Malware Analysis Report

2025-06-16 06:55

Sample ID 241104-b8vjjs1bml
Target 8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118
SHA256 b6b2b9e959b52d90742beac4f6b23a72e4c2cb5e802bbb9e7da138098d30cd24
Tags
defense_evasion discovery evasion persistence privilege_escalation trojan
score
10/10

Analysis Overview

Threat Level: Known bad

The file 8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion persistence privilege_escalation trojan

Modifies WinLogon for persistence

UAC bypass

Adds policy Run key to start application

Disables RegEdit via registry modification

Impair Defenses: Safe Mode Boot

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Looks up external IP address via web service

Hijack Execution Flow: Executable Installer File Permissions Weakness

Adds Run key to start application

Checks whether UAC is enabled

Drops autorun.inf file

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

System policy modification

Analysis: static1

Detonation Overview

Reported

2024-11-04 01:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-04 01:49

Reported

2024-11-04 04:10

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bamks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oazkfavhzslnrkizzi.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqfgrcnp = "zmmyuqmzsmgjoihzakx.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bamks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqsgecapkgchoklfiujlz.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqfgrcnp = "yifohatdtkbbduqf.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bamks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmmyuqmzsmgjoihzakx.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqfgrcnp = "maboliftnidhniibdocd.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqfgrcnp = "bqsgecapkgchoklfiujlz.exe" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bamks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maboliftnidhniibdocd.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bamks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqoysmgriastwolba.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqfgrcnp = "bqsgecapkgchoklfiujlz.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqfgrcnp = "oazkfavhzslnrkizzi.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bamks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yifohatdtkbbduqf.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqfgrcnp = "fqoysmgriastwolba.exe" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oqfgrcnp = "fqoysmgriastwolba.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bamks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqoysmgriastwolba.exe" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bamks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oazkfavhzslnrkizzi.exe" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yctwjwjnxi = "bqsgecapkgchoklfiujlz.exe ." C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwpujyntfsfb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmmyuqmzsmgjoihzakx.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiyamyknw = "zmmyuqmzsmgjoihzakx.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yctwjwjnxi = "yifohatdtkbbduqf.exe ." C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tyquiwkpamy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmmyuqmzsmgjoihzakx.exe ." C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "oazkfavhzslnrkizzi.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maboliftnidhniibdocd.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yifohatdtkbbduqf.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqsgecapkgchoklfiujlz.exe ." C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yctwjwjnxi = "maboliftnidhniibdocd.exe ." C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwpujyntfsfb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yifohatdtkbbduqf.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwpujyntfsfb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maboliftnidhniibdocd.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tyquiwkpamy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqoysmgriastwolba.exe ." C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwpujyntfsfb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yifohatdtkbbduqf.exe" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yctwjwjnxi = "zmmyuqmzsmgjoihzakx.exe ." C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "yifohatdtkbbduqf.exe ." C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "fqoysmgriastwolba.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "fqoysmgriastwolba.exe ." C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oazkfavhzslnrkizzi.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiyamyknw = "zmmyuqmzsmgjoihzakx.exe" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tyquiwkpamy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maboliftnidhniibdocd.exe ." C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmmyuqmzsmgjoihzakx.exe" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "bqsgecapkgchoklfiujlz.exe ." C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "maboliftnidhniibdocd.exe ." C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiyamyknw = "maboliftnidhniibdocd.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yctwjwjnxi = "fqoysmgriastwolba.exe ." C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiyamyknw = "bqsgecapkgchoklfiujlz.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tyquiwkpamy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yifohatdtkbbduqf.exe ." C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\maboliftnidhniibdocd.exe ." C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiyamyknw = "maboliftnidhniibdocd.exe" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwpujyntfsfb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fqoysmgriastwolba.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tyquiwkpamy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqsgecapkgchoklfiujlz.exe ." C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiyamyknw = "fqoysmgriastwolba.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tyquiwkpamy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqsgecapkgchoklfiujlz.exe ." C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\yctwjwjnxi = "oazkfavhzslnrkizzi.exe ." C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qwpujyntfsfb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oazkfavhzslnrkizzi.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "bqsgecapkgchoklfiujlz.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "maboliftnidhniibdocd.exe" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "maboliftnidhniibdocd.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zmmyuqmzsmgjoihzakx.exe ." C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yifohatdtkbbduqf.exe ." C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqsgecapkgchoklfiujlz.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "oazkfavhzslnrkizzi.exe ." C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "zmmyuqmzsmgjoihzakx.exe ." C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zaooyis = "fqoysmgriastwolba.exe ." C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tyquiwkpamy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oazkfavhzslnrkizzi.exe ." C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fiyamyknw = "yifohatdtkbbduqf.exe" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mmzyhq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bqsgecapkgchoklfiujlz.exe" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\bqsgecapkgchoklfiujlz.exe C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File opened for modification C:\Windows\SysWOW64\yifohatdtkbbduqf.exe C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File opened for modification C:\Windows\SysWOW64\yifohatdtkbbduqf.exe C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
File opened for modification C:\Windows\SysWOW64\oazkfavhzslnrkizzi.exe C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
File opened for modification C:\Windows\SysWOW64\zmmyuqmzsmgjoihzakx.exe C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
File opened for modification C:\Windows\SysWOW64\bqsgecapkgchoklfiujlz.exe C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
File opened for modification C:\Windows\SysWOW64\zmmyuqmzsmgjoihzakx.exe C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File opened for modification C:\Windows\SysWOW64\oazkfavhzslnrkizzi.exe C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File opened for modification C:\Windows\SysWOW64\maboliftnidhniibdocd.exe C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File opened for modification C:\Windows\SysWOW64\fqoysmgriastwolba.exe C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
File opened for modification C:\Windows\SysWOW64\silazyxnjgdjroqlpcsvkj.exe C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
File created C:\Windows\SysWOW64\qwpujyntfsfbzmepjmslqfujpbobxvialf.ohm C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File opened for modification C:\Windows\SysWOW64\fqoysmgriastwolba.exe C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File opened for modification C:\Windows\SysWOW64\silazyxnjgdjroqlpcsvkj.exe C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File opened for modification C:\Windows\SysWOW64\dygaeimhikmxkmttcupxrvz.yzb C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File created C:\Windows\SysWOW64\dygaeimhikmxkmttcupxrvz.yzb C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File opened for modification C:\Windows\SysWOW64\maboliftnidhniibdocd.exe C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
File opened for modification C:\Windows\SysWOW64\qwpujyntfsfbzmepjmslqfujpbobxvialf.ohm C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\dygaeimhikmxkmttcupxrvz.yzb C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File created C:\Program Files (x86)\dygaeimhikmxkmttcupxrvz.yzb C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File opened for modification C:\Program Files (x86)\qwpujyntfsfbzmepjmslqfujpbobxvialf.ohm C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File created C:\Program Files (x86)\qwpujyntfsfbzmepjmslqfujpbobxvialf.ohm C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\maboliftnidhniibdocd.exe C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File opened for modification C:\Windows\yifohatdtkbbduqf.exe C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
File opened for modification C:\Windows\bqsgecapkgchoklfiujlz.exe C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
File opened for modification C:\Windows\silazyxnjgdjroqlpcsvkj.exe C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File opened for modification C:\Windows\bqsgecapkgchoklfiujlz.exe C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File opened for modification C:\Windows\qwpujyntfsfbzmepjmslqfujpbobxvialf.ohm C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File opened for modification C:\Windows\fqoysmgriastwolba.exe C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
File opened for modification C:\Windows\zmmyuqmzsmgjoihzakx.exe C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
File created C:\Windows\qwpujyntfsfbzmepjmslqfujpbobxvialf.ohm C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File opened for modification C:\Windows\maboliftnidhniibdocd.exe C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
File opened for modification C:\Windows\fqoysmgriastwolba.exe C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File opened for modification C:\Windows\oazkfavhzslnrkizzi.exe C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File opened for modification C:\Windows\silazyxnjgdjroqlpcsvkj.exe C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
File opened for modification C:\Windows\oazkfavhzslnrkizzi.exe C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
File opened for modification C:\Windows\zmmyuqmzsmgjoihzakx.exe C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File opened for modification C:\Windows\yifohatdtkbbduqf.exe C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File created C:\Windows\dygaeimhikmxkmttcupxrvz.yzb C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
File opened for modification C:\Windows\dygaeimhikmxkmttcupxrvz.yzb C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1920 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe
PID 1452 wrote to memory of 4256 N/A C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe
PID 1452 wrote to memory of 2088 N/A C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe
PID 1920 wrote to memory of 1968 N/A C:\Users\Admin\AppData\Local\Temp\8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe

"C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe" "c:\users\admin\appdata\local\temp\8e8d8dd457411eaf96c3e5f1cf646ec5_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe

"C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe" "-C:\Users\Admin\AppData\Local\Temp\yifohatdtkbbduqf.exe"

C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe

"C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe" "-C:\Users\Admin\AppData\Local\Temp\yifohatdtkbbduqf.exe"

C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe

"C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe" "c:\users\admin\appdata\local\temp\8e8d8dd457411eaf96c3e5f1cf646ec5_jaffacakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 xegtgw.net udp
US 8.8.8.8:53 toxuvapx.net udp
US 8.8.8.8:53 vqrheyzex.net udp
US 8.8.8.8:53 quvnbuqhe.net udp
US 8.8.8.8:53 usvglcpczosh.info udp
US 8.8.8.8:53 sydtxituqgi.net udp
BG 77.71.16.138:30711 tcp
US 8.8.8.8:53 lvvadkc.org udp
US 8.8.8.8:53 erjaraq.info udp
US 8.8.8.8:53 wuqnvsfc.info udp
US 8.8.8.8:53 pctsaevsu.info udp
US 8.8.8.8:53 jkegrujevkd.info udp
US 8.8.8.8:53 fofgmkmv.net udp
US 8.8.8.8:53 frzjryvctoy.net udp
US 8.8.8.8:53 kedpnc.info udp
US 8.8.8.8:53 ymkomm.org udp
US 8.8.8.8:53 igkiseequs.org udp
US 8.8.8.8:53 wuyaiqgeqy.com udp
US 8.8.8.8:53 cerjhfvteb.info udp
US 8.8.8.8:53 uhpmrupuasn.net udp
US 8.8.8.8:53 phgxftmiyimk.net udp
US 8.8.8.8:53 ascbvuvgkpmi.net udp
US 8.8.8.8:53 jrzyrcaozcr.org udp
US 8.8.8.8:53 xmejsn.net udp
US 8.8.8.8:53 okhapkd.net udp
US 8.8.8.8:53 eckkgewgcw.com udp
US 8.8.8.8:53 iymgeqcmaeue.org udp
US 8.8.8.8:53 oujjvx.net udp
US 8.8.8.8:53 uzszsobef.info udp
US 8.8.8.8:53 cxlkhikkn.net udp
US 8.8.8.8:53 djjnnxegyrdb.net udp
US 8.8.8.8:53 kmtrnjzqayax.net udp
US 8.8.8.8:53 fqpiujlip.com udp
US 8.8.8.8:53 fakvjfiets.net udp
US 8.8.8.8:53 dolyxmxonvd.com udp
US 8.8.8.8:53 ryxdtsd.net udp
US 8.8.8.8:53 mpnqjigb.info udp
US 8.8.8.8:53 hifehij.net udp
US 8.8.8.8:53 nqvulqocbon.org udp
US 8.8.8.8:53 zluntm.net udp
US 8.8.8.8:53 msfmtzx.info udp
US 8.8.8.8:53 bpfggma.com udp
US 8.8.8.8:53 acjuiyxksux.info udp
US 8.8.8.8:53 ehfstubmz.info udp
US 8.8.8.8:53 ouqoeesiae.org udp
US 8.8.8.8:53 bprejkfznem.info udp
US 8.8.8.8:53 qubqirdevwh.net udp
US 8.8.8.8:53 owfkvav.info udp
US 8.8.8.8:53 qqyiwgwiuq.org udp
US 8.8.8.8:53 yqhezndol.net udp
US 8.8.8.8:53 dojnzcvsnx.info udp
US 8.8.8.8:53 ugeoks.com udp
US 8.8.8.8:53 sknexdv.info udp
US 8.8.8.8:53 jtwogtx.com udp
US 8.8.8.8:53 reewxp.info udp
US 8.8.8.8:53 rsfymwftf.com udp
US 8.8.8.8:53 fmfmlt.info udp
US 8.8.8.8:53 ecyseaugcw.com udp
US 8.8.8.8:53 xerjgqfnqtap.info udp
US 8.8.8.8:53 vycytp.info udp
US 8.8.8.8:53 gqdcpxf.net udp
US 8.8.8.8:53 jfrenmxp.net udp
US 8.8.8.8:53 yarcvvjucsq.info udp
US 8.8.8.8:53 xlpvpm.net udp
US 8.8.8.8:53 mjdqfnmiyj.net udp
US 8.8.8.8:53 iwgkcvacgrbf.info udp
US 8.8.8.8:53 tvvgrdt.info udp
US 8.8.8.8:53 qplanhzstim.net udp
US 8.8.8.8:53 dunolqrmder.net udp
US 8.8.8.8:53 qsymycm.info udp
US 8.8.8.8:53 zehpzyljh.com udp
US 8.8.8.8:53 rwgyakbzhsy.org udp
US 8.8.8.8:53 hhsurs.info udp
US 8.8.8.8:53 dubpppn.org udp
US 8.8.8.8:53 mshzgeikwz.net udp
US 8.8.8.8:53 ajeufitgtoe.info udp
US 8.8.8.8:53 mkcftxy.net udp
US 8.8.8.8:53 qljywekokjqr.info udp
US 8.8.8.8:53 puhqgij.com udp
US 8.8.8.8:53 jkdyhhqbrxvw.net udp
US 8.8.8.8:53 ditynqlth.com udp
US 8.8.8.8:53 oesaeigqwuki.com udp
US 8.8.8.8:53 timyhevd.net udp
US 8.8.8.8:53 xvydueqdgnk.org udp
US 8.8.8.8:53 hhbibsteqcn.info udp
US 8.8.8.8:53 qynpzsyhoj.info udp
US 8.8.8.8:53 mumqpsj.info udp
US 8.8.8.8:53 sgfjuemgbwx.info udp
US 8.8.8.8:53 metnpnh.net udp
US 8.8.8.8:53 qcaequgeic.org udp
US 8.8.8.8:53 jnfdzykbt.org udp
US 8.8.8.8:53 fdjcbspqz.net udp
US 8.8.8.8:53 guzqubh.net udp
US 8.8.8.8:53 dmwxdehfcst.net udp
US 8.8.8.8:53 zvbflq.net udp
US 8.8.8.8:53 slskdgn.net udp
US 8.8.8.8:53 teaacdtqjap.net udp
US 8.8.8.8:53 tyqubpdqnuh.org udp
US 8.8.8.8:53 bcvkhnx.info udp
US 8.8.8.8:53 wmdmaahttsz.net udp
US 8.8.8.8:53 tkghfgfob.org udp
US 8.8.8.8:53 tgezcimdsujg.net udp
US 8.8.8.8:53 zilyrjvuskt.com udp
US 8.8.8.8:53 mdainrbbifun.net udp
US 8.8.8.8:53 juurvqnmpp.net udp
US 8.8.8.8:53 guzhtaa.info udp
US 8.8.8.8:53 hzjclxpbejhd.info udp
US 8.8.8.8:53 ssywwsui.com udp
US 8.8.8.8:53 hllqrgvanbf.org udp
US 8.8.8.8:53 xgjjsggrrkxb.net udp
US 8.8.8.8:53 kcpgxb.info udp
US 8.8.8.8:53 pkwxpl.net udp
US 8.8.8.8:53 mmdmxymcmr.info udp
US 8.8.8.8:53 aewknyxgpqu.net udp
US 8.8.8.8:53 zozgcobcaq.net udp
US 8.8.8.8:53 tksyyev.info udp
US 8.8.8.8:53 nuyqhm.net udp
US 8.8.8.8:53 xqltjcj.com udp
US 8.8.8.8:53 hjjakml.com udp
US 8.8.8.8:53 niompldgvdq.info udp
US 8.8.8.8:53 pntkebfrddv.org udp
US 8.8.8.8:53 mvrlhhspnj.info udp
US 8.8.8.8:53 syndjvyqs.net udp
US 8.8.8.8:53 joeutivqlgl.org udp
US 8.8.8.8:53 pubdtrzkyif.com udp
US 8.8.8.8:53 ngpgccpqya.net udp
US 8.8.8.8:53 zerfia.info udp
US 8.8.8.8:53 zvrujdej.net udp
US 8.8.8.8:53 scxinem.info udp
US 8.8.8.8:53 zitaawsahxtz.net udp
US 8.8.8.8:53 zdnpdktlco.info udp
US 8.8.8.8:53 rxhxfw.net udp
US 8.8.8.8:53 yeukuk.com udp
US 8.8.8.8:53 fxvojez.com udp
US 8.8.8.8:53 gktkrk.net udp
HK 156.244.121.142:80 gktkrk.net tcp
GB 89.116.101.9:45613 tcp
US 8.8.8.8:53 uhhireljv.info udp
US 8.8.8.8:53 qckkwe.com udp
US 8.8.8.8:53 zkykjxrhzafp.net udp
US 8.8.8.8:53 cuhgslo.net udp
US 8.8.8.8:53 bfvzpptceko.com udp
US 8.8.8.8:53 ctdbtypyi.info udp
US 8.8.8.8:53 qswswwoycc.org udp
US 8.8.8.8:53 mexsbsbhjgq.info udp
US 8.8.8.8:53 jmdmtub.info udp
US 8.8.8.8:53 xocwpj.net udp
US 8.8.8.8:53 xyaspkq.org udp
US 8.8.8.8:53 yxlppdfp.net udp
US 8.8.8.8:53 uvcodihahbp.net udp
US 8.8.8.8:53 uysuiuqaycwy.org udp
US 8.8.8.8:53 lnvwoqghfcz.info udp
US 8.8.8.8:53 tismdach.info udp
US 8.8.8.8:53 pcmstpku.info udp
US 8.8.8.8:53 fulkophhwa.info udp
US 8.8.8.8:53 pdofzkk.com udp
US 8.8.8.8:53 hlqltge.net udp
US 8.8.8.8:53 kmbsmklhlo.info udp
US 8.8.8.8:53 duxjsit.com udp
US 8.8.8.8:53 uuueieukoagm.com udp
US 8.8.8.8:53 142.121.244.156.in-addr.arpa udp
US 8.8.8.8:53 cuiqskkecewa.org udp
US 8.8.8.8:53 vlsqekixshcp.net udp
US 8.8.8.8:53 xufgdjjl.info udp
US 8.8.8.8:53 muhrxvkmz.info udp
US 8.8.8.8:53 oskwykgwkkmo.org udp
US 8.8.8.8:53 xohwxxafqrta.info udp
US 8.8.8.8:53 iwwmiiga.org udp
US 8.8.8.8:53 dsfbefnpvdij.info udp
US 8.8.8.8:53 ycjnwotyn.net udp
US 8.8.8.8:53 jgzbxllqdecg.net udp
US 8.8.8.8:53 kshhluzk.net udp
US 8.8.8.8:53 brbieci.net udp
US 8.8.8.8:53 asecuyemymyi.org udp
US 8.8.8.8:53 kzugkyh.info udp
US 8.8.8.8:53 ndqlju.info udp
US 8.8.8.8:53 iydedutix.net udp
US 8.8.8.8:53 ucmkoy.org udp
US 8.8.8.8:53 yqiyuo.org udp
US 8.8.8.8:53 zmrarczuld.net udp
US 8.8.8.8:53 gkhevhjp.info udp
US 8.8.8.8:53 kgxtxpykvw.info udp
US 8.8.8.8:53 wkqsuksa.com udp
US 8.8.8.8:53 fnqcwe.info udp
US 8.8.8.8:53 uwioiygqoi.org udp
US 8.8.8.8:53 lzggxgeon.org udp
US 8.8.8.8:53 dwpkzhv.com udp
US 8.8.8.8:53 nptrubve.info udp
US 8.8.8.8:53 ewgucgkw.com udp
US 8.8.8.8:53 tixwdlqmrrs.com udp
US 8.8.8.8:53 rltwexojzn.net udp
US 8.8.8.8:53 dghirhnfajwp.net udp
US 8.8.8.8:53 cammok.org udp
US 8.8.8.8:53 xyknowh.net udp
US 8.8.8.8:53 aeyeygaysmaw.com udp
US 8.8.8.8:53 dayucgzmwkv.net udp
US 8.8.8.8:53 qifnppqjswa.info udp
US 8.8.8.8:53 fymdmebkrt.info udp
US 8.8.8.8:53 yzfrncfgc.info udp
US 8.8.8.8:53 scciekyi.org udp
US 8.8.8.8:53 vsfweif.info udp
US 8.8.8.8:53 azimre.info udp
US 8.8.8.8:53 nfgwdmdyi.info udp
US 8.8.8.8:53 acosua.com udp
US 8.8.8.8:53 wuybayvsmwt.info udp
US 8.8.8.8:53 gofsrfhjzxdl.net udp
US 8.8.8.8:53 urcuvtrvmrsh.info udp
US 8.8.8.8:53 gclflneiu.net udp
US 8.8.8.8:53 zzyakmiatsdd.net udp
US 8.8.8.8:53 qisakqeiecqu.org udp
US 8.8.8.8:53 xxdddqp.net udp
US 8.8.8.8:53 zgnsodxksa.info udp
US 8.8.8.8:53 rfxtnv.net udp
US 8.8.8.8:53 aajultxoq.info udp
US 8.8.8.8:53 iggcfwpytwa.net udp
US 8.8.8.8:53 wvvpdnviqbr.info udp
US 8.8.8.8:53 wkgcyasasy.com udp
US 8.8.8.8:53 tuaxjj.net udp
US 8.8.8.8:53 nxvccohqni.net udp
US 8.8.8.8:53 dnffyhkf.net udp
US 8.8.8.8:53 dbtymsgtno.info udp
US 8.8.8.8:53 nydkabxcr.com udp
US 8.8.8.8:53 mokmcwyoawaa.com udp
US 8.8.8.8:53 asuoww.com udp
US 8.8.8.8:53 hdaukbcmhi.info udp
US 8.8.8.8:53 emouxorlte.net udp
US 8.8.8.8:53 awaieu.com udp
US 8.8.8.8:53 nrfirwn.com udp
US 8.8.8.8:53 oyqivyzel.info udp
US 8.8.8.8:53 ushkxbyxdgg.net udp
US 8.8.8.8:53 wwikekf.info udp
US 8.8.8.8:53 istshedof.info udp
US 8.8.8.8:53 vuvxhzoraw.info udp
US 8.8.8.8:53 jalkbr.info udp
US 8.8.8.8:53 bonehnrstljv.info udp
US 8.8.8.8:53 istmbnpgbal.info udp
US 8.8.8.8:53 ccfhrkclkf.net udp
US 8.8.8.8:53 cxffzmlflm.info udp
US 8.8.8.8:53 ssjyzivargf.info udp
US 8.8.8.8:53 qsvfnqlmnyp.info udp
US 8.8.8.8:53 wakgxtzc.net udp
US 8.8.8.8:53 iokgeoyqkiia.org udp
US 8.8.8.8:53 yinrzik.net udp
US 8.8.8.8:53 maltyz.net udp
US 8.8.8.8:53 uanpdav.net udp
US 8.8.8.8:53 zgnqtmtkv.info udp
US 8.8.8.8:53 uktwxdlsj.info udp
US 8.8.8.8:53 pepnfeegluf.info udp
US 8.8.8.8:53 nypamyjbjw.info udp
US 8.8.8.8:53 usztsauxtyh.net udp
US 8.8.8.8:53 ntdcrcfszsx.com udp
US 8.8.8.8:53 dzxhxuy.net udp
US 8.8.8.8:53 cqtwskhmu.net udp
US 8.8.8.8:53 zpdzlruk.info udp
US 8.8.8.8:53 bktpfwsl.net udp
US 8.8.8.8:53 qmqipjp.info udp
US 8.8.8.8:53 gkyeieqq.com udp
US 8.8.8.8:53 wkhyvwxnikc.info udp
US 8.8.8.8:53 uerbwwbfwr.net udp
US 8.8.8.8:53 rzskrijhptkd.info udp
US 8.8.8.8:53 syyaqwugyuys.org udp
US 8.8.8.8:53 drjwdgjed.info udp
US 8.8.8.8:53 uupetlqtlq.info udp
US 8.8.8.8:53 meaocm.org udp
US 8.8.8.8:53 ceuhzwneubbq.net udp
US 8.8.8.8:53 yeseee.com udp
HK 156.237.207.232:80 yeseee.com tcp
US 8.8.8.8:53 aeecseyu.org udp
US 8.8.8.8:53 yarmphvupzqy.info udp
LT 88.222.145.117:40213 tcp
US 8.8.8.8:53 xgtduz.info udp
US 8.8.8.8:53 rhpvbghin.org udp
US 8.8.8.8:53 jupejihn.info udp
US 8.8.8.8:53 cthmumbav.net udp
US 8.8.8.8:53 dptriplgppqi.net udp
US 8.8.8.8:53 bzgaawwmgr.info udp
US 8.8.8.8:53 nybltwljfa.info udp
US 8.8.8.8:53 xbpgnqb.org udp
US 8.8.8.8:53 uuwdgvd.net udp
US 8.8.8.8:53 oybijmw.info udp
US 8.8.8.8:53 xmtxzsvwpmh.info udp
US 8.8.8.8:53 taxsnux.com udp
US 8.8.8.8:53 jbrareb.org udp
US 8.8.8.8:53 232.207.237.156.in-addr.arpa udp
US 8.8.8.8:53 cmngfobehch.info udp
US 8.8.8.8:53 dkkcdd.net udp
US 8.8.8.8:53 gvrguoprn.info udp
US 8.8.8.8:53 iqpwmks.net udp
US 8.8.8.8:53 vkqcrwpvliw.org udp
US 8.8.8.8:53 iwlpzasaqq.net udp
US 8.8.8.8:53 bakfznqyjrsl.net udp
US 8.8.8.8:53 swnhquq.info udp
US 8.8.8.8:53 vpliiujwmqd.net udp
US 8.8.8.8:53 tsxauoqgjzf.net udp
US 8.8.8.8:53 uupyyufruex.info udp
US 8.8.8.8:53 mazmxoi.net udp
US 8.8.8.8:53 nusnxezpzkdu.net udp
US 8.8.8.8:53 beklnku.com udp
US 8.8.8.8:53 bghtvymy.net udp
US 8.8.8.8:53 eayyqoqqouig.com udp
US 8.8.8.8:53 nicxrmrxya.net udp
US 8.8.8.8:53 rbrrvtddzotj.info udp
US 8.8.8.8:53 bnkzvy.info udp
US 8.8.8.8:53 qmvygc.net udp
US 8.8.8.8:53 dewtra.net udp
US 8.8.8.8:53 zvcufbuav.info udp
US 8.8.8.8:53 cqaikgawsc.org udp
US 8.8.8.8:53 vdinsezipu.net udp
US 8.8.8.8:53 yuqcyygeck.org udp
US 8.8.8.8:53 gqmcyw.com udp
US 8.8.8.8:53 sglmhyxkd.info udp
US 8.8.8.8:53 rvmonfphd.org udp
US 8.8.8.8:53 wisyekoi.org udp
US 8.8.8.8:53 snnmznnzepnp.info udp
US 8.8.8.8:53 mfxmirp.net udp
US 8.8.8.8:53 jlxjhjvb.net udp
US 8.8.8.8:53 dnhpfyzwlkln.net udp
US 8.8.8.8:53 obkbuajsbddu.net udp
US 8.8.8.8:53 bcksphj.net udp
US 8.8.8.8:53 prpbjuyelick.info udp
US 8.8.8.8:53 kblemvt.net udp
US 8.8.8.8:53 zwdqyej.info udp
US 8.8.8.8:53 xanwqkg.info udp
US 8.8.8.8:53 binayqzmn.info udp
US 8.8.8.8:53 ckzmhe.net udp
US 8.8.8.8:53 ayemumkeys.org udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 asgttdjqux.info udp
US 8.8.8.8:53 vppxof.net udp
US 8.8.8.8:53 zrcibwtpoer.info udp
US 8.8.8.8:53 fofcgchur.net udp
US 8.8.8.8:53 jsakoyhilhm.net udp
US 8.8.8.8:53 dzxuzlujtv.net udp
US 8.8.8.8:53 uphxqtbb.net udp
US 8.8.8.8:53 apdqzazgabc.net udp
US 8.8.8.8:53 vnliyftihhx.info udp
US 8.8.8.8:53 icaijmduf.net udp
US 8.8.8.8:53 czlmpgkaosoz.net udp
US 8.8.8.8:53 scswom.com udp
US 8.8.8.8:53 xbksrjpkjmd.info udp
US 8.8.8.8:53 uczpngw.info udp
US 8.8.8.8:53 xsofzoznkq.info udp
US 8.8.8.8:53 muqekogm.org udp
US 8.8.8.8:53 wenwbipos.info udp
US 8.8.8.8:53 cfwjbujktq.info udp
US 8.8.8.8:53 patdhmamvsr.info udp
US 8.8.8.8:53 tcvzmrpxvtuc.info udp
US 8.8.8.8:53 gkspoijdzjfz.info udp
US 8.8.8.8:53 secsckss.org udp
US 8.8.8.8:53 stfhbwifvy.info udp
US 8.8.8.8:53 gvlwemjtdqp.info udp
US 8.8.8.8:53 dhfuawbmlx.net udp
US 8.8.8.8:53 fgyojpnggd.info udp
US 8.8.8.8:53 xhhmbwwa.info udp
US 8.8.8.8:53 wimkatn.net udp
US 8.8.8.8:53 ggcwrov.info udp
US 8.8.8.8:53 efdlohhy.info udp
US 8.8.8.8:53 mwiyyuwceouq.com udp
US 8.8.8.8:53 ywfuybm.info udp
US 8.8.8.8:53 pvauutznnmts.net udp
US 8.8.8.8:53 znrwknnzxrjh.info udp
US 8.8.8.8:53 zitiqkxzo.info udp
US 8.8.8.8:53 rkdqxahvk.com udp
US 8.8.8.8:53 bcnfahqmravu.net udp
US 8.8.8.8:53 pmvwlcgtpsd.com udp
US 8.8.8.8:53 kvwxvb.net udp
US 8.8.8.8:53 ixbajeahxdwv.info udp
US 8.8.8.8:53 oppxcmj.info udp
US 8.8.8.8:53 bgdqgf.net udp
US 8.8.8.8:53 fmwcpwok.net udp
US 8.8.8.8:53 gibofqrqsmz.info udp
US 8.8.8.8:53 uhsxmkbsra.net udp
US 8.8.8.8:53 dqhiohizmsxx.net udp
US 8.8.8.8:53 qfykzed.info udp
US 8.8.8.8:53 cgkcui.org udp
US 8.8.8.8:53 dkuhttdv.net udp
US 8.8.8.8:53 gszsphni.info udp
US 8.8.8.8:53 lywfpqyw.net udp
US 8.8.8.8:53 ycxvrvto.info udp
US 8.8.8.8:53 vugapghkq.net udp
US 8.8.8.8:53 hzjbnnkzoqux.net udp
US 8.8.8.8:53 wkwgrahwlpkc.info udp
US 8.8.8.8:53 zzxqxwhd.net udp
US 8.8.8.8:53 vwhuipt.info udp
US 8.8.8.8:53 bcylgke.info udp
US 8.8.8.8:53 ciwemwysqqgg.org udp
US 8.8.8.8:53 eqwkxorsw.net udp
US 8.8.8.8:53 mumqawqwma.org udp
US 8.8.8.8:53 jqlalend.info udp
US 8.8.8.8:53 amvbrfhisy.info udp
US 8.8.8.8:53 uksjhmkkqk.net udp
US 8.8.8.8:53 sqoiuikkcgkg.com udp
US 8.8.8.8:53 petxyw.info udp
US 8.8.8.8:53 htrttwqkj.org udp
US 8.8.8.8:53 sbablr.net udp
US 8.8.8.8:53 ayubix.net udp
US 8.8.8.8:53 talwpvcyzu.info udp
US 8.8.8.8:53 lsrgrotffyl.info udp
US 8.8.8.8:53 aubgzylblcd.info udp
US 8.8.8.8:53 rlogjsm.info udp
US 8.8.8.8:53 bvrcqwsoxwp.org udp
US 8.8.8.8:53 xyzjjqgqwzyb.info udp
US 8.8.8.8:53 uacoqg.org udp
US 8.8.8.8:53 lvldjuz.info udp
US 8.8.8.8:53 htluvwdedqj.net udp
LT 78.60.212.169:13548 tcp
US 8.8.8.8:53 khrruuls.net udp
US 8.8.8.8:53 uagwflmr.info udp
US 8.8.8.8:53 haprfabjrusx.net udp
US 8.8.8.8:53 oszktctlpjts.info udp
US 8.8.8.8:53 rcrcrbxww.net udp
US 8.8.8.8:53 rmjjigfs.net udp
US 8.8.8.8:53 qjggrtqdjp.net udp
US 8.8.8.8:53 egmqqmqwgy.org udp
US 8.8.8.8:53 ostfvi.info udp
US 8.8.8.8:53 whoefvasqbju.info udp
US 8.8.8.8:53 ocmwkuug.com udp
US 8.8.8.8:53 vnpctoz.info udp
US 8.8.8.8:53 nwbwekr.com udp
US 8.8.8.8:53 dbhzrynuehwz.info udp
US 8.8.8.8:53 cypapqnhvag.info udp
US 8.8.8.8:53 mlfcdejcu.net udp
US 8.8.8.8:53 szemvhix.net udp
US 8.8.8.8:53 nsvpprmkdjil.info udp
US 8.8.8.8:53 ndvenixqpoi.org udp
US 8.8.8.8:53 jgbqzufyr.net udp
US 8.8.8.8:53 ptbxyixaqem.info udp
US 8.8.8.8:53 jjujha.info udp
US 8.8.8.8:53 kastemrs.net udp
US 8.8.8.8:53 kxtshb.info udp
US 8.8.8.8:53 xefdxc.net udp
US 8.8.8.8:53 dwsikogj.info udp
US 8.8.8.8:53 xjcfda.info udp
US 8.8.8.8:53 xsedpl.net udp
US 8.8.8.8:53 eunaqlbjnntx.net udp
US 8.8.8.8:53 xgnijggfclh.com udp
US 8.8.8.8:53 goaabnunvu.net udp
US 8.8.8.8:53 zqvcvyxmhap.com udp
US 8.8.8.8:53 xykijz.info udp
US 8.8.8.8:53 fqiyvdbd.net udp
US 8.8.8.8:53 lyssmcrmzbt.info udp
US 8.8.8.8:53 qudcskmtgv.net udp
US 8.8.8.8:53 unqeconkkck.net udp
US 8.8.8.8:53 cosnjshcp.info udp
US 8.8.8.8:53 wsyqzjzsjih.info udp
US 8.8.8.8:53 fcxrfneuzoe.net udp
US 8.8.8.8:53 iefklejecnp.net udp
US 8.8.8.8:53 unpeic.info udp
US 8.8.8.8:53 iuecpck.info udp
US 8.8.8.8:53 jodbfhvn.info udp
US 8.8.8.8:53 nmlgrwfkuijs.net udp
US 8.8.8.8:53 eegciwieiuqq.com udp
US 8.8.8.8:53 xkdopy.net udp
US 8.8.8.8:53 eqzvzdsmom.net udp
US 8.8.8.8:53 oyyeas.org udp
US 8.8.8.8:53 vairzyznr.net udp
US 8.8.8.8:53 hfgkacxqinla.net udp
US 8.8.8.8:53 iinmbipgfqt.info udp
US 8.8.8.8:53 miowkk.com udp
US 8.8.8.8:53 huvkpee.net udp
US 8.8.8.8:53 fsnzoy.net udp
US 8.8.8.8:53 mxvvcalsljs.net udp
US 8.8.8.8:53 iusiogeeos.org udp
US 8.8.8.8:53 wkvytsvxjf.info udp
US 8.8.8.8:53 riviuaiqduu.info udp
US 8.8.8.8:53 lrowcjkt.net udp
US 8.8.8.8:53 haromy.net udp
US 8.8.8.8:53 ubjsthoidv.info udp
US 8.8.8.8:53 rqtuscv.com udp
US 8.8.8.8:53 topxsiki.net udp
US 8.8.8.8:53 rakdvp.net udp
US 8.8.8.8:53 rctecqj.info udp
US 8.8.8.8:53 tinyjzn.net udp
US 8.8.8.8:53 fjswfmxs.net udp
US 8.8.8.8:53 pwhjteldkqxk.info udp
US 8.8.8.8:53 yciaiwb.net udp
US 8.8.8.8:53 vanjpyu.com udp
US 8.8.8.8:53 zcjinora.info udp
US 8.8.8.8:53 oklwmhsexc.net udp
US 8.8.8.8:53 itdpty.info udp
US 8.8.8.8:53 eqbknchkt.info udp
US 8.8.8.8:53 ugdmtph.net udp
US 8.8.8.8:53 gkmwjoeseqh.net udp
US 8.8.8.8:53 udrmzqjtq.net udp
US 8.8.8.8:53 ygaueoxtiwt.net udp
US 8.8.8.8:53 ywbmxtjsfezl.info udp
US 8.8.8.8:53 hwuswwkejph.info udp
US 8.8.8.8:53 mtufshmchfis.net udp
US 8.8.8.8:53 oourkpfpxx.info udp
US 8.8.8.8:53 xcjoaismx.org udp
US 8.8.8.8:53 akbhbbj.net udp
US 8.8.8.8:53 krbgpwc.net udp
US 8.8.8.8:53 eaouwg.org udp
US 8.8.8.8:53 exavicrgjv.net udp
US 8.8.8.8:53 oqqiwi.org udp
US 8.8.8.8:53 ygaayqgs.com udp
US 8.8.8.8:53 jsdukwmyoam.org udp
US 8.8.8.8:53 mwmomxnujgyg.net udp
US 8.8.8.8:53 osiukecg.org udp
US 8.8.8.8:53 rwvatwp.org udp
US 8.8.8.8:53 dqdgwgvkvvy.org udp
US 8.8.8.8:53 edsmtgyw.net udp
US 8.8.8.8:53 qunsptr.net udp
US 8.8.8.8:53 rqdmvohgkwm.org udp
US 8.8.8.8:53 upzuxuvucjk.net udp
US 8.8.8.8:53 ssmxzo.info udp
US 8.8.8.8:53 jenulrvkb.net udp
US 8.8.8.8:53 ccqcmhpuqtd.info udp
US 8.8.8.8:53 kemsjcz.net udp
US 8.8.8.8:53 xqdlhxfsjrir.net udp
US 8.8.8.8:53 tboyrtniuyn.net udp
US 8.8.8.8:53 ggasci.com udp
US 8.8.8.8:53 rxgkikqf.net udp
US 8.8.8.8:53 macuaiyeuqqe.org udp
US 8.8.8.8:53 auzwwim.info udp
US 8.8.8.8:53 luusrqjkdey.com udp
US 8.8.8.8:53 nkfyqzd.org udp
US 8.8.8.8:53 iqjkiytxpcb.net udp
US 8.8.8.8:53 ytzyzhxrzs.info udp
US 8.8.8.8:53 ieholmils.net udp
US 8.8.8.8:53 qynatqek.net udp
US 8.8.8.8:53 mwycqayuwe.com udp
US 8.8.8.8:53 eiggmwpbpjnd.info udp
US 8.8.8.8:53 wrbsnlazv.net udp
US 8.8.8.8:53 oupski.net udp
US 8.8.8.8:53 pwxqqupgjin.net udp
US 8.8.8.8:53 fvljsbupim.net udp
US 8.8.8.8:53 giiauw.info udp
US 8.8.8.8:53 jdywje.net udp
US 8.8.8.8:53 skeslejeaah.net udp
US 8.8.8.8:53 yuamcsuooiik.com udp
US 8.8.8.8:53 atpsjmvhsmb.net udp
US 8.8.8.8:53 rcatzr.net udp
US 8.8.8.8:53 djzqlh.info udp
US 8.8.8.8:53 hcrtuez.org udp
US 8.8.8.8:53 uhrpfkam.net udp
US 8.8.8.8:53 egzunqk.info udp
US 8.8.8.8:53 hmzuogpis.info udp
US 8.8.8.8:53 jctcjcnqd.org udp
US 8.8.8.8:53 myhmvomcc.info udp
US 8.8.8.8:53 rjufna.info udp
US 8.8.8.8:53 dewgvrjsbws.org udp
US 8.8.8.8:53 soecksuukeqw.org udp
US 8.8.8.8:53 adgifnnyp.net udp
US 8.8.8.8:53 sjwcqzzu.info udp
US 8.8.8.8:53 cgkakoog.org udp
US 8.8.8.8:53 khhklxsj.net udp
US 8.8.8.8:53 eazerazey.net udp
US 8.8.8.8:53 kimkquamak.org udp
US 8.8.8.8:53 dibhvcd.net udp
US 8.8.8.8:53 bogepgnd.net udp
BG 109.199.138.63:35651 tcp
US 8.8.8.8:53 nmsbjz.info udp
US 8.8.8.8:53 cydnzcjqzgl.net udp
US 8.8.8.8:53 bmycuy.info udp
US 8.8.8.8:53 sufbwf.net udp
US 8.8.8.8:53 vhveha.info udp
US 8.8.8.8:53 rqvfriatlxjf.net udp
US 8.8.8.8:53 xurbnsm.com udp
US 8.8.8.8:53 uodknlj.net udp
US 8.8.8.8:53 zdughyxizk.net udp
US 8.8.8.8:53 sqqumgekumeo.org udp
US 8.8.8.8:53 amscyqguqu.org udp
US 8.8.8.8:53 medadkkyv.net udp
US 8.8.8.8:53 qxbczpcohl.net udp
US 8.8.8.8:53 meumgzpu.info udp
US 8.8.8.8:53 fvpeuobkktfb.net udp
US 8.8.8.8:53 sigquupenj.net udp
US 8.8.8.8:53 gwqkqa.org udp
US 8.8.8.8:53 euuosyia.org udp
US 8.8.8.8:53 jorxjhdvfeym.info udp
US 8.8.8.8:53 fshhtxpue.org udp
US 8.8.8.8:53 meajisaiz.net udp
US 8.8.8.8:53 rkmjxtigtca.com udp
US 8.8.8.8:53 qywguyugeees.com udp
US 8.8.8.8:53 okxafppsld.net udp
US 8.8.8.8:53 lytuefatnbnu.net udp
US 8.8.8.8:53 kzduhntwmafs.info udp
US 8.8.8.8:53 xauefwr.info udp
US 8.8.8.8:53 erfjsttclx.net udp
US 8.8.8.8:53 lnnvbcdyf.com udp
US 8.8.8.8:53 pzzhln.net udp
US 8.8.8.8:53 vylknimffsb.org udp
US 8.8.8.8:53 nttbndx.net udp
US 8.8.8.8:53 wggqsyyuwq.org udp
US 8.8.8.8:53 jmbupatrt.net udp
US 8.8.8.8:53 nqovxbzezd.net udp
US 8.8.8.8:53 javjpwoegkbc.info udp
US 8.8.8.8:53 zsvvkxvi.info udp
US 8.8.8.8:53 rojwzffvsi.info udp
US 8.8.8.8:53 oahzbczz.info udp
US 8.8.8.8:53 snksihzmpvot.info udp
US 8.8.8.8:53 bsxjofye.info udp
US 8.8.8.8:53 fjqapxnskek.com udp
US 8.8.8.8:53 muwassaasg.com udp
US 8.8.8.8:53 oeuyxonktff.info udp
US 8.8.8.8:53 llmtynj.com udp
US 8.8.8.8:53 pthooogkklgc.net udp
US 8.8.8.8:53 fskxdhbf.info udp
US 8.8.8.8:53 unsnbu.net udp
US 8.8.8.8:53 oqemuukg.com udp
US 8.8.8.8:53 gestcigcjqo.net udp
US 8.8.8.8:53 dngfrgoifb.info udp
US 8.8.8.8:53 smvgvexsryy.net udp
US 8.8.8.8:53 gpdwfcvwqqt.net udp
US 8.8.8.8:53 osikuiuyuy.com udp
US 8.8.8.8:53 umkooyusqi.com udp
US 8.8.8.8:53 siyqvceqj.info udp
US 8.8.8.8:53 sewcocqe.org udp
US 8.8.8.8:53 iyecsugicu.com udp
US 8.8.8.8:53 ltmundpr.info udp
US 8.8.8.8:53 imqqjqcndyl.info udp
US 8.8.8.8:53 iusdldvq.info udp
US 8.8.8.8:53 uozhkftddcp.net udp
US 8.8.8.8:53 baiizeh.com udp
US 8.8.8.8:53 hurocdunscxh.net udp
US 8.8.8.8:53 neyqyhnvxylj.info udp
US 8.8.8.8:53 wglxbeyixsg.info udp
US 8.8.8.8:53 eizctcsqv.info udp
US 8.8.8.8:53 tjgkvcxgez.net udp
US 8.8.8.8:53 vhecdzzdfj.info udp
US 8.8.8.8:53 leqwbjbs.net udp
US 8.8.8.8:53 pinxnd.info udp
US 8.8.8.8:53 aogobal.info udp
US 8.8.8.8:53 yrnhih.net udp
US 8.8.8.8:53 gndmoqgzms.net udp
US 8.8.8.8:53 qfgthkb.info udp
US 8.8.8.8:53 gudechrg.info udp
US 8.8.8.8:53 cclwysb.net udp
US 8.8.8.8:53 egwzmexpemvl.info udp
US 8.8.8.8:53 ntthxe.net udp
US 8.8.8.8:53 ztqdje.info udp
US 8.8.8.8:53 mmmagd.info udp
US 8.8.8.8:53 nqldnkf.com udp
US 8.8.8.8:53 uecmddncual.net udp
US 8.8.8.8:53 iwwmuoakem.com udp
US 8.8.8.8:53 icekegiksg.org udp
US 8.8.8.8:53 psjgnfdmjwx.net udp
US 8.8.8.8:53 kwtdqoeixpno.net udp
US 8.8.8.8:53 berczsf.info udp
US 8.8.8.8:53 zvtznvac.net udp
US 8.8.8.8:53 uiwietxwrhcy.info udp
US 8.8.8.8:53 vmvafgn.org udp
US 8.8.8.8:53 yfvenmhkkcm.info udp
US 8.8.8.8:53 xtccfwsulsde.info udp
DE 85.214.228.140:80 kavtbvqf.info tcp
US 8.8.8.8:53 tenaqcakluy.com udp
US 54.244.188.177:80 sejibalqxar.net tcp
US 8.8.8.8:53 dshgjgtat.info udp
US 8.8.8.8:53 uoridip.net udp
US 208.100.26.245:80 egksyqv.info tcp
US 8.8.8.8:53 hgokjvawhkv.net udp
US 8.8.8.8:53 fxxhvedq.info udp
US 8.8.8.8:53 xlcpdyodnw.info udp
US 8.8.8.8:53 hqocflgevk.info udp
US 8.8.8.8:53 ctbzik.net udp
US 8.8.8.8:53 ecgosoki.org udp
US 8.8.8.8:53 aqiisqco.com udp
US 8.8.8.8:53 nwxohgp.org udp
US 8.8.8.8:53 qyfweutwbky.info udp
US 8.8.8.8:53 wclkqrqe.net udp
US 8.8.8.8:53 uyjytes.net udp
US 8.8.8.8:53 kjujyvxu.info udp
US 8.8.8.8:53 fcdcntrsngsb.net udp
US 8.8.8.8:53 lvktngsvyjim.net udp
US 8.8.8.8:53 kylywvwynlnd.info udp
US 8.8.8.8:53 xerqiiou.net udp
US 8.8.8.8:53 qchbdojgp.info udp
US 8.8.8.8:53 miokgksskwum.com udp
US 8.8.8.8:53 zwgfehzxdh.info udp
US 8.8.8.8:53 jrqstcnvak.info udp
US 8.8.8.8:53 imauaqqi.com udp
US 8.8.8.8:53 kcikociw.com udp
US 8.8.8.8:53 fukkllhamqd.info udp
US 8.8.8.8:53 twjqoibxeu.net udp
US 8.8.8.8:53 havbtylo.net udp
US 8.8.8.8:53 ccdijlo.net udp
US 8.8.8.8:53 ukuoygqkaoeu.org udp
US 8.8.8.8:53 okwicocu.com udp
US 8.8.8.8:53 ioyhxid.net udp
US 8.8.8.8:53 xkmyyoncc.net udp
US 8.8.8.8:53 neesbvxitkx.info udp
US 8.8.8.8:53 xscfjj.info udp
US 8.8.8.8:53 catdtirlxee.net udp
US 8.8.8.8:53 lkooqxfoo.info udp
US 8.8.8.8:53 zdauljodbipa.info udp
US 8.8.8.8:53 gotqpsxeq.net udp
US 8.8.8.8:53 ekuedqrcp.info udp
US 8.8.8.8:53 uzsypdyp.info udp
US 8.8.8.8:53 bbziyafywct.net udp
US 8.8.8.8:53 acnglnjfiwf.net udp
US 8.8.8.8:53 gkouokkg.com udp
US 8.8.8.8:53 vljgbupsl.net udp
US 8.8.8.8:53 sooceomsek.com udp
US 8.8.8.8:53 fxsxxr.net udp
US 8.8.8.8:53 dzrlgmvhljzb.info udp
US 8.8.8.8:53 qpejngowavjy.info udp
US 8.8.8.8:53 nulqril.net udp
US 8.8.8.8:53 ilbwsfzmptj.net udp
US 8.8.8.8:53 qqpgkonsesd.info udp
US 8.8.8.8:53 lcbsfiyyz.com udp
US 8.8.8.8:53 qswbtulxrc.net udp
US 8.8.8.8:53 wkdmngmqq.info udp
US 8.8.8.8:53 uuqgcg.org udp
US 8.8.8.8:53 ljjdqm.info udp
US 8.8.8.8:53 stomdlb.net udp
US 8.8.8.8:53 meljvbkie.net udp
US 8.8.8.8:53 dmbealkee.net udp
US 8.8.8.8:53 biiergctgak.info udp
US 8.8.8.8:53 efjpkeykqt.info udp
US 8.8.8.8:53 gqnygwlee.net udp
US 8.8.8.8:53 yqiweowi.com udp
US 8.8.8.8:53 owcctxlizcq.info udp
US 8.8.8.8:53 vzjqrcncwbd.com udp
US 8.8.8.8:53 fszehlnx.net udp
US 8.8.8.8:53 jegnubyuplln.net udp
US 8.8.8.8:53 dadsvly.com udp
US 8.8.8.8:53 jkdcdyf.com udp
US 8.8.8.8:53 hrrwvonsvmc.net udp
US 8.8.8.8:53 cswksy.com udp
US 8.8.8.8:53 tbaclryvrdaw.net udp
US 8.8.8.8:53 bgxotaaplv.info udp
US 8.8.8.8:53 gfuvwmjpgb.net udp
US 8.8.8.8:53 qemawyamwgwa.org udp
US 8.8.8.8:53 ddwerq.info udp
US 8.8.8.8:53 skgcgm.com udp
US 8.8.8.8:53 hehffihi.info udp
US 8.8.8.8:53 qcjypmlkz.info udp
US 8.8.8.8:53 zsqxejydfpnt.info udp
US 8.8.8.8:53 wyllzw.info udp
US 8.8.8.8:53 ntfjkltu.info udp
US 8.8.8.8:53 rmsrfjrc.net udp
US 8.8.8.8:53 hjzgaiqz.net udp
US 8.8.8.8:53 siwgwwgameau.com udp
US 8.8.8.8:53 vjphcyaorl.net udp
US 8.8.8.8:53 fxguda.info udp
US 8.8.8.8:53 qudyrmntuow.info udp
US 8.8.8.8:53 nsskdyw.com udp
US 8.8.8.8:53 kikgsgyqgaos.com udp
US 8.8.8.8:53 fuliriegxes.com udp
US 8.8.8.8:53 guijhin.info udp
US 8.8.8.8:53 uspavcp.net udp
US 8.8.8.8:53 fltyepso.info udp
US 8.8.8.8:53 hrnujmsfph.net udp
US 8.8.8.8:53 rfhabyw.info udp
US 8.8.8.8:53 ghmcbx.net udp
US 8.8.8.8:53 ourepitvklx.info udp
US 8.8.8.8:53 fwzmfdwa.net udp
US 8.8.8.8:53 rgxgprj.net udp
US 8.8.8.8:53 hcvhrevmt.com udp
US 8.8.8.8:53 qelnxqxq.net udp
US 8.8.8.8:53 wmlwnfxul.net udp
US 8.8.8.8:53 octpnmfeveb.net udp
US 8.8.8.8:53 stkmld.net udp
US 8.8.8.8:53 htoobdilro.info udp
US 8.8.8.8:53 eahahipclfk.net udp
US 8.8.8.8:53 ruksvdctcqr.com udp
US 8.8.8.8:53 nejapsjqnupo.net udp
US 8.8.8.8:53 ybpcjev.info udp
US 8.8.8.8:53 biyyicbpv.info udp
US 8.8.8.8:53 pvlmwmv.net udp
US 8.8.8.8:53 egmyym.org udp
US 8.8.8.8:53 oywhfgrc.info udp
US 8.8.8.8:53 bsrweqh.net udp
US 8.8.8.8:53 hbfwtoxnsndk.info udp
US 8.8.8.8:53 lrsfuqpkxj.info udp
US 8.8.8.8:53 ewssdnmpxiz.info udp
US 8.8.8.8:53 kbcbkhde.net udp
US 8.8.8.8:53 lcnsotnp.net udp
US 8.8.8.8:53 eslqdnhpxa.net udp
US 8.8.8.8:53 xahqzn.net udp
US 8.8.8.8:53 yvqerp.info udp
US 8.8.8.8:53 kshgvj.net udp
US 8.8.8.8:53 bslamujijah.com udp
US 8.8.8.8:53 opdegzxyx.info udp
US 8.8.8.8:53 zwrtterox.org udp
US 8.8.8.8:53 ltnmtwgf.info udp
US 8.8.8.8:53 csvwjspndnq.info udp
US 8.8.8.8:53 xykutplmhmfn.net udp
US 8.8.8.8:53 dusssofoz.org udp
US 8.8.8.8:53 uuequk.com udp
US 8.8.8.8:53 mcszjsw.net udp
US 8.8.8.8:53 mlgsxflu.net udp
US 8.8.8.8:53 nrjmdetmv.info udp
US 8.8.8.8:53 qewcvdx.info udp
US 8.8.8.8:53 pekbydmcd.com udp
US 8.8.8.8:53 yoskua.org udp
US 8.8.8.8:53 iqsgcmioew.com udp
US 8.8.8.8:53 kmpdjanxcx.info udp
US 8.8.8.8:53 ebtqhpvvpd.info udp
US 8.8.8.8:53 jljcywgh.info udp
US 8.8.8.8:53 cedgaat.info udp
US 8.8.8.8:53 prhtdrab.info udp
US 8.8.8.8:53 aptavxszku.info udp
US 8.8.8.8:53 whouoiq.info udp
US 8.8.8.8:53 jnwrggtgxl.info udp
US 8.8.8.8:53 fizwtyn.org udp
US 8.8.8.8:53 wmmsbag.info udp
US 8.8.8.8:53 oesmaemmgi.com udp
US 8.8.8.8:53 kpxupwszqz.info udp
US 8.8.8.8:53 wbtonypio.net udp
US 8.8.8.8:53 wavqwalul.info udp
US 8.8.8.8:53 dbpnqjoo.info udp
US 8.8.8.8:53 jinfugfp.net udp
US 8.8.8.8:53 embpcdqtnwx.info udp
US 8.8.8.8:53 qqmgiqukucac.com udp
US 8.8.8.8:53 rtkkjtts.net udp
US 8.8.8.8:53 oajcnl.net udp
US 8.8.8.8:53 ovsgpskb.info udp
US 8.8.8.8:53 tqcgkeeu.info udp
US 8.8.8.8:53 vmbelrpp.net udp
US 8.8.8.8:53 xwdooadwcj.net udp
US 8.8.8.8:53 isiium.com udp
US 8.8.8.8:53 jdlsjd.info udp
US 8.8.8.8:53 ejzlccsvzn.info udp
US 8.8.8.8:53 kupiaccip.info udp
US 8.8.8.8:53 qdaqwtlafa.info udp
US 8.8.8.8:53 ihfvsiykwtcp.net udp
US 8.8.8.8:53 vppjzgfzfigd.info udp
US 8.8.8.8:53 julotdrew.com udp
US 8.8.8.8:53 gxjmexojzn.info udp
US 8.8.8.8:53 fwbyjvh.info udp
US 8.8.8.8:53 wyirluzizor.info udp
US 8.8.8.8:53 fbhuvmh.info udp
US 8.8.8.8:53 rfvszdvmmw.net udp
US 8.8.8.8:53 lgmblm.info udp
US 8.8.8.8:53 lkorukptqtkn.info udp
US 8.8.8.8:53 cprwgqzsq.info udp
US 8.8.8.8:53 ddzumm.net udp
US 8.8.8.8:53 sbziuuwqzok.info udp
US 8.8.8.8:53 vcfsuorinou.net udp
US 8.8.8.8:53 mbiiznxdulyh.net udp
US 8.8.8.8:53 kyekey.com udp
US 8.8.8.8:53 ehdnhu.info udp
US 8.8.8.8:53 qcrdzkn.net udp
US 8.8.8.8:53 qpeavxszku.net udp
US 8.8.8.8:53 ewvewopwn.net udp
US 8.8.8.8:53 swccfoiouxom.net udp
US 8.8.8.8:53 nvqhtsfzlm.info udp
US 8.8.8.8:53 rfuhzwhcx.com udp
US 8.8.8.8:53 befmgly.com udp
US 8.8.8.8:53 qeqccmewssmq.org udp
US 8.8.8.8:53 kprijwvcpiq.net udp
US 8.8.8.8:53 danfxzx.info udp
US 8.8.8.8:53 laxnyxdr.net udp
US 8.8.8.8:53 owjlhzlydoz.net udp
US 8.8.8.8:53 fkfkmbucpi.info udp
US 8.8.8.8:53 wqcioymuyqey.com udp
US 8.8.8.8:53 vwrsabk.info udp
US 8.8.8.8:53 usnsuev.info udp
US 8.8.8.8:53 oqhajmtmnmh.info udp
US 8.8.8.8:53 iyioppfap.net udp
US 8.8.8.8:53 mkosuw.com udp
SG 43.134.113.12:80 mkosuw.com tcp
BG 89.215.166.51:44448 tcp
FR 80.243.28.224:13659 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
BG 85.14.48.134:39100 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\rdyvhyibbni.exe

MD5 89ec3461ef4a893428c32f89de78b396
SHA1 8067cdc0901f0dc5bc1bb67a1c9037f502ea85f9
SHA256 1849989ee704cda3b552b5021f3165012978d26d0daf7d22a09805deb6be2d0b
SHA512 7804fa36e1f050115b00d21a9a94cf92436260a385da67106b0c73eb350abafca53f2dec42d377d4eccc095dd75ac92e841fb66e874e656e412cd71ed7909fe8

C:\Windows\SysWOW64\oazkfavhzslnrkizzi.exe

MD5 8e8d8dd457411eaf96c3e5f1cf646ec5
SHA1 b03b741382822e3f012bc8d1c87331aaefeff1a4
SHA256 b6b2b9e959b52d90742beac4f6b23a72e4c2cb5e802bbb9e7da138098d30cd24
SHA512 e6cf6ea96fbc9befaf59e1b0a876e7afadc5439918ee294dbe584d474310cc79db4ff7091645e29e0f367561a7a3a71cd80ec4200ebbd7809fd5e738bc58878c

C:\Users\Admin\AppData\Local\Temp\mmzyhq.exe

MD5 9427724fbec4c66729e704d4b0a10e7e
SHA1 b08d9b608e9d36a0d7f9e895e2b191a9b879cf8b
SHA256 ca1861c8eccbcbc9fe74d2b0ce8eab88f6119cd2ce18d89eec5204961a996c25
SHA512 5616761f8d2398148d7970d2071137692d8feb7271d15d79cacdc32ac0f7abd0e219a4255d5ce4b7c00c179e568d9c069c3f60669a4ea5bcc37249873a53284b

C:\Users\Admin\AppData\Local\dygaeimhikmxkmttcupxrvz.yzb

MD5 05190f09ee38a61772bb23e86c5be4a0
SHA1 240c1b4963ab189b6b5f4782958cc61b99fef669
SHA256 e572ee95628466ef878889dc10af8f16d221eede47bc31fa890da94d13836947
SHA512 75b25cf204118a8bb3935b826424aa1b8b4f243b380e66f2ae3edb6528534d89e3cb3da53467949454aa5fcd09dc9a2d14d8c9ae0949ddcdb34110d24be2e486

C:\Users\Admin\AppData\Local\qwpujyntfsfbzmepjmslqfujpbobxvialf.ohm

MD5 a3cebc39acf1b5b58d65c58da405dd75
SHA1 2d491a1e3cfe8901f9f935a7dcd743f010512003
SHA256 fc4635cd23f148139340f9f18d2b376fc1114f88fb14cd6907799d62a097a450
SHA512 fb82f12c4b83b556629808035c60a50d8b7f0f4f35906d630e0463c3ddcf1973af30cf8018c9382ec0bcda7c5e08792e09ae5d3bbaf0a77b6d5d46aacfd66354

C:\Program Files (x86)\dygaeimhikmxkmttcupxrvz.yzb

MD5 061b0dcb3060d6ca66f10ccce7ab61be
SHA1 1153d1abe74369829ad1e7bd47af925db4e359ae
SHA256 309ee03438e0163a9e74641168c2f52aad0212d59fd113da0d866d12f99b2e88
SHA512 abcdfc97c5b271ef096aa5db38141edf267263ae6eba3d0d6fe1968362edc8963a6383135d55208510347e54febb505b922ad471a87a8640bf8b0a71885c174f

C:\Program Files (x86)\dygaeimhikmxkmttcupxrvz.yzb

MD5 090933cb1b985003f97868500747aef0
SHA1 7f9477a2d53eff62f6a372521bbbcca6c4a4dd4d
SHA256 11ca72a0d2aa6f1d5bf3c48929d560643bf0daf538737920267b258a2d1604f8
SHA512 6b5feed19871a7ee66cb821f9d57fb4b3dba4360358f154c87714994f9fea61e637c08fd9d9e586bf25c8d64a6d37c21f15cd7172af54b7a2acbe4ab9d6ce39b

C:\Program Files (x86)\dygaeimhikmxkmttcupxrvz.yzb

MD5 c360240777510807942609591f7898df
SHA1 371be61eb3c76ad30bf089a8cf5de0907fc0ff8b
SHA256 3631ffe7906d9cf7bfa7dacf3dee1d1ca889266d1da3b6437a8de3793f533332
SHA512 da8beaa0703ca360d7e943e449c38bd4a8169a296b7236906942c796b5b360b697e6c5b0dd8c8ec216d68d0913faed41964b8b7c8c78f11d6ef04352a5e80e96

C:\Program Files (x86)\dygaeimhikmxkmttcupxrvz.yzb

MD5 6e0e2d3217412caec52ea2c72bbe6c89
SHA1 0a507501387046e565ae2f5958cd02d37d1d9e1e
SHA256 7fa81602da215a8836f11b3dd1b57a0d1a0dff7e9adc641eea420a55692e0644
SHA512 661666bac8d46d08759216dcbb355039008d6e75b6b8118ea94e41fd59f708af1a3907930112fd73141973d24a17cc4f5999bf243e6ca07ae77feca824ce2fe4

C:\Users\Admin\AppData\Local\dygaeimhikmxkmttcupxrvz.yzb

MD5 fc5d0ecde43e2d21db42ab95d4329073
SHA1 e1f3856c0ddf8738626f40f9dce852410bab7aaa
SHA256 2ab7ed12d4b9748ffb1b56be1d5c56183299138b86903ece2f07cab5ebfa3b46
SHA512 7cb612f9c80619df2c80d9d138d6e5e6bf8d008d38c62c465cc98e708d1f409855a2aef9cf12f35c2cf3b6e652d9472d1f9dace1494bf09eefa23fe182a0beae

C:\Program Files (x86)\dygaeimhikmxkmttcupxrvz.yzb

MD5 5ab2d671d5424fe84386eaa59176c574
SHA1 78698bbf4c8abc06830ee09ee5001232c2293b5c
SHA256 c988d04e54a3510aedc4a357a5354ffb12e2a1632d7c6fb0cb32d8114120b9f3
SHA512 33e8029479b29729f6acaa8a089808042b8e8c5f28c8babe68447adfa78373dcf9891c7b8743f769f006c5de2ec9583ab508d21ef2eb0c485e06b8bb8fdcfbeb

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-04 01:49

Reported

2024-11-04 04:17

Platform

win7-20240903-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hmtahm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\havqlearrwpkseizajcx.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aiscmufla = "havqlearrwpkseizajcx.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hmtahm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqiasibpmoewbklzx.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hmtahm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tizqhwobxyneiqqd.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aiscmufla = "jatmfwqfdgxqwgixwd.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hmtahm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umgaumhxwasmtehxxfx.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hmtahm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqmieyvnouoktgldfpjfb.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aiscmufla = "wqmieyvnouoktgldfpjfb.exe" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aiscmufla = "wqmieyvnouoktgldfpjfb.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aiscmufla = "aqiasibpmoewbklzx.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hmtahm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jatmfwqfdgxqwgixwd.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aiscmufla = "umgaumhxwasmtehxxfx.exe" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hmtahm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqmieyvnouoktgldfpjfb.exe" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\hmtahm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tizqhwobxyneiqqd.exe" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aiscmufla = "tizqhwobxyneiqqd.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\aiscmufla = "umgaumhxwasmtehxxfx.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lwjwjuirjgre = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqmieyvnouoktgldfpjfb.exe ." C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\uaiqyen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umgaumhxwasmtehxxfx.exe" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lwjwjuirjgre = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tizqhwobxyneiqqd.exe ." C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lwjwjuirjgre = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqiasibpmoewbklzx.exe ." C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\uaiqyen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jatmfwqfdgxqwgixwd.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uaiqyen = "jatmfwqfdgxqwgixwd.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uaiqyen = "umgaumhxwasmtehxxfx.exe" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jqziryin = "havqlearrwpkseizajcx.exe ." C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcnyjselbw = "aqiasibpmoewbklzx.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oykwisfneak = "aqiasibpmoewbklzx.exe ." C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcnyjselbw = "havqlearrwpkseizajcx.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oykwisfneak = "jatmfwqfdgxqwgixwd.exe ." C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kwkymynxqoaop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\havqlearrwpkseizajcx.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oykwisfneak = "havqlearrwpkseizajcx.exe ." C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\uaiqyen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tizqhwobxyneiqqd.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lwjwjuirjgre = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umgaumhxwasmtehxxfx.exe ." C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jqziryin = "aqiasibpmoewbklzx.exe ." C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jqziryin = "wqmieyvnouoktgldfpjfb.exe ." C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oykwisfneak = "wqmieyvnouoktgldfpjfb.exe ." C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kwkymynxqoaop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jatmfwqfdgxqwgixwd.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jqziryin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqiasibpmoewbklzx.exe ." C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uaiqyen = "aqiasibpmoewbklzx.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jqziryin = "tizqhwobxyneiqqd.exe ." C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\lwjwjuirjgre = "C:\\Users\\Admin\\AppData\\Local\\Temp\\havqlearrwpkseizajcx.exe ." C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\uaiqyen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqiasibpmoewbklzx.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uaiqyen = "jatmfwqfdgxqwgixwd.exe" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jqziryin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umgaumhxwasmtehxxfx.exe ." C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcnyjselbw = "wqmieyvnouoktgldfpjfb.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcnyjselbw = "aqiasibpmoewbklzx.exe" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\uaiqyen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\havqlearrwpkseizajcx.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kwkymynxqoaop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqiasibpmoewbklzx.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oykwisfneak = "umgaumhxwasmtehxxfx.exe ." C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcnyjselbw = "umgaumhxwasmtehxxfx.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\uaiqyen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqmieyvnouoktgldfpjfb.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kwkymynxqoaop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\wqmieyvnouoktgldfpjfb.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jqziryin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jatmfwqfdgxqwgixwd.exe ." C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\uaiqyen = "C:\\Users\\Admin\\AppData\\Local\\Temp\\jatmfwqfdgxqwgixwd.exe" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jqziryin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tizqhwobxyneiqqd.exe ." C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oykwisfneak = "tizqhwobxyneiqqd.exe ." C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcnyjselbw = "tizqhwobxyneiqqd.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kwkymynxqoaop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tizqhwobxyneiqqd.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jqziryin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\havqlearrwpkseizajcx.exe ." C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\uaiqyen = "wqmieyvnouoktgldfpjfb.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jqziryin = "havqlearrwpkseizajcx.exe ." C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jqziryin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqiasibpmoewbklzx.exe ." C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\jqziryin = "umgaumhxwasmtehxxfx.exe ." C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kwkymynxqoaop = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tizqhwobxyneiqqd.exe" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\jqziryin = "C:\\Users\\Admin\\AppData\\Local\\Temp\\umgaumhxwasmtehxxfx.exe ." C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\tcnyjselbw = "jatmfwqfdgxqwgixwd.exe" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyip.everdot.org N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyipaddress.com N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\jatmfwqfdgxqwgixwd.exe C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
File opened for modification C:\Windows\SysWOW64\nifczuslnupmwkqjmxspmj.exe C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
File opened for modification C:\Windows\SysWOW64\nifczuslnupmwkqjmxspmj.exe C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File opened for modification C:\Windows\SysWOW64\nqvafiopzorwokyzkdglqvyefp.hme C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File opened for modification C:\Windows\SysWOW64\aqiasibpmoewbklzx.exe C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File opened for modification C:\Windows\SysWOW64\jatmfwqfdgxqwgixwd.exe C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File created C:\Windows\SysWOW64\nqvafiopzorwokyzkdglqvyefp.hme C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File opened for modification C:\Windows\SysWOW64\aqiasibpmoewbklzx.exe C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
File opened for modification C:\Windows\SysWOW64\tizqhwobxyneiqqd.exe C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File opened for modification C:\Windows\SysWOW64\ocsiymdpkkyoryxjfjxndthykfftjmtseaesi.oct C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File opened for modification C:\Windows\SysWOW64\tizqhwobxyneiqqd.exe C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
File opened for modification C:\Windows\SysWOW64\umgaumhxwasmtehxxfx.exe C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File opened for modification C:\Windows\SysWOW64\havqlearrwpkseizajcx.exe C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File opened for modification C:\Windows\SysWOW64\wqmieyvnouoktgldfpjfb.exe C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
File opened for modification C:\Windows\SysWOW64\havqlearrwpkseizajcx.exe C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
File opened for modification C:\Windows\SysWOW64\wqmieyvnouoktgldfpjfb.exe C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File opened for modification C:\Windows\SysWOW64\umgaumhxwasmtehxxfx.exe C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
File created C:\Windows\SysWOW64\ocsiymdpkkyoryxjfjxndthykfftjmtseaesi.oct C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\nqvafiopzorwokyzkdglqvyefp.hme C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File created C:\Program Files (x86)\nqvafiopzorwokyzkdglqvyefp.hme C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File opened for modification C:\Program Files (x86)\ocsiymdpkkyoryxjfjxndthykfftjmtseaesi.oct C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File created C:\Program Files (x86)\ocsiymdpkkyoryxjfjxndthykfftjmtseaesi.oct C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\nifczuslnupmwkqjmxspmj.exe C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File opened for modification C:\Windows\umgaumhxwasmtehxxfx.exe C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File opened for modification C:\Windows\wqmieyvnouoktgldfpjfb.exe C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File created C:\Windows\nqvafiopzorwokyzkdglqvyefp.hme C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File opened for modification C:\Windows\ocsiymdpkkyoryxjfjxndthykfftjmtseaesi.oct C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File opened for modification C:\Windows\jatmfwqfdgxqwgixwd.exe C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File opened for modification C:\Windows\havqlearrwpkseizajcx.exe C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
File opened for modification C:\Windows\aqiasibpmoewbklzx.exe C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File opened for modification C:\Windows\aqiasibpmoewbklzx.exe C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
File opened for modification C:\Windows\nqvafiopzorwokyzkdglqvyefp.hme C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File opened for modification C:\Windows\umgaumhxwasmtehxxfx.exe C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
File opened for modification C:\Windows\wqmieyvnouoktgldfpjfb.exe C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
File opened for modification C:\Windows\nifczuslnupmwkqjmxspmj.exe C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
File opened for modification C:\Windows\tizqhwobxyneiqqd.exe C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File opened for modification C:\Windows\havqlearrwpkseizajcx.exe C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File created C:\Windows\ocsiymdpkkyoryxjfjxndthykfftjmtseaesi.oct C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
File opened for modification C:\Windows\tizqhwobxyneiqqd.exe C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
File opened for modification C:\Windows\jatmfwqfdgxqwgixwd.exe C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe
PID 2368 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe
PID 2368 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe
PID 3020 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8e8d8dd457411eaf96c3e5f1cf646ec5_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe

"C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe" "c:\users\admin\appdata\local\temp\8e8d8dd457411eaf96c3e5f1cf646ec5_jaffacakes118.exe*"

C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe

"C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe" "-C:\Users\Admin\AppData\Local\Temp\tizqhwobxyneiqqd.exe"

C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe

"C:\Users\Admin\AppData\Local\Temp\uaiqyen.exe" "-C:\Users\Admin\AppData\Local\Temp\tizqhwobxyneiqqd.exe"

C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe

"C:\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe" "c:\users\admin\appdata\local\temp\8e8d8dd457411eaf96c3e5f1cf646ec5_jaffacakes118.exe"

Network

Files

\Users\Admin\AppData\Local\Temp\fpbadygypzl.exe

C:\Windows\SysWOW64\jatmfwqfdgxqwgixwd.exe

\Users\Admin\AppData\Local\Temp\uaiqyen.exe

C:\Users\Admin\AppData\Local\nqvafiopzorwokyzkdglqvyefp.hme

C:\Users\Admin\AppData\Local\ocsiymdpkkyoryxjfjxndthykfftjmtseaesi.oct

C:\Program Files (x86)\nqvafiopzorwokyzkdglqvyefp.hme
