Analysis Overview
SHA256
e13b8ea286f1d029c16412c194919057eb73732b06b0236516fa3971f493974d
Threat Level: Known bad
The file 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Pykspa family
UAC bypass
Pykspa
Detect Pykspa worm
Adds policy Run key to start application
Disables RegEdit via registry modification
Loads dropped DLL
Executes dropped EXE
Impair Defenses: Safe Mode Boot
Checks computer location settings
Looks up external IP address via web service
Hijack Execution Flow: Executable Installer File Permissions Weakness
Checks whether UAC is enabled
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Modifies registry class
System policy modification
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported
2024-10-31 02:26
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 02:26
Reported
2024-10-31 03:29
Platform
win7-20241023-en
Max time kernel
150s
Max time network
150s
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
Pykspa
Pykspa family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
Detect Pykspa worm
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbgkv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zriyvgaolytmygmnl.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbgkv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibtkiupecqmgtcjlki.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\irzguwhm = "gbvooczqqgeapajnoocx.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbgkv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrmghwumnedaqcmrtujfa.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\irzguwhm = "ibtkiupecqmgtcjlki.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\irzguwhm = "tngyxkgwvkhcqaillkx.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\irzguwhm = "vrmghwumnedaqcmrtujfa.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbgkv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tngyxkgwvkhcqaillkx.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\irzguwhm = "sjzokunawicufmrr.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\irzguwhm = "zriyvgaolytmygmnl.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\irzguwhm = "gbvooczqqgeapajnoocx.exe" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vbgkv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrmghwumnedaqcmrtujfa.exe" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nzkulqemdkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibtkiupecqmgtcjlki.exe ." | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sdnwmqdkag = "vrmghwumnedaqcmrtujfa.exe ." | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gntykk = "gbvooczqqgeapajnoocx.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\zjsapsekz = "sjzokunawicufmrr.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tbiobcm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tngyxkgwvkhcqaillkx.exe ." | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gntykk = "tngyxkgwvkhcqaillkx.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\gntykk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrmghwumnedaqcmrtujfa.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tbiobcm = "zriyvgaolytmygmnl.exe ." | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tbiobcm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gbvooczqqgeapajnoocx.exe ." | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kxjumshqiqgu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tngyxkgwvkhcqaillkx.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kxjumshqiqgu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibtkiupecqmgtcjlki.exe" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sdnwmqdkag = "gbvooczqqgeapajnoocx.exe ." | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\gntykk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sjzokunawicufmrr.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tbiobcm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrmghwumnedaqcmrtujfa.exe ." | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gntykk = "ibtkiupecqmgtcjlki.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kxjumshqiqgu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sjzokunawicufmrr.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tbiobcm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sjzokunawicufmrr.exe ." | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nzkulqemdkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrmghwumnedaqcmrtujfa.exe ." | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gntykk = "zriyvgaolytmygmnl.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\zjsapsekz = "vrmghwumnedaqcmrtujfa.exe" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kxjumshqiqgu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrmghwumnedaqcmrtujfa.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gntykk = "vrmghwumnedaqcmrtujfa.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kxjumshqiqgu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zriyvgaolytmygmnl.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gntykk = "zriyvgaolytmygmnl.exe" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sdnwmqdkag = "zriyvgaolytmygmnl.exe ." | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\gntykk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gbvooczqqgeapajnoocx.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sdnwmqdkag = "sjzokunawicufmrr.exe ." | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nzkulqemdkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sjzokunawicufmrr.exe ." | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gntykk = "sjzokunawicufmrr.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nzkulqemdkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zriyvgaolytmygmnl.exe ." | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\zjsapsekz = "gbvooczqqgeapajnoocx.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tbiobcm = "gbvooczqqgeapajnoocx.exe ." | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\tbiobcm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vrmghwumnedaqcmrtujfa.exe ." | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sdnwmqdkag = "tngyxkgwvkhcqaillkx.exe ." | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kxjumshqiqgu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gbvooczqqgeapajnoocx.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\zjsapsekz = "zriyvgaolytmygmnl.exe" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tbiobcm = "sjzokunawicufmrr.exe ." | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tbiobcm = "vrmghwumnedaqcmrtujfa.exe ." | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\zjsapsekz = "tngyxkgwvkhcqaillkx.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nzkulqemdkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibtkiupecqmgtcjlki.exe ." | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nzkulqemdkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tngyxkgwvkhcqaillkx.exe ." | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\gntykk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ibtkiupecqmgtcjlki.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\gntykk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tngyxkgwvkhcqaillkx.exe" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tbiobcm = "tngyxkgwvkhcqaillkx.exe ." | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tbiobcm = "ibtkiupecqmgtcjlki.exe ." | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sdnwmqdkag = "ibtkiupecqmgtcjlki.exe ." | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nzkulqemdkz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gbvooczqqgeapajnoocx.exe ." | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\xxwuzsuqvqtuoesbhmffe.hac | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\sdnwmqdkaguglmlfwmqblukobiyesejk.duk | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| File created | C:\Windows\SysWOW64\sdnwmqdkaguglmlfwmqblukobiyesejk.duk | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\xxwuzsuqvqtuoesbhmffe.hac | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\xxwuzsuqvqtuoesbhmffe.hac | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| File created | C:\Program Files (x86)\xxwuzsuqvqtuoesbhmffe.hac | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| File opened for modification | C:\Program Files (x86)\sdnwmqdkaguglmlfwmqblukobiyesejk.duk | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| File created | C:\Program Files (x86)\sdnwmqdkaguglmlfwmqblukobiyesejk.duk | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\xxwuzsuqvqtuoesbhmffe.hac | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| File created | C:\Windows\xxwuzsuqvqtuoesbhmffe.hac | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| File opened for modification | C:\Windows\sdnwmqdkaguglmlfwmqblukobiyesejk.duk | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| File created | C:\Windows\sdnwmqdkaguglmlfwmqblukobiyesejk.duk | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\gntykk.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\gntykk.exe
"C:\Users\Admin\AppData\Local\Temp\gntykk.exe" "-"
C:\Users\Admin\AppData\Local\Temp\gntykk.exe
"C:\Users\Admin\AppData\Local\Temp\gntykk.exe" "-"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 02:26
Reported
2024-10-31 03:28
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
Pykspa
Pykspa family
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
Detect Pykspa worm
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szofmcscpzsyo = "rdxtfavkcrpavrrqzz.exe" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szofmcscpzsyo = "itmhsmgulzwgavusa.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cpkhuqmcvlkwspqqabg.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szofmcscpzsyo = "itmhsmgulzwgavusa.exe" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szofmcscpzsyo = "bldxhatgwjfohbzw.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szofmcscpzsyo = "cpkhuqmcvlkwspqqabg.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzxlifwqhhurprsdflz.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzxlifwqhhurprsdflz.exe" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdxtfavkcrpavrrqzz.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzxlifwqhhurprsdflz.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szofmcscpzsyo = "etqpecasnfgusruwilshe.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cpkhuqmcvlkwspqqabg.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szofmcscpzsyo = "pdzxlifwqhhurprsdflz.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqpecasnfgusruwilshe.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itmhsmgulzwgavusa.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqpecasnfgusruwilshe.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itmhsmgulzwgavusa.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szofmcscpzsyo = "cpkhuqmcvlkwspqqabg.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szofmcscpzsyo = "rdxtfavkcrpavrrqzz.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdxtfavkcrpavrrqzz.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szofmcscpzsyo = "rdxtfavkcrpavrrqzz.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szofmcscpzsyo = "itmhsmgulzwgavusa.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bldxhatgwjfohbzw.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bldxhatgwjfohbzw.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "pdzxlifwqhhurprsdflz.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tbrjrizkyjdkbt = "bldxhatgwjfohbzw.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfwpyqiujvqyqjg = "itmhsmgulzwgavusa.exe ." | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqpecasnfgusruwilshe.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tzndjynwirjo = "cpkhuqmcvlkwspqqabg.exe ." | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfwpyqiujvqyqjg = "bldxhatgwjfohbzw.exe ." | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bldxhatgwjfohbzw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bldxhatgwjfohbzw.exe ." | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tbrjrizkyjdkbt = "etqpecasnfgusruwilshe.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bldxhatgwjfohbzw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bldxhatgwjfohbzw.exe ." | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdxtfavkcrpavrrqzz.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\itmhsmgulzwgavusa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdxtfavkcrpavrrqzz.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\itmhsmgulzwgavusa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzxlifwqhhurprsdflz.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "bldxhatgwjfohbzw.exe" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "cpkhuqmcvlkwspqqabg.exe" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bldxhatgwjfohbzw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cpkhuqmcvlkwspqqabg.exe ." | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\vtzhfmtuyzjgnvhsnzpntbzgno.tda | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| File created | C:\Windows\SysWOW64\vtzhfmtuyzjgnvhsnzpntbzgno.tda | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\wfwpyqiujvqyqjgcifgpgziasetfaiatqmspq.qjs | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| File created | C:\Windows\SysWOW64\wfwpyqiujvqyqjgcifgpgziasetfaiatqmspq.qjs | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\wfwpyqiujvqyqjgcifgpgziasetfaiatqmspq.qjs | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| File opened for modification | C:\Program Files (x86)\vtzhfmtuyzjgnvhsnzpntbzgno.tda | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| File created | C:\Program Files (x86)\vtzhfmtuyzjgnvhsnzpntbzgno.tda | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| File opened for modification | C:\Program Files (x86)\wfwpyqiujvqyqjgcifgpgziasetfaiatqmspq.qjs | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\vtzhfmtuyzjgnvhsnzpntbzgno.tda | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| File opened for modification | C:\Windows\wfwpyqiujvqyqjgcifgpgziasetfaiatqmspq.qjs | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| File created | C:\Windows\wfwpyqiujvqyqjgcifgpgziasetfaiatqmspq.qjs | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| File opened for modification | C:\Windows\vtzhfmtuyzjgnvhsnzpntbzgno.tda | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\edkts.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\edkts.exe
"C:\Users\Admin\AppData\Local\Temp\edkts.exe" "-"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| US | 8.8.8.8:53 | rreplnac.info | udp |
| US | 8.8.8.8:53 | deplsmueqaht.info | udp |
| US | 8.8.8.8:53 | oypkmuaop.info | udp |
| US | 8.8.8.8:53 | bilxbt.info | udp |
| US | 8.8.8.8:53 | egkmws.org | udp |
| US | 8.8.8.8:53 | mekwbmjjy.net | udp |
| US | 8.8.8.8:53 | xqeqvctmsuh.net | udp |
| US | 8.8.8.8:53 | tjhjuybds.net | udp |
| US | 8.8.8.8:53 | tipwbma.org | udp |
| US | 8.8.8.8:53 | jcrajiersib.org | udp |
| US | 8.8.8.8:53 | qqksfedvgei.net | udp |
| US | 8.8.8.8:53 | qxrwrxkgnrd.net | udp |
| US | 8.8.8.8:53 | kyjfbtbgeqk.net | udp |
| US | 8.8.8.8:53 | tktpoplyvofk.net | udp |
| US | 8.8.8.8:53 | wwocfmch.net | udp |
| US | 8.8.8.8:53 | yoosywpoyq.info | udp |
| US | 8.8.8.8:53 | qxflylnf.info | udp |
| US | 8.8.8.8:53 | qagoeiyu.org | udp |
| US | 8.8.8.8:53 | nwjyjdkebk.info | udp |
| US | 8.8.8.8:53 | eaoxchywpf.net | udp |
| US | 8.8.8.8:53 | tvaazk.info | udp |
| US | 8.8.8.8:53 | gdrzehzm.net | udp |
| US | 8.8.8.8:53 | cutoprb.net | udp |
| US | 8.8.8.8:53 | zrfldn.info | udp |
| US | 8.8.8.8:53 | hgxntkm.net | udp |
| US | 8.8.8.8:53 | gicqywqkcoim.com | udp |
| US | 8.8.8.8:53 | zbifhlqbzq.info | udp |
| US | 8.8.8.8:53 | eufmpkoyb.info | udp |
| US | 8.8.8.8:53 | nyswayxgzci.org | udp |
| US | 8.8.8.8:53 | sgsoagiiccyw.com | udp |
| US | 8.8.8.8:53 | gmwqadzidaz.net | udp |
| US | 8.8.8.8:53 | zgxascec.net | udp |
| US | 8.8.8.8:53 | sgtxzaxwver.net | udp |
| US | 8.8.8.8:53 | mskyii.com | udp |
| US | 8.8.8.8:53 | glcbnfqcwf.info | udp |
| US | 8.8.8.8:53 | owdqaydgrsg.net | udp |
| US | 8.8.8.8:53 | grblyx.net | udp |
| US | 8.8.8.8:53 | ruhafmocr.com | udp |
| US | 8.8.8.8:53 | mwqiog.com | udp |
| US | 8.8.8.8:53 | mawocsgges.org | udp |
| US | 8.8.8.8:53 | dzhuxknzcsyd.net | udp |
| US | 8.8.8.8:53 | djlicfxk.net | udp |
| US | 8.8.8.8:53 | vpzobqz.net | udp |
| US | 8.8.8.8:53 | ykznheipxvr.net | udp |
| US | 8.8.8.8:53 | kocadusob.info | udp |
| US | 8.8.8.8:53 | dbuguvooxgpt.info | udp |
| US | 8.8.8.8:53 | koyoaciymqik.org | udp |
| US | 8.8.8.8:53 | yanbdy.info | udp |
| US | 8.8.8.8:53 | rwbklxfvdgn.net | udp |
| US | 8.8.8.8:53 | uamsfdlwwt.info | udp |
| US | 8.8.8.8:53 | bpuclgzgz.org | udp |
| US | 8.8.8.8:53 | hidatmy.net | udp |
| US | 8.8.8.8:53 | dfpdvbtrlw.net | udp |
| US | 8.8.8.8:53 | ikumjvulnq.net | udp |
| US | 8.8.8.8:53 | kajpailpjmp.info | udp |
| US | 8.8.8.8:53 | iamikuwa.org | udp |
| US | 8.8.8.8:53 | fnnioigjlfne.net | udp |
| US | 8.8.8.8:53 | spnqjc.net | udp |
| US | 8.8.8.8:53 | goueeysuie.org | udp |
| US | 8.8.8.8:53 | zfeotfr.info | udp |
| US | 8.8.8.8:53 | gwgoqq.com | udp |
| US | 8.8.8.8:53 | cquaqcqy.org | udp |
| US | 8.8.8.8:53 | cvhyxcvn.net | udp |
| US | 8.8.8.8:53 | gwlaftrtj.info | udp |
| US | 8.8.8.8:53 | mcaacfuazbfc.net | udp |
| US | 8.8.8.8:53 | hygqnw.net | udp |
| US | 8.8.8.8:53 | tmpqpkdyhed.info | udp |
| US | 8.8.8.8:53 | gislpxktd.info | udp |
| US | 8.8.8.8:53 | favyruoahqs.org | udp |
| US | 8.8.8.8:53 | apkyhy.net | udp |
| US | 8.8.8.8:53 | mctqrcngxld.net | udp |
| US | 8.8.8.8:53 | dcpopmtez.com | udp |
| US | 8.8.8.8:53 | dpwoyczy.info | udp |
| US | 8.8.8.8:53 | vbguulkzamnl.net | udp |
| US | 8.8.8.8:53 | audkbiamncc.info | udp |
| US | 8.8.8.8:53 | uaxcibdzau.info | udp |
| US | 8.8.8.8:53 | zqcvgx.net | udp |
| US | 8.8.8.8:53 | ugugmeso.org | udp |
| US | 8.8.8.8:53 | fnribni.net | udp |
| US | 8.8.8.8:53 | kqqyayqyseek.com | udp |
| US | 8.8.8.8:53 | rbpwaopv.info | udp |
| US | 8.8.8.8:53 | vqrheyzex.net | udp |
| US | 8.8.8.8:53 | dttwnz.info | udp |
| US | 8.8.8.8:53 | pmnovgmmi.com | udp |
| US | 8.8.8.8:53 | jkegrujevkd.info | udp |
| US | 8.8.8.8:53 | uhpfrmiwxfmb.info | udp |
| US | 8.8.8.8:53 | xtikhexh.info | udp |
| US | 8.8.8.8:53 | rznejoyw.net | udp |
| US | 8.8.8.8:53 | yrpebucfcmmy.info | udp |
| US | 8.8.8.8:53 | benjkycqgtgi.info | udp |
| US | 8.8.8.8:53 | iptkqwxaxip.net | udp |
| US | 8.8.8.8:53 | xuzcbseiwj.net | udp |
| US | 8.8.8.8:53 | wuyaiqgeqy.com | udp |
| US | 8.8.8.8:53 | oufffbpajxrm.info | udp |
| US | 8.8.8.8:53 | vhmwlkbloe.info | udp |
| US | 8.8.8.8:53 | jjluutfrvjjy.net | udp |
| US | 8.8.8.8:53 | apwkcgfmgf.info | udp |
| US | 8.8.8.8:53 | yossigegie.org | udp |
| US | 8.8.8.8:53 | kiojjl.net | udp |
| US | 8.8.8.8:53 | uhpmrupuasn.net | udp |
| US | 8.8.8.8:53 | jfmarejsj.info | udp |
| US | 8.8.8.8:53 | iccwsyousq.com | udp |
| US | 8.8.8.8:53 | egbtjszalubd.info | udp |
| US | 8.8.8.8:53 | jonvxahqjdr.net | udp |
| US | 8.8.8.8:53 | lipurll.info | udp |
| US | 8.8.8.8:53 | hllixmp.net | udp |
| US | 8.8.8.8:53 | jdjllejihxl.net | udp |
| US | 8.8.8.8:53 | jrzyrcaozcr.org | udp |
| US | 8.8.8.8:53 | szrffljhsu.info | udp |
| US | 8.8.8.8:53 | jvgmqjnd.net | udp |
| US | 8.8.8.8:53 | tfntenujumjp.net | udp |
| US | 8.8.8.8:53 | ncwinvmbmw.net | udp |
| US | 8.8.8.8:53 | wtxthacu.net | udp |
| US | 8.8.8.8:53 | mtpahplbuo.info | udp |
| US | 8.8.8.8:53 | jthtvhsl.net | udp |
| US | 8.8.8.8:53 | lqrllmxgjjj.info | udp |
| US | 8.8.8.8:53 | qweceiiiuo.com | udp |
| US | 8.8.8.8:53 | cxlkhikkn.net | udp |
| US | 8.8.8.8:53 | uboxmv.net | udp |
| US | 8.8.8.8:53 | iacwswysqowu.com | udp |
| US | 8.8.8.8:53 | tficbrfivs.info | udp |
| US | 8.8.8.8:53 | rojfjj.info | udp |
| US | 8.8.8.8:53 | jzvilnybsmnm.net | udp |
| US | 8.8.8.8:53 | qkvkhqzazbb.net | udp |
| US | 8.8.8.8:53 | lklqdaq.com | udp |
| US | 8.8.8.8:53 | ryxdtsd.net | udp |
| US | 8.8.8.8:53 | rtdrjqux.info | udp |
| US | 8.8.8.8:53 | ymflfmomjrz.net | udp |
| US | 8.8.8.8:53 | msfmtzx.info | udp |
| US | 8.8.8.8:53 | hcjcfkproin.info | udp |
| US | 8.8.8.8:53 | gcmsyksmqe.org | udp |
| US | 8.8.8.8:53 | segaqk.com | udp |
| US | 8.8.8.8:53 | socjvnzh.net | udp |
| US | 8.8.8.8:53 | mqlssyflfus.net | udp |
| US | 8.8.8.8:53 | cikgciaceciq.org | udp |
| US | 8.8.8.8:53 | ccfgjkb.info | udp |
| US | 8.8.8.8:53 | ouqoeesiae.org | udp |
| US | 8.8.8.8:53 | jmagpwxcx.net | udp |
| US | 8.8.8.8:53 | ionojeyfxuwx.info | udp |
| US | 8.8.8.8:53 | lumwsqhoz.net | udp |
| US | 8.8.8.8:53 | agcqeyaogeek.com | udp |
| US | 8.8.8.8:53 | gvdohoqeo.info | udp |
| US | 8.8.8.8:53 | fmhiqazsog.info | udp |
| US | 8.8.8.8:53 | qubqirdevwh.net | udp |
| US | 8.8.8.8:53 | mvdksercocl.net | udp |
| US | 8.8.8.8:53 | reewxp.info | udp |
| US | 8.8.8.8:53 | mcbpfmljtmv.info | udp |
| US | 8.8.8.8:53 | ooacagqgmg.org | udp |
| US | 8.8.8.8:53 | eimuee.org | udp |
| US | 8.8.8.8:53 | jfrenmxp.net | udp |
| US | 8.8.8.8:53 | aesogkss.org | udp |
| US | 8.8.8.8:53 | sumahgtab.net | udp |
| US | 8.8.8.8:53 | fnfannqvfrh.org | udp |
| US | 8.8.8.8:53 | bmhydmh.com | udp |
| US | 8.8.8.8:53 | vrmjjlzsrn.net | udp |
| US | 8.8.8.8:53 | pgxukyi.com | udp |
| US | 8.8.8.8:53 | ryrfdcrh.info | udp |
| US | 8.8.8.8:53 | dunolqrmder.net | udp |
| US | 8.8.8.8:53 | cytbhiggufu.net | udp |
| US | 8.8.8.8:53 | tnpsragw.net | udp |
| US | 8.8.8.8:53 | hshaluj.com | udp |
| US | 8.8.8.8:53 | wsggaqgaoi.com | udp |
| US | 8.8.8.8:53 | sebgahhsh.info | udp |
| US | 8.8.8.8:53 | ajeufitgtoe.info | udp |
| US | 8.8.8.8:53 | yqqigogwgs.org | udp |
| US | 8.8.8.8:53 | ebtwtcvwacd.info | udp |
| US | 8.8.8.8:53 | oesaeigqwuki.com | udp |
| US | 8.8.8.8:53 | goegcm.org | udp |
| US | 8.8.8.8:53 | kgmgmyx.net | udp |
| US | 8.8.8.8:53 | hhbibsteqcn.info | udp |
| US | 8.8.8.8:53 | ftuvbkwe.net | udp |
| US | 8.8.8.8:53 | zzxueudu.info | udp |
| US | 8.8.8.8:53 | qgnkcaclr.info | udp |
| US | 8.8.8.8:53 | iyysmcgaoq.com | udp |
| US | 8.8.8.8:53 | qeeecquo.org | udp |
| US | 8.8.8.8:53 | pxsrzfbyrb.net | udp |
| US | 8.8.8.8:53 | muhkjsldcuj.info | udp |
| US | 8.8.8.8:53 | qcaequgeic.org | udp |
| US | 8.8.8.8:53 | acwdhrdtlp.net | udp |
| US | 8.8.8.8:53 | giziolf.info | udp |
| US | 8.8.8.8:53 | plfwlpro.info | udp |
| US | 8.8.8.8:53 | teaacdtqjap.net | udp |
| US | 8.8.8.8:53 | lrvcjxdsa.info | udp |
| US | 8.8.8.8:53 | uuegmmsyiwai.com | udp |
| US | 8.8.8.8:53 | fojyelncx.org | udp |
| US | 8.8.8.8:53 | vqprbn.net | udp |
| US | 8.8.8.8:53 | xwqowmqjhuy.info | udp |
| US | 8.8.8.8:53 | mogbcwb.net | udp |
| US | 8.8.8.8:53 | ocwxqrlmzrqp.info | udp |
| US | 8.8.8.8:53 | zskhjbnriv.net | udp |
| US | 8.8.8.8:53 | kihhfha.info | udp |
| US | 8.8.8.8:53 | ncrmjafuzox.net | udp |
| US | 8.8.8.8:53 | qedszti.info | udp |
| US | 8.8.8.8:53 | pelarcwqs.net | udp |
| US | 8.8.8.8:53 | mdainrbbifun.net | udp |
| US | 8.8.8.8:53 | ssywwsui.com | udp |
| US | 8.8.8.8:53 | yokqrnj.info | udp |
| US | 8.8.8.8:53 | bsqxxa.info | udp |
| US | 8.8.8.8:53 | qoweledox.info | udp |
| US | 8.8.8.8:53 | ruqgvfx.org | udp |
| US | 8.8.8.8:53 | zozgcobcaq.net | udp |
| US | 8.8.8.8:53 | jsbhtweal.info | udp |
| US | 8.8.8.8:53 | cywyfnhxhsxe.info | udp |
| US | 8.8.8.8:53 | cmldxprav.net | udp |
| US | 8.8.8.8:53 | lvvbnnsi.info | udp |
| US | 8.8.8.8:53 | gwofpraijm.info | udp |
| US | 8.8.8.8:53 | hjjakml.com | udp |
| US | 8.8.8.8:53 | ckqiiwceew.com | udp |
| US | 8.8.8.8:53 | virnrasrtsb.net | udp |
| US | 8.8.8.8:53 | jkyejortd.com | udp |
| US | 8.8.8.8:53 | egmxhgalqdg.net | udp |
| US | 8.8.8.8:53 | mvrlhhspnj.info | udp |
| US | 8.8.8.8:53 | rwkhidqqzk.info | udp |
| US | 8.8.8.8:53 | auhhmqeap.info | udp |
| US | 8.8.8.8:53 | pubdtrzkyif.com | udp |
| US | 8.8.8.8:53 | kadqpkblpux.info | udp |
| US | 8.8.8.8:53 | xezrsm.net | udp |
| US | 8.8.8.8:53 | emiigsiuqucm.com | udp |
| US | 8.8.8.8:53 | hiwkhqjlaks.com | udp |
| US | 8.8.8.8:53 | zcfarupgs.com | udp |
| US | 8.8.8.8:53 | ladtlpne.net | udp |
| US | 8.8.8.8:53 | ltzlgs.info | udp |
| US | 8.8.8.8:53 | rxhxfw.net | udp |
| US | 8.8.8.8:53 | tusofikpe.com | udp |
| US | 8.8.8.8:53 | zkykjxrhzafp.net | udp |
| US | 8.8.8.8:53 | iahinikmcop.info | udp |
| US | 8.8.8.8:53 | uybmdacpfmv.info | udp |
| US | 8.8.8.8:53 | qgiqgu.org | udp |
| US | 8.8.8.8:53 | lmqitul.net | udp |
| US | 8.8.8.8:53 | loregqo.com | udp |
| US | 8.8.8.8:53 | boiufieudh.info | udp |
| US | 8.8.8.8:53 | mexsbsbhjgq.info | udp |
| US | 8.8.8.8:53 | ueuzss.net | udp |
| US | 8.8.8.8:53 | pezidjrvpf.net | udp |
| US | 8.8.8.8:53 | xiorwc.net | udp |
| US | 8.8.8.8:53 | dyzlhiddzhc.org | udp |
| US | 8.8.8.8:53 | npnkxcktktuc.info | udp |
| US | 8.8.8.8:53 | liccme.net | udp |
| US | 8.8.8.8:53 | uvcodihahbp.net | udp |
| US | 8.8.8.8:53 | qackawugqsgu.org | udp |
| US | 8.8.8.8:53 | prrjtbjytutt.info | udp |
| US | 8.8.8.8:53 | ixehpua.info | udp |
| US | 8.8.8.8:53 | ylaxujjvpzdt.info | udp |
| US | 8.8.8.8:53 | xxsywgrsbmt.com | udp |
| US | 8.8.8.8:53 | veogdsdjx.com | udp |
| US | 8.8.8.8:53 | hlqltge.net | udp |
| US | 8.8.8.8:53 | rxdggychgc.info | udp |
| US | 8.8.8.8:53 | vmvulmrtvml.info | udp |
| US | 8.8.8.8:53 | wcaugq.com | udp |
| US | 8.8.8.8:53 | pedxzbrhzb.info | udp |
| US | 8.8.8.8:53 | ahhvtmpmcwa.net | udp |
| US | 8.8.8.8:53 | epjhfbjupvt.net | udp |
| US | 8.8.8.8:53 | vlsqekixshcp.net | udp |
| US | 8.8.8.8:53 | acrtztoja.net | udp |
| US | 8.8.8.8:53 | zylazkhtxwul.net | udp |
| US | 8.8.8.8:53 | wohienuohjxy.info | udp |
| US | 8.8.8.8:53 | fgnadsuyr.info | udp |
| US | 8.8.8.8:53 | vjtbergzacvr.net | udp |
| US | 8.8.8.8:53 | iwwmiiga.org | udp |
| US | 8.8.8.8:53 | utvahafwbyb.net | udp |
| US | 8.8.8.8:53 | emunwayp.info | udp |
| US | 8.8.8.8:53 | feawjoykmt.info | udp |
| US | 8.8.8.8:53 | djdyjmq.org | udp |
| US | 8.8.8.8:53 | jgzbxllqdecg.net | udp |
| US | 8.8.8.8:53 | wtigijfy.info | udp |
| US | 8.8.8.8:53 | hglapmy.com | udp |
| US | 8.8.8.8:53 | kwjynf.net | udp |
| US | 8.8.8.8:53 | iewsuwgismyc.com | udp |
| US | 8.8.8.8:53 | wejrsgt.info | udp |
| US | 8.8.8.8:53 | ikukswsqug.com | udp |
| US | 8.8.8.8:53 | asecuyemymyi.org | udp |
| US | 8.8.8.8:53 | ivvpsfru.info | udp |
| US | 8.8.8.8:53 | ovucoarud.net | udp |
| US | 8.8.8.8:53 | fiywgsvmy.org | udp |
| US | 8.8.8.8:53 | zmrarczuld.net | udp |
| US | 8.8.8.8:53 | risqvpksno.info | udp |
| US | 8.8.8.8:53 | rqvdtqhbrov.net | udp |
| US | 8.8.8.8:53 | klldkcxt.info | udp |
| US | 8.8.8.8:53 | petqhqgurso.info | udp |
| US | 8.8.8.8:53 | rwhmsmd.org | udp |
| US | 8.8.8.8:53 | dwpkzhv.com | udp |
| US | 8.8.8.8:53 | dmdszuzox.info | udp |
| US | 8.8.8.8:53 | rltwexojzn.net | udp |
| US | 8.8.8.8:53 | uwzhgmzuv.net | udp |
| US | 8.8.8.8:53 | yidwfxx.net | udp |
| US | 8.8.8.8:53 | manfclrtps.net | udp |
| US | 8.8.8.8:53 | yuuiomoyyy.org | udp |
| US | 8.8.8.8:53 | dayucgzmwkv.net | udp |
| US | 8.8.8.8:53 | ysyqiatjfqn.net | udp |
| US | 8.8.8.8:53 | aklwdjw.net | udp |
| US | 8.8.8.8:53 | awbcmj.info | udp |
| US | 8.8.8.8:53 | smbxlew.net | udp |
| US | 8.8.8.8:53 | bjpbnv.info | udp |
| US | 8.8.8.8:53 | gmcomsscmm.com | udp |
| US | 8.8.8.8:53 | wuybayvsmwt.info | udp |
| US | 8.8.8.8:53 | acvijwfis.info | udp |
| US | 8.8.8.8:53 | mgbwnoz.info | udp |
| US | 8.8.8.8:53 | zfyhyz.net | udp |
| US | 8.8.8.8:53 | lexvdclytw.net | udp |
| US | 8.8.8.8:53 | qisakqeiecqu.org | udp |
| US | 8.8.8.8:53 | fakqnwtio.info | udp |
| US | 8.8.8.8:53 | lqxrrchymdd.net | udp |
| US | 8.8.8.8:53 | iggcfwpytwa.net | udp |
| US | 8.8.8.8:53 | rhrrzodshs.net | udp |
| US | 8.8.8.8:53 | zmviuqc.net | udp |
| US | 8.8.8.8:53 | cjbbfa.info | udp |
| US | 8.8.8.8:53 | fbuolny.info | udp |
| US | 8.8.8.8:53 | ubjkxvdyen.info | udp |
| US | 8.8.8.8:53 | tuaxjj.net | udp |
| US | 8.8.8.8:53 | vkylhtylchns.net | udp |
| US | 8.8.8.8:53 | kwldve.net | udp |
| US | 8.8.8.8:53 | ushkxbyxdgg.net | udp |
| US | 8.8.8.8:53 | jgsuxu.info | udp |
| US | 8.8.8.8:53 | biztqcpnbo.info | udp |
| US | 8.8.8.8:53 | jalkbr.info | udp |
| US | 8.8.8.8:53 | ywwmui.com | udp |
| US | 8.8.8.8:53 | icamqekk.com | udp |
| US | 8.8.8.8:53 | cxffzmlflm.info | udp |
| US | 8.8.8.8:53 | tzitmdbojg.info | udp |
| US | 8.8.8.8:53 | jbcvjgvwyjs.com | udp |
| US | 8.8.8.8:53 | gqcaieqq.com | udp |
| US | 8.8.8.8:53 | qybzbvijw.net | udp |
| US | 8.8.8.8:53 | maltyz.net | udp |
| US | 8.8.8.8:53 | qqaakgik.com | udp |
| US | 8.8.8.8:53 | geaaww.com | udp |
| US | 8.8.8.8:53 | jiepvplpp.com | udp |
| US | 8.8.8.8:53 | nzhiqmukju.net | udp |
| US | 8.8.8.8:53 | usztsauxtyh.net | udp |
| US | 8.8.8.8:53 | dwfebekyt.org | udp |
| US | 8.8.8.8:53 | foxunotgt.info | udp |
| US | 8.8.8.8:53 | jljmmpkm.info | udp |
| US | 8.8.8.8:53 | bktpfwsl.net | udp |
| US | 8.8.8.8:53 | umaisoki.org | udp |
| US | 8.8.8.8:53 | nkngwelszpw.com | udp |
| US | 8.8.8.8:53 | iplqdlbmaiyt.info | udp |
| US | 8.8.8.8:53 | chjexjzkhlkh.net | udp |
| US | 8.8.8.8:53 | nleosc.info | udp |
| US | 8.8.8.8:53 | fqnmjmuhxok.com | udp |
| US | 8.8.8.8:53 | rxwwcoo.info | udp |
| US | 8.8.8.8:53 | yeseee.com | udp |
| HK | 156.237.207.232:80 | yeseee.com | tcp |
| US | 8.8.8.8:53 | nsdczpbuv.org | udp |
| US | 8.8.8.8:53 | ooqukgac.org | udp |
| US | 8.8.8.8:53 | jupejihn.info | udp |
| US | 8.8.8.8:53 | qixixgm.info | udp |
| US | 8.8.8.8:53 | rglihqg.net | udp |
| US | 8.8.8.8:53 | xcuoob.net | udp |
| US | 8.8.8.8:53 | zglmzwrvfqt.net | udp |
| US | 8.8.8.8:53 | taxsnux.com | udp |
| US | 8.8.8.8:53 | ctnnvorm.net | udp |
| US | 8.8.8.8:53 | rwppcksgvpr.info | udp |
| US | 8.8.8.8:53 | iwlpzasaqq.net | udp |
| US | 8.8.8.8:53 | xufmbifox.com | udp |
| US | 8.8.8.8:53 | oltwlpckmgjf.net | udp |
| US | 8.8.8.8:53 | dqdclqf.org | udp |
| US | 8.8.8.8:53 | zcqtozpvxqyv.info | udp |
| US | 8.8.8.8:53 | dhcotdckbsyv.info | udp |
| US | 8.8.8.8:53 | zgytjbbbat.net | udp |
| US | 8.8.8.8:53 | ojtqeup.net | udp |
| US | 8.8.8.8:53 | eeoywock.org | udp |
| US | 8.8.8.8:53 | bakfznqyjrsl.net | udp |
| US | 8.8.8.8:53 | logqtj.info | udp |
| US | 8.8.8.8:53 | tfmcwyiwg.net | udp |
| US | 8.8.8.8:53 | ogwohcrtdrb.net | udp |
| US | 8.8.8.8:53 | lsguvuwcdhr.org | udp |
| US | 8.8.8.8:53 | mgmuaquyaqku.com | udp |
| US | 8.8.8.8:53 | tsxauoqgjzf.net | udp |
| US | 8.8.8.8:53 | vccialjax.com | udp |
| US | 8.8.8.8:53 | zlnsqae.org | udp |
| US | 8.8.8.8:53 | dgdmerp.com | udp |
| US | 8.8.8.8:53 | vvtmefthxtnh.info | udp |
| US | 8.8.8.8:53 | kyxaonsuhep.info | udp |
| US | 8.8.8.8:53 | qroqqmldjbct.net | udp |
| US | 8.8.8.8:53 | hudifyjmlqhj.info | udp |
| US | 8.8.8.8:53 | dqgihaaagkt.net | udp |
| US | 8.8.8.8:53 | beklnku.com | udp |
| US | 8.8.8.8:53 | kigkawog.org | udp |
| US | 8.8.8.8:53 | zojrhyubimxp.info | udp |
| US | 8.8.8.8:53 | gyjspysibox.net | udp |
| US | 8.8.8.8:53 | tixevcrizvei.info | udp |
| US | 8.8.8.8:53 | jzprnhdk.info | udp |
| US | 8.8.8.8:53 | nicxrmrxya.net | udp |
| US | 8.8.8.8:53 | dvxstrjqf.org | udp |
| US | 8.8.8.8:53 | syxplyhsp.info | udp |
| US | 8.8.8.8:53 | xwpgntks.info | udp |
| US | 8.8.8.8:53 | lwjpkg.info | udp |
| US | 8.8.8.8:53 | rhlajjwstnu.info | udp |
| US | 8.8.8.8:53 | awuswsny.info | udp |
| US | 8.8.8.8:53 | bjteet.info | udp |
| US | 8.8.8.8:53 | kcckannujgyh.info | udp |
| US | 8.8.8.8:53 | pvabwcrw.info | udp |
| US | 8.8.8.8:53 | qmvygc.net | udp |
| US | 8.8.8.8:53 | liwertlarxh.info | udp |
| US | 8.8.8.8:53 | wuaowaqemkyq.com | udp |
| US | 8.8.8.8:53 | kspgprq.net | udp |
| US | 8.8.8.8:53 | vdinsezipu.net | udp |
| US | 8.8.8.8:53 | wkxvpfh.net | udp |
| US | 8.8.8.8:53 | jyptjre.info | udp |
| US | 8.8.8.8:53 | yyhhtddubytv.info | udp |
| US | 8.8.8.8:53 | rvmonfphd.org | udp |
| US | 8.8.8.8:53 | nuwaragvj.net | udp |
| US | 8.8.8.8:53 | cgqlzteyzjzc.net | udp |
| US | 8.8.8.8:53 | mlibuksr.net | udp |
| US | 8.8.8.8:53 | qeaqigwkksuy.org | udp |
| US | 8.8.8.8:53 | wcjnfqest.net | udp |
| US | 8.8.8.8:53 | rbgixyjadaw.org | udp |
| US | 8.8.8.8:53 | oycopuz.net | udp |
| US | 8.8.8.8:53 | gkqmmayc.com | udp |
| US | 8.8.8.8:53 | mfxmirp.net | udp |
| US | 8.8.8.8:53 | nyzxtwhngyy.net | udp |
| US | 8.8.8.8:53 | bcksphj.net | udp |
| US | 8.8.8.8:53 | nawqpqdy.net | udp |
| US | 8.8.8.8:53 | pazukwh.net | udp |
| US | 8.8.8.8:53 | fyfeusbapkt.com | udp |
| US | 8.8.8.8:53 | moyswwkmmo.com | udp |
| US | 8.8.8.8:53 | lafqxmoqvsn.net | udp |
| US | 8.8.8.8:53 | kqlhdfowfszv.net | udp |
| US | 8.8.8.8:53 | egpfexyxtqp.net | udp |
| US | 8.8.8.8:53 | kmoeky.org | udp |
| US | 8.8.8.8:53 | xanwqkg.info | udp |
| US | 8.8.8.8:53 | halaxnxu.net | udp |
| US | 8.8.8.8:53 | bumwwqyapkv.com | udp |
| US | 8.8.8.8:53 | acjdjvbb.info | udp |
| US | 8.8.8.8:53 | xygbdoqlv.org | udp |
| US | 8.8.8.8:53 | wsxrzltsslvz.net | udp |
| US | 8.8.8.8:53 | lwoitwgsy.com | udp |
| US | 8.8.8.8:53 | khxrpyyoc.net | udp |
| US | 8.8.8.8:53 | pzeasebtsh.net | udp |
| US | 8.8.8.8:53 | fofcgchur.net | udp |
| US | 8.8.8.8:53 | kgbgpalkjgb.net | udp |
| US | 8.8.8.8:53 | curalbjff.info | udp |
| US | 8.8.8.8:53 | ehzctauwlym.net | udp |
| US | 8.8.8.8:53 | sbaahgbwakv.info | udp |
| US | 8.8.8.8:53 | ukjetskkr.net | udp |
| US | 8.8.8.8:53 | icaijmduf.net | udp |
| US | 8.8.8.8:53 | yhnfzyj.net | udp |
| US | 8.8.8.8:53 | ttoezwzmr.info | udp |
| US | 8.8.8.8:53 | kazyicyavtoq.info | udp |
| US | 8.8.8.8:53 | bvnbig.net | udp |
| US | 8.8.8.8:53 | hiqbgazlts.info | udp |
| US | 8.8.8.8:53 | cfwjbujktq.info | udp |
| US | 8.8.8.8:53 | fgkxeu.info | udp |
| US | 8.8.8.8:53 | mcfxtyrct.net | udp |
| US | 8.8.8.8:53 | qyhssin.net | udp |
| US | 8.8.8.8:53 | stfhbwifvy.info | udp |
| US | 8.8.8.8:53 | mdocyfhi.net | udp |
| US | 8.8.8.8:53 | mogixirmhoe.info | udp |
| US | 8.8.8.8:53 | fgyojpnggd.info | udp |
| US | 8.8.8.8:53 | rsuwsvs.com | udp |
| US | 8.8.8.8:53 | hjjekqeyygjy.info | udp |
| US | 8.8.8.8:53 | eugibwzdzye.net | udp |
| US | 8.8.8.8:53 | bltnfskynsdk.info | udp |
| US | 8.8.8.8:53 | efdlohhy.info | udp |
| US | 8.8.8.8:53 | wyvslia.info | udp |
| US | 8.8.8.8:53 | uibqecrungi.info | udp |
| US | 8.8.8.8:53 | zitiqkxzo.info | udp |
| US | 8.8.8.8:53 | fvrzjt.net | udp |
| US | 8.8.8.8:53 | gwgmoe.org | udp |
| US | 8.8.8.8:53 | wouyskxop.net | udp |
| US | 8.8.8.8:53 | rzxkndphhhxo.info | udp |
| US | 8.8.8.8:53 | eyfmzzf.info | udp |
| US | 8.8.8.8:53 | xihsxopjngf.com | udp |
| US | 8.8.8.8:53 | pmvwlcgtpsd.com | udp |
| US | 8.8.8.8:53 | mfxipqvjadb.net | udp |
| US | 8.8.8.8:53 | xioxbgugln.info | udp |
| US | 8.8.8.8:53 | pzpoocqcwp.net | udp |
| US | 8.8.8.8:53 | oyyeygka.org | udp |
| US | 8.8.8.8:53 | ubiczifp.info | udp |
| US | 8.8.8.8:53 | bgdqgf.net | udp |
| US | 8.8.8.8:53 | ntnatkxsyx.info | udp |
| US | 8.8.8.8:53 | ecdidcfdvek.info | udp |
| US | 8.8.8.8:53 | jlhwlgwux.info | udp |
| US | 8.8.8.8:53 | zujpfgswhq.info | udp |
| US | 8.8.8.8:53 | cgkcui.org | udp |
| US | 8.8.8.8:53 | encztcna.net | udp |
| US | 8.8.8.8:53 | upxkhuzkr.info | udp |
| US | 8.8.8.8:53 | sggoigguci.org | udp |
| US | 8.8.8.8:53 | ycxvrvto.info | udp |
| US | 8.8.8.8:53 | uzyrzgnpof.info | udp |
| US | 8.8.8.8:53 | cuevrsal.net | udp |
| US | 8.8.8.8:53 | uejsewzctcp.info | udp |
| US | 8.8.8.8:53 | eqwkxorsw.net | udp |
| US | 8.8.8.8:53 | holzjirur.net | udp |
| US | 8.8.8.8:53 | sticcotobh.net | udp |
| US | 8.8.8.8:53 | amvbrfhisy.info | udp |
| US | 8.8.8.8:53 | abfumij.net | udp |
| US | 8.8.8.8:53 | dhdgtd.info | udp |
| US | 8.8.8.8:53 | zuigfimcq.org | udp |
| US | 8.8.8.8:53 | rzzqkof.com | udp |
| US | 8.8.8.8:53 | sbablr.net | udp |
| US | 8.8.8.8:53 | aeaqis.org | udp |
| US | 8.8.8.8:53 | oezfxoxed.info | udp |
| US | 8.8.8.8:53 | qutmlb.net | udp |
| US | 8.8.8.8:53 | mmmygcbl.info | udp |
| US | 8.8.8.8:53 | aubgzylblcd.info | udp |
| US | 8.8.8.8:53 | uuecll.net | udp |
| US | 8.8.8.8:53 | xbwrfdzo.net | udp |
| US | 8.8.8.8:53 | uacoqg.org | udp |
| US | 8.8.8.8:53 | mxdkvut.net | udp |
| US | 8.8.8.8:53 | okzmqiuyb.net | udp |
| US | 8.8.8.8:53 | zcydmjuf.net | udp |
| US | 8.8.8.8:53 | rkayvedtwt.net | udp |
| US | 8.8.8.8:53 | gemytokeg.info | udp |
| US | 8.8.8.8:53 | rzvctlgw.info | udp |
| US | 8.8.8.8:53 | rcrcrbxww.net | udp |
| US | 8.8.8.8:53 | irxlvbzv.net | udp |
| US | 8.8.8.8:53 | lzkscytm.net | udp |
| US | 8.8.8.8:53 | sdhwtkcotcx.info | udp |
| US | 8.8.8.8:53 | xjxxpnqk.info | udp |
| US | 8.8.8.8:53 | sxcxdyyo.net | udp |
| US | 8.8.8.8:53 | ocmwkuug.com | udp |
| US | 8.8.8.8:53 | pyjuxpj.info | udp |
| US | 8.8.8.8:53 | lswfftwe.info | udp |
| US | 8.8.8.8:53 | nqduclfqjcz.net | udp |
| US | 8.8.8.8:53 | qykiwwas.org | udp |
| US | 8.8.8.8:53 | kkfbin.net | udp |
| US | 8.8.8.8:53 | qpdrppjtoy.info | udp |
| US | 8.8.8.8:53 | pcjldzf.org | udp |
| US | 8.8.8.8:53 | nflpfx.info | udp |
| US | 8.8.8.8:53 | oqomegwymogm.com | udp |
| US | 8.8.8.8:53 | ptbxyixaqem.info | udp |
| US | 8.8.8.8:53 | hvwyzo.info | udp |
| US | 8.8.8.8:53 | xoxqgoahhc.info | udp |
| US | 8.8.8.8:53 | ogicoa.com | udp |
| US | 8.8.8.8:53 | quaegwsocm.com | udp |
| US | 8.8.8.8:53 | eiqxdmdcfsb.net | udp |
| US | 8.8.8.8:53 | hbxffqruv.com | udp |
| US | 8.8.8.8:53 | geysxeqmhf.net | udp |
| US | 8.8.8.8:53 | dwsikogj.info | udp |
| US | 8.8.8.8:53 | xlqwso.info | udp |
| US | 8.8.8.8:53 | abucqfvhsj.net | udp |
| US | 8.8.8.8:53 | vbuckblv.net | udp |
| US | 8.8.8.8:53 | xhfvtqlp.info | udp |
| US | 8.8.8.8:53 | mwvmlc.info | udp |
| US | 8.8.8.8:53 | wkgkywec.com | udp |
| US | 8.8.8.8:53 | tecjjzzorfjw.net | udp |
| US | 8.8.8.8:53 | dtburqbap.net | udp |
| US | 8.8.8.8:53 | xgnijggfclh.com | udp |
| US | 8.8.8.8:53 | wjdqglpu.net | udp |
| US | 8.8.8.8:53 | yaqyiwwmowiw.org | udp |
| US | 8.8.8.8:53 | gaicbilffnqm.net | udp |
| US | 8.8.8.8:53 | mmmwquoi.com | udp |
| US | 8.8.8.8:53 | sizstixqn.net | udp |
| US | 8.8.8.8:53 | xykijz.info | udp |
| US | 8.8.8.8:53 | aesemxraicga.net | udp |
| US | 8.8.8.8:53 | wsyqzjzsjih.info | udp |
| US | 8.8.8.8:53 | drzwdoay.info | udp |
| US | 8.8.8.8:53 | iwddnenj.net | udp |
| US | 8.8.8.8:53 | iuecpck.info | udp |
| US | 8.8.8.8:53 | duvprllelwtw.net | udp |
| US | 8.8.8.8:53 | siamww.com | udp |
| US | 8.8.8.8:53 | czcanez.net | udp |
| US | 8.8.8.8:53 | ilbehed.info | udp |
| US | 8.8.8.8:53 | rggdoixu.net | udp |
| US | 8.8.8.8:53 | linjuhruei.net | udp |
| US | 8.8.8.8:53 | ltnavcbkj.com | udp |
| US | 8.8.8.8:53 | eycowimwak.org | udp |
| US | 8.8.8.8:53 | hfgkacxqinla.net | udp |
| US | 8.8.8.8:53 | jflhce.net | udp |
| US | 8.8.8.8:53 | ggawyeqq.com | udp |
| US | 8.8.8.8:53 | jdtkmlvyly.info | udp |
| US | 8.8.8.8:53 | fcpobnvzhvdg.net | udp |
| US | 8.8.8.8:53 | uwougiow.com | udp |
| US | 8.8.8.8:53 | xizjfuqnvubh.info | udp |
| US | 8.8.8.8:53 | mlvgtfdc.info | udp |
| US | 8.8.8.8:53 | mopvtgceqps.net | udp |
| US | 8.8.8.8:53 | qbhrzdmj.info | udp |
| US | 8.8.8.8:53 | iusiogeeos.org | udp |
| US | 8.8.8.8:53 | gawwocagwamw.com | udp |
| US | 8.8.8.8:53 | aemnosge.net | udp |
| US | 8.8.8.8:53 | gzrccmtbj.info | udp |
| US | 8.8.8.8:53 | zimefilka.info | udp |
| US | 8.8.8.8:53 | lrowcjkt.net | udp |
| US | 8.8.8.8:53 | zwmpdvzgykqh.net | udp |
| US | 8.8.8.8:53 | xflmjpy.org | udp |
| US | 8.8.8.8:53 | umofvvuzanyj.info | udp |
| US | 8.8.8.8:53 | bytsckeozwz.info | udp |
| US | 8.8.8.8:53 | tqroxinv.info | udp |
| US | 8.8.8.8:53 | wuowykmi.com | udp |
| US | 8.8.8.8:53 | virzbcbvavzg.net | udp |
| US | 8.8.8.8:53 | gakqxzuyk.info | udp |
| US | 8.8.8.8:53 | ovmqtrznf.net | udp |
| US | 8.8.8.8:53 | jgvrkiyluw.net | udp |
| US | 8.8.8.8:53 | rvbptt.info | udp |
| US | 8.8.8.8:53 | yuzaphgs.info | udp |
| US | 8.8.8.8:53 | wzbpcjdgiy.info | udp |
| US | 8.8.8.8:53 | fjswfmxs.net | udp |
| US | 8.8.8.8:53 | edgyzltorwx.net | udp |
| US | 8.8.8.8:53 | vanjpyu.com | udp |
| US | 8.8.8.8:53 | aqgmkwgqmowe.com | udp |
| US | 8.8.8.8:53 | zlhivkfu.info | udp |
| US | 8.8.8.8:53 | wkfpjufcsit.info | udp |
| US | 8.8.8.8:53 | rawyyqaqr.info | udp |
| US | 8.8.8.8:53 | ecgmkrnfvh.net | udp |
| US | 8.8.8.8:53 | nymmyvhu.net | udp |
| US | 8.8.8.8:53 | oklwmhsexc.net | udp |
| US | 8.8.8.8:53 | mqflhpfwc.info | udp |
| US | 8.8.8.8:53 | iqgeguycas.com | udp |
| US | 8.8.8.8:53 | bjngfvowdxrl.net | udp |
| US | 8.8.8.8:53 | ugdmtph.net | udp |
| US | 8.8.8.8:53 | lupwbwqxxl.info | udp |
| US | 8.8.8.8:53 | kxzzuvklua.net | udp |
| US | 8.8.8.8:53 | zublrmoatxm.com | udp |
| US | 8.8.8.8:53 | ywbmxtjsfezl.info | udp |
| US | 8.8.8.8:53 | gaagqkyyskeg.com | udp |
| US | 8.8.8.8:53 | fytqtdparf.net | udp |
| US | 8.8.8.8:53 | intibfdqg.info | udp |
| US | 8.8.8.8:53 | qyqciooc.org | udp |
| US | 8.8.8.8:53 | ygaayqgs.com | udp |
| US | 8.8.8.8:53 | kzyjussbhp.net | udp |
| US | 8.8.8.8:53 | uxrmbazwdnqf.net | udp |
| US | 8.8.8.8:53 | rbcclaud.net | udp |
| US | 8.8.8.8:53 | raazpygl.net | udp |
| US | 8.8.8.8:53 | qunsptr.net | udp |
| US | 8.8.8.8:53 | wqaeamce.org | udp |
| US | 8.8.8.8:53 | mesoouesiwqo.com | udp |
| US | 8.8.8.8:53 | lgbyaoeqx.net | udp |
| US | 8.8.8.8:53 | kalwvvjyo.info | udp |
| US | 8.8.8.8:53 | ssmxzo.info | udp |
| US | 8.8.8.8:53 | jzylbwusi.com | udp |
| US | 8.8.8.8:53 | ingowfhbjs.info | udp |
| US | 8.8.8.8:53 | tboyrtniuyn.net | udp |
| US | 8.8.8.8:53 | sgjmtwuolmj.net | udp |
| US | 8.8.8.8:53 | lomwdbghox.info | udp |
| US | 8.8.8.8:53 | hjfkrp.net | udp |
| US | 8.8.8.8:53 | ikyzykqo.net | udp |
| US | 8.8.8.8:53 | htkinw.net | udp |
| US | 8.8.8.8:53 | macuaiyeuqqe.org | udp |
| US | 8.8.8.8:53 | pmfgftl.info | udp |
| US | 8.8.8.8:53 | trbiuudttbvu.info | udp |
| US | 8.8.8.8:53 | swckicsmiaiu.com | udp |
| US | 8.8.8.8:53 | hjzcbeg.net | udp |
| US | 8.8.8.8:53 | hqjkhqc.net | udp |
| US | 8.8.8.8:53 | iqjkiytxpcb.net | udp |
| US | 8.8.8.8:53 | haddjeg.net | udp |
| US | 8.8.8.8:53 | ldhhdhrsjsoa.net | udp |
| US | 8.8.8.8:53 | aaugmocmog.org | udp |
| US | 8.8.8.8:53 | tzhsthey.net | udp |
| US | 8.8.8.8:53 | zoiozxmw.info | udp |
| US | 8.8.8.8:53 | mwycqayuwe.com | udp |
| US | 8.8.8.8:53 | tqpwitfr.info | udp |
| US | 8.8.8.8:53 | euecceqesg.com | udp |
| US | 8.8.8.8:53 | lmwekvswnk.net | udp |
| US | 8.8.8.8:53 | fvljsbupim.net | udp |
| US | 8.8.8.8:53 | moecfgdk.net | udp |
| US | 8.8.8.8:53 | yssrraxqr.net | udp |
| US | 8.8.8.8:53 | atpsjmvhsmb.net | udp |
| US | 8.8.8.8:53 | whdbraphcsca.info | udp |
| US | 8.8.8.8:53 | gieczezmf.net | udp |
| US | 8.8.8.8:53 | emiiuqqoyiiu.org | udp |
| US | 8.8.8.8:53 | rocoyd.net | udp |
| US | 8.8.8.8:53 | picviuesvw.info | udp |
| US | 8.8.8.8:53 | jrjahxhbus.net | udp |
| US | 8.8.8.8:53 | dewgvrjsbws.org | udp |
| US | 8.8.8.8:53 | rkhebqt.info | udp |
| US | 8.8.8.8:53 | syafkh.net | udp |
| US | 8.8.8.8:53 | wnnzwwddch.net | udp |
| US | 8.8.8.8:53 | cmhonkuaizv.info | udp |
| US | 8.8.8.8:53 | fyvihcbav.com | udp |
| US | 8.8.8.8:53 | xgnijggfclh.com | udp |
| US | 8.8.8.8:53 | lkxmpkc.net | udp |
| N/A | 192.168.28.2:445 | tcp | |
| US | 8.8.8.8:53 | osgyoymcci.org | udp |
| US | 8.8.8.8:53 | nnycbrtaroy.com | udp |
| US | 8.8.8.8:53 | iwiygmuo.com | udp |
| US | 8.8.8.8:53 | xykijz.info | udp |
| US | 8.8.8.8:53 | liwifrxwfia.net | udp |
| US | 8.8.8.8:53 | zhhifuw.net | udp |
| US | 8.8.8.8:53 | wsyqzjzsjih.info | udp |
| US | 8.8.8.8:53 | youcuqaiommc.com | udp |
| US | 8.8.8.8:53 | tujrgyxyplkw.info | udp |
| US | 8.8.8.8:53 | sgciwi.org | udp |
| US | 8.8.8.8:53 | xyjexubj.info | udp |
| US | 8.8.8.8:53 | xotflcbuuvt.net | udp |
| US | 8.8.8.8:53 | duvprllelwtw.net | udp |
| US | 8.8.8.8:53 | imelnaloojvk.info | udp |
| US | 8.8.8.8:53 | uwmuwg.com | udp |
| US | 8.8.8.8:53 | uqryzsh.info | udp |
| US | 8.8.8.8:53 | rucodvypprap.info | udp |
| US | 8.8.8.8:53 | hfgkacxqinla.net | udp |
| US | 8.8.8.8:53 | ucoswwqeie.org | udp |
| US | 8.8.8.8:53 | pkbpbyz.org | udp |
| N/A | 192.168.28.2:139 | tcp | |
| US | 8.8.8.8:53 | tgriewchck.net | udp |
| US | 8.8.8.8:53 | jdtkmlvyly.info | udp |
| US | 8.8.8.8:53 | pujdtcryo.net | udp |
| US | 8.8.8.8:53 | yueceequcu.com | udp |
| US | 8.8.8.8:53 | zumutd.info | udp |
| US | 8.8.8.8:53 | xizjfuqnvubh.info | udp |
| US | 8.8.8.8:53 | netmitnmrw.info | udp |
| US | 8.8.8.8:53 | tywuwr.net | udp |
| US | 8.8.8.8:53 | xwzkzmvsnbv.info | udp |
| US | 8.8.8.8:53 | iusiogeeos.org | udp |
| US | 8.8.8.8:53 | ggeuskuwwk.org | udp |
| US | 8.8.8.8:53 | aemnosge.net | udp |
| US | 8.8.8.8:53 | lrowcjkt.net | udp |
| US | 8.8.8.8:53 | bybptgxz.info | udp |
| US | 8.8.8.8:53 | mliezefccn.info | udp |
| US | 8.8.8.8:53 | cycanm.net | udp |
| US | 8.8.8.8:53 | mbioneboepjc.info | udp |
| US | 8.8.8.8:53 | glwnhzzmn.net | udp |
| US | 8.8.8.8:53 | uoucnjgszqbg.info | udp |
| US | 8.8.8.8:53 | rqtuscv.com | udp |
| US | 8.8.8.8:53 | jilaeczcnaz.com | udp |
| US | 8.8.8.8:53 | pffzah.net | udp |
| US | 8.8.8.8:53 | fjswfmxs.net | udp |
| US | 8.8.8.8:53 | jjhshwvawlc.org | udp |
| US | 8.8.8.8:53 | kbhwixrgpk.net | udp |
| US | 8.8.8.8:53 | fyimvdv.net | udp |
| US | 8.8.8.8:53 | akcamgacoe.com | udp |
| US | 8.8.8.8:53 | jaisaez.net | udp |
| US | 8.8.8.8:53 | wbpgvufi.net | udp |
| US | 8.8.8.8:53 | mclezuvdv.net | udp |
| US | 8.8.8.8:53 | iyjlfazy.net | udp |
| US | 8.8.8.8:53 | rawyyqaqr.info | udp |
| US | 8.8.8.8:53 | tmgitgnmr.info | udp |
| US | 8.8.8.8:53 | cerzsio.info | udp |
| US | 8.8.8.8:53 | oklwmhsexc.net | udp |
| US | 8.8.8.8:53 | saxraaxnn.net | udp |
| US | 8.8.8.8:53 | ugdmtph.net | udp |
| US | 8.8.8.8:53 | dxjwlzdpbd.info | udp |
| US | 8.8.8.8:53 | haqhkwrmyttv.net | udp |
| US | 8.8.8.8:53 | hitgpy.net | udp |
| US | 8.8.8.8:53 | ywbmxtjsfezl.info | udp |
| US | 8.8.8.8:53 | tommnif.com | udp |
| US | 8.8.8.8:53 | ilbmdexfoxje.info | udp |
| US | 8.8.8.8:53 | nhbxvbyi.net | udp |
| US | 8.8.8.8:53 | hsbdjmzcgeh.org | udp |
| US | 8.8.8.8:53 | osjqxa.info | udp |
| US | 8.8.8.8:53 | intibfdqg.info | udp |
| US | 8.8.8.8:53 | wwmook.org | udp |
| US | 8.8.8.8:53 | ygaayqgs.com | udp |
| US | 8.8.8.8:53 | debgfcf.org | udp |
| US | 8.8.8.8:53 | kuozxaqwv.info | udp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp |
Files
C:\Users\Admin\AppData\Local\Temp\edkts.exe
C:\Users\Admin\AppData\Local\vtzhfmtuyzjgnvhsnzpntbzgno.tda
C:\Users\Admin\AppData\Local\wfwpyqiujvqyqjgcifgpgziasetfaiatqmspq.qjs
C:\Program Files (x86)\vtzhfmtuyzjgnvhsnzpntbzgno.tda
C:\Program Files (x86)\vtzhfmtuyzjgnvhsnzpntbzgno.tda
C:\Users\Admin\AppData\Local\vtzhfmtuyzjgnvhsnzpntbzgno.tda
C:\Program Files (x86)\vtzhfmtuyzjgnvhsnzpntbzgno.tda
C:\Program Files (x86)\vtzhfmtuyzjgnvhsnzpntbzgno.tda
C:\Program Files (x86)\vtzhfmtuyzjgnvhsnzpntbzgno.tda
C:\Users\Admin\AppData\Local\vtzhfmtuyzjgnvhsnzpntbzgno.tda