfec8bc938e4c5c5f50b0ea2bce959514aa727c44ec99510e5c3b65c04018abbe302b74a076

C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce

MD5 584dfd61f6ab7805afab76e5651c53f9
SHA1 9bcb60bcffe3e514d9faa4c98bce113977288d22
SHA256 84f3bcd0b205508dc35b3a1cb1205288e2bd794d1697ead0c90a060261ffdf2b
SHA512 b80459229726eff5db45c855dcacd136f55df4a1c774e1f925e58b10b9f0055d52972a0b6141f470d742700f9c3be59005eb22dc27c92adeb4637d8ceba4b611
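Two things in the listing above are easy to misread. The first eghos.exe record carries the MD5, SHA1, SHA256 and SHA512 of empty input (d41d8cd9..., da39a3ee..., e3b0c442..., cf83e135...), so it is the file as captured at creation, before the dropper wrote any content; the second record is the executable that actually ran, and its SHA256 is the one worth searching for. The Program Files (x86) .yce path then appears seven times with seven different digests, meaning the sample rewrote that file repeatedly during the run; the report does not say what it holds. The script below, an added example rather than anything from the report or the sandbox, parses records in the listing's layout, validates digest lengths, flags empty-content placeholders, groups rewrites of the same path and returns the set of real SHA256 values. The sample input is a constructed excerpt of four records copied from the listing.

```python
"""Triage of a dropped-file listing: parse path/digest records, flag records whose
digests are those of empty input, and group repeated writes to one path."""
import hashlib
from collections import defaultdict

# Constructed excerpt in the report's layout: the two eghos.exe records and the first
# two Program Files (x86) records, copied from the listing above.
SAMPLE_FILES = r"""
C:\Users\Admin\AppData\Local\Temp\eghos.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\eghos.exe

MD5 e593c52730dbb8f8745bcb31f5b46a10
SHA1 7e161f7b905f840d75ba2f425081a760d0a70576
SHA256 a59a69faef6309e8c85bc7bc62612c96f17f8a967676d2f3b7a41120007ac0a0
SHA512 3cd6b1f76ffc7dea2f71ea674b95a25fa3867bb1345d8cd1a37563611202f3072c9c0329c38077c5112a57460c8023114613d641a796444f16dccbc14b98ddad

C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce

MD5 2fa9cae76b369ae6e0ef38bdea2b86cd
SHA1 20fb6cae7c5cc31ee7b60262f7753bb8318518ac
SHA256 2a3c7b335c66447b9d7148d509f9fa1181a5de2c76ae6bc8dd0ce9fc99813198
SHA512 9f18b705176138d1d24347a24fecf6cde3af999d5c703545aea3441520ea9ba051a9579c2d119f18c22119016b9c3078a3171c7435381149e867b84ca627d3f4

C:\Program Files (x86)\fcyazycexxoyopnhzgfcya.yce

MD5 be06d01628fbbac093ecb9f6fce0323d
SHA1 7609f8c88dbc63cc7896a995622734194ba0cedd
SHA256 4832d8a50c021d92f08df677f4fedd040af5e83ecc7f962c0ae58180fbcfe3e8
SHA512 1b955852ef95173c22f07c89036a6dceca41caa7d036e6850e04ebc20b51980e88ceaac6b1966f69eeb3877cd60d3837a46ce514cea4c35188326aa8c66268ed
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of b"", computed rather than hard-coded so the comparison cannot drift.
EMPTY_DIGESTS = {name: getattr(hashlib, name.lower())(b"").hexdigest() for name in HASH_LEN}
HEX = set("0123456789abcdef")


def parse_files(text):
    """A record is a path line followed by 'ALGO hex' lines; blank lines separate records.
    Malformed digests raise, since a truncated hash is worse than a missing one."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in HASH_LEN and current is not None:
            algo, hexval = parts[0], parts[1].lower()
            if len(hexval) != HASH_LEN[algo] or not set(hexval) <= HEX:
                raise ValueError(f"malformed {algo} digest for {current['path']}: {hexval}")
            current[algo] = hexval
        else:
            current = {"path": line}
            records.append(current)
    return records


def is_empty_content(record):
    """True when every digest present is the digest of empty input."""
    algos = [a for a in HASH_LEN if a in record]
    return bool(algos) and all(record[a] == EMPTY_DIGESTS[a] for a in algos)


def triage(records):
    by_path = defaultdict(list)
    for r in records:
        by_path[r["path"]].append(r)
    real = [r for r in records if not is_empty_content(r)]
    return {
        "empty_records": [r["path"] for r in records if is_empty_content(r)],
        "rewrites": {p: len(rs) for p, rs in by_path.items() if len(rs) > 1},
        "distinct_sha256": sorted({r["SHA256"] for r in real if "SHA256" in r}),
    }


if __name__ == "__main__":
    print(triage(parse_files(SAMPLE_FILES)))
```

Run over the whole listing, `distinct_sha256` yields the one eghos.exe hash plus one hash per rewrite of the .yce file; only the former is a stable indicator, since a file that changes on every write will not match on hash across runs and is better tracked by path and by the process that writes it.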