Malware Analysis Report

2025-08-10 16:32

Sample ID 250419-b5drmazygz
Target JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc
SHA256 1218003efc6c2b220d924d207b0d83fd5d20f3a13102f4495c0ad1e86f5e5bbd
Tags
worm pykspa defense_evasion discovery persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1218003efc6c2b220d924d207b0d83fd5d20f3a13102f4495c0ad1e86f5e5bbd

Threat Level: Known bad

The file JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc was found to be: Known bad.

Malicious Activity Summary

worm pykspa defense_evasion discovery persistence privilege_escalation trojan

Modifies WinLogon for persistence

Detect Pykspa worm

Pykspa family

UAC bypass

Adds policy Run key to start application

Disables RegEdit via registry modification

Executes dropped EXE

Impair Defenses: Safe Mode Boot

Checks computer location settings

Checks whether UAC is enabled

Adds Run key to start application

Looks up external IP address via web service

Hijack Execution Flow: Executable Installer File Permissions Weakness

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

System policy modification

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-04-19 01:43

Signatures

Detect Pykspa worm

worm
Description Indicator Process Target
N/A N/A N/A N/A

Pykspa family

pykspa

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-04-19 01:43

Reported

2025-04-19 01:45

Platform

win10v2004-20250410-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqewocvjzwikucbb.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lddupkbxohhwbozbebhz.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atumiewtlfgwcqcfjhohi.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbsamygtblc = "xlhulcphujfqrahf.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbsamygtblc = "ypoeysidtlkycoyzbxc.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atumiewtlfgwcqcfjhohi.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbsamygtblc = "ndbqjcrlarpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndbqjcrlarpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lddupkbxohhwbozbebhz.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypoeysidtlkycoyzbxc.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbsamygtblc = "lddupkbxohhwbozbebhz.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbsamygtblc = "atumiewtlfgwcqcfjhohi.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbsamygtblc = "ndbqjcrlarpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlhulcphujfqrahf.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlhulcphujfqrahf.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndbqjcrlarpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbsamygtblc = "etqewocvjzwikucbb.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbsamygtblc = "ypoeysidtlkycoyzbxc.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbsamygtblc = "lddupkbxohhwbozbebhz.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndbqjcrlarpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbsamygtblc = "lddupkbxohhwbozbebhz.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sbsamygtblc = "xlhulcphujfqrahf.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nthmvejt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqewocvjzwikucbb.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "xlhulcphujfqrahf.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "ypoeysidtlkycoyzbxc.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "ndbqjcrlarpcfqzzav.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndbqjcrlarpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "lddupkbxohhwbozbebhz.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzranajxgrjq = "xlhulcphujfqrahf.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfamcsevhvqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlhulcphujfqrahf.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbvgvkvlwjdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lddupkbxohhwbozbebhz.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzranajxgrjq = "ndbqjcrlarpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzranajxgrjq = "atumiewtlfgwcqcfjhohi.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzranajxgrjq = "atumiewtlfgwcqcfjhohi.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfamcsevhvqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypoeysidtlkycoyzbxc.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzranajxgrjq = "lddupkbxohhwbozbebhz.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfamcsevhvqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atumiewtlfgwcqcfjhohi.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "ypoeysidtlkycoyzbxc.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfamcsevhvqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypoeysidtlkycoyzbxc.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lddupkbxohhwbozbebhz.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbvgvkvlwjdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlhulcphujfqrahf.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atumiewtlfgwcqcfjhohi.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzranajxgrjq = "etqewocvjzwikucbb.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbvgvkvlwjdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lddupkbxohhwbozbebhz.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "etqewocvjzwikucbb.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbvgvkvlwjdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqewocvjzwikucbb.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypoeysidtlkycoyzbxc.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqewocvjzwikucbb.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "xlhulcphujfqrahf.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ozscqeodnzsay = "xlhulcphujfqrahf.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "ypoeysidtlkycoyzbxc.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ozscqeodnzsay = "ndbqjcrlarpcfqzzav.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfamcsevhvqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqewocvjzwikucbb.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "etqewocvjzwikucbb.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlhulcphujfqrahf.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypoeysidtlkycoyzbxc.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "xlhulcphujfqrahf.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "xlhulcphujfqrahf.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfamcsevhvqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lddupkbxohhwbozbebhz.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqewocvjzwikucbb.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "ndbqjcrlarpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzranajxgrjq = "ypoeysidtlkycoyzbxc.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "xlhulcphujfqrahf.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfamcsevhvqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lddupkbxohhwbozbebhz.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbvgvkvlwjdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlhulcphujfqrahf.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbvgvkvlwjdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\etqewocvjzwikucbb.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "etqewocvjzwikucbb.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzranajxgrjq = "ypoeysidtlkycoyzbxc.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "ndbqjcrlarpcfqzzav.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "lddupkbxohhwbozbebhz.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlhulcphujfqrahf.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ypoeysidtlkycoyzbxc.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ozscqeodnzsay = "xlhulcphujfqrahf.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "ndbqjcrlarpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\xfvcnyfryh = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atumiewtlfgwcqcfjhohi.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzranajxgrjq = "atumiewtlfgwcqcfjhohi.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbvgvkvlwjdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atumiewtlfgwcqcfjhohi.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfamcsevhvqaaio = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ndbqjcrlarpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzranajxgrjq = "ndbqjcrlarpcfqzzav.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ozscqeodnzsay = "ypoeysidtlkycoyzbxc.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lddupkbxohhwbozbebhz.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "xlhulcphujfqrahf.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pzranajxgrjq = "etqewocvjzwikucbb.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ozscqeodnzsay = "etqewocvjzwikucbb.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pbvgvkvlwjdmls = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xlhulcphujfqrahf.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\elagqagrx = "atumiewtlfgwcqcfjhohi.exe" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ozscqeodnzsay = "lddupkbxohhwbozbebhz.exe ." C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\bzfcdebdazfalevdmpbzfc.ebd C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
File created C:\Windows\SysWOW64\bzfcdebdazfalevdmpbzfc.ebd C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
File opened for modification C:\Windows\SysWOW64\sbsamygtblcieikdxliriqcowjrbsyuya.nby C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
File created C:\Windows\SysWOW64\sbsamygtblcieikdxliriqcowjrbsyuya.nby C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\bzfcdebdazfalevdmpbzfc.ebd C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
File created C:\Program Files (x86)\bzfcdebdazfalevdmpbzfc.ebd C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
File opened for modification C:\Program Files (x86)\sbsamygtblcieikdxliriqcowjrbsyuya.nby C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
File created C:\Program Files (x86)\sbsamygtblcieikdxliriqcowjrbsyuya.nby C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\bzfcdebdazfalevdmpbzfc.ebd C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
File created C:\Windows\bzfcdebdazfalevdmpbzfc.ebd C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
File opened for modification C:\Windows\sbsamygtblcieikdxliriqcowjrbsyuya.nby C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
File created C:\Windows\sbsamygtblcieikdxliriqcowjrbsyuya.nby C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\ydqucko.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe .

C:\Users\Admin\AppData\Local\Temp\ydqucko.exe

"C:\Users\Admin\AppData\Local\Temp\ydqucko.exe" "-"

C:\Users\Admin\AppData\Local\Temp\ydqucko.exe

"C:\Users\Admin\AppData\Local\Temp\ydqucko.exe" "-"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypoeysidtlkycoyzbxc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypoeysidtlkycoyzbxc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe .

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c etqewocvjzwikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypoeysidtlkycoyzbxc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c etqewocvjzwikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c etqewocvjzwikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypoeysidtlkycoyzbxc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c etqewocvjzwikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypoeysidtlkycoyzbxc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c etqewocvjzwikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c etqewocvjzwikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypoeysidtlkycoyzbxc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c etqewocvjzwikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypoeysidtlkycoyzbxc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c etqewocvjzwikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c etqewocvjzwikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c etqewocvjzwikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c xlhulcphujfqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\lddupkbxohhwbozbebhz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypoeysidtlkycoyzbxc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ypoeysidtlkycoyzbxc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c lddupkbxohhwbozbebhz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ndbqjcrlarpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c atumiewtlfgwcqcfjhohi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c etqewocvjzwikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ypoeysidtlkycoyzbxc.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ndbqjcrlarpcfqzzav.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\xlhulcphujfqrahf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\etqewocvjzwikucbb.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\atumiewtlfgwcqcfjhohi.exe .

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 www.whatismyip.com udp
US 172.66.43.169:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 172.66.43.169:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 172.66.43.169:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 172.66.43.169:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 172.66.43.169:80 www.whatismyip.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.imdb.com udp
FR 3.164.174.207:80 www.imdb.com tcp
US 8.8.8.8:53 gyuuym.org udp
DE 85.214.228.140:80 gyuuym.org tcp
US 8.8.8.8:53 xbxogb.net udp
US 8.8.8.8:53 giiuxvodjfx.net udp
US 8.8.8.8:53 wiudsfovgkqk.info udp
US 8.8.8.8:53 ghikng.net udp
US 8.8.8.8:53 unxfuild.info udp
SG 18.142.91.111:80 unxfuild.info tcp
US 8.8.8.8:53 dsotomvxvscs.net udp
US 8.8.8.8:53 iyqwqcag.com udp
US 8.8.8.8:53 qwqsaiys.org udp
US 8.8.8.8:53 ggoiukqgsikq.org udp
US 8.8.8.8:53 qsxthy.info udp
US 8.8.8.8:53 udzdjiddn.net udp
US 8.8.8.8:53 akdenvtorif.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 bnnzpe.info udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 tqbuzqk.info udp
US 8.8.8.8:53 ygoukmwg.org udp
US 8.8.8.8:53 huxkjap.info udp
US 8.8.8.8:53 ciuaiqgqoo.com udp
US 8.8.8.8:53 ikwcmm.org udp
US 8.8.8.8:53 buvxshbo.net udp
US 8.8.8.8:53 henbjebapjxc.info udp
US 8.8.8.8:53 cydlrge.info udp
US 104.156.155.94:80 cydlrge.info tcp
US 8.8.8.8:53 wjwjmedgbs.net udp
US 8.8.8.8:53 cefokssgnlm.net udp
US 8.8.8.8:53 mjotpzfbosdh.info udp
US 8.8.8.8:53 qkfyvu.info udp
US 8.8.8.8:53 jkzzkfsyxc.net udp
US 8.8.8.8:53 oqayyqsg.com udp
US 8.8.8.8:53 umsiqkwowe.org udp
US 8.8.8.8:53 tzmyxhbgtz.info udp
US 8.8.8.8:53 voqtak.net udp
US 8.8.8.8:53 luvehemiri.info udp
US 8.8.8.8:53 wqjwlqq.info udp
US 8.8.8.8:53 dryulffbzshh.net udp
US 8.8.8.8:53 oaiewk.org udp
US 8.8.8.8:53 osvejotmh.info udp
US 8.8.8.8:53 jgtqvwv.org udp
US 8.8.8.8:53 dbnholny.net udp
US 8.8.8.8:53 lalckpw.org udp
US 8.8.8.8:53 smhcuepep.net udp
US 8.8.8.8:53 eizgzajkn.info udp
US 8.8.8.8:53 iovmhgx.net udp
US 8.8.8.8:53 smqivhb.info udp
US 8.8.8.8:53 hmfurcniz.info udp
US 8.8.8.8:53 ygdaqdxzuo.info udp
US 8.8.8.8:53 yasesgquiy.com udp
US 8.8.8.8:53 csigiycg.com udp
US 8.8.8.8:53 ddpobim.org udp
US 8.8.8.8:53 ewhqxezcwwc.net udp
US 8.8.8.8:53 mqnvbr.net udp
US 8.8.8.8:53 faadeogkz.net udp
US 8.8.8.8:53 ztvotvpuhr.net udp
US 8.8.8.8:53 zihnrvf.org udp
US 8.8.8.8:53 umjmnapsm.info udp
US 8.8.8.8:53 yoaoooewyeeo.com udp
US 8.8.8.8:53 cwdhncb.info udp
US 8.8.8.8:53 cmcaimkgas.org udp
US 8.8.8.8:53 mdhpuesj.net udp
US 8.8.8.8:53 ksucuu.org udp
US 8.8.8.8:53 xmxvwzzzxr.info udp
US 8.8.8.8:53 dqjrswwie.com udp
US 8.8.8.8:53 gycuym.org udp
US 8.8.8.8:53 nkzxoo.net udp
US 8.8.8.8:53 vrxmprngmlhk.net udp
US 8.8.8.8:53 nnbgxbhi.net udp
US 8.8.8.8:53 dyewgkc.info udp
US 8.8.8.8:53 hchtlp.info udp
US 8.8.8.8:53 ayuyoo.com udp
US 8.8.8.8:53 wepqlkn.info udp
US 8.8.8.8:53 mqkopgljr.net udp
US 8.8.8.8:53 lwkezgi.info udp
US 8.8.8.8:53 eznabol.net udp
US 8.8.8.8:53 jceoikhue.info udp
US 8.8.8.8:53 bmtrcgq.info udp
US 8.8.8.8:53 rmgivtzad.com udp
US 8.8.8.8:53 klqmnybibg.net udp
US 8.8.8.8:53 qwqcqkcg.org udp
US 8.8.8.8:53 onswtlsspd.net udp
US 8.8.8.8:53 lyxmnybibg.info udp
US 8.8.8.8:53 mvnyxndmz.info udp
US 8.8.8.8:53 qovucsh.info udp
US 8.8.8.8:53 iyxmphrvaqwc.net udp
US 8.8.8.8:53 ayyduvnu.info udp
US 8.8.8.8:53 dkouvubcpovf.info udp
US 8.8.8.8:53 jqhkbur.info udp
US 8.8.8.8:53 oquoyin.net udp
US 8.8.8.8:53 halfokdixit.info udp
US 8.8.8.8:53 fypeuj.info udp
US 8.8.8.8:53 aesygqqmag.com udp
US 8.8.8.8:53 sgpsxsdetlv.net udp
US 8.8.8.8:53 kgucribs.info udp
US 8.8.8.8:53 zyfitez.info udp
US 8.8.8.8:53 cgcopkhrb.net udp
US 8.8.8.8:53 lynsaib.com udp
US 8.8.8.8:53 zqtmbvreln.net udp
US 8.8.8.8:53 wagkyowuoguq.org udp
US 8.8.8.8:53 mnldaurgdy.net udp
US 8.8.8.8:53 leqdurjb.net udp
US 8.8.8.8:53 ecmmgk.org udp
US 8.8.8.8:53 aaxmxel.info udp
US 8.8.8.8:53 dxikspgshgbk.info udp
US 8.8.8.8:53 exlmljregib.net udp
US 8.8.8.8:53 ooeiaygokecw.org udp
US 8.8.8.8:53 tgtwxtd.info udp
US 8.8.8.8:53 vwjuwkxhc.net udp
US 8.8.8.8:53 mdnunlzkey.net udp
US 8.8.8.8:53 lmphxcept.org udp
US 8.8.8.8:53 lgmwshpwdp.net udp
US 8.8.8.8:53 nacyfjvrxo.net udp
US 8.8.8.8:53 xxtzzqhoclt.info udp
US 8.8.8.8:53 zgrjrexb.net udp
US 8.8.8.8:53 cmqekwqu.com udp
US 8.8.8.8:53 ombydet.info udp
US 8.8.8.8:53 qtzqlp.info udp
US 8.8.8.8:53 kwodeonmxch.net udp
US 8.8.8.8:53 efcovfrt.info udp
US 8.8.8.8:53 eeueccewmeem.com udp
US 8.8.8.8:53 bxxbydec.info udp
US 8.8.8.8:53 mtwxtk.net udp
US 8.8.8.8:53 oynjjaloa.info udp
US 8.8.8.8:53 gthoprfe.net udp
US 8.8.8.8:53 zczpgfz.net udp
US 8.8.8.8:53 vffidgtnx.info udp
US 8.8.8.8:53 vlpxze.info udp
US 8.8.8.8:53 ryxqnsapbp.info udp
US 8.8.8.8:53 vhdtsydlqhkq.info udp
US 8.8.8.8:53 qkgeoygwwycy.org udp
US 8.8.8.8:53 skywyumxq.net udp
US 8.8.8.8:53 hupsnrasx.org udp
US 8.8.8.8:53 dlzktcuugp.info udp
US 8.8.8.8:53 ekqoau.com udp
US 8.8.8.8:53 qgskaiwkegue.com udp
US 8.8.8.8:53 ghogvydeuj.info udp
US 8.8.8.8:53 hgsitoou.net udp
US 8.8.8.8:53 egsmyysc.org udp
US 8.8.8.8:53 vpigru.info udp
US 8.8.8.8:53 sumwkuisqs.org udp
US 8.8.8.8:53 nshdioh.net udp
US 8.8.8.8:53 ruszyh.info udp
US 8.8.8.8:53 habbbyhsh.net udp
US 8.8.8.8:53 eqfdri.info udp
US 8.8.8.8:53 ggwqxujos.net udp
US 8.8.8.8:53 ekqqcc.org udp
US 8.8.8.8:53 vvxusvvd.info udp
US 8.8.8.8:53 kcbmgiagqc.info udp
US 8.8.8.8:53 dwfkeogzvhjn.info udp
US 8.8.8.8:53 ecyksqag.com udp
US 8.8.8.8:53 jlvszr.net udp
US 8.8.8.8:53 skrdzabgvgk.net udp
US 8.8.8.8:53 rwvyir.net udp
US 8.8.8.8:53 oitqdie.info udp
US 8.8.8.8:53 dflqknsl.net udp
US 8.8.8.8:53 mikckosqwwca.com udp
US 8.8.8.8:53 zrnifctkmmd.info udp
US 8.8.8.8:53 qtgqqinahbp.info udp
US 8.8.8.8:53 ssoqscaq.com udp
US 8.8.8.8:53 eojitdx.info udp
US 8.8.8.8:53 tcvuvhjwh.info udp
US 8.8.8.8:53 eemockysmm.org udp
US 8.8.8.8:53 wgnqxeteomd.net udp
US 8.8.8.8:53 pfbmdcgyal.info udp
US 8.8.8.8:53 aszpdoy.net udp
US 8.8.8.8:53 dzrjxsrc.net udp
US 8.8.8.8:53 khngfgv.info udp
US 8.8.8.8:53 jubvpax.info udp
US 8.8.8.8:53 omywekigieuo.com udp
US 8.8.8.8:53 sqhwwjcanqx.net udp
US 8.8.8.8:53 txtydqlsz.org udp
US 8.8.8.8:53 ufwnwmgk.info udp
US 8.8.8.8:53 ecbwysbz.info udp
US 8.8.8.8:53 xybdjtiwb.net udp
US 8.8.8.8:53 xtvzdz.net udp
US 8.8.8.8:53 gynfzacr.net udp
US 8.8.8.8:53 njmyupro.net udp
US 8.8.8.8:53 djllucahbi.net udp
US 8.8.8.8:53 gkswkowuaw.org udp
US 8.8.8.8:53 lgtrtfzu.info udp
US 8.8.8.8:53 szzalksmzqb.net udp
US 8.8.8.8:53 xrpwmsl.info udp
US 8.8.8.8:53 cbihbapv.info udp
US 8.8.8.8:53 ylsaau.info udp
US 8.8.8.8:53 eseqkyigauus.com udp
US 8.8.8.8:53 yykqqocecm.org udp
US 8.8.8.8:53 iusioomq.org udp
US 8.8.8.8:53 cmmwasyi.org udp
US 8.8.8.8:53 wqakaass.com udp
US 8.8.8.8:53 frueixqi.info udp
US 8.8.8.8:53 fpybcqttiiie.net udp
US 8.8.8.8:53 agdsrgm.net udp
US 8.8.8.8:53 wgvnrxwcpn.net udp
US 8.8.8.8:53 wcsbrpz.net udp
US 8.8.8.8:53 ccgcqa.com udp
US 8.8.8.8:53 xzhbvyvj.net udp
US 8.8.8.8:53 kuswbc.info udp
US 8.8.8.8:53 uwcuws.org udp
US 8.8.8.8:53 kjxsfgzlcl.net udp
US 8.8.8.8:53 qablhjykj.net udp
US 8.8.8.8:53 orohrr.info udp
US 8.8.8.8:53 ijnowubt.info udp
US 8.8.8.8:53 ehxjfyzwaxr.net udp
US 8.8.8.8:53 uazshup.net udp
US 8.8.8.8:53 azlfou.info udp
US 8.8.8.8:53 kjmbrxbwfpte.info udp
US 8.8.8.8:53 nxzvphly.net udp
US 8.8.8.8:53 jivgmmxfkqfs.net udp
US 8.8.8.8:53 vcmfrufqvcn.org udp
US 8.8.8.8:53 ekjevpjxdbcy.net udp
US 8.8.8.8:53 cmeaaksmiksg.com udp
US 8.8.8.8:53 umyicieyee.org udp
US 8.8.8.8:53 yoykeaascyag.org udp
US 8.8.8.8:53 nbjshjjst.info udp
US 8.8.8.8:53 xhcfuoii.info udp
US 8.8.8.8:53 vcsuct.net udp
US 8.8.8.8:53 gyokuiussu.org udp
US 8.8.8.8:53 eywgcwsomeaw.org udp
US 8.8.8.8:53 xamobgt.info udp
US 8.8.8.8:53 wuycmwus.org udp
US 8.8.8.8:53 jchyqcf.info udp
US 8.8.8.8:53 afrphwfcvpsx.info udp
US 8.8.8.8:53 fsyczawoha.info udp
US 8.8.8.8:53 iebdoeijlfl.info udp
US 8.8.8.8:53 yqmhlybghlx.info udp
US 8.8.8.8:53 mlygoqjok.net udp
US 8.8.8.8:53 atkzfclhbift.info udp
US 8.8.8.8:53 bdvmjs.info udp
US 8.8.8.8:53 jkavoichm.info udp
US 8.8.8.8:53 cgdadfe.info udp
US 8.8.8.8:53 kfcnyh.net udp
US 8.8.8.8:53 dfigkg.info udp
US 8.8.8.8:53 chjkbkjwfxq.info udp
US 8.8.8.8:53 jjrefkv.net udp
US 8.8.8.8:53 vrhenqmnuegg.net udp
US 8.8.8.8:53 gyuavtn.net udp
US 8.8.8.8:53 kjskvzf.info udp
US 8.8.8.8:53 vzdwpvpdnb.net udp
US 8.8.8.8:53 rukwjyewv.info udp
US 8.8.8.8:53 lzbjkx.info udp
US 8.8.8.8:53 mglldgdupixw.info udp
US 8.8.8.8:53 aplasslzubo.info udp
US 8.8.8.8:53 kptgfigixa.net udp
US 8.8.8.8:53 djkrzt.info udp
US 8.8.8.8:53 zyfoalls.net udp
US 8.8.8.8:53 cwnepln.net udp
US 8.8.8.8:53 blriytvijot.com udp
US 8.8.8.8:53 dvlqrhn.org udp
US 8.8.8.8:53 yydqkhzz.net udp
US 8.8.8.8:53 mfxpnon.info udp
US 8.8.8.8:53 caamceiescak.org udp
US 8.8.8.8:53 qdrzekvn.net udp
US 8.8.8.8:53 qpoolvhcf.info udp
US 8.8.8.8:53 kyilnx.net udp
US 8.8.8.8:53 ekywmeqweg.org udp
US 8.8.8.8:53 tbnvbb.net udp
US 8.8.8.8:53 ibcszmpqfa.net udp
US 8.8.8.8:53 gaqkygwq.org udp
US 8.8.8.8:53 pwhcjwybfgp.com udp
US 8.8.8.8:53 vozchklwf.com udp
US 8.8.8.8:53 haqpbn.info udp
US 8.8.8.8:53 tcqybxs.info udp
US 8.8.8.8:53 ncrgvkzod.net udp
US 8.8.8.8:53 jrbulad.info udp
US 8.8.8.8:53 chdurgrhygmb.info udp
US 8.8.8.8:53 yxwnbolejpip.info udp
US 8.8.8.8:53 gocqkmmegk.com udp
US 8.8.8.8:53 ofecfqzsd.net udp
US 8.8.8.8:53 bpzorpfuhtf.org udp
US 8.8.8.8:53 vulafgqevkrp.net udp
US 8.8.8.8:53 dapvewa.info udp
US 8.8.8.8:53 hodvmc.info udp
US 8.8.8.8:53 bkngmvgi.net udp
US 8.8.8.8:53 ogdjil.info udp
US 8.8.8.8:53 myiemwvrhjvw.net udp
US 8.8.8.8:53 oupozkt.info udp
US 8.8.8.8:53 evoxkegpefmj.net udp
US 8.8.8.8:53 fjpsfzavvnmn.net udp
US 8.8.8.8:53 bqdindvszcl.com udp
US 8.8.8.8:53 stntorwdyq.info udp
US 8.8.8.8:53 sggqne.info udp
US 8.8.8.8:53 rzloqxddfkh.net udp
US 8.8.8.8:53 dgnfswnoi.net udp
US 8.8.8.8:53 vwhuvse.org udp
US 8.8.8.8:53 dykwknvmdfdj.info udp
US 8.8.8.8:53 vcfmbitwxpe.info udp
US 8.8.8.8:53 douspcxsdmt.org udp
US 8.8.8.8:53 oejyiyfoxqn.net udp
US 8.8.8.8:53 ksbaervaqo.net udp
US 8.8.8.8:53 pvoatb.net udp
US 8.8.8.8:53 dpggihpbqhzz.net udp
US 8.8.8.8:53 qnpxmiqrxvcg.info udp
US 8.8.8.8:53 wawaoiyk.com udp
US 8.8.8.8:53 hpzvsgmjvb.info udp
US 8.8.8.8:53 zkyzevld.info udp
US 8.8.8.8:53 yewemaiyks.com udp
US 8.8.8.8:53 mgmemioyokmm.org udp
US 8.8.8.8:53 lczoradauoz.net udp
US 8.8.8.8:53 ygqqicakyoia.org udp
US 8.8.8.8:53 dofunwwk.net udp
US 8.8.8.8:53 bllmcutgb.org udp
US 8.8.8.8:53 pflelm.net udp
US 8.8.8.8:53 qvfqwz.net udp
US 8.8.8.8:53 dazulnj.org udp
US 8.8.8.8:53 qkuiwc.org udp
US 8.8.8.8:53 sokcfdmp.info udp
US 8.8.8.8:53 cwoigbrbvpp.net udp
US 8.8.8.8:53 pqrorkh.com udp
US 8.8.8.8:53 svxrdoe.net udp
US 8.8.8.8:53 isdfxvlogthx.net udp
US 8.8.8.8:53 jzthxr.net udp
US 8.8.8.8:53 lnhciarot.org udp
US 8.8.8.8:53 gzlfqw.net udp
US 8.8.8.8:53 rlvfuyisq.org udp
US 8.8.8.8:53 yuzhfklcvyh.net udp
US 8.8.8.8:53 duxyrsn.net udp
US 8.8.8.8:53 yupylj.info udp
US 8.8.8.8:53 hzjdryw.org udp
US 8.8.8.8:53 fjusznt.com udp
US 8.8.8.8:53 dhrzbjzthfer.net udp
US 8.8.8.8:53 uessuu.com udp
US 8.8.8.8:53 gsqwqicq.com udp
US 8.8.8.8:53 tkhavciq.net udp
US 8.8.8.8:53 zuhmapbot.net udp
US 8.8.8.8:53 lsgbvxtock.net udp
US 8.8.8.8:53 fwlscw.info udp
US 8.8.8.8:53 lvtgxuo.org udp
US 8.8.8.8:53 vjvlnnztmb.net udp
US 8.8.8.8:53 gweztzvr.info udp
US 8.8.8.8:53 qmrvxbdq.info udp
US 8.8.8.8:53 hrydtt.info udp
US 8.8.8.8:53 zgtqpdpifo.net udp
US 8.8.8.8:53 hzfelzhmie.net udp
US 8.8.8.8:53 yojkaljecqs.info udp
US 8.8.8.8:53 eeqkgctvf.net udp
US 8.8.8.8:53 uwzkncm.info udp
US 8.8.8.8:53 jifyzwfdz.info udp
US 8.8.8.8:53 vkruqgmed.info udp
US 8.8.8.8:53 bvmvbtnzaz.net udp
US 8.8.8.8:53 ecegeakc.org udp
US 8.8.8.8:53 qwuowyoi.com udp
US 8.8.8.8:53 dkxcgipyb.net udp
US 8.8.8.8:53 rsahypna.net udp
US 8.8.8.8:53 vdudjuko.net udp
US 8.8.8.8:53 aewmgyii.com udp
US 8.8.8.8:53 ogvqnextfup.net udp
US 8.8.8.8:53 ootkjdzphd.net udp
US 8.8.8.8:53 szcdbgls.info udp
US 8.8.8.8:53 aararuzmj.info udp
US 8.8.8.8:53 pfwmwn.info udp
US 8.8.8.8:53 xiawwwbdy.org udp
US 8.8.8.8:53 jdpnajialv.net udp
US 8.8.8.8:53 xkhfxe.info udp
US 8.8.8.8:53 fjlrxebizh.net udp
US 8.8.8.8:53 nwtphb.info udp
US 8.8.8.8:53 zrizzt.net udp
US 8.8.8.8:53 gkqueasswoeq.com udp
US 8.8.8.8:53 mpgnfjriwx.info udp
US 8.8.8.8:53 aavdzi.net udp
US 8.8.8.8:53 nyjkyejom.net udp
US 8.8.8.8:53 ciicyy.org udp
US 8.8.8.8:53 amxmpcocy.info udp
US 8.8.8.8:53 zfrybafaduu.net udp
US 8.8.8.8:53 nsjnpn.net udp
US 8.8.8.8:53 lhhcbsiibk.net udp
US 8.8.8.8:53 ivewnr.info udp
US 8.8.8.8:53 sxavryplb.net udp
US 8.8.8.8:53 ftursk.info udp
US 8.8.8.8:53 dkqenvaci.net udp
US 8.8.8.8:53 deqvcaxgj.net udp
US 8.8.8.8:53 nqxijbihvn.info udp
US 8.8.8.8:53 uspngdvr.info udp
US 8.8.8.8:53 aatgrynghhv.net udp
US 8.8.8.8:53 fuzatgwalkn.net udp
US 8.8.8.8:53 yspynbdonzn.net udp
US 8.8.8.8:53 llecucnloq.net udp
US 8.8.8.8:53 jyiglt.info udp
US 8.8.8.8:53 icsalagkdrv.net udp
US 8.8.8.8:53 lmaydmx.net udp
US 8.8.8.8:53 vplcoxbjoo.net udp
US 8.8.8.8:53 xrctizgjhu.net udp
US 8.8.8.8:53 jmlmcuyegm.info udp
US 8.8.8.8:53 mkzvhmaf.net udp
US 8.8.8.8:53 cgzgxyn.info udp
US 8.8.8.8:53 rfcqjgcwrllk.info udp
US 8.8.8.8:53 ikaewxbrion.net udp
US 8.8.8.8:53 hupydqh.org udp
US 8.8.8.8:53 tlqbjhdzjucu.net udp
US 8.8.8.8:53 ooewwc.org udp
US 8.8.8.8:53 eozyvxkarmv.net udp
US 8.8.8.8:53 vzgtnmkwvc.info udp
US 8.8.8.8:53 gybjjyzaoiq.net udp
US 8.8.8.8:53 jypigkw.net udp
US 8.8.8.8:53 vagpcdyfemjz.net udp
US 8.8.8.8:53 nvouhv.info udp
US 8.8.8.8:53 aiqqya.org udp
US 8.8.8.8:53 rdrmeanni.org udp
US 8.8.8.8:53 qimkkaac.com udp
US 8.8.8.8:53 vipbvvmp.info udp
US 8.8.8.8:53 sizofdv.info udp
US 8.8.8.8:53 hdjuivrrizdt.info udp
US 8.8.8.8:53 jphhtgd.com udp
US 8.8.8.8:53 qqmsvcpqfb.net udp
US 8.8.8.8:53 omierhazkhgw.net udp
US 8.8.8.8:53 ktfsmw.net udp
US 8.8.8.8:53 tghyeiv.com udp
US 8.8.8.8:53 kwdrqyzrhd.net udp
US 8.8.8.8:53 wwksim.org udp
US 8.8.8.8:53 xrjmbmgmisvh.info udp
US 8.8.8.8:53 zqpqzwweroe.net udp
US 8.8.8.8:53 frajrads.info udp
US 8.8.8.8:53 baqzjg.net udp
US 8.8.8.8:53 jchaegpsg.net udp
US 8.8.8.8:53 bexcqvtyfaz.net udp
US 8.8.8.8:53 jqtenkdayoy.org udp
US 8.8.8.8:53 ucewugswkccy.org udp
US 8.8.8.8:53 iutntu.net udp
US 8.8.8.8:53 tahcxpomgnzy.net udp
US 8.8.8.8:53 nohirozut.com udp
US 8.8.8.8:53 fgnkbuya.net udp
US 8.8.8.8:53 xyusdjiql.com udp
US 8.8.8.8:53 lvliwxsju.net udp
US 8.8.8.8:53 skzcbacpsfrv.net udp
US 8.8.8.8:53 c.pki.goog udp
US 8.8.8.8:53 mwtuzofgsigq.net udp
NL 173.194.69.94:80 c.pki.goog tcp
US 8.8.8.8:53 wcgcuuiu.org udp
US 8.8.8.8:53 ogfwzjwac.net udp
US 8.8.8.8:53 sabtlgbwb.info udp
US 8.8.8.8:53 qivstxgoq.net udp
US 8.8.8.8:53 kiklygssjol.net udp
US 8.8.8.8:53 ibuxzw.net udp
US 8.8.8.8:53 lsywtguqdhn.org udp
US 8.8.8.8:53 vilorm.info udp
US 8.8.8.8:53 nhmyomxjv.info udp
US 8.8.8.8:53 imywawycku.com udp
US 8.8.8.8:53 tyzkrdhyl.info udp
US 8.8.8.8:53 dbikrlvteomi.net udp
US 8.8.8.8:53 jgqejexp.info udp
US 8.8.8.8:53 zovoxknmx.com udp
US 8.8.8.8:53 ektkfoxevmt.net udp
US 8.8.8.8:53 tgjabcy.com udp
US 8.8.8.8:53 jekdpjsfjj.info udp
US 8.8.8.8:53 mgkwci.com udp
US 8.8.8.8:53 vyvijbihvn.info udp
US 8.8.8.8:53 uiatfomwcewg.info udp
US 8.8.8.8:53 psdecgcsd.com udp
US 8.8.8.8:53 zyhtotnln.com udp
US 8.8.8.8:53 hsrofavrq.net udp
US 8.8.8.8:53 nzfiem.net udp
US 8.8.8.8:53 cmkqskhfzloh.net udp
US 8.8.8.8:53 kstjmutdffff.net udp
US 8.8.8.8:53 pcovxhzepa.info udp
US 8.8.8.8:53 llpwlrlwpx.net udp
US 8.8.8.8:53 kuxglb.info udp
US 8.8.8.8:53 dahukqx.com udp
US 8.8.8.8:53 qgqxes.info udp
US 8.8.8.8:53 xijtfofuxlp.org udp
US 8.8.8.8:53 fjrkfiparix.info udp
US 8.8.8.8:53 bctwfgikb.org udp
US 8.8.8.8:53 jakrlk.net udp
US 8.8.8.8:53 zqqgsru.info udp
US 8.8.8.8:53 ddajfxjpbn.net udp
US 8.8.8.8:53 fzqqksnzg.net udp
US 8.8.8.8:53 xmpyzssnrvt.com udp
US 8.8.8.8:53 winbwfphhq.net udp
US 8.8.8.8:53 wcoextfkvcpd.info udp
US 8.8.8.8:53 bldaskg.info udp
US 8.8.8.8:53 ledolojnfwx.org udp
US 8.8.8.8:53 xmlymtnez.org udp
US 8.8.8.8:53 ialqwiryfxgi.net udp
US 8.8.8.8:53 zavotdnwn.info udp
US 8.8.8.8:53 odzbrjqoy.info udp
US 8.8.8.8:53 gqfylojal.info udp
US 8.8.8.8:53 nuarsh.info udp
US 8.8.8.8:53 rydsrsh.org udp
US 8.8.8.8:53 aalijqi.info udp
US 8.8.8.8:53 mwvmghdqlsng.net udp
US 8.8.8.8:53 odqisf.info udp
US 8.8.8.8:53 blrpbjjkroox.info udp
US 8.8.8.8:53 pkdyaedczjy.info udp
US 8.8.8.8:53 ncpmyszzt.info udp
US 8.8.8.8:53 vupqsguwfwr.net udp
US 8.8.8.8:53 imqjqwsjaj.info udp
US 8.8.8.8:53 zodhnswmh.org udp
US 8.8.8.8:53 brsbntvv.net udp
US 8.8.8.8:53 lkqyrgwn.info udp
US 8.8.8.8:53 ybxsqlwexbnh.info udp
US 8.8.8.8:53 gkqkagewqekc.com udp
US 8.8.8.8:53 fopilgbhdx.net udp
US 8.8.8.8:53 sgmfte.net udp
US 8.8.8.8:53 kkiamiym.com udp
US 8.8.8.8:53 rxzuembko.org udp
US 8.8.8.8:53 qxpfyxv.net udp
US 8.8.8.8:53 kwscgo.com udp
US 8.8.8.8:53 bybqhgkgp.com udp
US 8.8.8.8:53 jgrnqhjoj.info udp
US 8.8.8.8:53 jatdaajehomt.net udp
US 8.8.8.8:53 rzdurlnb.net udp
US 8.8.8.8:53 mwgkuyee.org udp
US 8.8.8.8:53 ensexan.net udp
US 8.8.8.8:53 cmjulbjrdwq.net udp
US 8.8.8.8:53 jioirlb.org udp
US 8.8.8.8:53 yyajoxclqzi.net udp
US 8.8.8.8:53 byhobii.org udp
US 8.8.8.8:53 wvkhmszov.info udp
US 8.8.8.8:53 pavqoek.org udp
US 8.8.8.8:53 uiiktjymger.info udp
US 8.8.8.8:53 dfbkvaa.info udp
US 8.8.8.8:53 uiceesz.info udp
US 8.8.8.8:53 eylfenmsfbd.info udp
US 8.8.8.8:53 vbozpeoyhw.net udp
US 8.8.8.8:53 bzaydhbkyko.info udp
US 8.8.8.8:53 isymsouk.org udp
US 8.8.8.8:53 sgccdep.net udp
US 8.8.8.8:53 ssfopuf.net udp
US 8.8.8.8:53 sgygcsqu.net udp
US 8.8.8.8:53 rslkccjb.info udp
US 8.8.8.8:53 uoxjsmld.info udp
US 8.8.8.8:53 lvzlyejx.net udp
US 8.8.8.8:53 ewiuauieao.com udp
US 8.8.8.8:53 icropaxpf.info udp
US 8.8.8.8:53 umoggk.org udp
US 8.8.8.8:53 ugbuzwtqn.net udp
US 8.8.8.8:53 gwwosskg.org udp
US 8.8.8.8:53 vzufkf.info udp
US 8.8.8.8:53 awemrcwjd.net udp
US 8.8.8.8:53 bjpwlrlwpx.net udp
US 8.8.8.8:53 zoctsqsvnl.info udp
US 8.8.8.8:53 mhdqxw.info udp
US 8.8.8.8:53 imwkkoik.com udp
US 8.8.8.8:53 ibyjdm.info udp
US 8.8.8.8:53 lprkehotusaa.net udp
US 8.8.8.8:53 ylbgbkv.net udp
US 8.8.8.8:53 sewuvwb.net udp
US 8.8.8.8:53 ykvlqejqk.info udp
US 8.8.8.8:53 gwxpzmuutkb.info udp
US 8.8.8.8:53 oaewcmmi.com udp
US 8.8.8.8:53 bxpdplai.net udp
US 8.8.8.8:53 fabneqlptqyg.net udp
US 8.8.8.8:53 molgnxvilmn.net udp
US 8.8.8.8:53 bfmwdknuzxyx.info udp
US 8.8.8.8:53 ostwrslks.info udp
US 8.8.8.8:53 podivek.net udp
US 8.8.8.8:53 nwxywq.info udp
US 8.8.8.8:53 oalwpcngx.info udp
US 8.8.8.8:53 iqvnlxtmhdbx.info udp
US 8.8.8.8:53 hgylgap.org udp
US 8.8.8.8:53 rvvsdszdtt.net udp
US 8.8.8.8:53 ozuranwz.net udp
US 8.8.8.8:53 ttyjvzykbx.info udp
US 8.8.8.8:53 xcrfxbihvn.info udp
US 8.8.8.8:53 qcgzrp.net udp
US 8.8.8.8:53 dskgnxx.net udp
US 8.8.8.8:53 gqgpmyom.net udp
US 8.8.8.8:53 xyzsdxin.info udp
US 8.8.8.8:53 sdsvkghqdfqa.info udp
US 8.8.8.8:53 pvesxitaordl.info udp
US 8.8.8.8:53 kuohgniha.info udp
US 8.8.8.8:53 mbjkkjdv.info udp
US 8.8.8.8:53 dzrmxez.com udp
US 8.8.8.8:53 jqtobgsav.org udp
US 8.8.8.8:53 okdgfmeyh.net udp
US 8.8.8.8:53 kxldwaoqfn.info udp
US 8.8.8.8:53 xxbuvavqnao.net udp
US 8.8.8.8:53 relnjxpotuf.info udp
US 8.8.8.8:53 auowmc.org udp
US 8.8.8.8:53 tgzzsilpuoyu.info udp
US 8.8.8.8:53 hngzogqsfjjp.net udp
US 8.8.8.8:53 ggzodqt.net udp
US 8.8.8.8:53 rejwrwpoa.info udp
US 8.8.8.8:53 sgaiqqugkg.org udp
US 8.8.8.8:53 qbtgxdepyudp.info udp
US 8.8.8.8:53 cazcbocgfpm.info udp
US 8.8.8.8:53 ogtxdepgt.info udp
US 8.8.8.8:53 guhyeoyhr.info udp
US 8.8.8.8:53 jmuyzwjxj.net udp
US 8.8.8.8:53 pyhqodw.org udp
US 8.8.8.8:53 qrdruyitlz.net udp
US 8.8.8.8:53 dgncdtlqsyg.info udp
US 8.8.8.8:53 xknetvnv.net udp
US 8.8.8.8:53 sgescokcmo.org udp
US 8.8.8.8:53 myomrqa.net udp
US 8.8.8.8:53 cikozahcbgt.info udp
US 8.8.8.8:53 hghpgzrkooz.net udp
US 8.8.8.8:53 rappttsgd.com udp
US 8.8.8.8:53 lzwgpqnxhy.net udp
US 8.8.8.8:53 zksplmxg.net udp
US 8.8.8.8:53 boltdkdunrir.net udp
US 8.8.8.8:53 jehyhpbob.com udp
US 8.8.8.8:53 aiqvtoz.info udp
US 8.8.8.8:53 tizdowrqc.info udp
US 8.8.8.8:53 pqmgxex.info udp
US 8.8.8.8:53 luaiurlae.info udp
US 8.8.8.8:53 gubjte.info udp
US 8.8.8.8:53 ywzoxda.net udp
US 8.8.8.8:53 vmmfucbp.info udp
US 8.8.8.8:53 woeildoixs.net udp
US 8.8.8.8:53 bfxmpbiyfh.net udp
US 8.8.8.8:53 hsfspwfirsr.org udp
US 8.8.8.8:53 rrrhnrkmxx.info udp
US 8.8.8.8:53 fumvct.net udp
US 8.8.8.8:53 zgzkhtu.net udp
US 8.8.8.8:53 ngtetbb.net udp
US 8.8.8.8:53 jvlgvddn.net udp
US 8.8.8.8:53 dnyidwf.info udp
US 8.8.8.8:53 ckeyqgqogeim.com udp
US 8.8.8.8:53 yadxtkefpqdf.net udp
US 8.8.8.8:53 mccecx.net udp
US 8.8.8.8:53 wezipnlptwp.info udp
US 8.8.8.8:53 wnfyiq.net udp
US 8.8.8.8:53 duxsjco.com udp
US 8.8.8.8:53 waztfdrabjho.net udp
US 8.8.8.8:53 qngitmingp.net udp
US 8.8.8.8:53 zfsazedsb.com udp
US 8.8.8.8:53 jabqomvnc.com udp
US 8.8.8.8:53 dwiezrhfvtdl.net udp
US 8.8.8.8:53 vdnvvmuct.org udp
US 8.8.8.8:53 zmthbnuwhfb.info udp
US 8.8.8.8:53 xamvwzfsfsvg.info udp
US 8.8.8.8:53 usqexhkswvb.net udp
US 8.8.8.8:53 ulwprsdpevsj.info udp
US 8.8.8.8:53 uqxntmfrc.info udp
US 8.8.8.8:53 vbvhcmsut.com udp
US 8.8.8.8:53 zrzgrocscm.net udp
US 8.8.8.8:53 ihhsjs.info udp
US 8.8.8.8:53 qyjxvcif.net udp
US 8.8.8.8:53 zubepeb.info udp
US 8.8.8.8:53 eferdlxndv.info udp
US 8.8.8.8:53 kymesskuge.org udp
US 8.8.8.8:53 laxxvcd.net udp
US 8.8.8.8:53 genflzv.net udp
US 8.8.8.8:53 rkwlhccy.info udp
US 8.8.8.8:53 wpneowfsfevj.info udp
US 8.8.8.8:53 hcwafkg.net udp
US 8.8.8.8:53 aizbpvowiuf.net udp
US 8.8.8.8:53 nthafgeqx.org udp
US 8.8.8.8:53 tloglxhvvwf.info udp
US 8.8.8.8:53 opqfthqbrbpw.info udp
US 8.8.8.8:53 gemagjigd.net udp
US 8.8.8.8:53 ovwyhvyrdw.info udp
US 8.8.8.8:53 giiqomnvnlpz.info udp
US 8.8.8.8:53 xwluvtyrcgv.info udp
US 8.8.8.8:53 vibshiiel.net udp
US 8.8.8.8:53 wirjbvrz.net udp
US 8.8.8.8:53 grtzvzhz.info udp
US 8.8.8.8:53 tbganvwcmq.net udp
US 8.8.8.8:53 lnevby.net udp
US 8.8.8.8:53 jjqtpeerkb.net udp
US 8.8.8.8:53 kgyguyawsq.org udp
US 8.8.8.8:53 qafpdi.net udp
US 8.8.8.8:53 urkcltobhpwf.net udp
US 8.8.8.8:53 qafzjm.info udp
US 8.8.8.8:53 tgjeyse.com udp
US 8.8.8.8:53 eqztcnucln.net udp
US 8.8.8.8:53 nxhjvixx.info udp
US 8.8.8.8:53 xvhfyvyg.info udp
US 8.8.8.8:53 rydifzf.org udp
US 8.8.8.8:53 ikhwjyh.net udp
US 8.8.8.8:53 oismai.com udp
US 8.8.8.8:53 pflwetarnv.net udp
US 8.8.8.8:53 yyuahg.info udp
US 8.8.8.8:53 pszdborrrg.net udp
US 8.8.8.8:53 eheflhppvg.net udp
US 8.8.8.8:53 zuxwjcss.net udp
US 8.8.8.8:53 eccycmmkeikk.com udp
US 8.8.8.8:53 xazbrjje.net udp
US 8.8.8.8:53 fljapeh.org udp
US 8.8.8.8:53 xqyixk.net udp
US 8.8.8.8:53 hgxsnwtmc.info udp
US 8.8.8.8:53 rlbydywmnpf.net udp
US 8.8.8.8:53 zcnlvwhlxro.org udp
US 8.8.8.8:53 wyfehnr.info udp
US 8.8.8.8:53 cykogcgqqcuu.com udp
US 8.8.8.8:53 kfikluwxow.info udp
US 8.8.8.8:53 wibprwtck.info udp
US 8.8.8.8:53 dqnvlkumb.org udp
US 8.8.8.8:53 yoendedyaq.net udp
US 8.8.8.8:53 ugjyfpgfl.net udp
US 8.8.8.8:53 ycvhwv.net udp
US 8.8.8.8:53 bdrrbhlyshrl.info udp
US 8.8.8.8:53 whstfoy.net udp
US 8.8.8.8:53 dgzjxof.com udp
US 8.8.8.8:53 myrwjqkrwpbk.info udp
US 8.8.8.8:53 dqziykf.com udp
US 8.8.8.8:53 mpkbfsgyp.info udp
US 8.8.8.8:53 edewsrgpkyrb.info udp
US 8.8.8.8:53 iohzvepmfghv.net udp
US 8.8.8.8:53 hrsyexwl.net udp
US 8.8.8.8:53 zhlicbmh.net udp
US 8.8.8.8:53 sugqmm.org udp
US 8.8.8.8:53 qseoumkkca.org udp
US 8.8.8.8:53 hsqkbqf.info udp
US 8.8.8.8:53 kmwaykcq.com udp
US 8.8.8.8:53 hmgymbjxggss.net udp
US 8.8.8.8:53 xuwzsbrs.net udp
US 8.8.8.8:53 pkdvwyvohv.net udp
US 8.8.8.8:53 zezorkz.org udp
US 8.8.8.8:53 uofybqz.net udp
US 8.8.8.8:53 qdnmhgdyrit.net udp
US 8.8.8.8:53 rlyotqoevyr.net udp
US 8.8.8.8:53 sanqtmsdeq.info udp
US 8.8.8.8:53 zyagbkxa.net udp
US 8.8.8.8:53 csywmywweykq.com udp
US 8.8.8.8:53 bgprtlwltyh.net udp
US 8.8.8.8:53 vadjjurmv.net udp
US 8.8.8.8:53 kjnabadqnrp.info udp
US 8.8.8.8:53 rspkxgbz.info udp
US 8.8.8.8:53 uklevyv.info udp
US 8.8.8.8:53 fyaylmbcb.net udp
US 8.8.8.8:53 bsulvit.info udp
US 8.8.8.8:53 sjzonex.net udp
US 8.8.8.8:53 oitolnzedjt.info udp
US 8.8.8.8:53 pqudsql.info udp
US 8.8.8.8:53 ufouzxinj.info udp
US 8.8.8.8:53 iamyys.org udp
US 8.8.8.8:53 tcexqiwic.info udp
US 8.8.8.8:53 ympmpsvit.net udp
US 8.8.8.8:53 ekqaao.com udp
US 8.8.8.8:53 vwpmakltloci.net udp
US 8.8.8.8:53 lxfkrptzp.org udp
US 8.8.8.8:53 uxywhdmg.net udp
US 8.8.8.8:53 yqvhkwmev.info udp
US 8.8.8.8:53 rkjyfrxybqd.net udp
US 8.8.8.8:53 jgmwhjqcvebb.info udp
US 8.8.8.8:53 ehwmiafn.info udp
US 8.8.8.8:53 lzfyvax.org udp
US 8.8.8.8:53 hjfdpmp.org udp
US 8.8.8.8:53 idplikihupbq.net udp
US 8.8.8.8:53 iiewyg.org udp
US 8.8.8.8:53 rjbifug.net udp
US 8.8.8.8:53 yqdindvszcl.info udp
US 8.8.8.8:53 ldlrgk.info udp
US 8.8.8.8:53 gfxzpycjb.info udp
US 8.8.8.8:53 ecyyio.org udp
US 8.8.8.8:53 csikmiue.com udp
US 8.8.8.8:53 bweyrkrd.info udp
US 8.8.8.8:53 tusqxslyt.net udp
US 8.8.8.8:53 bbncgi.net udp
US 8.8.8.8:53 owtumceqt.info udp
US 8.8.8.8:53 zxunfi.info udp
US 8.8.8.8:53 sgdzhklkvfso.info udp
US 8.8.8.8:53 kayccoka.org udp
US 8.8.8.8:53 oxczvoj.net udp
US 8.8.8.8:53 zyesfyhsean.net udp
US 8.8.8.8:53 ogqqeigu.com udp
US 8.8.8.8:53 skqsiiae.org udp
US 8.8.8.8:53 kgtjxkd.net udp
US 8.8.8.8:53 civdqb.net udp
US 8.8.8.8:53 bnrsjsdepoh.net udp
US 8.8.8.8:53 jqnibpanex.net udp
US 8.8.8.8:53 iolbex.net udp
US 8.8.8.8:53 alyypvemovoc.net udp
US 8.8.8.8:53 vblsvov.info udp
US 8.8.8.8:53 pjbabjjm.info udp
US 8.8.8.8:53 qkqgsewkmc.org udp
US 8.8.8.8:53 cioyiiukmwmk.com udp
US 8.8.8.8:53 qlstpgkhcjbu.net udp
US 8.8.8.8:53 nzitfaav.info udp
US 8.8.8.8:53 yojucrpja.net udp
US 8.8.8.8:53 bzptng.info udp
US 8.8.8.8:53 lktcrbw.com udp
US 8.8.8.8:53 kamykg.org udp
US 8.8.8.8:53 gweemfqkrphm.info udp
US 8.8.8.8:53 zqwkpmdiwut.com udp
US 8.8.8.8:53 mkmvbcpebsuu.net udp
US 8.8.8.8:53 wmxlxnofqrtg.net udp
US 8.8.8.8:53 jmosvwp.org udp
US 8.8.8.8:53 hyjodgw.info udp
US 8.8.8.8:53 oycaomqoak.org udp
US 8.8.8.8:53 dznjbbsm.net udp
US 8.8.8.8:53 anhzatlu.net udp
US 8.8.8.8:53 curmcyfia.net udp
US 8.8.8.8:53 erdoqo.net udp
US 8.8.8.8:53 dorczmyud.net udp
US 8.8.8.8:53 dkdczgl.info udp
US 8.8.8.8:53 wwjklefkfsz.info udp
US 8.8.8.8:53 hftefxb.info udp
US 8.8.8.8:53 duhyymbxu.com udp
US 8.8.8.8:53 wemuisjmr.net udp
US 8.8.8.8:53 kchkrrt.info udp
US 8.8.8.8:53 dwglaeby.info udp
US 8.8.8.8:53 gmuwhpvmp.info udp
US 8.8.8.8:53 naxejol.net udp
US 8.8.8.8:53 nhjifczd.net udp
US 8.8.8.8:53 vgqxvqngngx.info udp
US 8.8.8.8:53 bdlzvgc.org udp
US 8.8.8.8:53 yyswgucwes.org udp
US 8.8.8.8:53 cgzqtowog.info udp
US 8.8.8.8:53 gintvzbqfasy.net udp
US 8.8.8.8:53 ewvgtgtcz.net udp
US 8.8.8.8:53 vebnoq.info udp
US 8.8.8.8:53 izedxl.info udp
US 8.8.8.8:53 vpnztjfy.net udp
US 8.8.8.8:53 qeasooggkkye.org udp
US 8.8.8.8:53 brluhjqcemil.net udp
US 8.8.8.8:53 amockgpp.info udp
US 8.8.8.8:53 pmhvpupghjjy.info udp
US 8.8.8.8:53 zwxtlvjvvjw.net udp
US 8.8.8.8:53 rohdhw.info udp
US 8.8.8.8:53 gdiecndz.net udp
US 8.8.8.8:53 ncangjcgrd.info udp
US 8.8.8.8:53 kopknpqch.net udp
US 8.8.8.8:53 gsdcfctunwig.info udp
US 8.8.8.8:53 wvfsbpfcfl.info udp
US 8.8.8.8:53 sqryaliih.info udp
US 8.8.8.8:53 eplowtawrfxz.net udp
US 8.8.8.8:53 dyihravas.info udp
US 8.8.8.8:53 hqrgmensj.net udp
US 8.8.8.8:53 jmgxytmd.net udp
US 8.8.8.8:53 fevpfshvp.org udp
US 8.8.8.8:53 kcryxrris.info udp
US 8.8.8.8:53 gavjdundpeh.info udp
US 8.8.8.8:53 peqivsrf.net udp
US 8.8.8.8:53 ziiyzw.info udp
US 8.8.8.8:53 giekgyskeiik.org udp
US 8.8.8.8:53 farnsv.info udp
US 8.8.8.8:53 pexslnirqx.net udp
US 8.8.8.8:53 fcrvdyhtl.com udp
US 8.8.8.8:53 jwblfj.info udp
US 8.8.8.8:53 sumoeyoaec.com udp
US 8.8.8.8:53 vwfevaz.com udp
US 8.8.8.8:53 fkgritslx.org udp
US 8.8.8.8:53 ldzcjplr.info udp
US 8.8.8.8:53 hfpzntjjbadf.net udp
US 8.8.8.8:53 ptpwnlreeaxo.net udp
US 8.8.8.8:53 uijiczi.info udp
US 8.8.8.8:53 xhlcvabnuh.net udp
US 8.8.8.8:53 qpyxuijode.info udp
US 8.8.8.8:53 qincgi.net udp
US 8.8.8.8:53 wufwlmjywzv.net udp
US 8.8.8.8:53 druisxvuycrh.info udp
US 8.8.8.8:53 qhzgvhpfen.net udp
US 8.8.8.8:53 ueiwkw.org udp
US 8.8.8.8:53 dtstyn.net udp
US 8.8.8.8:53 quuwqcessmqq.org udp
US 8.8.8.8:53 lttlhzaiisgc.net udp
US 8.8.8.8:53 fdwmcomth.info udp
US 8.8.8.8:53 zskmbgb.org udp
US 8.8.8.8:53 zbqtpeerkb.net udp
US 8.8.8.8:53 iawrmopmffvf.info udp
US 8.8.8.8:53 gmiacqqk.org udp
US 8.8.8.8:53 iwoiymyk.com udp
US 8.8.8.8:53 zuwrljtqss.net udp
US 8.8.8.8:53 supshcr.info udp
US 8.8.8.8:53 wsbmtowdn.info udp
US 8.8.8.8:53 oahnjeibvxtw.net udp
US 8.8.8.8:53 msaeugqyakco.org udp
US 8.8.8.8:53 zunxrwpwle.info udp
US 8.8.8.8:53 satcdd.net udp
US 8.8.8.8:53 rexanw.net udp
US 8.8.8.8:53 tmrxnmjrkb.net udp
US 8.8.8.8:53 spykhhuwhaz.info udp
US 8.8.8.8:53 smotbzehkc.net udp
US 8.8.8.8:53 yxjldhni.info udp
US 8.8.8.8:53 hifwaj.net udp
US 8.8.8.8:53 vdtuuhtm.net udp
US 8.8.8.8:53 siqsos.com udp
US 8.8.8.8:53 uomieuwsgywa.com udp
US 8.8.8.8:53 wxdcfvjum.net udp
US 8.8.8.8:53 awqmkw.com udp
US 8.8.8.8:53 hsmrubdm.net udp
US 8.8.8.8:53 gdhecqmgsb.net udp
US 8.8.8.8:53 dacezd.info udp
US 8.8.8.8:53 qhxcicpwk.info udp
US 8.8.8.8:53 fzkrxmam.info udp
US 8.8.8.8:53 rtvtxgt.com udp
US 8.8.8.8:53 pyrosxlf.net udp
US 8.8.8.8:53 jadrzal.net udp
US 8.8.8.8:53 fixijml.org udp
US 8.8.8.8:53 ggkuci.org udp
US 8.8.8.8:53 vsxzdlahsc.net udp
US 8.8.8.8:53 qoryciielgw.net udp
US 8.8.8.8:53 rlswtvwwi.info udp
US 8.8.8.8:53 tczojkdmt.com udp
US 8.8.8.8:53 oiqwzo.info udp
US 8.8.8.8:53 natgocajd.net udp
US 8.8.8.8:53 tssyjnlgjmv.org udp
US 8.8.8.8:53 bujydax.net udp
US 8.8.8.8:53 ultwrasysvh.info udp
US 8.8.8.8:53 tlmjmxucwgp.org udp
US 8.8.8.8:53 wiceaimuakoq.com udp
US 8.8.8.8:53 sxsydftugfl.net udp
US 8.8.8.8:53 razrhgzrfb.net udp
US 8.8.8.8:53 dwvhzx.info udp
US 8.8.8.8:53 vlglyxutkrkb.net udp
US 8.8.8.8:53 msoiygcw.org udp
US 8.8.8.8:53 gvtdycynqg.info udp
US 8.8.8.8:53 oqqobf.info udp
US 8.8.8.8:53 gsueieqvkrjn.net udp
US 8.8.8.8:53 flzjekh.com udp
US 8.8.8.8:53 xsdbkumegu.info udp
US 8.8.8.8:53 jntxuexoq.net udp
US 8.8.8.8:53 tfhvbcb.net udp
US 8.8.8.8:53 wyyeeuou.com udp
US 8.8.8.8:53 bfedtcfrri.net udp
US 8.8.8.8:53 lqguughfrfg.org udp
US 8.8.8.8:53 twrqhmcopkz.com udp
US 8.8.8.8:53 awtrjqbmv.net udp
US 8.8.8.8:53 jpookb.net udp
US 8.8.8.8:53 ejpdqikairvo.info udp
US 8.8.8.8:53 qezkvov.info udp
US 8.8.8.8:53 nkpkjyr.net udp
US 8.8.8.8:53 fwhucmggrugm.info udp
US 8.8.8.8:53 tdryvh.net udp
US 8.8.8.8:53 ssgqsckw.com udp
US 8.8.8.8:53 fmkplsjq.net udp
US 8.8.8.8:53 ytxukmaq.info udp
US 8.8.8.8:53 feunojjm.info udp
US 8.8.8.8:53 xgghnsoon.net udp
US 8.8.8.8:53 cxritgbkwiqj.net udp
US 8.8.8.8:53 sybmdmxmguj.info udp
US 8.8.8.8:53 uacsgg.org udp
US 8.8.8.8:53 bliiyegakbjf.net udp
US 8.8.8.8:53 xflrdxdu.net udp
US 8.8.8.8:53 oummcaukkm.org udp
US 8.8.8.8:53 yabgjuiyvpj.net udp
US 8.8.8.8:53 zvylhp.info udp
US 8.8.8.8:53 jabxlbkymq.net udp
US 8.8.8.8:53 wjbbxjzhjax.net udp
US 8.8.8.8:53 eksuhdhcl.net udp
US 8.8.8.8:53 yqtafgfohsp.net udp
US 8.8.8.8:53 lgzklrnwe.org udp
US 8.8.8.8:53 nrpqjt.info udp
US 8.8.8.8:53 iummkgkams.com udp
US 8.8.8.8:53 tltdeqcmjo.info udp
US 8.8.8.8:53 amgsuceusq.org udp
US 8.8.8.8:53 uunmbx.info udp
US 8.8.8.8:53 kkcqmmamea.com udp
US 8.8.8.8:53 lkngjoezjnq.com udp
US 8.8.8.8:53 oyqkenfgiah.info udp
US 8.8.8.8:53 jczksrtveits.info udp
US 8.8.8.8:53 wrbgtg.info udp
US 8.8.8.8:53 knwdqfzpbh.net udp
US 8.8.8.8:53 nthgluf.com udp
US 8.8.8.8:53 xbfhtyff.info udp
US 8.8.8.8:53 tamkewp.org udp
US 8.8.8.8:53 nsflxjfnkwv.net udp
US 8.8.8.8:53 qkveyb.info udp
US 8.8.8.8:53 dihvgvfkhyb.net udp
US 8.8.8.8:53 vsswekgnat.info udp
US 8.8.8.8:53 nvdngnikdpdn.info udp
US 8.8.8.8:53 zumyixzyford.net udp
US 8.8.8.8:53 kktyzavkfid.info udp
DE 85.214.228.140:80 gyuuym.org tcp
US 8.8.8.8:53 cswccq.org udp
US 8.8.8.8:53 qcdymgtiotjc.info udp
US 8.8.8.8:53 pkjhvsjyc.info udp
US 8.8.8.8:53 usnpplxpvsq.info udp
US 8.8.8.8:53 qjmktqvv.net udp
US 8.8.8.8:53 tyfxgqn.info udp
SG 18.142.91.111:80 unxfuild.info tcp
US 8.8.8.8:53 dcjytqaclap.org udp
US 8.8.8.8:53 mmpktkdc.info udp
US 8.8.8.8:53 favsvpw.info udp
US 8.8.8.8:53 fetortx.net udp
US 8.8.8.8:53 yqgcwsiq.com udp
US 8.8.8.8:53 huruleppzcwk.net udp
US 8.8.8.8:53 ggoiukqgsikq.org udp
US 8.8.8.8:53 xlwgvn.net udp
US 8.8.8.8:53 gamzvrz.info udp
US 8.8.8.8:53 udzdjiddn.net udp
US 8.8.8.8:53 llyfpzwtxa.info udp
US 8.8.8.8:53 wfntvv.net udp
US 8.8.8.8:53 iwaxhxcz.info udp
US 8.8.8.8:53 lgtysqfop.info udp
US 8.8.8.8:53 ijbaxabeu.info udp
US 8.8.8.8:53 zekmkkgldznj.net udp
US 8.8.8.8:53 wclfmcwabet.info udp
US 8.8.8.8:53 ygoukmwg.org udp
US 8.8.8.8:53 ooskzihz.info udp
US 8.8.8.8:53 buvxshbo.net udp
US 8.8.8.8:53 osyuwgoqkw.com udp
US 8.8.8.8:53 gcioqiywocao.org udp
US 104.156.155.94:80 cydlrge.info tcp
US 8.8.8.8:53 oqjwrexl.net udp
US 8.8.8.8:53 kybbhfsmx.net udp
US 8.8.8.8:53 mjotpzfbosdh.info udp
US 8.8.8.8:53 ygbaritsibt.info udp
US 8.8.8.8:53 luvehemiri.info udp
US 8.8.8.8:53 dczfawngdur.org udp
US 8.8.8.8:53 dbnholny.net udp
US 8.8.8.8:53 jxgaoxoduxoy.info udp
US 8.8.8.8:53 jmjntmjiswdy.info udp
US 8.8.8.8:53 lalckpw.org udp
US 8.8.8.8:53 fxfqpuhjz.com udp
US 8.8.8.8:53 gwxlxucpecnm.net udp
US 8.8.8.8:53 qfstctpnrd.info udp
US 8.8.8.8:53 hmfurcniz.info udp
US 8.8.8.8:53 qeporpepmjms.net udp
US 8.8.8.8:53 cowkeosqz.net udp
US 8.8.8.8:53 ddpobim.org udp
US 8.8.8.8:53 hkvmqxzwsa.net udp
US 8.8.8.8:53 vubrryjtlu.net udp
US 8.8.8.8:53 aonybit.info udp
US 8.8.8.8:53 wesikqaquoko.org udp
US 8.8.8.8:53 ewhqxezcwwc.net udp
US 8.8.8.8:53 yoaoooewyeeo.com udp
US 8.8.8.8:53 cshxxytsnmc.info udp
US 8.8.8.8:53 odfkmdb.info udp
US 8.8.8.8:53 kmdoyvakp.net udp
US 8.8.8.8:53 uuekcscgcw.com udp
US 8.8.8.8:53 zrnjwthqjvzj.net udp
US 8.8.8.8:53 mdhpuesj.net udp
US 8.8.8.8:53 gjyqvdupr.info udp
US 8.8.8.8:53 ryiynopn.info udp
US 8.8.8.8:53 cguwzgdgzbt.net udp
US 8.8.8.8:53 dqjrswwie.com udp
US 8.8.8.8:53 qdxkopz.net udp
US 8.8.8.8:53 ttpcdqllybrv.net udp
US 8.8.8.8:53 qilipnzii.info udp
US 8.8.8.8:53 polscr.net udp
US 8.8.8.8:53 wczqgiw.info udp
US 8.8.8.8:53 nipqdslewhbn.info udp
US 8.8.8.8:53 vrxmprngmlhk.net udp
US 8.8.8.8:53 zbgijwtqs.info udp
US 8.8.8.8:53 yuzivct.info udp
US 8.8.8.8:53 oclyxabqdbz.info udp
US 8.8.8.8:53 klqmnybibg.net udp
US 8.8.8.8:53 umllqwe.net udp
US 8.8.8.8:53 ykigigss.com udp
US 8.8.8.8:53 dkebosimtc.info udp
US 8.8.8.8:53 lyxmnybibg.info udp
US 8.8.8.8:53 qeqcciigmyqa.com udp
US 8.8.8.8:53 qivfbrx.net udp
US 8.8.8.8:53 dkurufuc.info udp
US 8.8.8.8:53 ehlmgx.info udp
US 8.8.8.8:53 bfrcjpa.net udp
US 8.8.8.8:53 ywugsqwk.org udp
US 8.8.8.8:53 dkouvubcpovf.info udp
US 8.8.8.8:53 usmkyk.com udp
US 8.8.8.8:53 xqqijypyahb.com udp
US 8.8.8.8:53 gizmdazqesg.info udp
US 8.8.8.8:53 bflugs.net udp
US 8.8.8.8:53 yyzjrrnqip.net udp
US 8.8.8.8:53 xugrbqoij.net udp
US 8.8.8.8:53 halfokdixit.info udp
US 8.8.8.8:53 ffzxdl.info udp
US 8.8.8.8:53 uiovockpotph.info udp
US 8.8.8.8:53 ghwsbaasah.net udp
US 8.8.8.8:53 kgucribs.info udp
US 8.8.8.8:53 skzronguf.net udp
US 8.8.8.8:53 zyfitez.info udp
US 8.8.8.8:53 ucqrrojzxnkq.net udp
US 8.8.8.8:53 vhxuabmoh.org udp
US 8.8.8.8:53 qirbrxpmkd.info udp
US 8.8.8.8:53 dtwyjqcqiq.info udp
US 8.8.8.8:53 kkuwguyysc.org udp
US 8.8.8.8:53 leqdurjb.net udp
US 8.8.8.8:53 jqpjcp.net udp
US 8.8.8.8:53 zbtyhlp.info udp
US 8.8.8.8:53 dxikspgshgbk.info udp
US 8.8.8.8:53 owueksem.org udp
US 8.8.8.8:53 qttadukdir.net udp
US 8.8.8.8:53 hrphslzidist.net udp
US 8.8.8.8:53 lgmwshpwdp.net udp
US 8.8.8.8:53 iqtokyjgd.info udp
US 8.8.8.8:53 bulemyztm.com udp
US 8.8.8.8:53 zgrjrexb.net udp
US 8.8.8.8:53 farvromuo.org udp
US 8.8.8.8:53 jkzsxzzx.info udp
US 8.8.8.8:53 jzwupux.com udp
US 8.8.8.8:53 tdovwkocdxom.info udp
US 8.8.8.8:53 qosqcoam.org udp
US 8.8.8.8:53 doruxevf.info udp
US 8.8.8.8:53 eeueccewmeem.com udp
US 8.8.8.8:53 knjxphwz.info udp
US 8.8.8.8:53 sgujcau.net udp
US 8.8.8.8:53 ciauozh.net udp
US 8.8.8.8:53 hazbpezbbwj.org udp
US 8.8.8.8:53 woklix.info udp
US 8.8.8.8:53 gthoprfe.net udp
US 8.8.8.8:53 bkrlju.net udp
US 8.8.8.8:53 wgewpkbwo.net udp
US 8.8.8.8:53 zebmremkt.com udp
US 8.8.8.8:53 vlpxze.info udp
US 8.8.8.8:53 rnncfwk.com udp
US 8.8.8.8:53 skywyumxq.net udp
US 8.8.8.8:53 mclohnzured.net udp
US 8.8.8.8:53 kwdabfp.info udp
US 8.8.8.8:53 bcxapao.net udp
US 8.8.8.8:53 nwjkjch.org udp
US 8.8.8.8:53 egsmyysc.org udp
US 8.8.8.8:53 alfwckezdwea.info udp
US 8.8.8.8:53 ugkkcqqs.com udp
US 8.8.8.8:53 irvuvwtdq.net udp
US 8.8.8.8:53 kuiekkegsc.com udp
US 8.8.8.8:53 nshdioh.net udp
US 8.8.8.8:53 qftfrynjot.info udp
US 8.8.8.8:53 rzqtyav.org udp
US 8.8.8.8:53 hcgihmqlikh.net udp
US 8.8.8.8:53 fcrhrox.com udp
US 8.8.8.8:53 ypoiekdvjuj.net udp
US 8.8.8.8:53 ekqqcc.org udp
US 8.8.8.8:53 hdxixovzbq.net udp
US 8.8.8.8:53 xnhmir.net udp
US 8.8.8.8:53 dwfkeogzvhjn.info udp
US 8.8.8.8:53 xljiuneq.info udp
US 8.8.8.8:53 kdrgyw.net udp
US 8.8.8.8:53 tyrgbzxwy.info udp
US 8.8.8.8:53 bhaecgtmco.net udp
US 8.8.8.8:53 dflqknsl.net udp
US 8.8.8.8:53 cksumqkikg.org udp
US 8.8.8.8:53 lyxgpj.info udp
US 8.8.8.8:53 ueyeyimyiw.com udp
US 8.8.8.8:53 ukmaskukswwa.com udp
US 8.8.8.8:53 sayewk.org udp
US 8.8.8.8:53 tsronkfan.net udp
US 8.8.8.8:53 qtgqqinahbp.info udp
US 8.8.8.8:53 wgusbysefuf.info udp
US 8.8.8.8:53 hcixkfjzxude.net udp
US 8.8.8.8:53 roqjur.info udp
US 8.8.8.8:53 htrerkivfv.net udp
US 8.8.8.8:53 ywejaghevtsi.net udp
US 8.8.8.8:53 wbhedxm.info udp
US 8.8.8.8:53 tcvuvhjwh.info udp
US 8.8.8.8:53 fvrhpkjtjaz.org udp
US 8.8.8.8:53 nqtctqn.com udp
US 8.8.8.8:53 raoifwhka.org udp
US 8.8.8.8:53 aczsnsljl.info udp
US 8.8.8.8:53 twfbqoysp.info udp
US 8.8.8.8:53 sbusnkikn.info udp
US 8.8.8.8:53 jubvpax.info udp
US 8.8.8.8:53 iaomdsn.info udp
US 8.8.8.8:53 xbtfto.net udp
US 8.8.8.8:53 sysmpdbmyqc.net udp
US 8.8.8.8:53 tsnfuljiz.info udp
US 8.8.8.8:53 jdgmlq.net udp
US 8.8.8.8:53 aknsgwkcl.net udp
US 8.8.8.8:53 bclawmo.com udp
US 8.8.8.8:53 zyfsbsinegb.org udp
US 8.8.8.8:53 uuqcsesa.org udp
US 8.8.8.8:53 wsvcvcbwn.info udp
US 8.8.8.8:53 ecbwysbz.info udp
US 8.8.8.8:53 wwmntpxdya.net udp
US 8.8.8.8:53 vbrrmyxe.net udp
US 8.8.8.8:53 oouigmkaeg.org udp
US 8.8.8.8:53 iuqhsvwbvgm.net udp
US 8.8.8.8:53 tsuupcevjc.info udp
US 8.8.8.8:53 qqdalunkgmb.info udp
US 8.8.8.8:53 eidbmodtu.info udp
US 8.8.8.8:53 eqcuqgasyk.org udp
US 8.8.8.8:53 njmyupro.net udp
US 8.8.8.8:53 xrpwmsl.info udp
US 8.8.8.8:53 yodlhss.info udp
US 8.8.8.8:53 hgagfhztkn.net udp
US 8.8.8.8:53 tnshbwvysabv.info udp
US 8.8.8.8:53 lewonzqpbzfr.net udp
US 8.8.8.8:53 iusioomq.org udp
US 8.8.8.8:53 ocvyjetaz.info udp
US 8.8.8.8:53 wcsbrpz.net udp
US 8.8.8.8:53 nwiinxxadxh.info udp
US 8.8.8.8:53 maueuewscq.com udp
US 8.8.8.8:53 tcfhbmxb.info udp
US 8.8.8.8:53 azlfou.info udp
US 8.8.8.8:53 jivgmmxfkqfs.net udp
US 8.8.8.8:53 ngvhjc.info udp
US 8.8.8.8:53 hbxgvnf.org udp
US 8.8.8.8:53 kuoeizpxtygu.info udp
US 8.8.8.8:53 umyicieyee.org udp
US 8.8.8.8:53 xieqsqxxlmnu.info udp
US 8.8.8.8:53 iwgsaosaqi.org udp
US 8.8.8.8:53 vfwmtsxqbif.info udp
US 8.8.8.8:53 trymmtsmhuk.org udp
US 8.8.8.8:53 lmstju.info udp
US 8.8.8.8:53 nbjshjjst.info udp
US 8.8.8.8:53 owfyrxy.info udp
US 8.8.8.8:53 vcsuct.net udp
US 8.8.8.8:53 uczkmur.net udp
US 8.8.8.8:53 qrpvucqdde.net udp
US 8.8.8.8:53 yfcqlqba.net udp
US 8.8.8.8:53 gxpozyonn.info udp
US 8.8.8.8:53 atkzfclhbift.info udp
US 8.8.8.8:53 vhnebfuiqo.net udp
US 8.8.8.8:53 wueysyqiyg.org udp
US 8.8.8.8:53 rodkdkkgd.org udp
US 8.8.8.8:53 ylswjvlce.net udp
US 8.8.8.8:53 hshshue.info udp
US 8.8.8.8:53 jjrefkv.net udp
US 8.8.8.8:53 fkvsqgdijuk.com udp
US 8.8.8.8:53 iiyyzjfjta.net udp
US 8.8.8.8:53 xksrej.info udp
US 8.8.8.8:53 imxstztifepe.info udp
US 8.8.8.8:53 bwqksqe.info udp
US 8.8.8.8:53 egsmywku.org udp
US 8.8.8.8:53 xrnqxkr.org udp
US 8.8.8.8:53 jjjuwgon.net udp
US 8.8.8.8:53 qdhjhcbtd.info udp
US 8.8.8.8:53 kjskvzf.info udp
US 8.8.8.8:53 fctgwmdm.net udp
US 8.8.8.8:53 boxglq.net udp
US 8.8.8.8:53 roncpfd.org udp
US 8.8.8.8:53 jpzuvpbao.info udp
US 8.8.8.8:53 qctxhj.net udp
US 8.8.8.8:53 lzbjkx.info udp
US 8.8.8.8:53 mvmovylbb.net udp
US 8.8.8.8:53 evubkexlhg.info udp
US 8.8.8.8:53 ecbuiwng.info udp
US 8.8.8.8:53 kptgfigixa.net udp
US 8.8.8.8:53 bjjogvwnivqw.info udp
US 8.8.8.8:53 yelewy.info udp
US 8.8.8.8:53 blriytvijot.com udp
US 8.8.8.8:53 zkpsnbdqkt.net udp
US 8.8.8.8:53 rebsleojdjf.org udp
US 8.8.8.8:53 qpoolvhcf.info udp
US 8.8.8.8:53 hcnclth.info udp
US 8.8.8.8:53 fanetbt.org udp
US 8.8.8.8:53 znliza.net udp
US 8.8.8.8:53 arhhvb.info udp
US 8.8.8.8:53 gaqkygwq.org udp
US 8.8.8.8:53 twsveagzjney.info udp
US 8.8.8.8:53 vikzczbicati.net udp
US 8.8.8.8:53 vqdkeaj.net udp
US 8.8.8.8:53 jrbulad.info udp
US 8.8.8.8:53 oibcauzid.info udp
US 8.8.8.8:53 xmdapusuyn.net udp
US 8.8.8.8:53 gekiteeqd.net udp
US 8.8.8.8:53 ofecfqzsd.net udp
US 8.8.8.8:53 bpzorpfuhtf.org udp
US 8.8.8.8:53 mqoawomckwiy.org udp
US 8.8.8.8:53 vtohri.info udp
US 8.8.8.8:53 hnzuuixwfez.info udp
US 8.8.8.8:53 gpxhygjxuf.net udp
US 8.8.8.8:53 znqgvpvvlxna.net udp
US 8.8.8.8:53 bkngmvgi.net udp
US 8.8.8.8:53 lczmjltd.net udp
US 8.8.8.8:53 vuhcbx.net udp
US 8.8.8.8:53 syxrzgz.info udp
US 8.8.8.8:53 zzhepkuct.info udp
US 8.8.8.8:53 hchqdkty.info udp
US 8.8.8.8:53 bqdindvszcl.com udp
US 8.8.8.8:53 arhvrracp.info udp
US 8.8.8.8:53 vmdozghku.info udp
US 8.8.8.8:53 uifjnehat.info udp
US 8.8.8.8:53 wawaoiyk.com udp
US 8.8.8.8:53 letsuvpch.com udp
US 8.8.8.8:53 gajjuoug.net udp
US 8.8.8.8:53 ogewrcwf.info udp
US 8.8.8.8:53 qcicieqe.com udp
US 8.8.8.8:53 lczoradauoz.net udp
US 8.8.8.8:53 dwncwyjudqc.info udp
US 8.8.8.8:53 jbnulqn.com udp
US 8.8.8.8:53 kgvmnxwqctzv.net udp
US 8.8.8.8:53 owvnud.net udp
US 8.8.8.8:53 dnxmoutgr.com udp
US 8.8.8.8:53 eoipxjfwwll.net udp
US 8.8.8.8:53 vmtbnha.info udp
US 8.8.8.8:53 dazulnj.org udp
US 8.8.8.8:53 divkaifudom.info udp
US 8.8.8.8:53 peauhd.info udp
US 8.8.8.8:53 qasayo.org udp
US 8.8.8.8:53 tvjyxazeqyg.info udp
US 8.8.8.8:53 iiuuvkxqnln.info udp
US 8.8.8.8:53 vwflrmpepkpl.info udp
US 8.8.8.8:53 gwwyoauy.com udp
US 8.8.8.8:53 upbtbuplqe.net udp
US 8.8.8.8:53 jzthxr.net udp
US 8.8.8.8:53 xhdredghzi.info udp
US 8.8.8.8:53 lbvevlbqzaxz.net udp
US 8.8.8.8:53 zuhmapbot.net udp
US 8.8.8.8:53 rbosaw.info udp
US 8.8.8.8:53 xsumvvjhlugq.info udp
US 8.8.8.8:53 gavkrub.info udp
US 8.8.8.8:53 bjapdckb.net udp
US 8.8.8.8:53 vjvlnnztmb.net udp
US 8.8.8.8:53 gweztzvr.info udp
US 8.8.8.8:53 neqkhwppzu.net udp
US 8.8.8.8:53 mstfoi.info udp
US 8.8.8.8:53 pfduohvqd.com udp
US 8.8.8.8:53 omcugaasuiqs.com udp
US 8.8.8.8:53 yojkaljecqs.info udp
US 8.8.8.8:53 vboijriuxhyp.net udp
US 8.8.8.8:53 cyljxwxlfhxj.net udp
US 8.8.8.8:53 oyggueye.org udp
US 8.8.8.8:53 ecegeakc.org udp
US 8.8.8.8:53 jqpmfnbmiqsl.info udp
US 8.8.8.8:53 dlaqxkzamb.info udp
US 8.8.8.8:53 ogvqnextfup.net udp
US 8.8.8.8:53 jqdbwmbsfgpf.info udp
US 8.8.8.8:53 vytajgsilgq.info udp
US 8.8.8.8:53 ootkjdzphd.net udp
US 8.8.8.8:53 immussouoaqm.com udp
US 8.8.8.8:53 zlvlqx.info udp
US 8.8.8.8:53 pdesch.net udp
US 8.8.8.8:53 aararuzmj.info udp
US 8.8.8.8:53 oqcamiue.org udp
US 8.8.8.8:53 vkhdjgl.net udp
US 8.8.8.8:53 zlvgdxp.com udp
US 8.8.8.8:53 vopoispy.net udp
US 8.8.8.8:53 fotsdwz.net udp
US 8.8.8.8:53 gskiqciu.com udp
US 8.8.8.8:53 zrizzt.net udp
US 8.8.8.8:53 hmjxjkbbsdpl.net udp
US 8.8.8.8:53 loptyhuqml.net udp
US 8.8.8.8:53 kfgpbyircq.info udp
US 8.8.8.8:53 nsjnpn.net udp
US 8.8.8.8:53 ngfcrkqvi.net udp
US 8.8.8.8:53 jzhjvqvuh.com udp
US 8.8.8.8:53 jehgfyntp.org udp
US 8.8.8.8:53 pkkusmsszws.info udp
US 8.8.8.8:53 zyrhqollagv.com udp
US 8.8.8.8:53 ivewnr.info udp
US 8.8.8.8:53 wixuovsoemq.net udp
US 8.8.8.8:53 sxavryplb.net udp
US 8.8.8.8:53 meujkdao.info udp
US 8.8.8.8:53 vrqwfkhgp.com udp
US 8.8.8.8:53 nqxijbihvn.info udp
US 8.8.8.8:53 bkhykmzs.info udp
US 8.8.8.8:53 ruxesym.net udp
US 8.8.8.8:53 fjtrzgoa.info udp
US 8.8.8.8:53 qisqma.org udp
US 8.8.8.8:53 yspynbdonzn.net udp
US 8.8.8.8:53 movilal.info udp
US 8.8.8.8:53 cujgjqhmjlo.net udp
US 8.8.8.8:53 vplcoxbjoo.net udp
US 8.8.8.8:53 tcpohrodahgi.info udp
US 8.8.8.8:53 xrctizgjhu.net udp
US 8.8.8.8:53 uknjtebpr.net udp
US 8.8.8.8:53 omueemu.net udp
US 8.8.8.8:53 mkzvhmaf.net udp
US 8.8.8.8:53 fobsybx.org udp
US 8.8.8.8:53 ncrmbitil.com udp
US 8.8.8.8:53 azuubqvojm.net udp
US 8.8.8.8:53 rfcqjgcwrllk.info udp
US 8.8.8.8:53 dijzuhueuq.net udp
US 8.8.8.8:53 qwuyewogpct.net udp
US 8.8.8.8:53 ooewwc.org udp
US 8.8.8.8:53 jkefxko.info udp
US 8.8.8.8:53 kjhjdn.info udp
US 8.8.8.8:53 mbvejgnmkqj.info udp
US 8.8.8.8:53 uczzersy.net udp
US 8.8.8.8:53 jypigkw.net udp
US 8.8.8.8:53 lenwnzall.com udp
US 8.8.8.8:53 jvgrgb.info udp
US 8.8.8.8:53 aiqqya.org udp
US 8.8.8.8:53 vilvteb.net udp
US 8.8.8.8:53 hiikjndga.net udp
US 8.8.8.8:53 jphhtgd.com udp
US 8.8.8.8:53 guwaimmgucsu.com udp
US 8.8.8.8:53 xofextv.net udp
US 8.8.8.8:53 omierhazkhgw.net udp
US 8.8.8.8:53 smucisiookqm.com udp
US 8.8.8.8:53 geebmbsqneds.net udp
US 8.8.8.8:53 goemui.org udp
US 8.8.8.8:53 kwdrqyzrhd.net udp
US 8.8.8.8:53 iaxiuwn.net udp
US 8.8.8.8:53 nbsbcnvx.info udp
US 8.8.8.8:53 csiokimo.org udp
US 8.8.8.8:53 zbalvclk.net udp
US 8.8.8.8:53 xrjmbmgmisvh.info udp
US 8.8.8.8:53 kyqecyckyq.com udp
US 8.8.8.8:53 vincfib.net udp
US 8.8.8.8:53 asqqkuscv.net udp
US 8.8.8.8:53 jqtenkdayoy.org udp
US 8.8.8.8:53 fibdahmb.info udp
US 8.8.8.8:53 dkjzkmhmj.org udp
US 8.8.8.8:53 ctxqdaswz.info udp
US 8.8.8.8:53 lvliwxsju.net udp
US 8.8.8.8:53 sciesckqmcyo.com udp
US 8.8.8.8:53 drysdrd.com udp
US 8.8.8.8:53 xfpajnjs.info udp
US 8.8.8.8:53 wcgcuuiu.org udp
US 8.8.8.8:53 vzlwgqhlqbcp.info udp
US 8.8.8.8:53 debqvadou.com udp
US 8.8.8.8:53 jidxkqx.org udp
US 8.8.8.8:53 nhmyomxjv.info udp
US 8.8.8.8:53 jrmcxrvelga.net udp
US 8.8.8.8:53 rzxyzaxrkyf.com udp
US 8.8.8.8:53 uingpelupzt.net udp
US 8.8.8.8:53 cqvoqmlyk.net udp
US 8.8.8.8:53 hajuzzellkx.net udp
US 8.8.8.8:53 wkmqiyocumwo.com udp
US 8.8.8.8:53 nppixueby.com udp
US 8.8.8.8:53 gcgwymyaiusa.org udp
US 8.8.8.8:53 hwxzpjcsqy.info udp
US 8.8.8.8:53 yhkyid.info udp
US 8.8.8.8:53 qsmwkkoeiu.org udp
US 8.8.8.8:53 lkxofmakimh.net udp
US 8.8.8.8:53 vyvijbihvn.info udp
US 8.8.8.8:53 uiatfomwcewg.info udp
US 8.8.8.8:53 rbldrynb.net udp
US 8.8.8.8:53 uaxcyav.info udp
US 8.8.8.8:53 kbkcahwtppde.net udp
US 8.8.8.8:53 hsrofavrq.net udp
US 8.8.8.8:53 jrhonas.org udp
US 8.8.8.8:53 cmkqskhfzloh.net udp
US 8.8.8.8:53 camquy.org udp
US 8.8.8.8:53 llpwlrlwpx.net udp
US 8.8.8.8:53 psfshzikdi.info udp
US 8.8.8.8:53 bctwfgikb.org udp
US 8.8.8.8:53 xytufhhmmuz.net udp
US 8.8.8.8:53 zdhjexgtfl.net udp
US 8.8.8.8:53 owhbxwix.info udp
US 8.8.8.8:53 fgbcmcz.org udp
US 8.8.8.8:53 lrzlxiv.info udp
US 8.8.8.8:53 qrpasuf.net udp
US 8.8.8.8:53 ketgaqr.info udp
US 8.8.8.8:53 poxfxqn.org udp
US 8.8.8.8:53 xmlymtnez.org udp
US 8.8.8.8:53 bzcgppblqzez.net udp
US 8.8.8.8:53 dttgfphehyn.org udp
US 8.8.8.8:53 jarfzxf.com udp
US 8.8.8.8:53 qaowim.org udp
US 8.8.8.8:53 cugdaeeegid.net udp
US 8.8.8.8:53 odzbrjqoy.info udp
US 8.8.8.8:53 jryyhsxn.net udp
US 8.8.8.8:53 ggmuioag.com udp
US 8.8.8.8:53 acyqaoscco.org udp
US 8.8.8.8:53 ahjpvthe.net udp
US 8.8.8.8:53 aalijqi.info udp
US 8.8.8.8:53 eyskokmwwqmw.org udp
US 8.8.8.8:53 wohwiydctdr.net udp
US 8.8.8.8:53 qsrexaeqj.net udp
US 8.8.8.8:53 vediowtkf.com udp
US 8.8.8.8:53 bgjihql.net udp
US 8.8.8.8:53 ahvyymxkbsm.info udp
US 8.8.8.8:53 vlzhhgru.info udp
US 8.8.8.8:53 odqisf.info udp
US 8.8.8.8:53 wrbsff.info udp
US 8.8.8.8:53 ncpmyszzt.info udp
US 8.8.8.8:53 pwonqcpvwjj.org udp
US 8.8.8.8:53 jeumutmotqx.org udp
US 8.8.8.8:53 cuyaywai.org udp
US 8.8.8.8:53 fmpktqpifyd.net udp
US 8.8.8.8:53 meypnhxmicgr.net udp
US 8.8.8.8:53 ybxsqlwexbnh.info udp
US 8.8.8.8:53 qqhrpojhx.info udp
US 8.8.8.8:53 zlvgnqn.info udp
US 8.8.8.8:53 kkiamiym.com udp
US 8.8.8.8:53 nkzzgitebms.net udp
US 8.8.8.8:53 uqlfloteori.net udp
US 8.8.8.8:53 zssalus.net udp
US 8.8.8.8:53 zywmnyn.info udp
US 8.8.8.8:53 jatdaajehomt.net udp
US 8.8.8.8:53 akmyik.org udp
US 8.8.8.8:53 qehujyf.info udp
US 8.8.8.8:53 cmjulbjrdwq.net udp
US 8.8.8.8:53 urfhja.info udp
US 8.8.8.8:53 wvkhmszov.info udp
US 8.8.8.8:53 pqnodstzv.com udp
US 8.8.8.8:53 kexuozfhb.net udp
US 8.8.8.8:53 qyocsmscuqca.com udp
US 8.8.8.8:53 mykmgemmwk.org udp
US 8.8.8.8:53 qqawqn.info udp
US 8.8.8.8:53 uiceesz.info udp
US 8.8.8.8:53 htbonnlrlhvk.info udp
US 8.8.8.8:53 wmemmqee.com udp
US 8.8.8.8:53 yffcunihlgd.info udp
US 8.8.8.8:53 yzhdwejyh.info udp
US 8.8.8.8:53 uyqgmg.org udp
US 8.8.8.8:53 sgccdep.net udp
US 8.8.8.8:53 tfzobzizac.info udp
US 8.8.8.8:53 eibqqet.info udp
US 8.8.8.8:53 cqpuoatdqg.net udp
US 8.8.8.8:53 argopolqn.info udp
US 8.8.8.8:53 uoxjsmld.info udp
US 8.8.8.8:53 suuimc.org udp
US 8.8.8.8:53 djiqjmvin.info udp
US 8.8.8.8:53 osgcwaec.org udp
US 8.8.8.8:53 dkpuezc.org udp
US 8.8.8.8:53 ctvsirr.info udp
US 8.8.8.8:53 cbinhybhze.net udp
US 8.8.8.8:53 uwparkj.info udp
US 8.8.8.8:53 ewiuauieao.com udp
US 8.8.8.8:53 votzeqfkhpev.info udp
US 8.8.8.8:53 kcdlaxhpftpz.info udp
US 8.8.8.8:53 hpddtcltqu.info udp
US 8.8.8.8:53 bjpwlrlwpx.net udp
US 8.8.8.8:53 akfuol.info udp
US 8.8.8.8:53 bxbajiiaqjeh.info udp
US 8.8.8.8:53 imwkkoik.com udp
US 8.8.8.8:53 sewuvwb.net udp
US 8.8.8.8:53 sqdvvvfiv.info udp
US 8.8.8.8:53 hrnzrmgv.info udp
US 8.8.8.8:53 gouuqauy.org udp
US 8.8.8.8:53 oaewcmmi.com udp
US 8.8.8.8:53 ihiixcc.info udp
US 8.8.8.8:53 kuuykgkk.com udp
US 8.8.8.8:53 njnokh.net udp
US 8.8.8.8:53 xavofysujln.com udp
US 8.8.8.8:53 oalwpcngx.info udp
US 8.8.8.8:53 njfyhbuihkvr.net udp
US 8.8.8.8:53 xcrfxbihvn.info udp
US 8.8.8.8:53 ihthnouuevbo.info udp
US 8.8.8.8:53 rwnotdd.com udp
US 8.8.8.8:53 gacqbj.net udp
US 8.8.8.8:53 hqdagqqc.info udp
US 8.8.8.8:53 pvesxitaordl.info udp
US 8.8.8.8:53 eewgawauisgc.com udp
US 8.8.8.8:53 acfknel.net udp
US 8.8.8.8:53 tqhxhutwnxsg.net udp
US 8.8.8.8:53 wohdxoaib.net udp
US 8.8.8.8:53 hmdppleab.com udp
US 8.8.8.8:53 wympggf.net udp
US 8.8.8.8:53 qudsngxotcl.info udp
US 8.8.8.8:53 dzrmxez.com udp
US 8.8.8.8:53 gdatspldxr.info udp
US 8.8.8.8:53 xgzrdemnr.org udp
US 8.8.8.8:53 fsrwfsl.com udp
US 8.8.8.8:53 kxldwaoqfn.info udp
US 8.8.8.8:53 qkzwtzqkjao.net udp
US 8.8.8.8:53 rmxoaigpz.com udp
US 8.8.8.8:53 dctilnifxo.net udp
US 8.8.8.8:53 acwyhtazg.net udp
US 8.8.8.8:53 ttcofrprroht.net udp
US 8.8.8.8:53 vsoboojmbxrz.info udp
US 8.8.8.8:53 tgzzsilpuoyu.info udp
US 8.8.8.8:53 jhyitchedn.net udp
US 8.8.8.8:53 kncuzirbmrnu.info udp
US 8.8.8.8:53 myoghme.info udp
US 8.8.8.8:53 rejwrwpoa.info udp
US 8.8.8.8:53 icptpquof.net udp
US 8.8.8.8:53 ykceqzb.info udp
US 8.8.8.8:53 rkjrikpkadl.com udp
US 8.8.8.8:53 maqwqc.org udp
US 8.8.8.8:53 jmuyzwjxj.net udp
US 8.8.8.8:53 rgzhxwp.net udp
US 8.8.8.8:53 sawhnadqv.info udp
US 8.8.8.8:53 qrdruyitlz.net udp
US 8.8.8.8:53 wkuuugow.org udp
US 8.8.8.8:53 sgescokcmo.org udp
US 8.8.8.8:53 hgdzvbxfh.net udp
US 8.8.8.8:53 rbribehe.info udp
US 8.8.8.8:53 xqlulgck.net udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\ydqucko.exe

MD5 97a292f9f8ab884148ca535660707d9b
SHA1 b97f8c7661613a2aad65490a008f95b68fc49217
SHA256 4fdbe250a3d787e852ce69cc196fb3107b4c7226d57053fdea841a8ab9fa39c8
SHA512 2522133031bd1529b36e9ea63e8876c2366c4b81fc3b7f8286d200b9d89d9a03915f13ab24bb6704f15fe6c5825e273538c8ec0b4b64acba75c6ae14faeddc0e

C:\Users\Admin\AppData\Local\bzfcdebdazfalevdmpbzfc.ebd

MD5 ab7a5bddba1a1194e7240f2e054b28d0
SHA1 543cf651f1522b34cbd41fbf23fc26be115a994d
SHA256 23d64e2aee729286c1d082e77a389a476bc7464b3e4b94ed651c3fbc689b4bac
SHA512 7fa9c7b7822495e5326dae7d7e0c7124b39e257c497c37801604e5b42bcc501312e449af3bff1d11a66a6b0c9bf41b1f6e9d689851b024f506bfaa6a44d555e8

C:\Users\Admin\AppData\Local\sbsamygtblcieikdxliriqcowjrbsyuya.nby

MD5 60bbedf213d2c8125fca5a9f916d2fa9
SHA1 023cb9ce7b9ed7f42f87118fdfdcc482d6d05dde
SHA256 693c6100869c0b29a8883835a0f60dced8dea1d6a6a509178fd4306c585b9195
SHA512 5524efe361e595f4e62fdac06823e4b87c279598a0f94396a90c27140a784b478d48c9c5df3adc263941c28ef98fb50e7e31d2e8fb9c85b37cfa423799ca0ebd

C:\Program Files (x86)\bzfcdebdazfalevdmpbzfc.ebd

MD5 a97255467e87f5f9b505923706965cbf
SHA1 9c5560f59b99243e488b2898e2ef932cd019af95
SHA256 c1bdaeca0a119aa353414a93f7c855cb4782b68d0bfedb66d4131f617534704f
SHA512 e2c063149554879432f98319291f248dae780176612e50d5455c6bcb6d326ada4cb6a1ce0733ffdd774ccaaf49a8af2e41799e483d90c9fe644a679f91be9924

C:\Program Files (x86)\bzfcdebdazfalevdmpbzfc.ebd

MD5 6c095cbe6a2a5b8b3e8d125f1bf8a8a3
SHA1 e71c2d3f1da28950de4b8b80c5e400c88fc94a96
SHA256 5f8c3b9d8f2a50d74bc24965974f7269d006b6ff783b0ab5ac153824a33aeee9
SHA512 dd286f26c0e7882ad1e4554913f8f9a5fe80bc23356e55f37decfcc105ef85e8815403b9a87cd6a864bc04e1fbf873874a690ec929a99be3595191f1bcb8b55c

C:\Program Files (x86)\bzfcdebdazfalevdmpbzfc.ebd

MD5 c3944a427cd240d06f17d9f62c6169ee
SHA1 d247e309889fd7a96e6b6a1ca3d0f341affb5b19
SHA256 ba19de70f61798373c3d69a002aa10fe4ab6681c5ddfc41cbb812b6af467b566
SHA512 c0e8c786b8683b0a198a98724d6ba0cb6d8050a91f968bc4589790e830aa9099c2c82b938e060dd7bd6108264c7d73878532782e60645c46d4df800f213d9e6f

C:\Program Files (x86)\bzfcdebdazfalevdmpbzfc.ebd

MD5 eda2da70e8d8d8b16dedee6f62c43b96
SHA1 599c1e608d8bc636d716d1b87cadc1552bad95de
SHA256 c9c98384da218acb625a7f907077b0127cc8a9581518df5741d2971f6cdaed9b
SHA512 46763c7de62c0c04acbd711b6fced0b3fda615ad5a165c6952e6c4d99ccb077d661f2b688d51bb4083176ee59cd281e9849971c5d5725fdf4e1ff866e38f71f3

C:\Program Files (x86)\bzfcdebdazfalevdmpbzfc.ebd

MD5 378623d0ba4fd558ff45c92237a34b7b
SHA1 e589ee77ba9fb68c5aa5d0db3b0f5891bd2fc27f
SHA256 b634a8c4bdb1cbd0dfa9c7282f6190037246e8e6199ad50cb824eecb11dfacd0
SHA512 df939f620c44814487481f8cd1b3d63ca522b7374a21f8c9b6067b380c6200eb020f10387210cd3451d41183e5d72b8740b4059a522fc6944716609af286e20e

C:\Program Files (x86)\bzfcdebdazfalevdmpbzfc.ebd

MD5 341935bb603ff4ce270a12ca29ee89de
SHA1 afb15050a7d6e2f71c7f80b67153b319d3521a07
SHA256 a087e557a2c4bc03e421b107546a204adc8afa52f6b35c35501c6ac10cfb3208
SHA512 ed7d67c2003673213604d3e369ad0b148685374388eb40f21cfd658559795734bedfab341ab5e8abf9283e8daa491c9ed92e4b83f4c97baad1c64010760fecda

C:\Program Files (x86)\bzfcdebdazfalevdmpbzfc.ebd

MD5 d510431ef1464949c8e0ab65d84ab567
SHA1 b3186f9b1fbd06a4f6d692fcc5ea73ad140bdce3
SHA256 ddfd39c530a34b88140df793f67f035308306ac7c86ab111a73a04f2bd04034c
SHA512 c5e32a43aa03615bb4e205b5a7de872db7466ec1ddcacdea845307fa15d144c610c43c69f7c4265811850fabd655f1fe489fdbe2ebe08c38e4c16affd3499d45

Analysis: behavioral2

Detonation Overview

Submitted

2025-04-19 01:43

Reported

2025-04-19 01:45

Platform

win11-20250410-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kfpziyfwirin = "srftgalgwjentjmz.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zryflycqz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzodrmyulzvfmdhvq.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kfpziyfwirin = "srftgalgwjentjmz.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kfpziyfwirin = "gjbtkixwqhgtdxevttcf.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zryflycqz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijzpeankcrozhzetpn.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kfpziyfwirin = "zzodrmyulzvfmdhvq.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kfpziyfwirin = "tvmdtqecvljvexdtqpx.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kfpziyfwirin = "tvmdtqecvljvexdtqpx.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zryflycqz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvmdtqecvljvexdtqpx.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zryflycqz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vzsldcssnfftezhzyzjng.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zryflycqz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijzpeankcrozhzetpn.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zryflycqz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzodrmyulzvfmdhvq.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zryflycqz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjbtkixwqhgtdxevttcf.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zryflycqz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srftgalgwjentjmz.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kfpziyfwirin = "gjbtkixwqhgtdxevttcf.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zryflycqz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvmdtqecvljvexdtqpx.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kfpziyfwirin = "vzsldcssnfftezhzyzjng.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\zryflycqz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srftgalgwjentjmz.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kfpziyfwirin = "ijzpeankcrozhzetpn.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\kfpziyfwirin = "ijzpeankcrozhzetpn.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "gjbtkixwqhgtdxevttcf.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvmdtqecvljvexdtqpx.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzodrmyulzvfmdhvq.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "ijzpeankcrozhzetpn.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "srftgalgwjentjmz.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\khtfqirkyjcjnb = "tvmdtqecvljvexdtqpx.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "zzodrmyulzvfmdhvq.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\srftgalgwjentjmz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vzsldcssnfftezhzyzjng.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\khtfqirkyjcjnb = "zzodrmyulzvfmdhvq.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\srftgalgwjentjmz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzodrmyulzvfmdhvq.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srftgalgwjentjmz.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\srftgalgwjentjmz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjbtkixwqhgtdxevttcf.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "srftgalgwjentjmz.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\jfqblckcpzrxa = "srftgalgwjentjmz.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\khtfqirkyjcjnb = "gjbtkixwqhgtdxevttcf.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\jfqblckcpzrxa = "zzodrmyulzvfmdhvq.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "ijzpeankcrozhzetpn.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "srftgalgwjentjmz.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjbtkixwqhgtdxevttcf.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzodrmyulzvfmdhvq.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "gjbtkixwqhgtdxevttcf.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\jfqblckcpzrxa = "tvmdtqecvljvexdtqpx.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "zzodrmyulzvfmdhvq.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\srftgalgwjentjmz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijzpeankcrozhzetpn.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjbtkixwqhgtdxevttcf.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\jfqblckcpzrxa = "tvmdtqecvljvexdtqpx.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\jfqblckcpzrxa = "srftgalgwjentjmz.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vzsldcssnfftezhzyzjng.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "gjbtkixwqhgtdxevttcf.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\khtfqirkyjcjnb = "vzsldcssnfftezhzyzjng.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nlylxqaujvpxcrt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjbtkixwqhgtdxevttcf.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\srftgalgwjentjmz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzodrmyulzvfmdhvq.exe" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vzsldcssnfftezhzyzjng.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nlylxqaujvpxcrt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vzsldcssnfftezhzyzjng.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "tvmdtqecvljvexdtqpx.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\khtfqirkyjcjnb = "zzodrmyulzvfmdhvq.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "vzsldcssnfftezhzyzjng.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nlylxqaujvpxcrt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vzsldcssnfftezhzyzjng.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\jfqblckcpzrxa = "vzsldcssnfftezhzyzjng.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nlylxqaujvpxcrt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srftgalgwjentjmz.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "zzodrmyulzvfmdhvq.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "vzsldcssnfftezhzyzjng.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srftgalgwjentjmz.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nlylxqaujvpxcrt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijzpeankcrozhzetpn.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvmdtqecvljvexdtqpx.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ijzpeankcrozhzetpn.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "gjbtkixwqhgtdxevttcf.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tvmdtqecvljvexdtqpx.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "ijzpeankcrozhzetpn.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\jfqblckcpzrxa = "gjbtkixwqhgtdxevttcf.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nlylxqaujvpxcrt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zzodrmyulzvfmdhvq.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\khtfqirkyjcjnb = "gjbtkixwqhgtdxevttcf.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "vzsldcssnfftezhzyzjng.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srftgalgwjentjmz.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\jfqblckcpzrxa = "ijzpeankcrozhzetpn.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nlylxqaujvpxcrt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srftgalgwjentjmz.exe ." C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Run\jfqblckcpzrxa = "zzodrmyulzvfmdhvq.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\khtfqirkyjcjnb = "ijzpeankcrozhzetpn.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nlylxqaujvpxcrt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjbtkixwqhgtdxevttcf.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sltbiwbqah = "zzodrmyulzvfmdhvq.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\srftgalgwjentjmz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gjbtkixwqhgtdxevttcf.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\srftgalgwjentjmz = "C:\\Users\\Admin\\AppData\\Local\\Temp\\srftgalgwjentjmz.exe" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\khtfqirkyjcjnb = "vzsldcssnfftezhzyzjng.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nhqzhwcsdlb = "vzsldcssnfftezhzyzjng.exe ." C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.showmyipaddress.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\wfdbycxcczexnnaxbhwfdb.cxc C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
File created C:\Windows\SysWOW64\wfdbycxcczexnnaxbhwfdb.cxc C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
File opened for modification C:\Windows\SysWOW64\nhqzhwcsdlbfgrpxmddxgpxmsitbrvwhf.ctt C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
File created C:\Windows\SysWOW64\nhqzhwcsdlbfgrpxmddxgpxmsitbrvwhf.ctt C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\nhqzhwcsdlbfgrpxmddxgpxmsitbrvwhf.ctt C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
File created C:\Program Files (x86)\nhqzhwcsdlbfgrpxmddxgpxmsitbrvwhf.ctt C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
File opened for modification C:\Program Files (x86)\wfdbycxcczexnnaxbhwfdb.cxc C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
File created C:\Program Files (x86)\wfdbycxcczexnnaxbhwfdb.cxc C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\wfdbycxcczexnnaxbhwfdb.cxc C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
File created C:\Windows\wfdbycxcczexnnaxbhwfdb.cxc C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
File opened for modification C:\Windows\nhqzhwcsdlbfgrpxmddxgpxmsitbrvwhf.ctt C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
File created C:\Windows\nhqzhwcsdlbfgrpxmddxgpxmsitbrvwhf.ctt C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b20d90d346511b654c08a7a94a9dbc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe .

C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe

"C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe" "-"

C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe

"C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe" "-"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvmdtqecvljvexdtqpx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvmdtqecvljvexdtqpx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvmdtqecvljvexdtqpx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvmdtqecvljvexdtqpx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvmdtqecvljvexdtqpx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvmdtqecvljvexdtqpx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvmdtqecvljvexdtqpx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvmdtqecvljvexdtqpx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvmdtqecvljvexdtqpx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvmdtqecvljvexdtqpx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c tvmdtqecvljvexdtqpx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ijzpeankcrozhzetpn.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\srftgalgwjentjmz.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\gjbtkixwqhgtdxevttcf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\tvmdtqecvljvexdtqpx.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ijzpeankcrozhzetpn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c vzsldcssnfftezhzyzjng.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c gjbtkixwqhgtdxevttcf.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c srftgalgwjentjmz.exe .

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\zzodrmyulzvfmdhvq.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\vzsldcssnfftezhzyzjng.exe .

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 172.66.40.87:80 www.whatismyip.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 172.66.40.87:80 www.whatismyip.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
NL 142.250.153.104:80 www.google.com tcp
DE 85.214.228.140:80 gyuuym.org tcp
SG 18.142.91.111:80 unxfuild.info tcp
US 104.156.155.94:80 cydlrge.info tcp
US 8.8.8.8:53 leuboug.org udp
US 8.8.8.8:53 ewhqxezcwwc.net udp
US 8.8.8.8:53 kgucribs.info udp
US 8.8.8.8:53 loipjdgufxkg.net udp
US 8.8.8.8:53 bwsseltaosw.org udp
US 8.8.8.8:53 bxxbydec.info udp
US 8.8.8.8:53 kixhdrxe.info udp
US 8.8.8.8:53 iqkomm.com udp
US 8.8.8.8:53 fgmzsxmilqdn.net udp
US 8.8.8.8:53 uwcuws.org udp
US 8.8.8.8:53 wikqmscacige.org udp
US 8.8.8.8:53 bftmjcxmz.org udp
US 8.8.8.8:53 zfhqjcnvot.net udp
US 8.8.8.8:53 atkzfclhbift.info udp
US 8.8.8.8:53 piufhthprapz.info udp
US 8.8.8.8:53 xnbnbshshynq.info udp
US 8.8.8.8:53 pgrivkl.com udp
US 8.8.8.8:53 xrjmbmgmisvh.info udp
US 8.8.8.8:53 loikfiyj.info udp
US 8.8.8.8:53 xczmbyhtx.com udp
US 8.8.8.8:53 qpctqq.info udp
US 8.8.8.8:53 fqzmnwyzzwu.org udp
US 8.8.8.8:53 gwimgc.org udp
US 8.8.8.8:53 gmddlipn.net udp
US 8.8.8.8:53 bjpwlrlwpx.net udp
US 8.8.8.8:53 mwewmgai.com udp
US 8.8.8.8:53 maqwqc.org udp
US 8.8.8.8:53 fumvct.net udp
US 8.8.8.8:53 fopnrswmyrsr.net udp
US 8.8.8.8:53 ardhjogsp.net udp
US 8.8.8.8:53 vibshiiel.net udp
US 8.8.8.8:53 jjqtpeerkb.net udp
US 8.8.8.8:53 vtdaqnhgtkiq.info udp
US 8.8.8.8:53 ovnutmokbmh.info udp
US 8.8.8.8:53 yqzernlf.info udp
US 8.8.8.8:53 hobedgvsj.info udp
US 8.8.8.8:53 wwiifuegq.net udp
US 8.8.8.8:53 qdnmhgdyrit.net udp
US 8.8.8.8:53 hjfdpmp.org udp
US 8.8.8.8:53 idplikihupbq.net udp
US 8.8.8.8:53 vemehvuwqy.info udp
US 8.8.8.8:53 aukwchygrqll.net udp
US 8.8.8.8:53 zgakruh.com udp
US 8.8.8.8:53 eaictyqxc.info udp
US 8.8.8.8:53 wmcwkmegkeiw.org udp
US 8.8.8.8:53 nnntztdz.info udp
US 8.8.8.8:53 ytriyjzzehkc.net udp
US 8.8.8.8:53 bsrzdmzwp.com udp
US 8.8.8.8:53 gutwjkfihqn.info udp
US 8.8.8.8:53 hocplcc.info udp
US 8.8.8.8:53 rqzenox.com udp
US 8.8.8.8:53 sigkoemc.com udp
US 8.8.8.8:53 bavppixu.net udp
US 8.8.8.8:53 swutvfgfac.net udp
US 8.8.8.8:53 pqmmeg.info udp
US 8.8.8.8:53 gbkoknhoo.info udp
US 8.8.8.8:53 lutsycv.info udp
US 8.8.8.8:53 ptpwnlreeaxo.net udp
US 8.8.8.8:53 lyubkefppkd.info udp
US 8.8.8.8:53 eeeiusoc.com udp
US 8.8.8.8:53 hxvvbsjqypv.net udp
US 8.8.8.8:53 dtstyn.net udp
US 8.8.8.8:53 sltjoxtl.net udp
US 8.8.8.8:53 eowaugwyag.org udp
US 8.8.8.8:53 zuwrljtqss.net udp
US 8.8.8.8:53 msaeugqyakco.org udp
US 8.8.8.8:53 yypensxal.info udp
US 8.8.8.8:53 batxxesx.net udp
US 8.8.8.8:53 xdvktnhshul.com udp
US 8.8.8.8:53 vrrhnttibl.info udp
US 8.8.8.8:53 hifwaj.net udp
US 8.8.8.8:53 rmjiksd.info udp
US 8.8.8.8:53 sscgqg.com udp
US 8.8.8.8:53 auvaewrqp.net udp
US 8.8.8.8:53 fixijml.org udp
US 8.8.8.8:53 rrdarhnyj.com udp
US 8.8.8.8:53 nhpczxe.org udp
US 8.8.8.8:53 bgniuut.info udp
US 8.8.8.8:53 wxxuaadore.net udp
US 8.8.8.8:53 jlpcytnpld.info udp
US 8.8.8.8:53 vabsvv.info udp
US 8.8.8.8:53 sfgnpq.info udp
US 8.8.8.8:53 egnjxgggpp.info udp
US 8.8.8.8:53 kwmgocz.info udp
US 8.8.8.8:53 msoiygcw.org udp
US 8.8.8.8:53 lpgjvz.net udp
US 8.8.8.8:53 jherrhxq.info udp
US 8.8.8.8:53 uwzmquphbig.info udp
US 8.8.8.8:53 idvlzkp.info udp
US 8.8.8.8:53 flzjekh.com udp
US 8.8.8.8:53 tmomlmuw.info udp
US 8.8.8.8:53 rynhlv.net udp
US 8.8.8.8:53 jnfokyaj.net udp
US 8.8.8.8:53 eyrodbloteod.net udp
US 8.8.8.8:53 ejpdqikairvo.info udp
US 8.8.8.8:53 cskomm.org udp
US 8.8.8.8:53 huduhl.net udp
US 8.8.8.8:53 nqjisyg.com udp
US 8.8.8.8:53 bqrfwpiekd.info udp
US 8.8.8.8:53 hgmuukd.info udp
US 8.8.8.8:53 cxritgbkwiqj.net udp
US 8.8.8.8:53 yhzazqbtdm.info udp
US 8.8.8.8:53 ssdybcyfr.info udp
US 8.8.8.8:53 xvbivorcwqn.org udp
US 8.8.8.8:53 cawoes.org udp
US 8.8.8.8:53 xflrdxdu.net udp
US 8.8.8.8:53 myvkntip.info udp
US 8.8.8.8:53 blvxnxmfemta.info udp
US 8.8.8.8:53 yabgjuiyvpj.net udp
US 8.8.8.8:53 uwugvstmbqv.info udp
US 8.8.8.8:53 wjbbxjzhjax.net udp
US 8.8.8.8:53 miuasil.net udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\gvzdgq.exe

MD5 1ca589c6c91403015ecfb93a13ad3480
SHA1 7f573677d5228d3accb0b8c365d685c049456bb6
SHA256 ad7a64eadd76e4a6f77a9c25f82e009b7b332321764adb809df6f9798818f4c7
SHA512 8eb67f23affb419c06e96529ff06774238ae4249c960b08dcd8bab3490a7913168daac58fc0ae6e23acec979460445d75dd7dd2dbef2f9882d81793c26cdf460

C:\Users\Admin\AppData\Local\wfdbycxcczexnnaxbhwfdb.cxc

MD5 f817c1522ca58fdc6336b0270dee6599
SHA1 9f769d4c16a95cff30f76fbebd456077c94e704f
SHA256 68fec1bfd73fae27fcdaa70669549f67db7c3acf925c95a3d2ccd65a5bb90247
SHA512 340cd98c62ea1eab6729fa2bd1ec6cc983024590679536028e6b251f221c66ac3fa5a7868f005c58e876426c4e6154d19e3d09228a80fd552b0548aaf5666b96

C:\Users\Admin\AppData\Local\nhqzhwcsdlbfgrpxmddxgpxmsitbrvwhf.ctt

MD5 8745ea2476e114d3bb643a0bb8d9a6d9
SHA1 15e018ff78dc7ac90913fc99d4089696c07f95c6
SHA256 e2a7feda5d03482c82059d29d6dbdb2a0908f199d23e7f09e9f099d693dc5bd4
SHA512 c02193214407125b4992b0016b57d19d1e4f30baff3fdfd16a6094dd564970d874992e0a4f61d3e7fe37d0ce4c9d7dfa15f721030c266a219e32181c42864067

C:\Program Files (x86)\wfdbycxcczexnnaxbhwfdb.cxc

MD5 5e05600cc42163f742cd62a45fd1f4d5
SHA1 aecb9f870d45b432912d8ee872874d3b3185cd80
SHA256 edd0f863665f904f4287f8cab4fec204c1229f06de7e3d5e6994202b7658db96
SHA512 56c769797d320370f265a8afe72d7cb298f626f76f595278bb14e510ce87f5012a86fdfa3ff8d60a31441f1860b347fa1318e32e655b986e98459cf7614e2b49

C:\Users\Admin\AppData\Local\wfdbycxcczexnnaxbhwfdb.cxc

MD5 ff3d377770f67ba349d4f55a81d810b6
SHA1 6c66c4cb700079d2ec4d329f00e8d9648852aaf3
SHA256 d9dcfc6f9485f55cab5b45a3ab9a0e074dadd6d7d61a10543746567e508da63d
SHA512 3adfd308f45883d702aad698b394160dd6ea0f18f417351e98c5eb82531942d58e5a8c9a50bd1ac2eccc18b83b17680d24b3e93ef97c4996f18aaf97ec4bd57e

C:\Program Files (x86)\wfdbycxcczexnnaxbhwfdb.cxc

MD5 8f7f8c0934064d12dfc96bbe526a46e5
SHA1 3e8eb3e1301280a8451f163024f81ae00f9f82c0
SHA256 82b6fa3c83c521580a42105d964eb9ef904903956474abda7a5cb9e61fa83ae4
SHA512 9908a9be2daadbd91608e1b956a165fb602e4f1df067288a9a52886ed7da748b2100d8c262ec2a5a0c36b1687f575cb78647baa583d9f466fa18d2d210ede663

C:\Users\Admin\AppData\Local\wfdbycxcczexnnaxbhwfdb.cxc

MD5 86bbb18040bc8efde0d6cd0bb5372145
SHA1 80251cff2ebb66e0bea136e924aa0ea6e5963627
SHA256 6cebffa452cc3676b237999d0ab4906e005186492a96c1563fc679a60f01c1c1
SHA512 20d958440ade18da3778f54891202cb433a212af50324cf490d891af22fbe047f833d75f1507cb4d5f3d55b318082b472e70c47d8a8745b0b2cf52d177ddfcac

C:\Program Files (x86)\wfdbycxcczexnnaxbhwfdb.cxc

MD5 e3591b3fb824103704e75bfe202ef611
SHA1 bf937491e58fd838ca22c428fbd6c4e2748d0a33
SHA256 5d34b59050af5b6fd23a635967062f2306ebeb6428a39fe696e26ab011eac5a1
SHA512 5120964da57fa10b6391e8b2ca64dd9e438ec4b4b4c0b75414aafee4c1ab027cde8054ac158467c99201e8f2198ecdf4b14d0796960de9362a58cf06ff206882

C:\Program Files (x86)\wfdbycxcczexnnaxbhwfdb.cxc

MD5 3014fd37f6ea84b5c3279a04f8fc10a5
SHA1 d1ec94a89a904740aefadb6c2a602c043be55f5a
SHA256 5b641be4d4bb95b3b07edff82644a3025e18bf67421e5c98b546cdd8bc0fe923
SHA512 a8f1446d95add390632ef4c5469c86229db11f3f13b7b89a0d538ecdc4a15d7bdc9b03e9f16ef290701da3d469cda62fb0372def4bdd43866349667d16c7bf7f

C:\Windows\SysWOW64\wfdbycxcczexnnaxbhwfdb.cxc

MD5 de26d537a075a38b0f223ee7e64eb31c
SHA1 15fd6b614fa2a11f7fc0563df54fdceddc8c71a5
SHA256 0d50003d4a8090280638a681423a6935eb5373594e284a3ee0176e3628930ffb
SHA512 bad1a666348c85c9316493b28e38433f54142b3251cf45b2c3f3ffd9ed5577bee2f92df33ec1440ca2607b9c8d67b3944f0c72c1569bfd9852742c1e131ccbd7