Malware Analysis Report

2025-03-15 00:57

Sample ID 240626-g2xcfssdrn
Target 5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe
SHA256 5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785
Tags
defense_evasion evasion persistence trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785

Threat Level: Known bad

The file 5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

defense_evasion evasion persistence trojan

UAC bypass

Modifies WinLogon for persistence

Disables RegEdit via registry modification

Adds policy Run key to start application

Executes dropped EXE

Loads dropped DLL

Impair Defenses: Safe Mode Boot

Checks computer location settings

Adds Run key to start application

Looks up external IP address via web service

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

System policy modification

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-26 06:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-26 06:18

Reported

2024-06-26 06:21

Platform

win7-20240508-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "aqmpdyzpjffwxqubeuoea.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "ymghtmlzrljyxoqvwkc.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lavxkeetmhgwworxzohw.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nattewuhyrocaqrvvi.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "lavxkeetmhgwworxzohw.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqihrifrhzvifuuxw.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "eqihrifrhzvifuuxw.exe" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "nattewuhyrocaqrvvi.exe" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "eqihrifrhzvifuuxw.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xizxgwsdsjeqmazb.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "eqihrifrhzvifuuxw.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqmpdyzpjffwxqubeuoea.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymghtmlzrljyxoqvwkc.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymghtmlzrljyxoqvwkc.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqmpdyzpjffwxqubeuoea.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "ymghtmlzrljyxoqvwkc.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lavxkeetmhgwworxzohw.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xizxgwsdsjeqmazb.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nattewuhyrocaqrvvi.exe" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "nattewuhyrocaqrvvi.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "xizxgwsdsjeqmazb.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "aqmpdyzpjffwxqubeuoea.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\pwjdiumteriq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nattewuhyrocaqrvvi.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\scspxmhrfvpavig = "nattewuhyrocaqrvvi.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqmpdyzpjffwxqubeuoea.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xizxgwsdsjeqmazb = "eqihrifrhzvifuuxw.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nattewuhyrocaqrvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqihrifrhzvifuuxw.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "ymghtmlzrljyxoqvwkc.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nattewuhyrocaqrvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nattewuhyrocaqrvvi.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "xizxgwsdsjeqmazb.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xizxgwsdsjeqmazb = "lavxkeetmhgwworxzohw.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ymghtmlzrljyxoqvwkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymghtmlzrljyxoqvwkc.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lavxkeetmhgwworxzohw.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xizxgwsdsjeqmazb = "lavxkeetmhgwworxzohw.exe" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nattewuhyrocaqrvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lavxkeetmhgwworxzohw.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xizxgwsdsjeqmazb.exe" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xizxgwsdsjeqmazb.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "aqmpdyzpjffwxqubeuoea.exe ." C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xizxgwsdsjeqmazb = "aqmpdyzpjffwxqubeuoea.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xizxgwsdsjeqmazb = "eqihrifrhzvifuuxw.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eqihrifrhzvifuuxw = "aqmpdyzpjffwxqubeuoea.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ymghtmlzrljyxoqvwkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqmpdyzpjffwxqubeuoea.exe" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nattewuhyrocaqrvvi.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ymghtmlzrljyxoqvwkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymghtmlzrljyxoqvwkc.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "eqihrifrhzvifuuxw.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymghtmlzrljyxoqvwkc.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ymghtmlzrljyxoqvwkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nattewuhyrocaqrvvi.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "aqmpdyzpjffwxqubeuoea.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "eqihrifrhzvifuuxw.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nattewuhyrocaqrvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqmpdyzpjffwxqubeuoea.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqmpdyzpjffwxqubeuoea.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eqihrifrhzvifuuxw = "eqihrifrhzvifuuxw.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xizxgwsdsjeqmazb.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ymghtmlzrljyxoqvwkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqihrifrhzvifuuxw.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ymghtmlzrljyxoqvwkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqmpdyzpjffwxqubeuoea.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eqihrifrhzvifuuxw = "ymghtmlzrljyxoqvwkc.exe ." C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "eqihrifrhzvifuuxw.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "xizxgwsdsjeqmazb.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "xizxgwsdsjeqmazb.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nattewuhyrocaqrvvi.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lavxkeetmhgwworxzohw.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqmpdyzpjffwxqubeuoea.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xizxgwsdsjeqmazb = "ymghtmlzrljyxoqvwkc.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "nattewuhyrocaqrvvi.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nattewuhyrocaqrvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xizxgwsdsjeqmazb.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xizxgwsdsjeqmazb = "xizxgwsdsjeqmazb.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nattewuhyrocaqrvvi.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eqihrifrhzvifuuxw = "lavxkeetmhgwworxzohw.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymghtmlzrljyxoqvwkc.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eqihrifrhzvifuuxw = "nattewuhyrocaqrvvi.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nattewuhyrocaqrvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nattewuhyrocaqrvvi.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "xizxgwsdsjeqmazb.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "ymghtmlzrljyxoqvwkc.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\eqihrifrhzvifuuxw = "ymghtmlzrljyxoqvwkc.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "xizxgwsdsjeqmazb.exe ." C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "ymghtmlzrljyxoqvwkc.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "nattewuhyrocaqrvvi.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "lavxkeetmhgwworxzohw.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lavxkeetmhgwworxzohw.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "nattewuhyrocaqrvvi.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ymghtmlzrljyxoqvwkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lavxkeetmhgwworxzohw.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqihrifrhzvifuuxw.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nattewuhyrocaqrvvi = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqmpdyzpjffwxqubeuoea.exe ." C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymghtmlzrljyxoqvwkc.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pynjqeyhujcmgs = "lavxkeetmhgwworxzohw.exe ." C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\owkflyrzlzrat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\aqmpdyzpjffwxqubeuoea.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Run\xizxgwsdsjeqmazb = "aqmpdyzpjffwxqubeuoea.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ymghtmlzrljyxoqvwkc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\eqihrifrhzvifuuxw.exe" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.whatismyip.ca N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.showmyipaddress.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\cyajdelhhjpmtscpyuuqsbv.dzz C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
File opened for modification C:\Windows\SysWOW64\pwjdiumteriqisnlfmxerlqcubmzqyqavt.ufm C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
File created C:\Windows\SysWOW64\pwjdiumteriqisnlfmxerlqcubmzqyqavt.ufm C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
File opened for modification C:\Windows\SysWOW64\cyajdelhhjpmtscpyuuqsbv.dzz C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\cyajdelhhjpmtscpyuuqsbv.dzz C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
File opened for modification C:\Program Files (x86)\pwjdiumteriqisnlfmxerlqcubmzqyqavt.ufm C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
File created C:\Program Files (x86)\pwjdiumteriqisnlfmxerlqcubmzqyqavt.ufm C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
File opened for modification C:\Program Files (x86)\cyajdelhhjpmtscpyuuqsbv.dzz C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\pwjdiumteriqisnlfmxerlqcubmzqyqavt.ufm C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
File created C:\Windows\pwjdiumteriqisnlfmxerlqcubmzqyqavt.ufm C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
File opened for modification C:\Windows\cyajdelhhjpmtscpyuuqsbv.dzz C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
File created C:\Windows\cyajdelhhjpmtscpyuuqsbv.dzz C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A (64 identical events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1424 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\aagtr.exe
PID 1424 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\aagtr.exe
PID 1424 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\aagtr.exe
PID 1424 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\aagtr.exe
PID 1424 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\aagtr.exe
PID 1424 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\aagtr.exe
PID 1424 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\aagtr.exe
PID 1424 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe C:\Users\Admin\AppData\Local\Temp\aagtr.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\aagtr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\aagtr.exe

"C:\Users\Admin\AppData\Local\Temp\aagtr.exe" "-"

C:\Users\Admin\AppData\Local\Temp\aagtr.exe

"C:\Users\Admin\AppData\Local\Temp\aagtr.exe" "-"

Network

Country Destination Domain Proto
US 8.8.8.8:53 whatismyipaddress.com udp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 whatismyipaddress.com udp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 whatismyipaddress.com udp
US 8.8.8.8:53 whatismyipaddress.com udp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.showmyipaddress.com udp

Files

\Users\Admin\AppData\Local\Temp\aagtr.exe

MD5 aa9e9cc5b776b54cf314f610d45773e9
SHA1 3590a9b76ffc46d5a8a6438d0dee2b720ff85b9b
SHA256 6c73a28dedfd1b5792c601f29dc020fd480e161b5f9449fd09ededcf1087d194
SHA512 c085e52b1c9647b7e558f76273aa603337402e0d1f9f67c0d65e2c2d191166717191823b02935e156a02cac456c919f730a874dafdfd54bb5805f73ca1b95697

C:\Users\Admin\AppData\Local\pwjdiumteriqisnlfmxerlqcubmzqyqavt.ufm

MD5 5746b0caa45aba69ad1e4629e1561c70
SHA1 9f77f50f17b4c0da4343ce1300998e9812c4692f
SHA256 d8c21aa2528889d2e080e6100da3d9bd243b769d40c24c3ed44380d42e31397a
SHA512 75564c2255ac1bd42b34155674eb399d631850ca3ab8517c37090b65e58dcaf967597608c11f4efd1fca18414e7a81076f0de213561c75af93f8c53252af90f3

C:\Users\Admin\AppData\Local\cyajdelhhjpmtscpyuuqsbv.dzz

MD5 26715693e8e833139915cb3365413a41
SHA1 6b6427ebad35eb2ba3ded2ff2692a1471ce3e2d9
SHA256 d44d1e81b05e7985129d69ad32096a2169259c67f2abafedda4f75a8a789be96
SHA512 887749a3806328adb4753eb0352851c1636a95385381310bbb4516e2cbfd9a45ce0f970b0ead1373fbb6957bfc62204119045f5ae5472940fccac8b97600ad0f

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-26 06:18

Reported

2024-06-26 06:21

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tomdskizqkcyhzvnlzx.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gozdfk = "gcbtjcbtlgzwgzwpodcy.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsodqgcrgyoipfzpl.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gozdfk = "zsodqgcrgyoipfzpl.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcbtjcbtlgzwgzwpodcy.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iczpdurhxqhckbwnkx.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gozdfk = "tomdskizqkcyhzvnlzx.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gozdfk = "zsodqgcrgyoipfzpl.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tomdskizqkcyhzvnlzx.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gozdfk = "iczpdurhxqhckbwnkx.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsodqgcrgyoipfzpl.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsslcwwpieywhbzttjjgg.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsslcwwpieywhbzttjjgg.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gozdfk = "vsslcwwpieywhbzttjjgg.exe" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gozdfk = "skftfupdrixqwlet.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcbtjcbtlgzwgzwpodcy.exe" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gozdfk = "skftfupdrixqwlet.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gozdfk = "vsslcwwpieywhbzttjjgg.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gozdfk = "vsslcwwpieywhbzttjjgg.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iczpdurhxqhckbwnkx.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gozdfk = "tomdskizqkcyhzvnlzx.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\fks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skftfupdrixqwlet.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcotwco = "iczpdurhxqhckbwnkx.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\isflpwjp = "gcbtjcbtlgzwgzwpodcy.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkyfksgnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skftfupdrixqwlet.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkyfksgnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skftfupdrixqwlet.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\isflpwjp = "vsslcwwpieywhbzttjjgg.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "skftfupdrixqwlet.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcotwco = "vsslcwwpieywhbzttjjgg.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\setbhqfnvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsslcwwpieywhbzttjjgg.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\isflpwjp = "gcbtjcbtlgzwgzwpodcy.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcotwco = "tomdskizqkcyhzvnlzx.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\setbhqfnvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iczpdurhxqhckbwnkx.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsodqgcrgyoipfzpl.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\isflpwjp = "skftfupdrixqwlet.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msbd = "skftfupdrixqwlet.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "iczpdurhxqhckbwnkx.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\isflpwjp = "iczpdurhxqhckbwnkx.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\setbhqfnvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcbtjcbtlgzwgzwpodcy.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkyfksgnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsslcwwpieywhbzttjjgg.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\setbhqfnvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iczpdurhxqhckbwnkx.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsslcwwpieywhbzttjjgg.exe" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkyfksgnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcbtjcbtlgzwgzwpodcy.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\setbhqfnvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsodqgcrgyoipfzpl.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msbd = "zsodqgcrgyoipfzpl.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "tomdskizqkcyhzvnlzx.exe ." C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "gcbtjcbtlgzwgzwpodcy.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "vsslcwwpieywhbzttjjgg.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iczpdurhxqhckbwnkx.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcotwco = "vsslcwwpieywhbzttjjgg.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkyfksgnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tomdskizqkcyhzvnlzx.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcbtjcbtlgzwgzwpodcy.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcotwco = "skftfupdrixqwlet.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skftfupdrixqwlet.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msbd = "tomdskizqkcyhzvnlzx.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msbd = "skftfupdrixqwlet.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsslcwwpieywhbzttjjgg.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\setbhqfnvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gcbtjcbtlgzwgzwpodcy.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcotwco = "zsodqgcrgyoipfzpl.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\isflpwjp = "tomdskizqkcyhzvnlzx.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkyfksgnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsodqgcrgyoipfzpl.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsslcwwpieywhbzttjjgg.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iczpdurhxqhckbwnkx.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcotwco = "gcbtjcbtlgzwgzwpodcy.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "iczpdurhxqhckbwnkx.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msbd = "vsslcwwpieywhbzttjjgg.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\isflpwjp = "zsodqgcrgyoipfzpl.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skftfupdrixqwlet.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcotwco = "gcbtjcbtlgzwgzwpodcy.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkyfksgnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsslcwwpieywhbzttjjgg.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skftfupdrixqwlet.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msbd = "gcbtjcbtlgzwgzwpodcy.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tcotwco = "skftfupdrixqwlet.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "gcbtjcbtlgzwgzwpodcy.exe ." C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\setbhqfnvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\skftfupdrixqwlet.exe" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkyfksgnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iczpdurhxqhckbwnkx.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsodqgcrgyoipfzpl.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\setbhqfnvg = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tomdskizqkcyhzvnlzx.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zkyfksgnu = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tomdskizqkcyhzvnlzx.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "vsslcwwpieywhbzttjjgg.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tomdskizqkcyhzvnlzx.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tomdskizqkcyhzvnlzx.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iczpdurhxqhckbwnkx.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\msbd = "gcbtjcbtlgzwgzwpodcy.exe" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msbd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zsodqgcrgyoipfzpl.exe" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\vcmpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vsslcwwpieywhbzttjjgg.exe ." C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.showmyipaddress.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\msbddgprtybicfmpyxgmvxxajl.svc C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
File created C:\Windows\SysWOW64\msbddgprtybicfmpyxgmvxxajl.svc C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
File opened for modification C:\Windows\SysWOW64\neylwkereuiaftlztdxoivguoboeskpdvjdnh.sfq C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
File created C:\Windows\SysWOW64\neylwkereuiaftlztdxoivguoboeskpdvjdnh.sfq C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\msbddgprtybicfmpyxgmvxxajl.svc C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
File created C:\Program Files (x86)\msbddgprtybicfmpyxgmvxxajl.svc C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
File opened for modification C:\Program Files (x86)\neylwkereuiaftlztdxoivguoboeskpdvjdnh.sfq C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
File created C:\Program Files (x86)\neylwkereuiaftlztdxoivguoboeskpdvjdnh.sfq C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\msbddgprtybicfmpyxgmvxxajl.svc C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
File opened for modification C:\Windows\neylwkereuiaftlztdxoivguoboeskpdvjdnh.sfq C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
File created C:\Windows\neylwkereuiaftlztdxoivguoboeskpdvjdnh.sfq C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
File opened for modification C:\Windows\msbddgprtybicfmpyxgmvxxajl.svc C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\vcmpq.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\5d24b5537111c317c2024c7ef0d8d58f43351689b5ebf48d8b0f27d1db9bd785_NeikiAnalytics.exe"

C:\Users\Admin\AppData\Local\Temp\vcmpq.exe

"C:\Users\Admin\AppData\Local\Temp\vcmpq.exe" "-"

C:\Users\Admin\AppData\Local\Temp\vcmpq.exe

"C:\Users\Admin\AppData\Local\Temp\vcmpq.exe" "-"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 uvcxbxmz.info udp
US 8.8.8.8:53 vltfvwtkf.com udp
US 8.8.8.8:53 dpzepnwnudlt.net udp
US 8.8.8.8:53 uewqvzpoasx.info udp
US 8.8.8.8:53 qanlrh.net udp
US 8.8.8.8:53 nyncnhtblcds.info udp
US 8.8.8.8:53 ozopntzb.net udp
US 8.8.8.8:53 piuizhqklib.net udp
US 8.8.8.8:53 loftqx.info udp
US 8.8.8.8:53 dudplt.net udp
US 8.8.8.8:53 inagoxllds.net udp
US 8.8.8.8:53 cjleudnxfzvs.info udp
US 8.8.8.8:53 kjvudodlbt.info udp
US 8.8.8.8:53 uoykqq.com udp
US 8.8.8.8:53 dimymlzczx.net udp
US 8.8.8.8:53 lcntttebwj.net udp
US 8.8.8.8:53 pdzqpjfbf.info udp
US 8.8.8.8:53 kqbcnxjeliba.net udp
US 8.8.8.8:53 sbnwmhdd.info udp
US 8.8.8.8:53 qywogqaokw.org udp
US 8.8.8.8:53 ptxtvcjnhqc.info udp
US 8.8.8.8:53 gegacoci.org udp
US 8.8.8.8:53 tnfdpusr.net udp
US 8.8.8.8:53 thvipkbramui.info udp
US 8.8.8.8:53 xvbgtqtzdv.net udp
US 8.8.8.8:53 zqgctaon.info udp
US 8.8.8.8:53 bvhflq.info udp
US 8.8.8.8:53 eygqmyae.com udp
US 8.8.8.8:53 ncpgvox.net udp
US 8.8.8.8:53 vesyuca.net udp
US 8.8.8.8:53 oknmxgaxdkf.net udp
US 8.8.8.8:53 cyltuqrr.net udp
US 8.8.8.8:53 hvothij.info udp
US 8.8.8.8:53 jbjfnsfegev.net udp
US 8.8.8.8:53 lkdqkorpnev.com udp
US 8.8.8.8:53 jlkxbpfz.info udp
US 8.8.8.8:53 unmorfx.info udp
US 8.8.8.8:53 bdvwwu.info udp
US 8.8.8.8:53 nvmxprrsrzcw.info udp
US 8.8.8.8:53 bnbjfb.info udp
US 8.8.8.8:53 okblnqbmyu.net udp
US 8.8.8.8:53 mwaylqhpmgfm.info udp
US 8.8.8.8:53 nmtalyx.org udp
US 8.8.8.8:53 gkllimd.info udp
US 8.8.8.8:53 zjbsoklmx.net udp
US 8.8.8.8:53 tapcprxcbck.com udp
US 8.8.8.8:53 yfqwhib.net udp
US 8.8.8.8:53 mejacwxplz.info udp
US 8.8.8.8:53 kefujkm.net udp
US 8.8.8.8:53 ycvlyc.net udp
US 8.8.8.8:53 wvnxwtgs.info udp
US 8.8.8.8:53 lbxklt.info udp
US 8.8.8.8:53 fzhgzcvmbvj.net udp
US 8.8.8.8:53 wopkjbimodrl.net udp
US 8.8.8.8:53 nogsnytsc.net udp
US 8.8.8.8:53 seaueuemgaem.com udp
US 8.8.8.8:53 hujnckw.info udp
US 8.8.8.8:53 uckmkewakoos.org udp
US 8.8.8.8:53 fotabqldheyn.info udp
US 8.8.8.8:53 lwcpjkog.info udp
US 8.8.8.8:53 vxyettrklkij.info udp
US 8.8.8.8:53 yvcbvi.info udp
US 8.8.8.8:53 czxtpuafgqbr.info udp
US 8.8.8.8:53 teywtwk.com udp
US 8.8.8.8:53 esptjthv.info udp
US 8.8.8.8:53 tqvzkzco.info udp
US 8.8.8.8:53 eqmwwwsw.com udp
US 8.8.8.8:53 oiylvyioqt.info udp
US 8.8.8.8:53 ziiwdb.info udp
US 8.8.8.8:53 smozzlz.info udp
US 8.8.8.8:53 tmysvsm.com udp
US 8.8.8.8:53 zamsbstunhp.com udp
US 8.8.8.8:53 qbkmkfhqr.net udp
US 8.8.8.8:53 uybfjppqbwi.net udp
US 8.8.8.8:53 egowbukwd.info udp
US 8.8.8.8:53 baizalia.net udp
US 8.8.8.8:53 hyxyegbtfb.net udp
US 8.8.8.8:53 yqsulei.info udp
US 8.8.8.8:53 dgbcaun.net udp
US 8.8.8.8:53 lsfgofca.net udp
US 8.8.8.8:53 guntby.net udp
US 8.8.8.8:53 yazupsk.info udp
US 8.8.8.8:53 tzyaexc.info udp
US 8.8.8.8:53 gwumgkswsk.com udp
US 8.8.8.8:53 qsdmyqtub.net udp
US 8.8.8.8:53 pmubsrdczgb.net udp
US 8.8.8.8:53 wgexcijk.net udp
US 8.8.8.8:53 eismrmu.net udp
US 8.8.8.8:53 hbalfcbztj.info udp
US 8.8.8.8:53 vhhrrylpmb.net udp
US 8.8.8.8:53 zwxewzlyrqh.com udp
US 8.8.8.8:53 wrrpqs.net udp
US 8.8.8.8:53 kyiuqkemso.org udp
US 8.8.8.8:53 gulcbgcwted.info udp
US 8.8.8.8:53 ejjltdlmpejs.net udp
US 8.8.8.8:53 kimgimsioiai.org udp
US 8.8.8.8:53 nyvixexmh.info udp
US 8.8.8.8:53 wmmmnnvsb.net udp
US 8.8.8.8:53 uealvp.info udp
US 8.8.8.8:53 lipxzjhkop.net udp
US 8.8.8.8:53 bttqrqrpxsjv.info udp
US 8.8.8.8:53 mmcwdiwt.info udp
US 8.8.8.8:53 tfldcopk.net udp
US 8.8.8.8:53 fsgnbqhqscf.org udp
US 8.8.8.8:53 syqcoscyie.com udp
US 8.8.8.8:53 rqgmhpveajwl.info udp
US 8.8.8.8:53 thfcjvbjjgyn.net udp
US 8.8.8.8:53 zkbuiqprluk.net udp
US 8.8.8.8:53 uvlvqxyijddu.net udp
US 8.8.8.8:53 qwigcgykyo.com udp
US 8.8.8.8:53 xmlficz.net udp
US 8.8.8.8:53 suekgiym.com udp
US 8.8.8.8:53 wdxhaicsckn.info udp
US 8.8.8.8:53 egisqlbjdstv.info udp
US 8.8.8.8:53 uejxrnwt.net udp
US 8.8.8.8:53 vcponhpsj.org udp
US 8.8.8.8:53 kogkmgecau.com udp
US 8.8.8.8:53 iuoacmcs.org udp
US 8.8.8.8:53 dqctbyqccix.net udp
US 8.8.8.8:53 xrbklm.info udp
US 8.8.8.8:53 anoczmgryx.info udp
US 8.8.8.8:53 imemam.com udp
US 8.8.8.8:53 acqsuqyuea.org udp
US 8.8.8.8:53 lptsdmvyjii.org udp
US 8.8.8.8:53 qfbpefnz.info udp
US 8.8.8.8:53 jvunsxaneq.info udp
US 8.8.8.8:53 suicwlhzdsrh.net udp
US 8.8.8.8:53 uglodye.net udp
US 8.8.8.8:53 kamaoeccsq.org udp
US 8.8.8.8:53 icczging.info udp
US 8.8.8.8:53 uwcwqqgkyyak.org udp
US 8.8.8.8:53 nujjjhwmtcyu.info udp
US 8.8.8.8:53 gskeciqake.com udp
US 8.8.8.8:53 eiqurqxebnen.net udp
US 8.8.8.8:53 tiravstadc.net udp
US 8.8.8.8:53 diintjzv.info udp
US 8.8.8.8:53 osfirsowmqo.info udp
US 8.8.8.8:53 ladegcamm.info udp
US 8.8.8.8:53 patwxrpycrac.net udp
US 8.8.8.8:53 aujzhqu.net udp
US 8.8.8.8:53 fnqpsvux.info udp
US 8.8.8.8:53 ysywsegiqm.org udp
US 8.8.8.8:53 pgspkfxgla.info udp
US 8.8.8.8:53 aomkcqaa.com udp
US 8.8.8.8:53 pvqlykfq.net udp
US 8.8.8.8:53 drdglop.com udp
US 8.8.8.8:53 rdjnva.net udp
US 8.8.8.8:53 jvcuyszjq.com udp
US 8.8.8.8:53 prvddfje.net udp
US 8.8.8.8:53 kdvmcluywgdv.info udp
US 8.8.8.8:53 vmihlahazqo.net udp
US 8.8.8.8:53 ajjzfemivc.net udp
US 8.8.8.8:53 equhrhl.net udp
US 8.8.8.8:53 cofqgl.info udp
US 8.8.8.8:53 ffrdbxtq.net udp
US 8.8.8.8:53 egkokkimaaei.com udp
US 8.8.8.8:53 kylfjgffwk.net udp
US 8.8.8.8:53 nxkwbqnpaoj.info udp
US 8.8.8.8:53 nsfkeafrtjn.info udp
US 8.8.8.8:53 kdhfoco.net udp
US 8.8.8.8:53 nsrybgduhqm.info udp
US 8.8.8.8:53 nyvdmij.com udp
US 8.8.8.8:53 aowsiuke.com udp
US 8.8.8.8:53 pvbhwkylhb.info udp
US 8.8.8.8:53 jtpdhst.org udp
US 162.249.65.164:80 jtpdhst.org tcp
US 8.8.8.8:53 bergxszkm.com udp
US 8.8.8.8:53 uqwiwgie.com udp
US 8.8.8.8:53 tjhgonruler.net udp
US 8.8.8.8:53 oyxpnufu.info udp
US 8.8.8.8:53 bfvbpfllrewl.net udp
US 8.8.8.8:53 gpkwdv.net udp
US 8.8.8.8:53 nnzeuedwnl.net udp
US 8.8.8.8:53 kwlxazgum.net udp
US 8.8.8.8:53 btzqttbivkpu.net udp
US 8.8.8.8:53 tbrpvoic.net udp
US 8.8.8.8:53 oortuswiyyhz.info udp
US 8.8.8.8:53 jcjanwp.info udp
US 8.8.8.8:53 lngqglyz.info udp
US 8.8.8.8:53 oexcjzj.net udp
US 8.8.8.8:53 yvvwtcdubbd.net udp
US 8.8.8.8:53 xnfkwib.info udp
US 8.8.8.8:53 qnxsyozse.info udp
US 8.8.8.8:53 nvnijvcsb.net udp
US 8.8.8.8:53 iwjaigphvmz.info udp
US 8.8.8.8:53 kasuiyek.com udp
US 8.8.8.8:53 ayaquoqyaw.com udp
US 8.8.8.8:53 eqfijd.info udp
US 8.8.8.8:53 rqsmlao.net udp
US 8.8.8.8:53 igehpw.net udp
US 8.8.8.8:53 yaiwwqauqmom.com udp
US 8.8.8.8:53 pbwkpxldr.org udp
US 8.8.8.8:53 ilotakteky.net udp
US 8.8.8.8:53 pnvtzoaqcxld.info udp
US 8.8.8.8:53 razbluvsqqa.net udp
US 8.8.8.8:53 wrvhnypcpi.net udp
US 8.8.8.8:53 hkfnasy.org udp
US 8.8.8.8:53 pabbidcpwndg.net udp
US 8.8.8.8:53 oamefufinsp.info udp
US 8.8.8.8:53 xwyisqvuf.org udp
US 8.8.8.8:53 mbpwcqlboe.info udp
US 8.8.8.8:53 hmvcozfilo.info udp
US 8.8.8.8:53 nvkegmombev.info udp
US 8.8.8.8:53 rsjbotkem.info udp
US 8.8.8.8:53 xqxwooj.info udp
US 8.8.8.8:53 zdfqxmraf.org udp
US 162.249.65.164:80 zdfqxmraf.org tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 epfvqsmidj.info udp
US 8.8.8.8:53 bixsou.info udp
US 8.8.8.8:53 mivsfcbdusk.net udp
US 8.8.8.8:53 dwyylx.net udp
US 8.8.8.8:53 wcrozxs.net udp
US 8.8.8.8:53 omuejyvdsq.info udp
US 8.8.8.8:53 klkphat.info udp
US 8.8.8.8:53 yrudwj.info udp
US 8.8.8.8:53 wewypqp.info udp
US 8.8.8.8:53 famdhrjmvh.net udp
US 8.8.8.8:53 owewgkuogg.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 iuucwa.org udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 ocnxbvt.info udp
US 8.8.8.8:53 ofqdimldvyj.net udp
US 8.8.8.8:53 hsbqnqd.info udp
US 8.8.8.8:53 jvmkdb.info udp
US 8.8.8.8:53 reynaufj.net udp
US 8.8.8.8:53 begljodzgofd.info udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 kyqugqywge.com udp
US 8.8.8.8:53 waictgkiv.net udp
US 8.8.8.8:53 amkoxbpqmsz.net udp
US 8.8.8.8:53 uhzkxav.info udp
US 8.8.8.8:53 gefgtkx.net udp
US 8.8.8.8:53 jrnzxalqzcnu.net udp
US 8.8.8.8:53 gounbviz.info udp
US 8.8.8.8:53 fhnvfh.net udp
US 8.8.8.8:53 jhevjz.net udp
US 8.8.8.8:53 caaaigqkmiae.org udp
US 162.249.65.164:80 caaaigqkmiae.org tcp
US 8.8.8.8:53 fhfoxidsrkd.net udp
US 8.8.8.8:53 iocsqoyceyge.org udp
US 8.8.8.8:53 xszzpiu.info udp
US 8.8.8.8:53 jhtoyqf.net udp
US 8.8.8.8:53 didllg.net udp
US 8.8.8.8:53 tuyuforrawr.org udp
US 8.8.8.8:53 weyrtj.net udp
US 8.8.8.8:53 dvranxamb.net udp
US 8.8.8.8:53 vcraxpzeeu.net udp
US 8.8.8.8:53 pcnxhmngxez.com udp
US 8.8.8.8:53 gdnezqmkx.info udp
US 8.8.8.8:53 kzxjhgaeni.net udp
US 8.8.8.8:53 pwzqhieopbd.info udp
US 8.8.8.8:53 zscuzunaj.net udp
US 8.8.8.8:53 ycigdusnl.net udp
US 8.8.8.8:53 yijytqjuk.net udp
US 8.8.8.8:53 nndxyx.info udp
US 8.8.8.8:53 jfzciyx.org udp
US 162.249.65.164:80 jfzciyx.org tcp
US 8.8.8.8:53 wkvevbotghap.info udp
US 8.8.8.8:53 pgfzbuzm.net udp
US 8.8.8.8:53 frvfbcfb.net udp
US 8.8.8.8:53 ojaujkdz.info udp
US 8.8.8.8:53 wgnsyuzh.info udp
US 8.8.8.8:53 hasyua.info udp
US 8.8.8.8:53 viedmcttdt.info udp
US 8.8.8.8:53 nmqejuzej.org udp
US 8.8.8.8:53 pwdhdmz.info udp
US 8.8.8.8:53 cxhpao.info udp
US 8.8.8.8:53 edgwmadgx.info udp
US 8.8.8.8:53 hibgsjgsgwp.info udp
US 8.8.8.8:53 zxechlt.net udp
US 8.8.8.8:53 ehwoqrboiogy.net udp
US 8.8.8.8:53 qrctswibwten.info udp
US 8.8.8.8:53 yiicek.com udp
US 8.8.8.8:53 drzqzpp.net udp
US 8.8.8.8:53 zlpcbh.net udp
US 8.8.8.8:53 asnapiuotwf.net udp
US 8.8.8.8:53 udfmtffwzzj.net udp
US 8.8.8.8:53 bctsjtxpibgl.info udp
US 8.8.8.8:53 aowywqwiqiue.com udp
US 8.8.8.8:53 dsfyfldxzegw.info udp
US 8.8.8.8:53 undnnlzbrar.net udp
US 8.8.8.8:53 xfvqmg.info udp
US 8.8.8.8:53 kamwsy.com udp
US 8.8.8.8:53 bdjouyjaeeb.net udp
US 8.8.8.8:53 yanmegluv.net udp
US 8.8.8.8:53 naxvdqhghpr.info udp
US 8.8.8.8:53 zmtkywp.org udp
US 162.249.65.164:80 zmtkywp.org tcp
US 8.8.8.8:53 awjehcpfzso.net udp
US 8.8.8.8:53 eykcogyisoig.org udp
US 8.8.8.8:53 hsugeaf.info udp
US 8.8.8.8:53 levhskhmt.org udp
US 8.8.8.8:53 bhhfap.net udp
US 8.8.8.8:53 hozqvimincu.net udp
US 8.8.8.8:53 kwmkeckayc.com udp
US 8.8.8.8:53 sinaneg.net udp
US 8.8.8.8:53 rmmgsgjrl.info udp
US 8.8.8.8:53 vsfodbkflt.info udp
US 8.8.8.8:53 ldsnofofle.net udp
US 8.8.8.8:53 rrkmwnrm.net udp
US 8.8.8.8:53 yuwbfmnhinp.info udp
US 8.8.8.8:53 ctauzxtx.net udp
US 8.8.8.8:53 ciwyeiukcw.com udp
US 8.8.8.8:53 peffyirwg.net udp
US 8.8.8.8:53 phxqdgbrpmsv.info udp
US 8.8.8.8:53 dzpmjawy.net udp
US 8.8.8.8:53 xxijimf.com udp
US 8.8.8.8:53 fatiyppe.info udp
US 8.8.8.8:53 gnzcnkq.net udp
US 8.8.8.8:53 hglsgvaxry.net udp
US 8.8.8.8:53 bopuogiv.net udp
US 8.8.8.8:53 igkuqw.com udp
US 8.8.8.8:53 yceqcskoeg.org udp
US 162.249.65.164:80 yceqcskoeg.org tcp
US 8.8.8.8:53 bvqkrktejqp.org udp
US 8.8.8.8:53 yieykkga.org udp
US 8.8.8.8:53 ewdzlxvrdeg.net udp
US 8.8.8.8:53 dqsyhykmtnp.info udp
US 8.8.8.8:53 adomofxvpaq.net udp
US 8.8.8.8:53 qawxtu.net udp
US 8.8.8.8:53 hwlonrvh.info udp
US 8.8.8.8:53 gijvpt.info udp
US 8.8.8.8:53 cgwgaguesg.org udp
US 162.249.65.164:80 cgwgaguesg.org tcp
US 8.8.8.8:53 aoyvxbiiyz.info udp
US 8.8.8.8:53 alfrnycvgg.info udp
US 8.8.8.8:53 juwaxhdtj.info udp
US 8.8.8.8:53 julxerwaocda.net udp
US 8.8.8.8:53 kgiesm.com udp
US 8.8.8.8:53 jfqflsatlx.net udp
US 8.8.8.8:53 qygegmqgeags.org udp
US 8.8.8.8:53 ktvyxuzqprew.net udp
US 8.8.8.8:53 waiaeqgw.org udp
US 8.8.8.8:53 nkybtwpgzoi.info udp
US 8.8.8.8:53 vmvokk.net udp
US 8.8.8.8:53 gqdkvelag.net udp
US 8.8.8.8:53 tnxpffhon.com udp
US 8.8.8.8:53 gwmeafacbwrh.info udp
US 8.8.8.8:53 pqhknjclv.org udp
US 8.8.8.8:53 qkdqch.net udp
US 8.8.8.8:53 uqmgwqsous.com udp
US 8.8.8.8:53 giqpub.info udp
US 8.8.8.8:53 kevcvg.info udp
US 8.8.8.8:53 hspwtqg.com udp
US 8.8.8.8:53 lcxalxnawm.net udp
US 8.8.8.8:53 fwzdawdkuy.info udp
US 8.8.8.8:53 eaisokwcuc.com udp
US 8.8.8.8:53 gzhynesg.info udp
US 8.8.8.8:53 ecqdzksnfx.net udp
US 8.8.8.8:53 htqkvotdqo.info udp
US 8.8.8.8:53 zztdzeju.info udp
US 8.8.8.8:53 lblxlwomf.net udp
US 8.8.8.8:53 yqaqgg.org udp
US 8.8.8.8:53 hqtptex.info udp
US 8.8.8.8:53 lxjvkxlgnmr.org udp
US 8.8.8.8:53 vnqwalqs.net udp
US 8.8.8.8:53 ekamqi.org udp
US 162.249.65.164:80 ekamqi.org tcp
US 8.8.8.8:53 ikwkgeauyucc.com udp
US 8.8.8.8:53 gzvunr.net udp
US 8.8.8.8:53 tndknhie.info udp
US 8.8.8.8:53 zioazcxoj.net udp
US 8.8.8.8:53 cvwpfiesyd.info udp
US 8.8.8.8:53 lpsuhhyxqjwd.net udp
US 8.8.8.8:53 xopgozy.com udp
US 8.8.8.8:53 hqppccub.net udp
US 8.8.8.8:53 rscowabeg.net udp
US 8.8.8.8:53 hyafbvpm.net udp
US 8.8.8.8:53 yqocscgqq.info udp
US 8.8.8.8:53 vsmkgitmfby.net udp
US 8.8.8.8:53 hxfemtow.info udp
US 8.8.8.8:53 eqcsskwyyiug.org udp
US 162.249.65.164:80 eqcsskwyyiug.org tcp
US 8.8.8.8:53 yajkbehusaz.net udp
US 8.8.8.8:53 cuosyw.com udp
US 8.8.8.8:53 pgchlxgc.net udp
US 8.8.8.8:53 kywqtewctwx.info udp
US 8.8.8.8:53 yzvffvv.info udp
US 8.8.8.8:53 jsnojd.net udp
US 8.8.8.8:53 eweuaigycy.org udp
US 162.249.65.164:80 eweuaigycy.org tcp
US 8.8.8.8:53 hueeryh.net udp
US 8.8.8.8:53 sakgiuyyqo.org udp
US 8.8.8.8:53 ripjdvuags.net udp
US 8.8.8.8:53 cslmzr.net udp
US 8.8.8.8:53 qldinizingz.net udp
US 8.8.8.8:53 ishstyjyxiz.net udp
US 8.8.8.8:53 dqvankrj.info udp
US 8.8.8.8:53 lurjzfmnqvwz.info udp
US 8.8.8.8:53 oeaqcugq.com udp
US 8.8.8.8:53 fmdijknjgl.net udp
US 8.8.8.8:53 gnsvyvbztuqc.net udp
US 8.8.8.8:53 ckqqaueogk.com udp
US 8.8.8.8:53 pznxzmlgwkh.info udp
US 8.8.8.8:53 uxfhrqtkdtxg.net udp
US 8.8.8.8:53 azpwhu.net udp
US 8.8.8.8:53 rgrdpwvmpxbc.net udp
US 8.8.8.8:53 zkrtuazwmas.net udp
US 8.8.8.8:53 omcyyrusmmix.net udp
US 8.8.8.8:53 mugegqokuoea.com udp
US 8.8.8.8:53 mcoooeuq.com udp
US 8.8.8.8:53 ewaeouugwaig.org udp
US 8.8.8.8:53 dztoayiligf.com udp
US 8.8.8.8:53 rdposn.net udp
US 8.8.8.8:53 gzzhsqoo.info udp
US 8.8.8.8:53 bnlopyl.com udp
US 8.8.8.8:53 wkwnlcdyvgp.net udp
US 8.8.8.8:53 xpwszkox.net udp
US 8.8.8.8:53 cqhuumdsz.info udp
US 8.8.8.8:53 rgcjqihbl.net udp
US 8.8.8.8:53 rdrsxai.info udp
US 8.8.8.8:53 ewusteqhnw.info udp
US 8.8.8.8:53 bxtqdt.net udp
US 8.8.8.8:53 ngvehkv.net udp
US 8.8.8.8:53 wzngbs.info udp
US 8.8.8.8:53 fnqsmcftroxg.info udp
US 8.8.8.8:53 qlvcpcoolu.net udp
US 8.8.8.8:53 xqbizkh.com udp
US 8.8.8.8:53 wzxqqsksmhht.net udp
US 8.8.8.8:53 vxwwrahun.org udp
US 8.8.8.8:53 ytpkamlzria.net udp
US 8.8.8.8:53 bofqba.net udp
US 8.8.8.8:53 kcguuuas.com udp
US 8.8.8.8:53 pdmxljwa.info udp
US 8.8.8.8:53 amwckseeao.com udp
US 8.8.8.8:53 jnhotjhsp.info udp
US 8.8.8.8:53 puzvapuipbyg.info udp
US 8.8.8.8:53 uldmdftk.info udp
US 8.8.8.8:53 ycaunmdur.net udp
US 8.8.8.8:53 kfkgsr.net udp
US 8.8.8.8:53 wlflblpcjarz.info udp
US 8.8.8.8:53 fouothaovrx.com udp
US 8.8.8.8:53 icemewicau.com udp
US 8.8.8.8:53 uznphg.net udp
US 8.8.8.8:53 twldjcvctccx.info udp
US 8.8.8.8:53 gqcqic.com udp
US 8.8.8.8:53 qyiwrcy.info udp
US 8.8.8.8:53 nirbnkmibci.com udp
US 8.8.8.8:53 qkegaesa.com udp
US 8.8.8.8:53 hkcoqwbpitf.net udp
US 8.8.8.8:53 lfzhtsazbb.net udp
US 8.8.8.8:53 suqoes.com udp
US 8.8.8.8:53 kirtpkjmv.net udp
US 8.8.8.8:53 nizybszil.info udp
US 8.8.8.8:53 ubcvfhlvzxkh.info udp
US 8.8.8.8:53 sqhzcjrupwfp.net udp
US 8.8.8.8:53 hhkwtcc.net udp
US 8.8.8.8:53 iqsgmuyk.org udp
US 8.8.8.8:53 zzlafkume.net udp
US 8.8.8.8:53 ykhkvljit.info udp
US 8.8.8.8:53 uyegugkcwque.com udp
US 8.8.8.8:53 hnfclldjdx.info udp
US 8.8.8.8:53 pyhxrhfs.info udp
US 8.8.8.8:53 neotjkse.info udp
US 8.8.8.8:53 qgoekk.com udp
US 8.8.8.8:53 onzwewex.net udp
US 8.8.8.8:53 vunjwe.info udp
US 8.8.8.8:53 wdnylizhcs.net udp
US 8.8.8.8:53 zrtplqi.com udp
US 8.8.8.8:53 ukdltgkqjoxu.net udp
US 8.8.8.8:53 ujznyh.net udp
US 8.8.8.8:53 auxvmsb.info udp
US 8.8.8.8:53 nefwulmsyx.net udp
US 8.8.8.8:53 pofvvcveh.info udp
US 8.8.8.8:53 outibmb.info udp
US 8.8.8.8:53 jfaoqmrgtn.info udp
US 8.8.8.8:53 lrbqxqikxvb.info udp
US 8.8.8.8:53 pszpmikqxer.com udp
US 8.8.8.8:53 rycmkqswqjq.info udp
US 8.8.8.8:53 znpsldu.org udp
US 162.249.65.164:80 znpsldu.org tcp
US 8.8.8.8:53 htbynf.info udp
US 8.8.8.8:53 hazflwzsb.org udp
US 8.8.8.8:53 aovxmktl.info udp
US 8.8.8.8:53 nohktgdansd.org udp
US 8.8.8.8:53 ewcgvchalkf.info udp
US 8.8.8.8:53 nkrzvcyyty.info udp
US 8.8.8.8:53 phfezwenok.info udp
US 8.8.8.8:53 lbpzrwjb.info udp
US 8.8.8.8:53 djdjhidqmwh.com udp
US 8.8.8.8:53 wsmouwmkuk.com udp
US 8.8.8.8:53 eyrubiiqjii.net udp
US 8.8.8.8:53 miswccdu.net udp
US 8.8.8.8:53 ywqcymyummyc.org udp
US 8.8.8.8:53 tnqkazvppy.info udp
US 8.8.8.8:53 fkxzbanstmy.net udp
US 8.8.8.8:53 tgdsrey.org udp
US 8.8.8.8:53 uckymuoq.com udp
US 8.8.8.8:53 rnhcdglpngvu.info udp
US 8.8.8.8:53 zejhqebena.net udp
US 8.8.8.8:53 odgwkyal.net udp
US 8.8.8.8:53 roisxhr.net udp
US 8.8.8.8:53 aotovfsijge.info udp
US 8.8.8.8:53 uqpvbknclmr.info udp
US 8.8.8.8:53 kmkgsypnlw.net udp
US 8.8.8.8:53 oklpbvpo.net udp
US 8.8.8.8:53 oqctmkzcpuwi.info udp
US 8.8.8.8:53 ogkskmomem.org udp
US 8.8.8.8:53 cugcmy.org udp
US 162.249.65.164:80 cugcmy.org tcp
US 8.8.8.8:53 qmwgeqcu.org udp
US 8.8.8.8:53 gqaznun.info udp
US 8.8.8.8:53 kqrhhigmwu.net udp
US 8.8.8.8:53 ncvvot.net udp
US 8.8.8.8:53 iceaam.org udp
US 8.8.8.8:53 eoxijuwynqt.net udp
US 8.8.8.8:53 zawufqzwz.net udp
US 8.8.8.8:53 kfcnga.net udp
US 8.8.8.8:53 rspfzwhyc.net udp
US 8.8.8.8:53 gmopic.info udp
US 8.8.8.8:53 czbewodfns.info udp
US 8.8.8.8:53 moeiosouca.com udp
US 8.8.8.8:53 raiobwskm.info udp
US 8.8.8.8:53 jtdgaf.info udp
US 8.8.8.8:53 husoxazaz.net udp
US 8.8.8.8:53 osagdqbwf.net udp
US 8.8.8.8:53 tmboeiceqwx.org udp
US 8.8.8.8:53 lysassfobzx.net udp
US 8.8.8.8:53 hhypjk.info udp
US 8.8.8.8:53 kzogmvfgenmo.info udp
US 8.8.8.8:53 pecerfpftd.info udp
US 8.8.8.8:53 xbdyxk.info udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\vcmpq.exe

MD5 a9f73635d908f411dee7c62a0f112ba4
SHA1 627b4c637f019687e4d0cbc1394e338148ec2f6c
SHA256 a5a5dadb6e9fc2e62709533b895d643f773914046df8e4d324618cbefc9c4ba3
SHA512 2fb60b119ba7417094c112b89200f82a7a60b3595e40d0df60e6004a5b4f98b8af956262c8f776dc5f13c5be96ea39f7aba4e3da6c67520fb48865fed039fa1d

C:\Users\Admin\AppData\Local\msbddgprtybicfmpyxgmvxxajl.svc

MD5 aec548a3f91df2bab53dc86b4355e285
SHA1 a0d641f8441d2f8bbbf35d771866efb0b87b10e5
SHA256 a9f9bff9377cfb0b55ca56f96f8ba351febdb2f3a36665e5e9a236e3ebb3e765
SHA512 9e907d40f7b635d56ffbcba3debd87512c3979060927a6e14b5f4c7a79671b8de79d77c36c3658aabce1e1ed6d579a698cf5da72ace98bbc2c97dc1feb4df69c

C:\Users\Admin\AppData\Local\neylwkereuiaftlztdxoivguoboeskpdvjdnh.sfq

MD5 fe1e2a3ace7607fa86c8d74e6b5401bd
SHA1 4862b3d1021d33c04b899d236408ab31a7e83700
SHA256 de40c124a3cd3a37f2aa5edb5cbc1ceb72824e37b0a0ebb412af1d03adcb8b88
SHA512 0f4510c54cc4f962478a5ee110bb3a5d45c4bfcfe9cf6074da9e4ccf55126fbfb8eb32edc31099117814f662d70fc1923355b18b65f22dbac73bb937cef43e17

C:\Program Files (x86)\msbddgprtybicfmpyxgmvxxajl.svc

MD5 12e065a09736e70e673bbe07a53b5494
SHA1 c1631907f10cbeb55989260e0fdc37b6cb5a07bf
SHA256 9d08e34b7d573a34931d4686d4a77947d77ddc58f92dc0f07effc1c8e61adddb
SHA512 5e72b2b51ec3c17dec2191d02556fa5aed17aea2e43d69ba40b71b9056240bd179a9c8c40b5c1714a94bcc7a8e14be50c74ccf4348379d9cc3e6564b6501b5f4

C:\Program Files (x86)\msbddgprtybicfmpyxgmvxxajl.svc

MD5 19fe6634591be0ed0de15c8ac004ba03
SHA1 6a6fb5fbd2c01664ab3a0bdcf438d33345baddd2
SHA256 4e87a6fede72e6f58ee584cf2dfa7ead8502b15f39d9834fa59ed49edd6d08d2
SHA512 3e412c8d8cec7b37f2f022fe0ad98552c39f447c049a03bb99801290aaf9a7eeb61fb967231f6b600a4c59a3fe5c42b555deb8d178ced4dc8464bf29fcb3b1ea

C:\Program Files (x86)\msbddgprtybicfmpyxgmvxxajl.svc

MD5 be36ec85eb04dac141fb05d3e0cd4667
SHA1 b2dcab38b751e3ed7717040eca4eab1b328307d2
SHA256 dff57338c6c2c3d8c5e311d699d972c67084ac8a303f7bf7586df1259f84b31b
SHA512 94e017498744f15edb8636c403246d15084c6a210ae75f1c712fb01f27eda56ce847ddf8d02b6dfb21beaac228b413c0bddf294459e741a22df66fb2e8be78a1

C:\Users\Admin\AppData\Local\msbddgprtybicfmpyxgmvxxajl.svc

MD5 08bc7397142bd19bd6d9785435260217
SHA1 69cc3dee7f56606890f93d7b7940c54d95ff6691
SHA256 289828f40b9ccf1292be998917bec9644e97b1b5352ec7406ba3d5c11a88d040
SHA512 7a3813d3c874f8fa46997dfb35107f91b58af4fe2a8360440422aeea64f4165718834c1a49086a58bb09a5a1ebed638f3b9c1cbd83e776efcca6720c98935cd2

C:\Program Files (x86)\msbddgprtybicfmpyxgmvxxajl.svc

MD5 a7c5f037397d763b8f631b3f7495e09f
SHA1 122a5c703e32c110e29881ff1d4150ff596b7d94
SHA256 5ff839cbc192ebd4c681b7463801a53a9e2c4c1981769d7b5b1dda32d96db0ef
SHA512 c797dbd35fd1992d221c6436a58c100fa919a167fb5efd1c7ffd5d1f62da36b8801a1f770027fbfbde0cd72e7f66d95290400c82fc952814ecdf4f088cc8426a

C:\Program Files (x86)\msbddgprtybicfmpyxgmvxxajl.svc

MD5 13054255b77c054e55c8756084a89905
SHA1 73d5c65ff6a0b1a9791bd5f2a86edf6a85db416b
SHA256 81004bb3a0e626ba9ad183aa5d7e5711278a0310fba5605a5cc026252150f4dc
SHA512 050d7db358aa08e845ffbea9f2818de544a63048a83bde3e20200005fb3f26c3542a2dc642121d4b5f74cf9d517cbee2c32329a7596b75bb1c6a64779cb17809

C:\Program Files (x86)\msbddgprtybicfmpyxgmvxxajl.svc

MD5 6712eece8ac7fe20ca7773ebd6a8c03d
SHA1 28f0d6907a73e81df4d1899c1be90359a8c42e93
SHA256 21d2afc7d197f9519c21091120f248a60a729aa0dada75385cb61c4836fd2388
SHA512 6366fe2d3b9641de42e274cff35ae8fc72c796260d73803a80781b7d835243cc3caf9348c1cbded5e19d60b5ca6104da10b6b35dfcf8d483215408b12584808f