Malware Analysis Report

2025-08-06 02:47

Sample ID 241031-cwwrhsxerc
Target 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118
SHA256 e13b8ea286f1d029c16412c194919057eb73732b06b0236516fa3971f493974d
Tags
pykspa defense_evasion discovery persistence privilege_escalation trojan worm
score
10/10

Analysis Overview

score
10/10

SHA256

e13b8ea286f1d029c16412c194919057eb73732b06b0236516fa3971f493974d

Threat Level: Known bad

The file 8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

pykspa defense_evasion discovery persistence privilege_escalation trojan worm

Modifies WinLogon for persistence

Pykspa family

UAC bypass

Pykspa

Detect Pykspa worm

Adds policy Run key to start application

Disables RegEdit via registry modification

Loads dropped DLL

Executes dropped EXE

Impair Defenses: Safe Mode Boot

Checks computer location settings

Looks up external IP address via web service

Hijack Execution Flow: Executable Installer File Permissions Weakness

Checks whether UAC is enabled

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

System policy modification

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 02:26

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 02:26

Reported

2024-10-31 03:29

Platform

win7-20241023-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A

Pykspa

worm pykspa

Pykspa family

pykspa

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A

Detect Pykspa worm

worm
Description Indicator Process Target
N/A N/A N/A N/A

Adds policy Run key to start application

persistence

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A

Adds Run key to start application

persistence

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\xxwuzsuqvqtuoesbhmffe.hac C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
File opened for modification C:\Windows\SysWOW64\sdnwmqdkaguglmlfwmqblukobiyesejk.duk C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
File created C:\Windows\SysWOW64\sdnwmqdkaguglmlfwmqblukobiyesejk.duk C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
File opened for modification C:\Windows\SysWOW64\xxwuzsuqvqtuoesbhmffe.hac C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\xxwuzsuqvqtuoesbhmffe.hac C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
File created C:\Program Files (x86)\xxwuzsuqvqtuoesbhmffe.hac C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
File opened for modification C:\Program Files (x86)\sdnwmqdkaguglmlfwmqblukobiyesejk.duk C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
File created C:\Program Files (x86)\sdnwmqdkaguglmlfwmqblukobiyesejk.duk C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\xxwuzsuqvqtuoesbhmffe.hac C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
File created C:\Windows\xxwuzsuqvqtuoesbhmffe.hac C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
File opened for modification C:\Windows\sdnwmqdkaguglmlfwmqblukobiyesejk.duk C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
File created C:\Windows\sdnwmqdkaguglmlfwmqblukobiyesejk.duk C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\gntykk.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\gntykk.exe

"C:\Users\Admin\AppData\Local\Temp\gntykk.exe" "-"

C:\Users\Admin\AppData\Local\Temp\gntykk.exe

"C:\Users\Admin\AppData\Local\Temp\gntykk.exe" "-"

Network

Country Destination Domain Proto

Files

\Users\Admin\AppData\Local\Temp\gntykk.exe

C:\Users\Admin\AppData\Local\xxwuzsuqvqtuoesbhmffe.hac

C:\Users\Admin\AppData\Local\sdnwmqdkaguglmlfwmqblukobiyesejk.duk

C:\Program Files (x86)\xxwuzsuqvqtuoesbhmffe.hac

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 02:26

Reported

2024-10-31 03:28

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A

Pykspa

worm pykspa

Pykspa family

pykspa

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A

Detect Pykspa worm

worm
Description Indicator Process Target
N/A N/A N/A N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szofmcscpzsyo = "rdxtfavkcrpavrrqzz.exe" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szofmcscpzsyo = "itmhsmgulzwgavusa.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cpkhuqmcvlkwspqqabg.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szofmcscpzsyo = "itmhsmgulzwgavusa.exe" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szofmcscpzsyo = "bldxhatgwjfohbzw.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szofmcscpzsyo = "cpkhuqmcvlkwspqqabg.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzxlifwqhhurprsdflz.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzxlifwqhhurprsdflz.exe" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdxtfavkcrpavrrqzz.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzxlifwqhhurprsdflz.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szofmcscpzsyo = "etqpecasnfgusruwilshe.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cpkhuqmcvlkwspqqabg.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szofmcscpzsyo = "pdzxlifwqhhurprsdflz.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqpecasnfgusruwilshe.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itmhsmgulzwgavusa.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqpecasnfgusruwilshe.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itmhsmgulzwgavusa.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szofmcscpzsyo = "cpkhuqmcvlkwspqqabg.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szofmcscpzsyo = "rdxtfavkcrpavrrqzz.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdxtfavkcrpavrrqzz.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szofmcscpzsyo = "rdxtfavkcrpavrrqzz.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\szofmcscpzsyo = "itmhsmgulzwgavusa.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bfrfjwjqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bldxhatgwjfohbzw.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "pdzxlifwqhhurprsdflz.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tbrjrizkyjdkbt = "bldxhatgwjfohbzw.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfwpyqiujvqyqjg = "itmhsmgulzwgavusa.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqpecasnfgusruwilshe.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tzndjynwirjo = "cpkhuqmcvlkwspqqabg.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfwpyqiujvqyqjg = "bldxhatgwjfohbzw.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bldxhatgwjfohbzw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bldxhatgwjfohbzw.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tbrjrizkyjdkbt = "etqpecasnfgusruwilshe.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bldxhatgwjfohbzw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bldxhatgwjfohbzw.exe ." C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdxtfavkcrpavrrqzz.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\itmhsmgulzwgavusa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdxtfavkcrpavrrqzz.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\itmhsmgulzwgavusa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzxlifwqhhurprsdflz.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "bldxhatgwjfohbzw.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "cpkhuqmcvlkwspqqabg.exe" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bldxhatgwjfohbzw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cpkhuqmcvlkwspqqabg.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tzndjynwirjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdxtfavkcrpavrrqzz.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "pdzxlifwqhhurprsdflz.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "bldxhatgwjfohbzw.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfwpyqiujvqyqjg = "itmhsmgulzwgavusa.exe ." C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\itmhsmgulzwgavusa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itmhsmgulzwgavusa.exe" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tzndjynwirjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itmhsmgulzwgavusa.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tbrjrizkyjdkbt = "itmhsmgulzwgavusa.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tbrjrizkyjdkbt = "bldxhatgwjfohbzw.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cpkhuqmcvlkwspqqabg.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "etqpecasnfgusruwilshe.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bldxhatgwjfohbzw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzxlifwqhhurprsdflz.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\itmhsmgulzwgavusa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bldxhatgwjfohbzw.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzxlifwqhhurprsdflz.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tzndjynwirjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itmhsmgulzwgavusa.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bldxhatgwjfohbzw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdxtfavkcrpavrrqzz.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tbrjrizkyjdkbt = "cpkhuqmcvlkwspqqabg.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\itmhsmgulzwgavusa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqpecasnfgusruwilshe.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tzndjynwirjo = "rdxtfavkcrpavrrqzz.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "itmhsmgulzwgavusa.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqpecasnfgusruwilshe.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bldxhatgwjfohbzw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdxtfavkcrpavrrqzz.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tbrjrizkyjdkbt = "rdxtfavkcrpavrrqzz.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tbrjrizkyjdkbt = "etqpecasnfgusruwilshe.exe" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "itmhsmgulzwgavusa.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\rdxtfavkcrpavrrqzz.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfwpyqiujvqyqjg = "rdxtfavkcrpavrrqzz.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "cpkhuqmcvlkwspqqabg.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "rdxtfavkcrpavrrqzz.exe" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfwpyqiujvqyqjg = "pdzxlifwqhhurprsdflz.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\itmhsmgulzwgavusa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itmhsmgulzwgavusa.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfwpyqiujvqyqjg = "bldxhatgwjfohbzw.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bldxhatgwjfohbzw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\itmhsmgulzwgavusa.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfwpyqiujvqyqjg = "pdzxlifwqhhurprsdflz.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bldxhatgwjfohbzw.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tzndjynwirjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bldxhatgwjfohbzw.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tzndjynwirjo = "pdzxlifwqhhurprsdflz.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tzndjynwirjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzxlifwqhhurprsdflz.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\tzndjynwirjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqpecasnfgusruwilshe.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tzndjynwirjo = "cpkhuqmcvlkwspqqabg.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tzndjynwirjo = "rdxtfavkcrpavrrqzz.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfwpyqiujvqyqjg = "cpkhuqmcvlkwspqqabg.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\bldxhatgwjfohbzw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bldxhatgwjfohbzw.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\pdzxlifwqhhurprsdflz.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tzndjynwirjo = "rdxtfavkcrpavrrqzz.exe ." C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wbodiwksdlc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqpecasnfgusruwilshe.exe" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tzndjynwirjo = "etqpecasnfgusruwilshe.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\itmhsmgulzwgavusa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bldxhatgwjfohbzw.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tbrjrizkyjdkbt = "rdxtfavkcrpavrrqzz.exe" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wfwpyqiujvqyqjg = "cpkhuqmcvlkwspqqabg.exe ." C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.showmyipaddress.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\vtzhfmtuyzjgnvhsnzpntbzgno.tda C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
File created C:\Windows\SysWOW64\vtzhfmtuyzjgnvhsnzpntbzgno.tda C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
File opened for modification C:\Windows\SysWOW64\wfwpyqiujvqyqjgcifgpgziasetfaiatqmspq.qjs C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
File created C:\Windows\SysWOW64\wfwpyqiujvqyqjgcifgpgziasetfaiatqmspq.qjs C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\wfwpyqiujvqyqjgcifgpgziasetfaiatqmspq.qjs C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
File opened for modification C:\Program Files (x86)\vtzhfmtuyzjgnvhsnzpntbzgno.tda C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
File created C:\Program Files (x86)\vtzhfmtuyzjgnvhsnzpntbzgno.tda C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
File opened for modification C:\Program Files (x86)\wfwpyqiujvqyqjgcifgpgziasetfaiatqmspq.qjs C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\vtzhfmtuyzjgnvhsnzpntbzgno.tda C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
File opened for modification C:\Windows\wfwpyqiujvqyqjgcifgpgziasetfaiatqmspq.qjs C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
File created C:\Windows\wfwpyqiujvqyqjgcifgpgziasetfaiatqmspq.qjs C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
File opened for modification C:\Windows\vtzhfmtuyzjgnvhsnzpntbzgno.tda C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\edkts.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8134e598125e14e6bd192b3bf1a5fa85_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\edkts.exe

"C:\Users\Admin\AppData\Local\Temp\edkts.exe" "-"

C:\Users\Admin\AppData\Local\Temp\edkts.exe

"C:\Users\Admin\AppData\Local\Temp\edkts.exe" "-"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 kiojjl.net udp
US 8.8.8.8:53 uhpmrupuasn.net udp
US 8.8.8.8:53 jfmarejsj.info udp
US 8.8.8.8:53 iccwsyousq.com udp
US 8.8.8.8:53 egbtjszalubd.info udp
US 8.8.8.8:53 jonvxahqjdr.net udp
US 8.8.8.8:53 lipurll.info udp
US 8.8.8.8:53 hllixmp.net udp
US 8.8.8.8:53 jdjllejihxl.net udp
US 8.8.8.8:53 jrzyrcaozcr.org udp
US 8.8.8.8:53 szrffljhsu.info udp
US 8.8.8.8:53 jvgmqjnd.net udp
US 8.8.8.8:53 tfntenujumjp.net udp
US 8.8.8.8:53 ncwinvmbmw.net udp
US 8.8.8.8:53 wtxthacu.net udp
US 8.8.8.8:53 mtpahplbuo.info udp
US 8.8.8.8:53 jthtvhsl.net udp
US 8.8.8.8:53 lqrllmxgjjj.info udp
US 8.8.8.8:53 qweceiiiuo.com udp
US 8.8.8.8:53 cxlkhikkn.net udp
US 8.8.8.8:53 uboxmv.net udp
US 8.8.8.8:53 iacwswysqowu.com udp
US 8.8.8.8:53 tficbrfivs.info udp
US 8.8.8.8:53 rojfjj.info udp
US 8.8.8.8:53 jzvilnybsmnm.net udp
US 8.8.8.8:53 qkvkhqzazbb.net udp
US 8.8.8.8:53 lklqdaq.com udp
US 8.8.8.8:53 ryxdtsd.net udp
US 8.8.8.8:53 rtdrjqux.info udp
US 8.8.8.8:53 ymflfmomjrz.net udp
US 8.8.8.8:53 msfmtzx.info udp
US 8.8.8.8:53 hcjcfkproin.info udp
US 8.8.8.8:53 gcmsyksmqe.org udp
US 8.8.8.8:53 segaqk.com udp
US 8.8.8.8:53 socjvnzh.net udp
US 8.8.8.8:53 mqlssyflfus.net udp
US 8.8.8.8:53 cikgciaceciq.org udp
US 8.8.8.8:53 ccfgjkb.info udp
US 8.8.8.8:53 ouqoeesiae.org udp
US 8.8.8.8:53 jmagpwxcx.net udp
US 8.8.8.8:53 ionojeyfxuwx.info udp
US 8.8.8.8:53 lumwsqhoz.net udp
US 8.8.8.8:53 agcqeyaogeek.com udp
US 8.8.8.8:53 gvdohoqeo.info udp
US 8.8.8.8:53 fmhiqazsog.info udp
US 8.8.8.8:53 qubqirdevwh.net udp
US 8.8.8.8:53 mvdksercocl.net udp
US 8.8.8.8:53 reewxp.info udp
US 8.8.8.8:53 mcbpfmljtmv.info udp
US 8.8.8.8:53 ooacagqgmg.org udp
US 8.8.8.8:53 eimuee.org udp
US 8.8.8.8:53 jfrenmxp.net udp
US 8.8.8.8:53 aesogkss.org udp
US 8.8.8.8:53 sumahgtab.net udp
US 8.8.8.8:53 fnfannqvfrh.org udp
US 8.8.8.8:53 bmhydmh.com udp
US 8.8.8.8:53 vrmjjlzsrn.net udp
US 8.8.8.8:53 pgxukyi.com udp
US 8.8.8.8:53 ryrfdcrh.info udp
US 8.8.8.8:53 dunolqrmder.net udp
US 8.8.8.8:53 cytbhiggufu.net udp
US 8.8.8.8:53 tnpsragw.net udp
US 8.8.8.8:53 hshaluj.com udp
US 8.8.8.8:53 wsggaqgaoi.com udp
US 8.8.8.8:53 sebgahhsh.info udp
US 8.8.8.8:53 ajeufitgtoe.info udp
US 8.8.8.8:53 yqqigogwgs.org udp
US 8.8.8.8:53 ebtwtcvwacd.info udp
US 8.8.8.8:53 oesaeigqwuki.com udp
US 8.8.8.8:53 goegcm.org udp
US 8.8.8.8:53 kgmgmyx.net udp
US 8.8.8.8:53 hhbibsteqcn.info udp
US 8.8.8.8:53 ftuvbkwe.net udp
US 8.8.8.8:53 zzxueudu.info udp
US 8.8.8.8:53 qgnkcaclr.info udp
US 8.8.8.8:53 iyysmcgaoq.com udp
US 8.8.8.8:53 qeeecquo.org udp
US 8.8.8.8:53 pxsrzfbyrb.net udp
US 8.8.8.8:53 muhkjsldcuj.info udp
US 8.8.8.8:53 qcaequgeic.org udp
US 8.8.8.8:53 acwdhrdtlp.net udp
US 8.8.8.8:53 giziolf.info udp
US 8.8.8.8:53 plfwlpro.info udp
US 8.8.8.8:53 teaacdtqjap.net udp
US 8.8.8.8:53 lrvcjxdsa.info udp
US 8.8.8.8:53 uuegmmsyiwai.com udp
US 8.8.8.8:53 fojyelncx.org udp
US 8.8.8.8:53 vqprbn.net udp
US 8.8.8.8:53 xwqowmqjhuy.info udp
US 8.8.8.8:53 mogbcwb.net udp
US 8.8.8.8:53 ocwxqrlmzrqp.info udp
US 8.8.8.8:53 zskhjbnriv.net udp
US 8.8.8.8:53 kihhfha.info udp
US 8.8.8.8:53 ncrmjafuzox.net udp
US 8.8.8.8:53 qedszti.info udp
US 8.8.8.8:53 pelarcwqs.net udp
US 8.8.8.8:53 mdainrbbifun.net udp
US 8.8.8.8:53 ssywwsui.com udp
US 8.8.8.8:53 yokqrnj.info udp
US 8.8.8.8:53 bsqxxa.info udp
US 8.8.8.8:53 qoweledox.info udp
US 8.8.8.8:53 ruqgvfx.org udp
US 8.8.8.8:53 zozgcobcaq.net udp
US 8.8.8.8:53 jsbhtweal.info udp
US 8.8.8.8:53 cywyfnhxhsxe.info udp
US 8.8.8.8:53 cmldxprav.net udp
US 8.8.8.8:53 lvvbnnsi.info udp
US 8.8.8.8:53 gwofpraijm.info udp
US 8.8.8.8:53 hjjakml.com udp
US 8.8.8.8:53 ckqiiwceew.com udp
US 8.8.8.8:53 virnrasrtsb.net udp
US 8.8.8.8:53 jkyejortd.com udp
US 8.8.8.8:53 egmxhgalqdg.net udp
US 8.8.8.8:53 mvrlhhspnj.info udp
US 8.8.8.8:53 rwkhidqqzk.info udp
US 8.8.8.8:53 auhhmqeap.info udp
US 8.8.8.8:53 pubdtrzkyif.com udp
US 8.8.8.8:53 kadqpkblpux.info udp
US 8.8.8.8:53 xezrsm.net udp
US 8.8.8.8:53 emiigsiuqucm.com udp
US 8.8.8.8:53 hiwkhqjlaks.com udp
US 8.8.8.8:53 zcfarupgs.com udp
US 8.8.8.8:53 ladtlpne.net udp
US 8.8.8.8:53 ltzlgs.info udp
US 8.8.8.8:53 rxhxfw.net udp
US 8.8.8.8:53 tusofikpe.com udp
US 8.8.8.8:53 zkykjxrhzafp.net udp
US 8.8.8.8:53 iahinikmcop.info udp
US 8.8.8.8:53 uybmdacpfmv.info udp
US 8.8.8.8:53 qgiqgu.org udp
US 8.8.8.8:53 lmqitul.net udp
US 8.8.8.8:53 loregqo.com udp
US 8.8.8.8:53 boiufieudh.info udp
US 8.8.8.8:53 mexsbsbhjgq.info udp
US 8.8.8.8:53 ueuzss.net udp
US 8.8.8.8:53 pezidjrvpf.net udp
US 8.8.8.8:53 xiorwc.net udp
US 8.8.8.8:53 dyzlhiddzhc.org udp
US 8.8.8.8:53 npnkxcktktuc.info udp
US 8.8.8.8:53 liccme.net udp
US 8.8.8.8:53 uvcodihahbp.net udp
US 8.8.8.8:53 qackawugqsgu.org udp
US 8.8.8.8:53 prrjtbjytutt.info udp
US 8.8.8.8:53 ixehpua.info udp
US 8.8.8.8:53 ylaxujjvpzdt.info udp
US 8.8.8.8:53 xxsywgrsbmt.com udp
US 8.8.8.8:53 veogdsdjx.com udp
US 8.8.8.8:53 hlqltge.net udp
US 8.8.8.8:53 rxdggychgc.info udp
US 8.8.8.8:53 vmvulmrtvml.info udp
US 8.8.8.8:53 wcaugq.com udp
US 8.8.8.8:53 pedxzbrhzb.info udp
US 8.8.8.8:53 ahhvtmpmcwa.net udp
US 8.8.8.8:53 epjhfbjupvt.net udp
US 8.8.8.8:53 vlsqekixshcp.net udp
US 8.8.8.8:53 acrtztoja.net udp
US 8.8.8.8:53 zylazkhtxwul.net udp
US 8.8.8.8:53 wohienuohjxy.info udp
US 8.8.8.8:53 fgnadsuyr.info udp
US 8.8.8.8:53 vjtbergzacvr.net udp
US 8.8.8.8:53 iwwmiiga.org udp
US 8.8.8.8:53 utvahafwbyb.net udp
US 8.8.8.8:53 emunwayp.info udp
US 8.8.8.8:53 feawjoykmt.info udp
US 8.8.8.8:53 djdyjmq.org udp
US 8.8.8.8:53 jgzbxllqdecg.net udp
US 8.8.8.8:53 wtigijfy.info udp
US 8.8.8.8:53 hglapmy.com udp
US 8.8.8.8:53 kwjynf.net udp
US 8.8.8.8:53 iewsuwgismyc.com udp
US 8.8.8.8:53 wejrsgt.info udp
US 8.8.8.8:53 ikukswsqug.com udp
US 8.8.8.8:53 asecuyemymyi.org udp
US 8.8.8.8:53 ivvpsfru.info udp
US 8.8.8.8:53 ovucoarud.net udp
US 8.8.8.8:53 fiywgsvmy.org udp
US 8.8.8.8:53 zmrarczuld.net udp
US 8.8.8.8:53 risqvpksno.info udp
US 8.8.8.8:53 rqvdtqhbrov.net udp
US 8.8.8.8:53 klldkcxt.info udp
US 8.8.8.8:53 petqhqgurso.info udp
US 8.8.8.8:53 rwhmsmd.org udp
US 8.8.8.8:53 dwpkzhv.com udp
US 8.8.8.8:53 dmdszuzox.info udp
US 8.8.8.8:53 rltwexojzn.net udp
US 8.8.8.8:53 uwzhgmzuv.net udp
US 8.8.8.8:53 yidwfxx.net udp
US 8.8.8.8:53 manfclrtps.net udp
US 8.8.8.8:53 yuuiomoyyy.org udp
US 8.8.8.8:53 dayucgzmwkv.net udp
US 8.8.8.8:53 ysyqiatjfqn.net udp
US 8.8.8.8:53 aklwdjw.net udp
US 8.8.8.8:53 awbcmj.info udp
US 8.8.8.8:53 smbxlew.net udp
US 8.8.8.8:53 bjpbnv.info udp
US 8.8.8.8:53 gmcomsscmm.com udp
US 8.8.8.8:53 wuybayvsmwt.info udp
US 8.8.8.8:53 acvijwfis.info udp
US 8.8.8.8:53 mgbwnoz.info udp
US 8.8.8.8:53 zfyhyz.net udp
US 8.8.8.8:53 lexvdclytw.net udp
US 8.8.8.8:53 qisakqeiecqu.org udp
US 8.8.8.8:53 fakqnwtio.info udp
US 8.8.8.8:53 lqxrrchymdd.net udp
US 8.8.8.8:53 iggcfwpytwa.net udp
US 8.8.8.8:53 rhrrzodshs.net udp
US 8.8.8.8:53 zmviuqc.net udp
US 8.8.8.8:53 cjbbfa.info udp
US 8.8.8.8:53 fbuolny.info udp
US 8.8.8.8:53 ubjkxvdyen.info udp
US 8.8.8.8:53 tuaxjj.net udp
US 8.8.8.8:53 vkylhtylchns.net udp
US 8.8.8.8:53 kwldve.net udp
US 8.8.8.8:53 ushkxbyxdgg.net udp
US 8.8.8.8:53 jgsuxu.info udp
US 8.8.8.8:53 biztqcpnbo.info udp
US 8.8.8.8:53 jalkbr.info udp
US 8.8.8.8:53 ywwmui.com udp
US 8.8.8.8:53 icamqekk.com udp
US 8.8.8.8:53 cxffzmlflm.info udp
US 8.8.8.8:53 tzitmdbojg.info udp
US 8.8.8.8:53 jbcvjgvwyjs.com udp
US 8.8.8.8:53 gqcaieqq.com udp
US 8.8.8.8:53 qybzbvijw.net udp
US 8.8.8.8:53 maltyz.net udp
US 8.8.8.8:53 qqaakgik.com udp
US 8.8.8.8:53 geaaww.com udp
US 8.8.8.8:53 jiepvplpp.com udp
US 8.8.8.8:53 nzhiqmukju.net udp
US 8.8.8.8:53 usztsauxtyh.net udp
US 8.8.8.8:53 dwfebekyt.org udp
US 8.8.8.8:53 foxunotgt.info udp
US 8.8.8.8:53 jljmmpkm.info udp
US 8.8.8.8:53 bktpfwsl.net udp
US 8.8.8.8:53 umaisoki.org udp
US 8.8.8.8:53 nkngwelszpw.com udp
US 8.8.8.8:53 iplqdlbmaiyt.info udp
US 8.8.8.8:53 chjexjzkhlkh.net udp
US 8.8.8.8:53 nleosc.info udp
US 8.8.8.8:53 fqnmjmuhxok.com udp
US 8.8.8.8:53 rxwwcoo.info udp
US 8.8.8.8:53 yeseee.com udp
HK 156.237.207.232:80 yeseee.com tcp
US 8.8.8.8:53 nsdczpbuv.org udp
US 8.8.8.8:53 ooqukgac.org udp
US 8.8.8.8:53 jupejihn.info udp
US 8.8.8.8:53 qixixgm.info udp
US 8.8.8.8:53 rglihqg.net udp
US 8.8.8.8:53 xcuoob.net udp
US 8.8.8.8:53 zglmzwrvfqt.net udp
US 8.8.8.8:53 taxsnux.com udp
US 8.8.8.8:53 ctnnvorm.net udp
US 8.8.8.8:53 rwppcksgvpr.info udp
US 8.8.8.8:53 iwlpzasaqq.net udp
US 8.8.8.8:53 xufmbifox.com udp
US 8.8.8.8:53 oltwlpckmgjf.net udp
US 8.8.8.8:53 dqdclqf.org udp
US 8.8.8.8:53 zcqtozpvxqyv.info udp
US 8.8.8.8:53 dhcotdckbsyv.info udp
US 8.8.8.8:53 zgytjbbbat.net udp
US 8.8.8.8:53 ojtqeup.net udp
US 8.8.8.8:53 eeoywock.org udp
US 8.8.8.8:53 bakfznqyjrsl.net udp
US 8.8.8.8:53 logqtj.info udp
US 8.8.8.8:53 tfmcwyiwg.net udp
US 8.8.8.8:53 ogwohcrtdrb.net udp
US 8.8.8.8:53 lsguvuwcdhr.org udp
US 8.8.8.8:53 mgmuaquyaqku.com udp
US 8.8.8.8:53 tsxauoqgjzf.net udp
US 8.8.8.8:53 vccialjax.com udp
US 8.8.8.8:53 zlnsqae.org udp
US 8.8.8.8:53 dgdmerp.com udp
US 8.8.8.8:53 vvtmefthxtnh.info udp
US 8.8.8.8:53 kyxaonsuhep.info udp
US 8.8.8.8:53 qroqqmldjbct.net udp
US 8.8.8.8:53 hudifyjmlqhj.info udp
US 8.8.8.8:53 dqgihaaagkt.net udp
US 8.8.8.8:53 beklnku.com udp
US 8.8.8.8:53 kigkawog.org udp
US 8.8.8.8:53 zojrhyubimxp.info udp
US 8.8.8.8:53 gyjspysibox.net udp
US 8.8.8.8:53 tixevcrizvei.info udp
US 8.8.8.8:53 jzprnhdk.info udp
US 8.8.8.8:53 nicxrmrxya.net udp
US 8.8.8.8:53 dvxstrjqf.org udp
US 8.8.8.8:53 syxplyhsp.info udp
US 8.8.8.8:53 xwpgntks.info udp
US 8.8.8.8:53 lwjpkg.info udp
US 8.8.8.8:53 rhlajjwstnu.info udp
US 8.8.8.8:53 awuswsny.info udp
US 8.8.8.8:53 bjteet.info udp
US 8.8.8.8:53 kcckannujgyh.info udp
US 8.8.8.8:53 pvabwcrw.info udp
US 8.8.8.8:53 qmvygc.net udp
US 8.8.8.8:53 liwertlarxh.info udp
US 8.8.8.8:53 wuaowaqemkyq.com udp
US 8.8.8.8:53 kspgprq.net udp
US 8.8.8.8:53 vdinsezipu.net udp
US 8.8.8.8:53 wkxvpfh.net udp
US 8.8.8.8:53 jyptjre.info udp
US 8.8.8.8:53 yyhhtddubytv.info udp
US 8.8.8.8:53 rvmonfphd.org udp
US 8.8.8.8:53 nuwaragvj.net udp
US 8.8.8.8:53 cgqlzteyzjzc.net udp
US 8.8.8.8:53 mlibuksr.net udp
US 8.8.8.8:53 qeaqigwkksuy.org udp
US 8.8.8.8:53 wcjnfqest.net udp
US 8.8.8.8:53 rbgixyjadaw.org udp
US 8.8.8.8:53 oycopuz.net udp
US 8.8.8.8:53 gkqmmayc.com udp
US 8.8.8.8:53 mfxmirp.net udp
US 8.8.8.8:53 nyzxtwhngyy.net udp
US 8.8.8.8:53 bcksphj.net udp
US 8.8.8.8:53 nawqpqdy.net udp
US 8.8.8.8:53 pazukwh.net udp
US 8.8.8.8:53 fyfeusbapkt.com udp
US 8.8.8.8:53 moyswwkmmo.com udp
US 8.8.8.8:53 lafqxmoqvsn.net udp
US 8.8.8.8:53 kqlhdfowfszv.net udp
US 8.8.8.8:53 egpfexyxtqp.net udp
US 8.8.8.8:53 kmoeky.org udp
US 8.8.8.8:53 xanwqkg.info udp
US 8.8.8.8:53 halaxnxu.net udp
US 8.8.8.8:53 bumwwqyapkv.com udp
US 8.8.8.8:53 acjdjvbb.info udp
US 8.8.8.8:53 xygbdoqlv.org udp
US 8.8.8.8:53 wsxrzltsslvz.net udp
US 8.8.8.8:53 lwoitwgsy.com udp
US 8.8.8.8:53 khxrpyyoc.net udp
US 8.8.8.8:53 pzeasebtsh.net udp
US 8.8.8.8:53 fofcgchur.net udp
US 8.8.8.8:53 kgbgpalkjgb.net udp
US 8.8.8.8:53 curalbjff.info udp
US 8.8.8.8:53 ehzctauwlym.net udp
US 8.8.8.8:53 sbaahgbwakv.info udp
US 8.8.8.8:53 ukjetskkr.net udp
US 8.8.8.8:53 icaijmduf.net udp
US 8.8.8.8:53 yhnfzyj.net udp
US 8.8.8.8:53 ttoezwzmr.info udp
US 8.8.8.8:53 kazyicyavtoq.info udp
US 8.8.8.8:53 bvnbig.net udp
US 8.8.8.8:53 hiqbgazlts.info udp
US 8.8.8.8:53 cfwjbujktq.info udp
US 8.8.8.8:53 fgkxeu.info udp
US 8.8.8.8:53 mcfxtyrct.net udp
US 8.8.8.8:53 qyhssin.net udp
US 8.8.8.8:53 stfhbwifvy.info udp
US 8.8.8.8:53 mdocyfhi.net udp
US 8.8.8.8:53 mogixirmhoe.info udp
US 8.8.8.8:53 fgyojpnggd.info udp
US 8.8.8.8:53 rsuwsvs.com udp
US 8.8.8.8:53 hjjekqeyygjy.info udp
US 8.8.8.8:53 eugibwzdzye.net udp
US 8.8.8.8:53 bltnfskynsdk.info udp
US 8.8.8.8:53 efdlohhy.info udp
US 8.8.8.8:53 wyvslia.info udp
US 8.8.8.8:53 uibqecrungi.info udp
US 8.8.8.8:53 zitiqkxzo.info udp
US 8.8.8.8:53 fvrzjt.net udp
US 8.8.8.8:53 gwgmoe.org udp
US 8.8.8.8:53 wouyskxop.net udp
US 8.8.8.8:53 rzxkndphhhxo.info udp
US 8.8.8.8:53 eyfmzzf.info udp
US 8.8.8.8:53 xihsxopjngf.com udp
US 8.8.8.8:53 pmvwlcgtpsd.com udp
US 8.8.8.8:53 mfxipqvjadb.net udp
US 8.8.8.8:53 xioxbgugln.info udp
US 8.8.8.8:53 pzpoocqcwp.net udp
US 8.8.8.8:53 oyyeygka.org udp
US 8.8.8.8:53 ubiczifp.info udp
US 8.8.8.8:53 bgdqgf.net udp
US 8.8.8.8:53 ntnatkxsyx.info udp
US 8.8.8.8:53 ecdidcfdvek.info udp
US 8.8.8.8:53 jlhwlgwux.info udp
US 8.8.8.8:53 zujpfgswhq.info udp
US 8.8.8.8:53 cgkcui.org udp
US 8.8.8.8:53 encztcna.net udp
US 8.8.8.8:53 upxkhuzkr.info udp
US 8.8.8.8:53 sggoigguci.org udp
US 8.8.8.8:53 ycxvrvto.info udp
US 8.8.8.8:53 uzyrzgnpof.info udp
US 8.8.8.8:53 cuevrsal.net udp
US 8.8.8.8:53 uejsewzctcp.info udp
US 8.8.8.8:53 eqwkxorsw.net udp
US 8.8.8.8:53 holzjirur.net udp
US 8.8.8.8:53 sticcotobh.net udp
US 8.8.8.8:53 amvbrfhisy.info udp
US 8.8.8.8:53 abfumij.net udp
US 8.8.8.8:53 dhdgtd.info udp
US 8.8.8.8:53 zuigfimcq.org udp
US 8.8.8.8:53 rzzqkof.com udp
US 8.8.8.8:53 sbablr.net udp
US 8.8.8.8:53 aeaqis.org udp
US 8.8.8.8:53 oezfxoxed.info udp
US 8.8.8.8:53 qutmlb.net udp
US 8.8.8.8:53 mmmygcbl.info udp
US 8.8.8.8:53 aubgzylblcd.info udp
US 8.8.8.8:53 uuecll.net udp
US 8.8.8.8:53 xbwrfdzo.net udp
US 8.8.8.8:53 uacoqg.org udp
US 8.8.8.8:53 mxdkvut.net udp
US 8.8.8.8:53 okzmqiuyb.net udp
US 8.8.8.8:53 zcydmjuf.net udp
US 8.8.8.8:53 rkayvedtwt.net udp
US 8.8.8.8:53 gemytokeg.info udp
US 8.8.8.8:53 rzvctlgw.info udp
US 8.8.8.8:53 rcrcrbxww.net udp
US 8.8.8.8:53 irxlvbzv.net udp
US 8.8.8.8:53 lzkscytm.net udp
US 8.8.8.8:53 sdhwtkcotcx.info udp
US 8.8.8.8:53 xjxxpnqk.info udp
US 8.8.8.8:53 sxcxdyyo.net udp
US 8.8.8.8:53 ocmwkuug.com udp
US 8.8.8.8:53 pyjuxpj.info udp
US 8.8.8.8:53 lswfftwe.info udp
US 8.8.8.8:53 nqduclfqjcz.net udp
US 8.8.8.8:53 qykiwwas.org udp
US 8.8.8.8:53 kkfbin.net udp
US 8.8.8.8:53 qpdrppjtoy.info udp
US 8.8.8.8:53 pcjldzf.org udp
US 8.8.8.8:53 nflpfx.info udp
US 8.8.8.8:53 oqomegwymogm.com udp
US 8.8.8.8:53 ptbxyixaqem.info udp
US 8.8.8.8:53 hvwyzo.info udp
US 8.8.8.8:53 xoxqgoahhc.info udp
US 8.8.8.8:53 ogicoa.com udp
US 8.8.8.8:53 quaegwsocm.com udp
US 8.8.8.8:53 eiqxdmdcfsb.net udp
US 8.8.8.8:53 hbxffqruv.com udp
US 8.8.8.8:53 geysxeqmhf.net udp
US 8.8.8.8:53 dwsikogj.info udp
US 8.8.8.8:53 xlqwso.info udp
US 8.8.8.8:53 abucqfvhsj.net udp
US 8.8.8.8:53 vbuckblv.net udp
US 8.8.8.8:53 xhfvtqlp.info udp
US 8.8.8.8:53 mwvmlc.info udp
US 8.8.8.8:53 wkgkywec.com udp
US 8.8.8.8:53 tecjjzzorfjw.net udp
US 8.8.8.8:53 dtburqbap.net udp
US 8.8.8.8:53 xgnijggfclh.com udp
US 8.8.8.8:53 wjdqglpu.net udp
US 8.8.8.8:53 yaqyiwwmowiw.org udp
US 8.8.8.8:53 gaicbilffnqm.net udp
US 8.8.8.8:53 mmmwquoi.com udp
US 8.8.8.8:53 sizstixqn.net udp
US 8.8.8.8:53 xykijz.info udp
US 8.8.8.8:53 aesemxraicga.net udp
US 8.8.8.8:53 wsyqzjzsjih.info udp
US 8.8.8.8:53 drzwdoay.info udp
US 8.8.8.8:53 iwddnenj.net udp
US 8.8.8.8:53 iuecpck.info udp
US 8.8.8.8:53 duvprllelwtw.net udp
US 8.8.8.8:53 siamww.com udp
US 8.8.8.8:53 czcanez.net udp
US 8.8.8.8:53 ilbehed.info udp
US 8.8.8.8:53 rggdoixu.net udp
US 8.8.8.8:53 linjuhruei.net udp
US 8.8.8.8:53 ltnavcbkj.com udp
US 8.8.8.8:53 eycowimwak.org udp
US 8.8.8.8:53 hfgkacxqinla.net udp
US 8.8.8.8:53 jflhce.net udp
US 8.8.8.8:53 ggawyeqq.com udp
US 8.8.8.8:53 jdtkmlvyly.info udp
US 8.8.8.8:53 fcpobnvzhvdg.net udp
US 8.8.8.8:53 uwougiow.com udp
US 8.8.8.8:53 xizjfuqnvubh.info udp
US 8.8.8.8:53 mlvgtfdc.info udp
US 8.8.8.8:53 mopvtgceqps.net udp
US 8.8.8.8:53 qbhrzdmj.info udp
US 8.8.8.8:53 iusiogeeos.org udp
US 8.8.8.8:53 gawwocagwamw.com udp
US 8.8.8.8:53 aemnosge.net udp
US 8.8.8.8:53 gzrccmtbj.info udp
US 8.8.8.8:53 zimefilka.info udp
US 8.8.8.8:53 lrowcjkt.net udp
US 8.8.8.8:53 zwmpdvzgykqh.net udp
US 8.8.8.8:53 xflmjpy.org udp
US 8.8.8.8:53 umofvvuzanyj.info udp
US 8.8.8.8:53 bytsckeozwz.info udp
US 8.8.8.8:53 tqroxinv.info udp
US 8.8.8.8:53 wuowykmi.com udp
US 8.8.8.8:53 virzbcbvavzg.net udp
US 8.8.8.8:53 gakqxzuyk.info udp
US 8.8.8.8:53 ovmqtrznf.net udp
US 8.8.8.8:53 jgvrkiyluw.net udp
US 8.8.8.8:53 rvbptt.info udp
US 8.8.8.8:53 yuzaphgs.info udp
US 8.8.8.8:53 wzbpcjdgiy.info udp
US 8.8.8.8:53 fjswfmxs.net udp
US 8.8.8.8:53 edgyzltorwx.net udp
US 8.8.8.8:53 vanjpyu.com udp
US 8.8.8.8:53 aqgmkwgqmowe.com udp
US 8.8.8.8:53 zlhivkfu.info udp
US 8.8.8.8:53 wkfpjufcsit.info udp
US 8.8.8.8:53 rawyyqaqr.info udp
US 8.8.8.8:53 ecgmkrnfvh.net udp
US 8.8.8.8:53 nymmyvhu.net udp
US 8.8.8.8:53 oklwmhsexc.net udp
US 8.8.8.8:53 mqflhpfwc.info udp
US 8.8.8.8:53 iqgeguycas.com udp
US 8.8.8.8:53 bjngfvowdxrl.net udp
US 8.8.8.8:53 ugdmtph.net udp
US 8.8.8.8:53 lupwbwqxxl.info udp
US 8.8.8.8:53 kxzzuvklua.net udp
US 8.8.8.8:53 zublrmoatxm.com udp
US 8.8.8.8:53 ywbmxtjsfezl.info udp
US 8.8.8.8:53 gaagqkyyskeg.com udp
US 8.8.8.8:53 fytqtdparf.net udp
US 8.8.8.8:53 intibfdqg.info udp
US 8.8.8.8:53 qyqciooc.org udp
US 8.8.8.8:53 ygaayqgs.com udp
US 8.8.8.8:53 kzyjussbhp.net udp
US 8.8.8.8:53 uxrmbazwdnqf.net udp
US 8.8.8.8:53 rbcclaud.net udp
US 8.8.8.8:53 raazpygl.net udp
US 8.8.8.8:53 qunsptr.net udp
US 8.8.8.8:53 wqaeamce.org udp
US 8.8.8.8:53 mesoouesiwqo.com udp
US 8.8.8.8:53 lgbyaoeqx.net udp
US 8.8.8.8:53 kalwvvjyo.info udp
US 8.8.8.8:53 ssmxzo.info udp
US 8.8.8.8:53 jzylbwusi.com udp
US 8.8.8.8:53 ingowfhbjs.info udp
US 8.8.8.8:53 tboyrtniuyn.net udp
US 8.8.8.8:53 sgjmtwuolmj.net udp
US 8.8.8.8:53 lomwdbghox.info udp
US 8.8.8.8:53 hjfkrp.net udp
US 8.8.8.8:53 ikyzykqo.net udp
US 8.8.8.8:53 htkinw.net udp
US 8.8.8.8:53 macuaiyeuqqe.org udp
US 8.8.8.8:53 pmfgftl.info udp
US 8.8.8.8:53 trbiuudttbvu.info udp
US 8.8.8.8:53 swckicsmiaiu.com udp
US 8.8.8.8:53 hjzcbeg.net udp
US 8.8.8.8:53 hqjkhqc.net udp
US 8.8.8.8:53 iqjkiytxpcb.net udp
US 8.8.8.8:53 haddjeg.net udp
US 8.8.8.8:53 ldhhdhrsjsoa.net udp
US 8.8.8.8:53 aaugmocmog.org udp
US 8.8.8.8:53 tzhsthey.net udp
US 8.8.8.8:53 zoiozxmw.info udp
US 8.8.8.8:53 mwycqayuwe.com udp
US 8.8.8.8:53 tqpwitfr.info udp
US 8.8.8.8:53 euecceqesg.com udp
US 8.8.8.8:53 lmwekvswnk.net udp
US 8.8.8.8:53 fvljsbupim.net udp
US 8.8.8.8:53 moecfgdk.net udp
US 8.8.8.8:53 yssrraxqr.net udp
US 8.8.8.8:53 atpsjmvhsmb.net udp
US 8.8.8.8:53 whdbraphcsca.info udp
US 8.8.8.8:53 gieczezmf.net udp
US 8.8.8.8:53 emiiuqqoyiiu.org udp
US 8.8.8.8:53 rocoyd.net udp
US 8.8.8.8:53 picviuesvw.info udp
US 8.8.8.8:53 jrjahxhbus.net udp
US 8.8.8.8:53 dewgvrjsbws.org udp
US 8.8.8.8:53 rkhebqt.info udp
US 8.8.8.8:53 syafkh.net udp
US 8.8.8.8:53 wnnzwwddch.net udp
US 8.8.8.8:53 cmhonkuaizv.info udp
US 8.8.8.8:53 pvtzfddc.net udp
US 8.8.8.8:53 lqupeuhfcyok.net udp
US 8.8.8.8:53 lpylljkacr.info udp
US 8.8.8.8:53 rkbupqhgzew.org udp
US 8.8.8.8:53 eazerazey.net udp
US 8.8.8.8:53 gzzyucdpul.info udp
US 8.8.8.8:53 suokgkay.com udp
US 8.8.8.8:53 hgzurkt.org udp
US 8.8.8.8:53 cydnzcjqzgl.net udp
US 8.8.8.8:53 nkpcbsyoral.org udp
US 8.8.8.8:53 gngjjmnlgqx.net udp
US 8.8.8.8:53 vhveha.info udp
US 8.8.8.8:53 qahujyee.net udp
US 8.8.8.8:53 ymbczcvan.net udp
US 8.8.8.8:53 ywtlxud.info udp
US 8.8.8.8:53 sqqumgekumeo.org udp
US 8.8.8.8:53 guafxghoz.info udp
US 8.8.8.8:53 mdggorngtufc.info udp
US 8.8.8.8:53 zkzjhg.net udp
US 8.8.8.8:53 iknxwpo.net udp
US 8.8.8.8:53 ohapibqjc.net udp
US 8.8.8.8:53 oawwfdzrfbxg.info udp
US 8.8.8.8:53 eusaqyog.com udp
US 8.8.8.8:53 najsbktgpy.net udp
US 8.8.8.8:53 utfnxtohvvct.info udp
US 8.8.8.8:53 meumgzpu.info udp
US 8.8.8.8:53 gqpyjyhir.info udp
US 8.8.8.8:53 ymkwwyaiuw.com udp
US 8.8.8.8:53 yufaxxx.net udp
US 8.8.8.8:53 iwrgulkcked.net udp
US 8.8.8.8:53 fshhtxpue.org udp
US 8.8.8.8:53 weiywg.com udp
US 8.8.8.8:53 miywcygc.org udp
US 8.8.8.8:53 qqkoqqcwgg.com udp
US 8.8.8.8:53 nmtwdksat.net udp
US 8.8.8.8:53 lytuefatnbnu.net udp
US 8.8.8.8:53 dnkehnj.org udp
US 8.8.8.8:53 uaoeou.com udp
US 8.8.8.8:53 nufohkpwfij.info udp
US 8.8.8.8:53 swfehohol.info udp
US 8.8.8.8:53 xdjysd.info udp
US 8.8.8.8:53 fygibuxfqjpe.net udp
US 8.8.8.8:53 jwfstmjim.info udp
US 8.8.8.8:53 lnnvbcdyf.com udp
US 8.8.8.8:53 ysmlrwz.net udp
US 8.8.8.8:53 fazfhabzpq.info udp
US 8.8.8.8:53 qyivdl.net udp
US 8.8.8.8:53 ojmudjjzjaxu.info udp
US 8.8.8.8:53 javjpwoegkbc.info udp
US 8.8.8.8:53 acusuqym.com udp
US 8.8.8.8:53 ewouyyek.org udp
US 8.8.8.8:53 mtbwnwkbuc.info udp
US 8.8.8.8:53 pmkpzkckjvqr.net udp
US 8.8.8.8:53 oahzbczz.info udp
US 8.8.8.8:53 yqlalaw.info udp
US 8.8.8.8:53 dqnmpsook.org udp
US 8.8.8.8:53 wellxuagb.net udp
US 8.8.8.8:53 bsxjofye.info udp
US 8.8.8.8:53 fsomzlulxrwz.info udp
US 8.8.8.8:53 sfrqlwcsg.net udp
US 8.8.8.8:53 wxpeyyrsbqz.net udp
US 8.8.8.8:53 llmtynj.com udp
US 8.8.8.8:53 ecszul.net udp
US 8.8.8.8:53 vjwnrutj.info udp
US 8.8.8.8:53 iiywku.com udp
US 8.8.8.8:53 puedry.info udp
US 8.8.8.8:53 dngfrgoifb.info udp
US 8.8.8.8:53 xxhahzprfwqw.info udp
US 8.8.8.8:53 mmmwcejycog.net udp
US 8.8.8.8:53 bicrzc.net udp
N/A 192.168.28.2:445 tcp
US 8.8.8.8:53 huwjxvxnfl.net udp
US 8.8.8.8:53 yqymqm.com udp
US 8.8.8.8:53 siyqvceqj.info udp
US 8.8.8.8:53 dlrcjqvpnkzo.net udp
US 8.8.8.8:53 ourgvo.net udp
US 8.8.8.8:53 kokiqmqoou.com udp
US 8.8.8.8:53 zdfkioe.com udp
US 8.8.8.8:53 zprqlehycmo.net udp
US 8.8.8.8:53 jyknbtfah.com udp
US 8.8.8.8:53 ltmundpr.info udp
US 8.8.8.8:53 ybbwdyx.info udp
US 8.8.8.8:53 awzixgn.net udp
US 8.8.8.8:53 snhrfhtbnnuf.info udp
US 8.8.8.8:53 nwowokqtbgnl.info udp
US 8.8.8.8:53 wucwowkmieme.com udp
US 8.8.8.8:53 efxlkinyt.info udp
US 8.8.8.8:53 baiizeh.com udp
US 8.8.8.8:53 zmpdhstkfdw.org udp
US 8.8.8.8:53 uweqycuwak.org udp
US 8.8.8.8:53 fihanthigbd.net udp
US 8.8.8.8:53 lgyolapflyi.net udp
N/A 192.168.28.2:139 tcp
US 8.8.8.8:53 aaysukyqua.org udp
US 8.8.8.8:53 qvngriouafoz.info udp
US 8.8.8.8:53 lbrulyfyuxtz.net udp
US 8.8.8.8:53 hwzqgmjwpvo.org udp
US 8.8.8.8:53 wglxbeyixsg.info udp
US 8.8.8.8:53 bungmsiqwnt.org udp
US 8.8.8.8:53 leqwbjbs.net udp
US 8.8.8.8:53 cmtpferjx.net udp
US 8.8.8.8:53 gqhmpwnnpxv.net udp
US 8.8.8.8:53 aogobal.info udp
US 8.8.8.8:53 nhwpjsxbjzbj.info udp
US 8.8.8.8:53 rftgfsvkv.info udp
US 8.8.8.8:53 gmysum.org udp
US 8.8.8.8:53 awdtxwiqpqp.info udp
US 8.8.8.8:53 orknjc.net udp
US 8.8.8.8:53 gudechrg.info udp
US 8.8.8.8:53 qoiiswgeag.com udp
US 8.8.8.8:53 sjkbkxjihq.net udp
US 8.8.8.8:53 qetgvlifriyi.info udp
US 8.8.8.8:53 zojarjnadol.net udp
US 8.8.8.8:53 cnfifdr.info udp
US 8.8.8.8:53 esojbeifrcfa.info udp
US 8.8.8.8:53 mkqkgq.org udp
US 8.8.8.8:53 ztqdje.info udp
US 8.8.8.8:53 hctfjyswq.com udp
US 8.8.8.8:53 rbnaasvolkp.net udp
US 8.8.8.8:53 kshulyl.info udp
US 8.8.8.8:53 gkpcqwilto.info udp
US 8.8.8.8:53 kssuqy.org udp
US 8.8.8.8:53 nqldnkf.com udp
US 8.8.8.8:53 tsnohmpsvyf.info udp
US 8.8.8.8:53 wfauslmm.info udp
US 8.8.8.8:53 oniyclvk.info udp
US 8.8.8.8:53 iudcnwtgx.net udp
US 8.8.8.8:53 npaqgz.info udp
US 8.8.8.8:53 psjgnfdmjwx.net udp
US 8.8.8.8:53 wsgrvobrq.net udp
US 8.8.8.8:53 kmeggs.org udp
US 8.8.8.8:53 hnzsaobn.net udp
US 8.8.8.8:53 tcrghsqsf.net udp
US 8.8.8.8:53 wdjgvyhpkmk.info udp
US 8.8.8.8:53 tabgrcxct.info udp
DE 85.214.228.140:80 kavtbvqf.info tcp
US 8.8.8.8:53 eslkglxsoxno.info udp
US 8.8.8.8:53 vouqnb.info udp
US 54.244.188.177:80 sejibalqxar.net tcp
US 8.8.8.8:53 tnayhhovjm.info udp
US 8.8.8.8:53 wcmoeygiyy.com udp
US 8.8.8.8:53 sywsuc.org udp
US 208.100.26.245:80 egksyqv.info tcp
US 8.8.8.8:53 exsexqpiyr.net udp
US 8.8.8.8:53 finkrmqeo.info udp
US 8.8.8.8:53 ljtidgakgux.info udp
US 8.8.8.8:53 pnfmjmvwlcx.org udp
US 8.8.8.8:53 igrpkspefisa.net udp
US 8.8.8.8:53 ptflij.net udp
US 8.8.8.8:53 xynvncmsla.info udp
US 8.8.8.8:53 uyqvxdvprq.net udp
US 8.8.8.8:53 virlvmcu.info udp
US 8.8.8.8:53 wclkqrqe.net udp
US 8.8.8.8:53 kwbylsjlpb.info udp
US 8.8.8.8:53 dijmjtcge.info udp
US 8.8.8.8:53 xdooerpr.info udp
US 8.8.8.8:53 csauikci.org udp
US 8.8.8.8:53 moxwwvno.info udp
US 8.8.8.8:53 vqhclzq.org udp
US 8.8.8.8:53 uylheqvecsf.info udp
US 8.8.8.8:53 uktnphod.net udp
US 8.8.8.8:53 fhimhaxsj.com udp
US 8.8.8.8:53 wguumkkaigou.com udp
US 8.8.8.8:53 vwhcjiw.info udp
US 8.8.8.8:53 thmfhw.info udp
US 8.8.8.8:53 ygtojmicykn.info udp
US 8.8.8.8:53 xerqiiou.net udp
US 8.8.8.8:53 vakgxgz.org udp
US 8.8.8.8:53 islokmhmomj.net udp
US 8.8.8.8:53 rolotstxbgxp.net udp
US 8.8.8.8:53 gaiumgkswc.com udp
US 8.8.8.8:53 hyoavqad.net udp
US 8.8.8.8:53 miokgksskwum.com udp
US 8.8.8.8:53 vjpukxfe.info udp
US 8.8.8.8:53 wwuovmksj.info udp
US 8.8.8.8:53 vwxxpiweubr.net udp
US 8.8.8.8:53 ynwkmyevvcby.info udp
US 8.8.8.8:53 awfidqspp.info udp
US 8.8.8.8:53 havbtylo.net udp
US 8.8.8.8:53 prssjyd.info udp
US 8.8.8.8:53 jzjmhydspt.info udp
US 8.8.8.8:53 gamtbu.net udp
US 8.8.8.8:53 egvhxwm.net udp
US 8.8.8.8:53 cbdiadzf.info udp
US 8.8.8.8:53 buxfgafferff.net udp
US 8.8.8.8:53 jihjxwjzn.info udp
US 8.8.8.8:53 myocswemuq.org udp
US 8.8.8.8:53 yqgdcsw.info udp
US 8.8.8.8:53 aeicmiaaki.org udp
US 8.8.8.8:53 catdtirlxee.net udp
US 8.8.8.8:53 iiesiukoui.com udp
US 8.8.8.8:53 ueomoagk.com udp
US 8.8.8.8:53 gotqpsxeq.net udp
US 8.8.8.8:53 qewsqywq.org udp
US 8.8.8.8:53 frvkvafelo.net udp
US 8.8.8.8:53 ijvjbptwpafc.info udp
US 8.8.8.8:53 vafvnmpv.info udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 akbduq.net udp
US 8.8.8.8:53 ekuedqrcp.info udp
US 8.8.8.8:53 uaqoieb.net udp
US 8.8.8.8:53 fkmqnisgu.com udp
US 8.8.8.8:53 vljgbupsl.net udp
US 8.8.8.8:53 ljjhzdjdfbfd.info udp
US 8.8.8.8:53 fuhkxarm.info udp
US 8.8.8.8:53 vupwesfcv.info udp
US 8.8.8.8:53 gomomqss.org udp
US 8.8.8.8:53 lueqsrwvtk.net udp
US 8.8.8.8:53 dcfcdrd.net udp
US 8.8.8.8:53 qpejngowavjy.info udp
US 8.8.8.8:53 laolfzvnpn.net udp
US 8.8.8.8:53 xyssqix.info udp
US 8.8.8.8:53 xmnfxzroezye.net udp
US 8.8.8.8:53 wshlmolhd.net udp
US 8.8.8.8:53 ajhiqylf.info udp
US 8.8.8.8:53 pywtdsxnbwp.net udp
US 8.8.8.8:53 rtoanuiluc.info udp
US 8.8.8.8:53 qajczzhplm.net udp
US 8.8.8.8:53 eucsmswe.com udp
US 8.8.8.8:53 esdmzqm.info udp
US 8.8.8.8:53 dmbealkee.net udp
US 8.8.8.8:53 rlpyiayvh.org udp
US 8.8.8.8:53 lqmphguwauj.net udp
US 8.8.8.8:53 tlavbwn.info udp
US 8.8.8.8:53 yqiweowi.com udp
US 8.8.8.8:53 nqtmtedff.net udp
US 8.8.8.8:53 skwoieesme.org udp
US 8.8.8.8:53 jafeyelyi.info udp
US 8.8.8.8:53 fszehlnx.net udp
US 8.8.8.8:53 eiofbhzewyz.net udp
US 8.8.8.8:53 lxotro.net udp
US 8.8.8.8:53 bgdbhuhw.net udp
US 8.8.8.8:53 uhhgaqbqfpv.info udp
US 8.8.8.8:53 ywkobfgqoyt.net udp
US 8.8.8.8:53 vfliva.net udp
US 8.8.8.8:53 cpgtichpddon.net udp
US 8.8.8.8:53 qssseuwikcew.org udp
US 8.8.8.8:53 jkdcdyf.com udp
US 8.8.8.8:53 cwexzpctmgvf.net udp
US 8.8.8.8:53 qqkmtf.net udp
US 8.8.8.8:53 njsnxfwdlrml.info udp
US 8.8.8.8:53 eneeaton.info udp
US 8.8.8.8:53 krkbawjsrlf.net udp
US 8.8.8.8:53 amgemu.org udp
US 8.8.8.8:53 mynatmacm.info udp
US 8.8.8.8:53 gfuvwmjpgb.net udp
US 8.8.8.8:53 mneehleczd.net udp
US 8.8.8.8:53 fotrqtwvyx.net udp
US 8.8.8.8:53 oaoyqiiq.org udp
US 8.8.8.8:53 zsqxejydfpnt.info udp
US 8.8.8.8:53 ltvwftzngl.net udp
US 8.8.8.8:53 uqrxza.net udp
US 8.8.8.8:53 woxgrtnoqu.info udp
US 8.8.8.8:53 qudyrmntuow.info udp
US 8.8.8.8:53 gswqsascgeei.com udp
US 8.8.8.8:53 yvhvnbvl.net udp
US 8.8.8.8:53 ildxta.info udp
US 8.8.8.8:53 tafhzl.net udp
US 8.8.8.8:53 tjrwwkdujvu.com udp
US 8.8.8.8:53 uahyhazqex.net udp
US 8.8.8.8:53 usiikeyy.org udp
US 8.8.8.8:53 rmypbgvora.net udp
US 8.8.8.8:53 aunudjnnlfbf.net udp
US 8.8.8.8:53 ncxein.net udp
US 8.8.8.8:53 vasirmd.net udp
US 8.8.8.8:53 lrtlhktcld.info udp
US 8.8.8.8:53 uspavcp.net udp
US 8.8.8.8:53 nofgvankyr.net udp
US 8.8.8.8:53 snfdvrpk.info udp
US 8.8.8.8:53 nqmywwuukg.info udp
US 8.8.8.8:53 hrnujmsfph.net udp
US 8.8.8.8:53 wovorbeylyd.info udp
US 8.8.8.8:53 zebqvcm.org udp
US 8.8.8.8:53 ourepitvklx.info udp
US 8.8.8.8:53 fsczualcjk.info udp
US 8.8.8.8:53 tjjzmh.net udp
US 8.8.8.8:53 eyyoscskuu.org udp
US 8.8.8.8:53 hntzlysgnlj.net udp
US 8.8.8.8:53 myqcoasa.com udp
US 8.8.8.8:53 njxwrxma.info udp
US 8.8.8.8:53 sefswvajalzq.net udp
US 8.8.8.8:53 wfltvxfa.net udp
US 8.8.8.8:53 octpnmfeveb.net udp
US 8.8.8.8:53 iueuuewcygka.com udp
US 8.8.8.8:53 owogfvcic.info udp
US 8.8.8.8:53 zfvenyzb.info udp
US 8.8.8.8:53 ruksvdctcqr.com udp
US 8.8.8.8:53 znwjjxvv.net udp
US 8.8.8.8:53 qygsmaii.org udp
US 8.8.8.8:53 bsrweqh.net udp
US 8.8.8.8:53 fcijoshipnl.net udp
US 8.8.8.8:53 rrtfgazwmr.net udp
US 8.8.8.8:53 tijgzafl.info udp
US 8.8.8.8:53 lfnrjahslur.org udp

Files

C:\Users\Admin\AppData\Local\Temp\edkts.exe


C:\Users\Admin\AppData\Local\vtzhfmtuyzjgnvhsnzpntbzgno.tda


C:\Users\Admin\AppData\Local\wfwpyqiujvqyqjgcifgpgziasetfaiatqmspq.qjs


C:\Program Files (x86)\vtzhfmtuyzjgnvhsnzpntbzgno.tda


C:\Program Files (x86)\vtzhfmtuyzjgnvhsnzpntbzgno.tda


C:\Users\Admin\AppData\Local\vtzhfmtuyzjgnvhsnzpntbzgno.tda


C:\Program Files (x86)\vtzhfmtuyzjgnvhsnzpntbzgno.tda


C:\Program Files (x86)\vtzhfmtuyzjgnvhsnzpntbzgno.tda


C:\Program Files (x86)\vtzhfmtuyzjgnvhsnzpntbzgno.tda


C:\Users\Admin\AppData\Local\vtzhfmtuyzjgnvhsnzpntbzgno.tda
