Analysis Overview
SHA256
5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785
Threat Level: Known bad
The file 5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies WinLogon for persistence
Disables RegEdit via registry modification
Adds policy Run key to start application
Executes dropped EXE
Loads dropped DLL
Impair Defenses: Safe Mode Boot
Checks computer location settings
Adds Run key to start application
Looks up external IP address via web service
Checks whether UAC is enabled
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
System policy modification
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-26 06:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-26 06:18
Reported
2024-06-26 06:21
Platform
win7-20240508-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "aqmpdyzpjffwxqubeuoea.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "ymghtmlzrljyxoqvwkc.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lavxkeetmhgwworxzohw.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nattewuhyrocaqrvvi.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "lavxkeetmhgwworxzohw.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqihrifrhzvifuuxw.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "eqihrifrhzvifuuxw.exe" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "nattewuhyrocaqrvvi.exe" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "eqihrifrhzvifuuxw.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xizxgwsdsjeqmazb.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "eqihrifrhzvifuuxw.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqmpdyzpjffwxqubeuoea.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymghtmlzrljyxoqvwkc.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymghtmlzrljyxoqvwkc.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqmpdyzpjffwxqubeuoea.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "ymghtmlzrljyxoqvwkc.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lavxkeetmhgwworxzohw.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xizxgwsdsjeqmazb.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nattewuhyrocaqrvvi.exe" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "nattewuhyrocaqrvvi.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "xizxgwsdsjeqmazb.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "aqmpdyzpjffwxqubeuoea.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nattewuhyrocaqrvvi.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "nattewuhyrocaqrvvi.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqmpdyzpjffwxqubeuoea.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xizxgwsdsjeqmazb = "eqihrifrhzvifuuxw.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nattewuhyrocaqrvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqihrifrhzvifuuxw.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "ymghtmlzrljyxoqvwkc.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nattewuhyrocaqrvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nattewuhyrocaqrvvi.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "xizxgwsdsjeqmazb.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xizxgwsdsjeqmazb = "lavxkeetmhgwworxzohw.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ymghtmlzrljyxoqvwkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymghtmlzrljyxoqvwkc.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lavxkeetmhgwworxzohw.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xizxgwsdsjeqmazb = "lavxkeetmhgwworxzohw.exe" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nattewuhyrocaqrvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lavxkeetmhgwworxzohw.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xizxgwsdsjeqmazb.exe" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xizxgwsdsjeqmazb.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "aqmpdyzpjffwxqubeuoea.exe ." | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xizxgwsdsjeqmazb = "aqmpdyzpjffwxqubeuoea.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xizxgwsdsjeqmazb = "eqihrifrhzvifuuxw.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eqihrifrhzvifuuxw = "aqmpdyzpjffwxqubeuoea.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ymghtmlzrljyxoqvwkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqmpdyzpjffwxqubeuoea.exe" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nattewuhyrocaqrvvi.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ymghtmlzrljyxoqvwkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymghtmlzrljyxoqvwkc.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "eqihrifrhzvifuuxw.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymghtmlzrljyxoqvwkc.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ymghtmlzrljyxoqvwkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nattewuhyrocaqrvvi.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "aqmpdyzpjffwxqubeuoea.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "eqihrifrhzvifuuxw.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nattewuhyrocaqrvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqmpdyzpjffwxqubeuoea.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqmpdyzpjffwxqubeuoea.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eqihrifrhzvifuuxw = "eqihrifrhzvifuuxw.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xizxgwsdsjeqmazb.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ymghtmlzrljyxoqvwkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqihrifrhzvifuuxw.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ymghtmlzrljyxoqvwkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqmpdyzpjffwxqubeuoea.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eqihrifrhzvifuuxw = "ymghtmlzrljyxoqvwkc.exe ." | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "eqihrifrhzvifuuxw.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "xizxgwsdsjeqmazb.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "xizxgwsdsjeqmazb.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nattewuhyrocaqrvvi.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lavxkeetmhgwworxzohw.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqmpdyzpjffwxqubeuoea.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xizxgwsdsjeqmazb = "ymghtmlzrljyxoqvwkc.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "nattewuhyrocaqrvvi.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nattewuhyrocaqrvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xizxgwsdsjeqmazb.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xizxgwsdsjeqmazb = "xizxgwsdsjeqmazb.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nattewuhyrocaqrvvi.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eqihrifrhzvifuuxw = "lavxkeetmhgwworxzohw.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymghtmlzrljyxoqvwkc.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eqihrifrhzvifuuxw = "nattewuhyrocaqrvvi.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nattewuhyrocaqrvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nattewuhyrocaqrvvi.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "xizxgwsdsjeqmazb.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "ymghtmlzrljyxoqvwkc.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eqihrifrhzvifuuxw = "ymghtmlzrljyxoqvwkc.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "xizxgwsdsjeqmazb.exe ." | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "ymghtmlzrljyxoqvwkc.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "nattewuhyrocaqrvvi.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "lavxkeetmhgwworxzohw.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lavxkeetmhgwworxzohw.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "nattewuhyrocaqrvvi.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ymghtmlzrljyxoqvwkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lavxkeetmhgwworxzohw.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqihrifrhzvifuuxw.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nattewuhyrocaqrvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqmpdyzpjffwxqubeuoea.exe ." | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymghtmlzrljyxoqvwkc.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "lavxkeetmhgwworxzohw.exe ." | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqmpdyzpjffwxqubeuoea.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xizxgwsdsjeqmazb = "aqmpdyzpjffwxqubeuoea.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ymghtmlzrljyxoqvwkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqihrifrhzvifuuxw.exe" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\cyajdelhhjpmtscpyuuqsbv.dzz | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pwjdiumteriqisnlfmxerlqcubmzqyqavt.ufm | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| File created | C:\Windows\SysWOW64\pwjdiumteriqisnlfmxerlqcubmzqyqavt.ufm | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cyajdelhhjpmtscpyuuqsbv.dzz | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\cyajdelhhjpmtscpyuuqsbv.dzz | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| File opened for modification | C:\Program Files (x86)\pwjdiumteriqisnlfmxerlqcubmzqyqavt.ufm | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| File created | C:\Program Files (x86)\pwjdiumteriqisnlfmxerlqcubmzqyqavt.ufm | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| File opened for modification | C:\Program Files (x86)\cyajdelhhjpmtscpyuuqsbv.dzz | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\pwjdiumteriqisnlfmxerlqcubmzqyqavt.ufm | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| File created | C:\Windows\pwjdiumteriqisnlfmxerlqcubmzqyqavt.ufm | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| File opened for modification | C:\Windows\cyajdelhhjpmtscpyuuqsbv.dzz | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| File created | C:\Windows\cyajdelhhjpmtscpyuuqsbv.dzz | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\aagtr.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\aagtr.exe
"C:\Users\Admin\AppData\Local\Temp\aagtr.exe" "-"
C:\Users\Admin\AppData\Local\Temp\aagtr.exe
"C:\Users\Admin\AppData\Local\Temp\aagtr.exe" "-"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
Files
\Users\Admin\AppData\Local\Temp\aagtr.exe
| MD5 | aa9e9cc5b776b54cf314f610d45773e9 |
| SHA1 | 3590a9b76ffc46d5a8a6438d0dee2b720ff85b9b |
| SHA256 | 6c73a28dedfd1b5792c601f29dc020fd480e161b5f9449fd09ededcf1087d194 |
| SHA512 | c085e52b1c9647b7e558f76273aa603337402e0d1f9f67c0d65e2c2d191166717191823b02935e156a02cac456c919f730a874dafdfd54bb5805f73ca1b95697 |
C:\Users\Admin\AppData\Local\pwjdiumteriqisnlfmxerlqcubmzqyqavt.ufm
| MD5 | 5746b0caa45aba69ad1e4629e1561c70 |
| SHA1 | 9f77f50f17b4c0da4343ce1300998e9812c4692f |
| SHA256 | d8c21aa2528889d2e080e6100da3d9bd243b769d40c24c3ed44380d42e31397a |
| SHA512 | 75564c2255ac1bd42b34155674eb399d631850ca3ab8517c37090b65e58dcaf967597608c11f4efd1fca18414e7a81076f0de213561c75af93f8c53252af90f3 |
C:\Users\Admin\AppData\Local\cyajdelhhjpmtscpyuuqsbv.dzz
| MD5 | 26715693e8e833139915cb3365413a41 |
| SHA1 | 6b6427ebad35eb2ba3ded2ff2692a1471ce3e2d9 |
| SHA256 | d44d1e81b05e7985129d69ad32096a2169259c67f2abafedda4f75a8a789be96 |
| SHA512 | 887749a3806328adb4753eb0352851c1636a95385381310bbb4516e2cbfd9a45ce0f970b0ead1373fbb6957bfc62204119045f5ae5472940fccac8b97600ad0f |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 06:18
Reported
2024-06-26 06:21
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tomdskizqkcyhzvnlzx.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gozdfk = "gcbtjcbtlgzwgzwpodcy.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsodqgcrgyoipfzpl.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gozdfk = "zsodqgcrgyoipfzpl.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcbtjcbtlgzwgzwpodcy.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iczpdurhxqhckbwnkx.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gozdfk = "tomdskizqkcyhzvnlzx.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gozdfk = "zsodqgcrgyoipfzpl.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tomdskizqkcyhzvnlzx.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gozdfk = "iczpdurhxqhckbwnkx.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsodqgcrgyoipfzpl.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsslcwwpieywhbzttjjgg.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsslcwwpieywhbzttjjgg.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gozdfk = "vsslcwwpieywhbzttjjgg.exe" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gozdfk = "skftfupdrixqwlet.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcbtjcbtlgzwgzwpodcy.exe" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gozdfk = "skftfupdrixqwlet.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gozdfk = "vsslcwwpieywhbzttjjgg.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gozdfk = "vsslcwwpieywhbzttjjgg.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iczpdurhxqhckbwnkx.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gozdfk = "tomdskizqkcyhzvnlzx.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skftfupdrixqwlet.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcotwco = "iczpdurhxqhckbwnkx.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\isflpwjp = "gcbtjcbtlgzwgzwpodcy.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkyfksgnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skftfupdrixqwlet.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkyfksgnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skftfupdrixqwlet.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\isflpwjp = "vsslcwwpieywhbzttjjgg.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "skftfupdrixqwlet.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcotwco = "vsslcwwpieywhbzttjjgg.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\setbhqfnvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsslcwwpieywhbzttjjgg.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\isflpwjp = "gcbtjcbtlgzwgzwpodcy.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcotwco = "tomdskizqkcyhzvnlzx.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\setbhqfnvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iczpdurhxqhckbwnkx.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsodqgcrgyoipfzpl.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\isflpwjp = "skftfupdrixqwlet.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msbd = "skftfupdrixqwlet.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "iczpdurhxqhckbwnkx.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\isflpwjp = "iczpdurhxqhckbwnkx.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\setbhqfnvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcbtjcbtlgzwgzwpodcy.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkyfksgnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsslcwwpieywhbzttjjgg.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\setbhqfnvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iczpdurhxqhckbwnkx.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsslcwwpieywhbzttjjgg.exe" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkyfksgnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcbtjcbtlgzwgzwpodcy.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\setbhqfnvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsodqgcrgyoipfzpl.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msbd = "zsodqgcrgyoipfzpl.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "tomdskizqkcyhzvnlzx.exe ." | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "gcbtjcbtlgzwgzwpodcy.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "vsslcwwpieywhbzttjjgg.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iczpdurhxqhckbwnkx.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcotwco = "vsslcwwpieywhbzttjjgg.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkyfksgnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tomdskizqkcyhzvnlzx.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcbtjcbtlgzwgzwpodcy.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcotwco = "skftfupdrixqwlet.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skftfupdrixqwlet.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msbd = "tomdskizqkcyhzvnlzx.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msbd = "skftfupdrixqwlet.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsslcwwpieywhbzttjjgg.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\setbhqfnvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcbtjcbtlgzwgzwpodcy.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcotwco = "zsodqgcrgyoipfzpl.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\isflpwjp = "tomdskizqkcyhzvnlzx.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkyfksgnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsodqgcrgyoipfzpl.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsslcwwpieywhbzttjjgg.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iczpdurhxqhckbwnkx.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcotwco = "gcbtjcbtlgzwgzwpodcy.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "iczpdurhxqhckbwnkx.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msbd = "vsslcwwpieywhbzttjjgg.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\isflpwjp = "zsodqgcrgyoipfzpl.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skftfupdrixqwlet.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcotwco = "gcbtjcbtlgzwgzwpodcy.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkyfksgnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsslcwwpieywhbzttjjgg.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skftfupdrixqwlet.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msbd = "gcbtjcbtlgzwgzwpodcy.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcotwco = "skftfupdrixqwlet.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "gcbtjcbtlgzwgzwpodcy.exe ." | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\setbhqfnvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skftfupdrixqwlet.exe" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkyfksgnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iczpdurhxqhckbwnkx.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsodqgcrgyoipfzpl.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\setbhqfnvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tomdskizqkcyhzvnlzx.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkyfksgnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tomdskizqkcyhzvnlzx.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "vsslcwwpieywhbzttjjgg.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tomdskizqkcyhzvnlzx.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tomdskizqkcyhzvnlzx.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iczpdurhxqhckbwnkx.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msbd = "gcbtjcbtlgzwgzwpodcy.exe" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsodqgcrgyoipfzpl.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsslcwwpieywhbzttjjgg.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
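The Run/RunOnce rows above are easier to act on once reduced to "which image, registered where, written by which process". The Python below is added here as a worked example and is not part of the sandbox report: it parses rows in the table's format (a subset of the rows above is copied into the script), undoes the report's doubled-backslash escaping of registry string data, and builds that summary. The names `parse_autorun_rows`, `summarize` and `unqualified_images` are the example's own.

```python
import re
from collections import defaultdict

# Rows copied from the Run/RunOnce table above (a representative subset). Registry
# string data appears the way the report shows it, with doubled backslashes.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\isflpwjp = "tomdskizqkcyhzvnlzx.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkyfksgnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsodqgcrgyoipfzpl.exe ." | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcotwco = "gcbtjcbtlgzwgzwpodcy.exe" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msbd = "gcbtjcbtlgzwgzwpodcy.exe" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
"""

# Indicator column: <hive>\<subkey path>\Run|RunOnce\<value name> = "<data>"
AUTORUN_RE = re.compile(
    r'^(?P<hive>\\REGISTRY\\(?:MACHINE|USER\\[^\\]+))\\(?P<sub>.*)\\(?P<key>RunOnce|Run)\\'
    r'(?P<name>[^\\=]+?) = "(?P<data>.*)"$'
)
# Value data is a command line: the image (quoted or bare) followed by arguments.
# Caveat: an unquoted path containing spaces would be split at the first space.
CMD_RE = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))\s*(?P<args>.*)$')


def split_row(line):
    """Split one '| a | b | c | d |' table row into its four cells, or None."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    return cells if len(cells) == 4 else None


def parse_autorun_rows(text):
    """Turn 'Set value' rows that touch a Run/RunOnce key into structured entries."""
    entries = []
    for line in text.splitlines():
        cells = split_row(line)
        if not cells or not cells[0].startswith("Set value"):
            continue
        m = AUTORUN_RE.match(cells[1])
        if not m:
            continue
        data = m["data"].replace("\\\\", "\\")  # undo the report's escaping
        cmd = CMD_RE.match(data)
        exe = cmd["quoted"] or cmd["bare"]
        entries.append({
            "hive": "HKLM" if m["hive"].endswith("MACHINE") else "HKU",
            "wow64": "WOW6432NODE" in m["sub"].upper(),  # 32-bit process on 64-bit Windows
            "key": m["key"],
            "name": m["name"],
            "exe": exe,
            "basename": exe.rsplit("\\", 1)[-1].lower(),
            "qualified": "\\" in exe,  # False: bare filename, found via CreateProcess search order
            "args": cmd["args"].strip(),
            "writer": cells[2].rsplit("\\", 1)[-1],
        })
    return entries


def summarize(entries):
    """Map each autostart image to the registry locations (hive\\key\\value) that launch it."""
    where = defaultdict(set)
    for e in entries:
        where[e["basename"]].add("\\".join((e["hive"], e["key"], e["name"])))
    return {b: sorted(locs) for b, locs in sorted(where.items())}


def unqualified_images(entries):
    """Images registered by bare filename only, without a directory."""
    return sorted({e["basename"] for e in entries if not e["qualified"]})


if __name__ == "__main__":
    parsed = parse_autorun_rows(SAMPLE_ROWS)
    for image, locations in summarize(parsed).items():
        print(image, "<-", ", ".join(locations))
    print("bare filenames:", unqualified_images(parsed))
```

Two things the summary makes visible in the full table: the same images are registered both under HKU and under HKLM via Wow6432Node (the redirection a 32-bit process gets on 64-bit Windows; Windows evaluates both the native and the Wow6432Node Run keys at logon, so a check that only reads the native key misses these), and many values carry a bare filename with no directory, so the image is located through the normal CreateProcess search order. Remediation therefore has to clear every hive/key/value pair listed, not only the first one found.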
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\msbddgprtybicfmpyxgmvxxajl.svc | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| File created | C:\Windows\SysWOW64\msbddgprtybicfmpyxgmvxxajl.svc | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\neylwkereuiaftlztdxoivguoboeskpdvjdnh.sfq | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| File created | C:\Windows\SysWOW64\neylwkereuiaftlztdxoivguoboeskpdvjdnh.sfq | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\msbddgprtybicfmpyxgmvxxajl.svc | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| File created | C:\Program Files (x86)\msbddgprtybicfmpyxgmvxxajl.svc | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| File opened for modification | C:\Program Files (x86)\neylwkereuiaftlztdxoivguoboeskpdvjdnh.sfq | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| File created | C:\Program Files (x86)\neylwkereuiaftlztdxoivguoboeskpdvjdnh.sfq | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\msbddgprtybicfmpyxgmvxxajl.svc | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| File opened for modification | C:\Windows\neylwkereuiaftlztdxoivguoboeskpdvjdnh.sfq | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| File created | C:\Windows\neylwkereuiaftlztdxoivguoboeskpdvjdnh.sfq | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| File opened for modification | C:\Windows\msbddgprtybicfmpyxgmvxxajl.svc | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
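Read together, the policy writes in this table and in "Checks whether UAC is enabled" amount to turning UAC off (EnableLUA=0, ConsentPromptBehaviorAdmin=0, PromptOnSecureDesktop=0) and blocking regedit (DisableRegistryTools=1). The Python below is an added example, not part of the report: it parses rows in this table's format (a subset is copied into the script), compares each value against a client-Windows default that the example assumes as its baseline, and reports every deviation with the processes that wrote it. The baseline values, `POLICY_BASELINE` and `uac_neutralised` are the example's own, not something the report states.

```python
import re

# Rows copied from the "System policy modification" table above (a subset; the
# EnableLUA row appears twice because both processes write it).
SAMPLE_ROWS = r"""
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\vcmpq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe | N/A |
"""

# Assumed baseline: the default value on a client Windows install (Win7 through Win11
# Home/Pro) and what the observed deviation means. This is the example's table, not the report's.
POLICY_BASELINE = {
    "EnableLUA": (1, "UAC switched off entirely (effective after the next restart)"),
    "ConsentPromptBehaviorAdmin": (5, "0 = administrators elevate silently, no consent prompt"),
    "PromptOnSecureDesktop": (1, "elevation prompts drawn on the interactive desktop, where other processes can spoof them"),
    "EnableSecureUIAPaths": (1, "UIAccess programs no longer required to live in secure locations"),
    "EnableInstallerDetection": (1, "installer heuristics off (already 0 by default on Enterprise SKUs)"),
    "EnableVirtualization": (1, "file/registry virtualization for legacy applications disabled"),
    "DisableRegistryTools": (0, "regedit blocked for interactive users, hampering manual cleanup"),
}

POLICY_RE = re.compile(
    r'^\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\'
    r'(?P<sub>System|Explorer)\\(?P<name>\w+) = "(?P<val>-?\d+)"$'
)


def parse_policy_rows(text):
    """Collect {(subkey, value name): (last value, {writer image names})} from 'Set value (int)' rows."""
    observed = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] != "Set value (int)":
            continue
        m = POLICY_RE.match(cells[1])
        if not m:
            continue
        key = (m["sub"], m["name"])
        _, writers = observed.get(key, (None, set()))
        writers.add(cells[2].rsplit("\\", 1)[-1])
        observed[key] = (int(m["val"]), writers)
    return observed


def assess(observed):
    """One finding per written value: a baseline deviation, or an unbaselined change worth recording."""
    findings = []
    for (sub, name), (val, writers) in sorted(observed.items()):
        expected, meaning = POLICY_BASELINE.get(name, (None, "policy value written (not in baseline)"))
        if expected is not None and val == expected:
            continue
        findings.append({"key": sub + "\\" + name, "value": val, "expected": expected,
                         "meaning": meaning, "writers": sorted(writers)})
    return findings


def uac_neutralised(observed):
    """True if UAC is off (EnableLUA=0) or admins elevate without any prompt (ConsentPromptBehaviorAdmin=0)."""
    vals = {name: val for (_, name), (val, _) in observed.items()}
    return vals.get("EnableLUA") == 0 or vals.get("ConsentPromptBehaviorAdmin") == 0


if __name__ == "__main__":
    obs = parse_policy_rows(SAMPLE_ROWS)
    print("UAC neutralised:", uac_neutralised(obs))
    for f in assess(obs):
        print(f'{f["key"]} = {f["value"]} (expected {f["expected"]}): {f["meaning"]} [{", ".join(f["writers"])}]')
```

Worth keeping in mind when reading the findings on a live host: EnableLUA=0 only takes effect after a restart, so a machine can still be showing elevation prompts while already configured to stop, whereas the ConsentPromptBehavior and PromptOnSecureDesktop values govern the current session's prompts. Both processes in the report write the same set of values, which the `writers` field records.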
Processes
C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe"
C:\Users\Admin\AppData\Local\Temp\vcmpq.exe
"C:\Users\Admin\AppData\Local\Temp\vcmpq.exe" "-"
C:\Users\Admin\AppData\Local\Temp\vcmpq.exe
"C:\Users\Admin\AppData\Local\Temp\vcmpq.exe" "-"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | 79.222.19.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | 56.74.21.104.in-addr.arpa | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | 92.207.27.104.in-addr.arpa | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 52.182.143.211:443 | | tcp |
| US | 8.8.8.8:53 | www.imdb.com | udp |
| FR | 52.222.167.201:80 | www.imdb.com | tcp |
| US | 8.8.8.8:53 | vsdgddzap.org | udp |
| US | 162.249.65.164:80 | vsdgddzap.org | tcp |
| US | 8.8.8.8:53 | 201.167.222.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xywnxsb.org | udp |
| US | 8.8.8.8:53 | kwhfqnnejec.info | udp |
| US | 34.211.97.45:80 | kwhfqnnejec.info | tcp |
| US | 8.8.8.8:53 | bigmrsg.net | udp |
| US | 8.8.8.8:53 | yaecmm.com | udp |
| US | 8.8.8.8:53 | eeschahcf.net | udp |
| US | 8.8.8.8:53 | xmltddpax.info | udp |
| US | 8.8.8.8:53 | eomqiyui.org | udp |
| US | 162.249.65.164:80 | eomqiyui.org | tcp |
| US | 8.8.8.8:53 | 45.97.211.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hazzthxrziyh.net | udp |
| US | 8.8.8.8:53 | nwiwhbflbslf.info | udp |
| US | 8.8.8.8:53 | natdhz.info | udp |
| US | 8.8.8.8:53 | jawzfnq.org | udp |
| US | 162.249.65.164:80 | jawzfnq.org | tcp |
| US | 8.8.8.8:53 | zfbfplygzg.net | udp |
| US | 8.8.8.8:53 | nqmsvc.net | udp |
| US | 8.8.8.8:53 | sddwslteldjj.net | udp |
| US | 8.8.8.8:53 | ibafxyhcljt.net | udp |
| US | 8.8.8.8:53 | yzunrn.net | udp |
| US | 8.8.8.8:53 | miokoi.org | udp |
| US | 8.8.8.8:53 | ikzszjxmq.info | udp |
| US | 208.100.26.245:80 | ikzszjxmq.info | tcp |
| US | 8.8.8.8:53 | nibgvqqbg.net | udp |
| US | 8.8.8.8:53 | xcbstas.info | udp |
| US | 8.8.8.8:53 | bcnxdfnqjbh.info | udp |
| US | 8.8.8.8:53 | igeuycoawe.org | udp |
| US | 8.8.8.8:53 | mskiumkecmce.org | udp |
| US | 8.8.8.8:53 | bfnkdfbtnuch.info | udp |
| US | 8.8.8.8:53 | vvdqqei.net | udp |
| US | 8.8.8.8:53 | rfdrzkhqh.com | udp |
| US | 8.8.8.8:53 | atpgrejalrl.net | udp |
| US | 8.8.8.8:53 | lyhtor.info | udp |
| US | 8.8.8.8:53 | vvnyfkdnjb.net | udp |
| US | 8.8.8.8:53 | hswepwt.com | udp |
| US | 8.8.8.8:53 | sicssakc.org | udp |
| US | 8.8.8.8:53 | ocmywwiy.com | udp |
| US | 8.8.8.8:53 | eikaeweguw.org | udp |
| US | 8.8.8.8:53 | nzxugtv.org | udp |
| US | 8.8.8.8:53 | bkjahm.info | udp |
| US | 8.8.8.8:53 | kuvgoefcz.info | udp |
| US | 8.8.8.8:53 | uqmmeguw.com | udp |
| US | 8.8.8.8:53 | oanuvegufez.net | udp |
| US | 8.8.8.8:53 | uxxemyqar.net | udp |
| US | 8.8.8.8:53 | yvrnagjc.info | udp |
| US | 8.8.8.8:53 | atierp.info | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | rrkrbx.net | udp |
| US | 8.8.8.8:53 | kidrmkwxqbba.info | udp |
| US | 8.8.8.8:53 | ioqchmdfdod.net | udp |
| US | 8.8.8.8:53 | jydnupwk.net | udp |
| US | 8.8.8.8:53 | zvyxohnch.com | udp |
| US | 8.8.8.8:53 | xwtadyhqm.net | udp |
| US | 8.8.8.8:53 | fmypvadav.info | udp |
| US | 8.8.8.8:53 | lzzqgigv.info | udp |
| US | 8.8.8.8:53 | snbgwtjx.info | udp |
| US | 8.8.8.8:53 | xbptoctu.net | udp |
| US | 8.8.8.8:53 | ostdxxh.info | udp |
| US | 8.8.8.8:53 | xaleewrmhb.info | udp |
| US | 8.8.8.8:53 | eyomuq.org | udp |
| US | 8.8.8.8:53 | mupsdagsd.info | udp |
| US | 8.8.8.8:53 | cgeqrpjejzug.info | udp |
| US | 8.8.8.8:53 | jwdiiuxpmd.info | udp |
| US | 8.8.8.8:53 | yagvfmkvlik.net | udp |
| US | 8.8.8.8:53 | wyrczwwyzdv.net | udp |
| US | 8.8.8.8:53 | oocgwu.org | udp |
| US | 162.249.65.164:80 | oocgwu.org | tcp |
| US | 8.8.8.8:53 | hxgxjgpgxugv.info | udp |
| US | 8.8.8.8:53 | fxvwgkda.net | udp |
| US | 8.8.8.8:53 | vivuws.net | udp |
| US | 8.8.8.8:53 | nxyebckfpje.net | udp |
| US | 8.8.8.8:53 | mebzfgl.net | udp |
| US | 8.8.8.8:53 | pdsfrq.info | udp |
| US | 8.8.8.8:53 | zqsumcz.net | udp |
| US | 8.8.8.8:53 | zjxedey.org | udp |
| US | 8.8.8.8:53 | ztuuvewk.info | udp |
| US | 8.8.8.8:53 | tanuxkhcugs.net | udp |
| US | 8.8.8.8:53 | xknruirqxxr.info | udp |
| US | 8.8.8.8:53 | pjhkhcf.org | udp |
| US | 8.8.8.8:53 | wrurbikhe.net | udp |
| US | 8.8.8.8:53 | nedqvlayv.org | udp |
| US | 8.8.8.8:53 | exlkxnhr.info | udp |
| US | 8.8.8.8:53 | dbctsw.info | udp |
| US | 8.8.8.8:53 | qeoufsq.info | udp |
| US | 8.8.8.8:53 | qehybax.net | udp |
| US | 8.8.8.8:53 | twvyrobjhur.org | udp |
| US | 162.249.65.164:80 | twvyrobjhur.org | tcp |
| US | 8.8.8.8:53 | uvmopjqhsbvt.info | udp |
| US | 8.8.8.8:53 | eoxxtgbjfwp.info | udp |
| US | 8.8.8.8:53 | mvndtylzwo.net | udp |
| US | 8.8.8.8:53 | nomvmt.net | udp |
| US | 8.8.8.8:53 | hxpzoscrmfeg.net | udp |
| US | 8.8.8.8:53 | gossiagocogo.com | udp |
| US | 8.8.8.8:53 | uggascemos.org | udp |
| US | 162.249.65.164:80 | uggascemos.org | tcp |
| US | 8.8.8.8:53 | pfnndcwyocr.com | udp |
| US | 8.8.8.8:53 | ksntlwnenqk.net | udp |
| US | 8.8.8.8:53 | kpncts.net | udp |
| US | 8.8.8.8:53 | jdpyxlk.info | udp |
| US | 8.8.8.8:53 | jemmtsfcs.info | udp |
| US | 8.8.8.8:53 | fmvjnanjyb.info | udp |
| US | 8.8.8.8:53 | caciay.org | udp |
| US | 8.8.8.8:53 | qahdxtmcddb.info | udp |
| US | 8.8.8.8:53 | hqxchhh.com | udp |
| US | 8.8.8.8:53 | igpojblq.info | udp |
| US | 8.8.8.8:53 | actnbsqbnad.info | udp |
| US | 8.8.8.8:53 | hpfwskhidyp.org | udp |
| US | 8.8.8.8:53 | zzrduz.net | udp |
| US | 8.8.8.8:53 | nyfrtlzhbdsv.info | udp |
| US | 8.8.8.8:53 | jedbqqewoif.org | udp |
| US | 8.8.8.8:53 | fionle.net | udp |
| US | 8.8.8.8:53 | xpustd.info | udp |
| US | 8.8.8.8:53 | bgbtfyrujy.net | udp |
| US | 8.8.8.8:53 | cfoqzyogcute.net | udp |
| US | 8.8.8.8:53 | ggakymgo.com | udp |
| US | 8.8.8.8:53 | zxtntmkai.org | udp |
| US | 8.8.8.8:53 | oqztlmkcw.net | udp |
| US | 8.8.8.8:53 | nqfozsnnji.info | udp |
| US | 8.8.8.8:53 | lflwqwvdsn.info | udp |
| US | 8.8.8.8:53 | kojxtgf.net | udp |
| US | 8.8.8.8:53 | rnwxnrvlej.net | udp |
| US | 8.8.8.8:53 | omskhihwcv.net | udp |
| US | 8.8.8.8:53 | lzfkraf.info | udp |
| US | 8.8.8.8:53 | deqqqufxz.org | udp |
| US | 8.8.8.8:53 | tcnswhzsiqt.org | udp |
| US | 8.8.8.8:53 | mqxovzhirrp.net | udp |
| US | 8.8.8.8:53 | xuvsjinhp.com | udp |
| US | 8.8.8.8:53 | yuxgzfjlql.info | udp |
| US | 8.8.8.8:53 | dppkkhyq.net | udp |
| US | 8.8.8.8:53 | kositdtnau.info | udp |
| US | 8.8.8.8:53 | hsolelxe.net | udp |
| US | 8.8.8.8:53 | gsvixgkco.net | udp |
| US | 8.8.8.8:53 | awaqgy.com | udp |
| US | 8.8.8.8:53 | qgbfhmwddluf.info | udp |
| US | 8.8.8.8:53 | lwkgzaxwa.com | udp |
| US | 8.8.8.8:53 | lkcenos.org | udp |
| US | 8.8.8.8:53 | hunngurrkj.net | udp |
| US | 8.8.8.8:53 | scyssywk.org | udp |
| US | 162.249.65.164:80 | scyssywk.org | tcp |
| US | 8.8.8.8:53 | mmsgbehenil.info | udp |
| US | 8.8.8.8:53 | tljohdld.net | udp |
| US | 8.8.8.8:53 | kmxwusnxdap.net | udp |
| US | 8.8.8.8:53 | hupytxy.net | udp |
| US | 8.8.8.8:53 | xdyczuzcjph.org | udp |
| US | 8.8.8.8:53 | vutipnlltpz.info | udp |
| US | 8.8.8.8:53 | owaceg.com | udp |
| US | 8.8.8.8:53 | lvpicxnk.info | udp |
| US | 8.8.8.8:53 | rlofyortapuf.net | udp |
| US | 8.8.8.8:53 | wqugyoiime.org | udp |
| US | 8.8.8.8:53 | ywpfhwxczvlc.info | udp |
| US | 8.8.8.8:53 | euinkmsa.net | udp |
| US | 8.8.8.8:53 | jynrzkxhni.net | udp |
| US | 8.8.8.8:53 | xqpptyhlxpwz.info | udp |
| US | 8.8.8.8:53 | nyexzeu.net | udp |
| US | 8.8.8.8:53 | rqialyc.net | udp |
| US | 8.8.8.8:53 | iueyaacs.com | udp |
| US | 8.8.8.8:53 | pxbwsrnxa.com | udp |
| US | 8.8.8.8:53 | hrzypddipjy.com | udp |
| US | 8.8.8.8:53 | iamwpdfuvsf.info | udp |
| US | 8.8.8.8:53 | twldsvwufp.info | udp |
| US | 8.8.8.8:53 | kwgcyk.com | udp |
| US | 8.8.8.8:53 | kefnoyimx.info | udp |
| US | 8.8.8.8:53 | tayddxqraiej.net | udp |
| US | 8.8.8.8:53 | pmdacdzcfkd.com | udp |
| US | 8.8.8.8:53 | nejddo.info | udp |
| US | 8.8.8.8:53 | zswpbpbmna.net | udp |
| US | 8.8.8.8:53 | pbxpuuk.com | udp |
| PL | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | ljrjsmnoxsfr.net | udp |
| US | 8.8.8.8:53 | udhmlbuqpa.info | udp |
| US | 8.8.8.8:53 | mizvmc.info | udp |
| US | 8.8.8.8:53 | bizkbqamxllw.net | udp |
| US | 8.8.8.8:53 | lyidvwncp.net | udp |
| US | 8.8.8.8:53 | boduqn.info | udp |
| US | 8.8.8.8:53 | pqlknm.info | udp |
| US | 8.8.8.8:53 | efochgzyukl.net | udp |
| US | 8.8.8.8:53 | epodgb.net | udp |
| US | 8.8.8.8:53 | kffvvzdg.info | udp |
| US | 8.8.8.8:53 | wizrbog.info | udp |
| US | 8.8.8.8:53 | ypyuoitqoa.info | udp |
| US | 8.8.8.8:53 | fsuhsbzkpmzv.info | udp |
| US | 8.8.8.8:53 | kecctlh.net | udp |
| US | 8.8.8.8:53 | kvjmpkyo.net | udp |
| US | 8.8.8.8:53 | acpmpgvckov.net | udp |
| US | 8.8.8.8:53 | gilaiixumtdm.info | udp |
| US | 8.8.8.8:53 | ukkybsbyb.info | udp |
| US | 8.8.8.8:53 | jkudqejzfc.net | udp |
| US | 8.8.8.8:53 | dplkjpeuzog.org | udp |
| US | 8.8.8.8:53 | meeergp.info | udp |
| US | 8.8.8.8:53 | zjzbeqyt.info | udp |
| US | 8.8.8.8:53 | zmaquu.net | udp |
| US | 8.8.8.8:53 | qdeocjjcnhkb.info | udp |
| US | 8.8.8.8:53 | swthasg.net | udp |
| US | 8.8.8.8:53 | rcerfcdqvdrj.info | udp |
| US | 8.8.8.8:53 | bqnqljllbyn.com | udp |
| US | 8.8.8.8:53 | asxblsbai.info | udp |
| US | 8.8.8.8:53 | vzrawxycib.info | udp |
| US | 8.8.8.8:53 | hedmzgrfliux.net | udp |
| US | 8.8.8.8:53 | eentliv.net | udp |
| US | 8.8.8.8:53 | kyyvpjph.net | udp |
| US | 8.8.8.8:53 | jojcpqbg.net | udp |
| US | 8.8.8.8:53 | wyvxmzbg.info | udp |
| US | 8.8.8.8:53 | yeiiow.com | udp |
| US | 8.8.8.8:53 | wuihibpv.net | udp |
| US | 8.8.8.8:53 | yuwemy.org | udp |
| US | 8.8.8.8:53 | obcsuc.info | udp |
| US | 8.8.8.8:53 | woilsbpt.info | udp |
| US | 8.8.8.8:53 | ozdbxljg.info | udp |
| US | 8.8.8.8:53 | akridp.info | udp |
| US | 8.8.8.8:53 | tugghpuyzgj.org | udp |
| US | 8.8.8.8:53 | dkthecjthti.com | udp |
| US | 8.8.8.8:53 | hkudak.net | udp |
| US | 8.8.8.8:53 | hmskewbfw.net | udp |
| US | 8.8.8.8:53 | kyiwsjqob.net | udp |
| US | 8.8.8.8:53 | jcfavurdlf.info | udp |
| US | 8.8.8.8:53 | kgumucoa.com | udp |
| US | 8.8.8.8:53 | nnkapwjgdgw.com | udp |
| US | 8.8.8.8:53 | jqowtofcr.org | udp |
| US | 8.8.8.8:53 | wqxmfwhkleb.info | udp |
| US | 8.8.8.8:53 | acdmuqqgd.net | udp |
| US | 8.8.8.8:53 | bjnfrkcekktj.net | udp |
| US | 8.8.8.8:53 | vmxqzithpbz.org | udp |
| US | 8.8.8.8:53 | cjrsdgmijgn.net | udp |
| US | 8.8.8.8:53 | cnlubrwctose.net | udp |
| US | 8.8.8.8:53 | xutjfhnilv.info | udp |
| US | 8.8.8.8:53 | bbvqvapdqw.net | udp |
| US | 8.8.8.8:53 | jzfiblfy.net | udp |
| US | 8.8.8.8:53 | ijxoidecbii.info | udp |
| US | 8.8.8.8:53 | lshwdaj.info | udp |
| US | 8.8.8.8:53 | zztqhglqa.info | udp |
| US | 8.8.8.8:53 | kexythjteun.info | udp |
| US | 8.8.8.8:53 | xjlpbt.net | udp |
| US | 8.8.8.8:53 | tglikq.net | udp |
| US | 8.8.8.8:53 | uczhzpnr.net | udp |
| US | 8.8.8.8:53 | yqbhlbl.info | udp |
| US | 8.8.8.8:53 | bgqvnupg.net | udp |
| US | 8.8.8.8:53 | qmenegzxfmih.net | udp |
| US | 8.8.8.8:53 | tsjlatxlzhn.info | udp |
| US | 8.8.8.8:53 | ywqgfsxcr.info | udp |
| US | 8.8.8.8:53 | zftavh.info | udp |
| US | 8.8.8.8:53 | iuejasqyl.info | udp |
| US | 8.8.8.8:53 | yqvgpzbxro.net | udp |
| US | 8.8.8.8:53 | xizgvuz.com | udp |
| US | 8.8.8.8:53 | kyrmbot.net | udp |
| US | 8.8.8.8:53 | uzfnber.info | udp |
| US | 8.8.8.8:53 | shvehdrsc.net | udp |
| US | 8.8.8.8:53 | dzwwlg.info | udp |
| US | 8.8.8.8:53 | jndkwwyxbs.info | udp |
| US | 8.8.8.8:53 | jcxcwolq.info | udp |
| US | 8.8.8.8:53 | zezqyob.net | udp |
| US | 8.8.8.8:53 | jrbvuwneayxd.info | udp |
| US | 8.8.8.8:53 | hyndhm.info | udp |
Files
C:\Users\Admin\AppData\Local\Temp\vcmpq.exe
C:\Users\Admin\AppData\Local\msbddgprtybicfmpyxgmvxxajl.svc
C:\Users\Admin\AppData\Local\neylwkereuiaftlztdxoivguoboeskpdvjdnh.sfq
C:\Program Files (x86)\msbddgprtybicfmpyxgmvxxajl.svc