Malware Analysis Report

2025-08-10 16:41

Sample ID 241030-qsy95avbpm
Target 5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN
SHA256 5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fd
Tags
defense_evasion discovery evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fd

Threat Level: Known bad

The file 5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion persistence privilege_escalation trojan

UAC bypass

Modifies WinLogon for persistence

Adds policy Run key to start application

Disables RegEdit via registry modification

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Impair Defenses: Safe Mode Boot

Adds Run key to start application

Checks whether UAC is enabled

Looks up external IP address via web service

Hijack Execution Flow: Executable Installer File Permissions Weakness

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-30 13:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-30 13:32

Reported

2024-10-30 13:34

Platform

win7-20240903-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ixgmuwls = "ttnexkkcvpyezyzleee.exe" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ixgmuwls = "spgukurgwntwokir.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ixgmuwls = "ghcuocdwqlvcyyanhije.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ixgmuwls = "spgukurgwntwokir.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxpevgeuldkohedne.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttnexkkcvpyezyzleee.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spgukurgwntwokir.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ixgmuwls = "zxpevgeuldkohedne.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spgukurgwntwokir.exe" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ixgmuwls = "vxtmhwysnjuczadrmoqmf.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ixgmuwls = "ttnexkkcvpyezyzleee.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vxtmhwysnjuczadrmoqmf.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxpevgeuldkohedne.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ixgmuwls = "vxtmhwysnjuczadrmoqmf.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihaqiutkcvdicaaldc.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ghcuocdwqlvcyyanhije.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ixgmuwls = "ihaqiutkcvdicaaldc.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihaqiutkcvdicaaldc.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spgukurgwntwokir.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sjucmqhqal = "ihaqiutkcvdicaaldc.exe ." C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\zpzgpsiqz = "vxtmhwysnjuczadrmoqmf.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sjucmqhqal = "ihaqiutkcvdicaaldc.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nfralqisdpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxpevgeuldkohedne.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\zpzgpsiqz = "zxpevgeuldkohedne.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gtaekk = "spgukurgwntwokir.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtaekk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttnexkkcvpyezyzleee.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtaekk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttnexkkcvpyezyzleee.exe" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "ghcuocdwqlvcyyanhije.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "vxtmhwysnjuczadrmoqmf.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtaekk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxpevgeuldkohedne.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtaekk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vxtmhwysnjuczadrmoqmf.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nfralqisdpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spgukurgwntwokir.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\zpzgpsiqz = "ghcuocdwqlvcyyanhije.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sjucmqhqal = "ghcuocdwqlvcyyanhije.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sjucmqhqal = "zxpevgeuldkohedne.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sjucmqhqal = "ttnexkkcvpyezyzleee.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "spgukurgwntwokir.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtaekk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxpevgeuldkohedne.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nfralqisdpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxpevgeuldkohedne.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtaekk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttnexkkcvpyezyzleee.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gtaekk = "vxtmhwysnjuczadrmoqmf.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\zpzgpsiqz = "ttnexkkcvpyezyzleee.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtaekk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spgukurgwntwokir.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttnexkkcvpyezyzleee.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kdqamslwivxw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttnexkkcvpyezyzleee.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gtaekk = "ihaqiutkcvdicaaldc.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "ttnexkkcvpyezyzleee.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nfralqisdpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ghcuocdwqlvcyyanhije.exe ." C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gtaekk = "ihaqiutkcvdicaaldc.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nfralqisdpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihaqiutkcvdicaaldc.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nfralqisdpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vxtmhwysnjuczadrmoqmf.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gtaekk = "vxtmhwysnjuczadrmoqmf.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kdqamslwivxw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihaqiutkcvdicaaldc.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\zpzgpsiqz = "ghcuocdwqlvcyyanhije.exe" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spgukurgwntwokir.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nfralqisdpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spgukurgwntwokir.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sjucmqhqal = "ttnexkkcvpyezyzleee.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\zpzgpsiqz = "ihaqiutkcvdicaaldc.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gtaekk = "ihaqiutkcvdicaaldc.exe" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtaekk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spgukurgwntwokir.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gtaekk = "zxpevgeuldkohedne.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nfralqisdpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihaqiutkcvdicaaldc.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "ihaqiutkcvdicaaldc.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\zpzgpsiqz = "vxtmhwysnjuczadrmoqmf.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihaqiutkcvdicaaldc.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sjucmqhqal = "vxtmhwysnjuczadrmoqmf.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sjucmqhqal = "ghcuocdwqlvcyyanhije.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kdqamslwivxw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttnexkkcvpyezyzleee.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gtaekk = "ttnexkkcvpyezyzleee.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttnexkkcvpyezyzleee.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "zxpevgeuldkohedne.exe ." C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttnexkkcvpyezyzleee.exe ." C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sjucmqhqal = "spgukurgwntwokir.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtaekk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vxtmhwysnjuczadrmoqmf.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxpevgeuldkohedne.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\zpzgpsiqz = "ghcuocdwqlvcyyanhije.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nfralqisdpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ghcuocdwqlvcyyanhije.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtaekk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihaqiutkcvdicaaldc.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kdqamslwivxw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ghcuocdwqlvcyyanhije.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\zpzgpsiqz = "ihaqiutkcvdicaaldc.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihaqiutkcvdicaaldc.exe ." C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kdqamslwivxw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ghcuocdwqlvcyyanhije.exe" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\zpzgpsiqz = "zxpevgeuldkohedne.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
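
The registry tables above (Winlogon, UAC bypass, policy Run keys, DisableRegistryTools, SafeBoot, Run/RunOnce, EnableInstallerDetection) are a few distinct findings repeated many times by two droppers. The following example is added here and is not part of the sandbox report or of any tool's code: it parses rows in the report's own row format, compares the policy values against a secure baseline, deduplicates the autostart entries, and emits reg.exe remediation lines. The sample rows are copied from the tables above; the baseline values are an assumption (Windows 7 workstation defaults) that the report does not state. Three caveats a responder would want: the Winlogon and Run paths appear under Wow6432Node because the droppers are 32-bit, so on a 64-bit host the native keys should be checked too; the Winlogon\Shell write carries the default data "Explorer.exe", so the finding is the untrusted writer, not the value; and EnableLUA=0 only takes effect after a reboot, which is why the sample also zeroes the prompt-behaviour values. The EnableInstallerDetection write, filed by the report under Hijack Execution Flow, in practice turns off UAC's installer-detection heuristic.

```python
import re
from collections import defaultdict

# Rows copied verbatim from the behavioral1 tables above (one per finding type;
# the tables repeat the same writes many times).
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spgukurgwntwokir.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sjucmqhqal = "ihaqiutkcvdicaaldc.exe ." C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gtaekk = "spgukurgwntwokir.exe" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A',
    r'Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A',
]

# Expected data for the values the sample overwrites. Assumption: Windows 7
# workstation defaults; the report itself states no baseline.
SECURE_BASELINE = {
    "EnableLUA": "1",
    "ConsentPromptBehaviorAdmin": "5",  # consent prompt for non-Windows binaries
    "ConsentPromptBehaviorUser": "3",   # credential prompt on the secure desktop
    "PromptOnSecureDesktop": "1",
    "EnableInstallerDetection": "1",
    "DisableRegistryTools": "0",
}
AUTOSTART_KEYS = (r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce",
                  r"\CurrentVersion\Policies\Explorer\Run")
HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}

# Row shape: <action> <kernel registry path>[ = "<data>"] <writing process> N/A
ROW = re.compile(
    r"^(?P<action>Set value \((?:int|str)\)|Key created|Key deleted|Key value queried) "
    r"(?P<path>\\REGISTRY\\.+?)"
    r'(?: = "(?P<data>.*)")?'
    r" (?P<process>[A-Za-z]:\\.+?) N/A$"
)


def parse_event(row):
    """Split one row into action, key, value name, data and writing process."""
    m = ROW.match(row)
    if not m:
        return None
    ev = m.groupdict()
    ev["key"], _, ev["name"] = ev["path"].rpartition("\\")
    if ev["data"] is not None:
        ev["data"] = ev["data"].replace("\\\\", "\\")  # report doubles backslashes in data
    return ev


def is_autostart(ev):
    """Run/RunOnce/policy Run values, plus the Winlogon Shell value."""
    return ev["key"].endswith(AUTOSTART_KEYS) or (
        ev["name"] == "Shell" and ev["key"].endswith(r"\Winlogon"))


def triage(rows):
    """Classify rows into policy tampering, autostart entries and SafeBoot removals."""
    findings = {
        "policy_tampering": set(),      # (value, written, expected, key, process)
        "autostart": defaultdict(set),  # full value path -> data written to it
        "safeboot_removed": set(),      # keys deleted under SafeBoot\Minimal
        "unparsed": [],
    }
    for row in rows:
        ev = parse_event(row)
        if ev is None:
            findings["unparsed"].append(row)
        elif ev["action"].startswith("Set value"):
            expected = SECURE_BASELINE.get(ev["name"])
            if expected is not None and ev["data"] != expected:
                findings["policy_tampering"].add(
                    (ev["name"], ev["data"], expected, ev["key"], ev["process"]))
            elif is_autostart(ev):
                findings["autostart"][ev["path"]].add(ev["data"])
        elif ev["action"] == "Key deleted" and ev["key"].endswith(r"\SafeBoot\Minimal"):
            findings["safeboot_removed"].add(ev["name"])
    return findings


def to_reg_path(key):
    """Map the kernel object path used in the report to reg.exe hive syntax."""
    for prefix, hive in HIVES.items():
        if key.startswith(prefix):
            return hive + key[len(prefix):]
    return key


def remediation_commands(findings):
    """reg.exe lines restoring the baseline and dropping autostart values (Shell is verified, not deleted)."""
    cmds = [f'reg add "{to_reg_path(key)}" /v {name} /t REG_DWORD /d {expected} /f'
            for name, _written, expected, key, _proc in sorted(findings["policy_tampering"])]
    for path in sorted(findings["autostart"]):
        key, _, name = path.rpartition("\\")
        if name != "Shell":
            cmds.append(f'reg delete "{to_reg_path(key)}" /v {name} /f')
    return cmds
```

Running `triage(SAMPLE_EVENTS)` on the rows above yields five tampered policy values, four distinct autostart locations and one SafeBoot key removal; `remediation_commands` turns that into eight reg.exe lines. The SafeBoot deletions have no reg.exe one-liner here because the WinDefend, ProfSvc and Power entries must be recreated with their original data, which the report does not contain; compare against a clean image of the same build instead.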

Looks up external IP address via web service

Description Indicator Process Target
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyipaddress.com N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\zxpevgeuldkohedne.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\SysWOW64\ihaqiutkcvdicaaldc.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File created C:\Windows\SysWOW64\kfugucxkynrsicyftojykygbocrvwmgcjxsn.ock C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\SysWOW64\ihaqiutkcvdicaaldc.exe C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
File opened for modification C:\Windows\SysWOW64\zxpevgeuldkohedne.exe C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
File opened for modification C:\Windows\SysWOW64\ttnexkkcvpyezyzleee.exe C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
File opened for modification C:\Windows\SysWOW64\vxtmhwysnjuczadrmoqmf.exe C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
File opened for modification C:\Windows\SysWOW64\mpmgcsvqmjveceixtwzwqm.exe C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
File opened for modification C:\Windows\SysWOW64\ihaqiutkcvdicaaldc.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\SysWOW64\ttnexkkcvpyezyzleee.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\SysWOW64\ghcuocdwqlvcyyanhije.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\SysWOW64\spgukurgwntwokir.exe C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
File opened for modification C:\Windows\SysWOW64\mpmgcsvqmjveceixtwzwqm.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\SysWOW64\fptuxuegjngwbkvrueostwtdf.mfv C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File created C:\Windows\SysWOW64\fptuxuegjngwbkvrueostwtdf.mfv C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\SysWOW64\ghcuocdwqlvcyyanhije.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\SysWOW64\spgukurgwntwokir.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\SysWOW64\mpmgcsvqmjveceixtwzwqm.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\SysWOW64\vxtmhwysnjuczadrmoqmf.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\SysWOW64\kfugucxkynrsicyftojykygbocrvwmgcjxsn.ock C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\SysWOW64\ghcuocdwqlvcyyanhije.exe C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
File opened for modification C:\Windows\SysWOW64\vxtmhwysnjuczadrmoqmf.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\SysWOW64\spgukurgwntwokir.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\SysWOW64\ttnexkkcvpyezyzleee.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\SysWOW64\zxpevgeuldkohedne.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\fptuxuegjngwbkvrueostwtdf.mfv C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File created C:\Program Files (x86)\fptuxuegjngwbkvrueostwtdf.mfv C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Program Files (x86)\kfugucxkynrsicyftojykygbocrvwmgcjxsn.ock C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File created C:\Program Files (x86)\kfugucxkynrsicyftojykygbocrvwmgcjxsn.ock C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\fptuxuegjngwbkvrueostwtdf.mfv C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\vxtmhwysnjuczadrmoqmf.exe C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
File opened for modification C:\Windows\mpmgcsvqmjveceixtwzwqm.exe C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
File opened for modification C:\Windows\spgukurgwntwokir.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\ihaqiutkcvdicaaldc.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\ttnexkkcvpyezyzleee.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\ghcuocdwqlvcyyanhije.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\zxpevgeuldkohedne.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\ttnexkkcvpyezyzleee.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\spgukurgwntwokir.exe C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
File opened for modification C:\Windows\zxpevgeuldkohedne.exe C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
File opened for modification C:\Windows\ihaqiutkcvdicaaldc.exe C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
File opened for modification C:\Windows\ihaqiutkcvdicaaldc.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\fptuxuegjngwbkvrueostwtdf.mfv C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File created C:\Windows\kfugucxkynrsicyftojykygbocrvwmgcjxsn.ock C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\zxpevgeuldkohedne.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\vxtmhwysnjuczadrmoqmf.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\mpmgcsvqmjveceixtwzwqm.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\kfugucxkynrsicyftojykygbocrvwmgcjxsn.ock C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\vxtmhwysnjuczadrmoqmf.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\mpmgcsvqmjveceixtwzwqm.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\ttnexkkcvpyezyzleee.exe C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
File opened for modification C:\Windows\ghcuocdwqlvcyyanhije.exe C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
File opened for modification C:\Windows\spgukurgwntwokir.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
File opened for modification C:\Windows\ghcuocdwqlvcyyanhije.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1936 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe
PID 1936 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe
PID 1936 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe
PID 1936 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe
PID 2560 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe
PID 2560 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe
PID 2560 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe
PID 2560 wrote to memory of 2804 N/A C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe
PID 2560 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe
PID 2560 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe
PID 2560 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe
PID 2560 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe C:\Users\Admin\AppData\Local\Temp\thpubcq.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\thpubcq.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe

"C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe"

C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe

"C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe" "c:\users\admin\appdata\local\temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdn.exe*"

C:\Users\Admin\AppData\Local\Temp\thpubcq.exe

"C:\Users\Admin\AppData\Local\Temp\thpubcq.exe" "-C:\Users\Admin\AppData\Local\Temp\spgukurgwntwokir.exe"

C:\Users\Admin\AppData\Local\Temp\thpubcq.exe

"C:\Users\Admin\AppData\Local\Temp\thpubcq.exe" "-C:\Users\Admin\AppData\Local\Temp\spgukurgwntwokir.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.showmyipaddress.com udp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 8.8.8.8:53 www.whatismyip.com udp
US 104.27.206.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 104.27.206.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 104.19.223.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.baidu.com udp
HK 103.235.46.96:80 www.baidu.com tcp
LV 46.109.100.217:43167 N/A tcp
US 8.8.8.8:53 kmeggs.org udp
US 8.8.8.8:53 vkovxae.com udp
US 8.8.8.8:53 fkavvanx.info udp
US 8.8.8.8:53 kavtbvqf.info udp
DE 85.214.228.140:80 kavtbvqf.info tcp
US 8.8.8.8:53 vdnazgbzbzb.org udp
LV 46.109.100.217:43167 N/A tcp
US 8.8.8.8:53 jrixau.net udp
US 8.8.8.8:53 kkgyko.org udp
US 8.8.8.8:53 wwuqguawcqqw.com udp
US 8.8.8.8:53 ymgqnsy.net udp
US 8.8.8.8:53 sejibalqxar.net udp
US 54.244.188.177:80 sejibalqxar.net tcp
US 8.8.8.8:53 wrdoalxzylri.info udp
US 8.8.8.8:53 egksyqv.info udp
US 208.100.26.245:80 egksyqv.info tcp
US 8.8.8.8:53 jqrmkhuihie.org udp
US 8.8.8.8:53 rplepif.org udp
US 8.8.8.8:53 aplvtllaxnd.net udp
US 8.8.8.8:53 aoaomsig.org udp
US 8.8.8.8:53 pnfmjmvwlcx.org udp
US 8.8.8.8:53 cgsicyecokuq.org udp
US 8.8.8.8:53 xlacfsfi.info udp
US 8.8.8.8:53 tenkfcxb.info udp
US 8.8.8.8:53 xwujeiv.org udp
US 8.8.8.8:53 afjhxq.net udp
US 8.8.8.8:53 wclkqrqe.net udp
US 8.8.8.8:53 gqxwros.info udp
US 8.8.8.8:53 lqfmrehenhc.net udp
US 8.8.8.8:53 xmnenarat.net udp
US 8.8.8.8:53 mmxsjopqz.info udp
US 8.8.8.8:53 vqhclzq.org udp
US 8.8.8.8:53 aokuummcga.org udp
US 8.8.8.8:53 oodgre.net udp
US 8.8.8.8:53 axkuzetoxufc.net udp
US 8.8.8.8:53 fnpkkbwbra.net udp
US 8.8.8.8:53 xerqiiou.net udp
US 8.8.8.8:53 mstzinxivqi.info udp
US 8.8.8.8:53 qqwayiokkaik.org udp
US 8.8.8.8:53 gwvkgix.net udp
US 8.8.8.8:53 miokgksskwum.com udp
US 8.8.8.8:53 pxwwhhrxnpal.net udp
US 8.8.8.8:53 uqgymo.org udp
US 8.8.8.8:53 susymk.org udp
US 8.8.8.8:53 mmvscncodmv.net udp
US 8.8.8.8:53 jzwhtwpalq.net udp
US 8.8.8.8:53 jlmyvkyzje.info udp
US 8.8.8.8:53 havbtylo.net udp
US 8.8.8.8:53 ssrgvlsglmn.net udp
US 8.8.8.8:53 xsncormab.net udp
US 8.8.8.8:53 agemigrodgx.info udp
US 8.8.8.8:53 myocswemuq.org udp
US 8.8.8.8:53 mucnrwpswz.net udp
US 8.8.8.8:53 iuqqeiugkegg.com udp
US 8.8.8.8:53 fumndilz.info udp
US 8.8.8.8:53 mqjerubxfin.net udp
US 8.8.8.8:53 catdtirlxee.net udp
US 8.8.8.8:53 tcrqlxrafmkf.net udp
US 8.8.8.8:53 bvswoq.net udp

Files

\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe

MD5 bd53a3b959a07e7bd8e5e298fce15ef0
SHA1 449903a926b84be86fec08d7abad20cb2a60b2b7
SHA256 a1377b5569d1be59695bf735e529200499c5e5a84882412a7324b1b953663acc
SHA512 17c779d1e83e72fab21cd198e10fe0413fb9f7a2eb933df16fc84a23809eb2bd563e234aec854d21727e36f73cfd7d3b47a57fe8cddf9fce08e322acf5f21903

C:\Windows\SysWOW64\ihaqiutkcvdicaaldc.exe

MD5 db1b7ac55a245032f066060d23d00630
SHA1 8b968e1eee41e0f4b2f030e672a609e65a7f7618
SHA256 5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fd
SHA512 b78051b0d851c883afe6005c16e442ce48cd137aec83a8e3a4d24f11187d41706c42bc63483834d1bb51e2fb950ac253f385714f9cf8b466f4b61c915dea72eb

\Users\Admin\AppData\Local\Temp\thpubcq.exe

MD5 26fac8b713cb236a1a9620a824d442ae
SHA1 f14f98c56a1d42858ee73dbe76565492e62774cc
SHA256 b623cbf2311c91633dfdd154cdeca5ac4109e1e4277d1e922e2d1e57dbf9a9b9
SHA512 6ec38d247aac71a823f7c273b8d6c1e88037b6cc29ff9fe0991b723c8131516fb828d22f473d1e20468b66a696cadc0a915d0fecd75d738f6ccd6b184f859e34

C:\Users\Admin\AppData\Local\fptuxuegjngwbkvrueostwtdf.mfv

MD5 93cedafa8f0bb470a692579d446e8b47
SHA1 d01c617c3d0e629d4b61e461ea5408b9c1a0855f
SHA256 18e1f9b469e13f48a243b2af1075f0111ada53ed15e37f278c97a752d673db34
SHA512 b65b54ad95e3f4e41faa6eaa6e987867d79da930c9d6adb816004c5621f5ad671665f984917cd4730cc5232f83ea4805c98ab1c056518068e7db5e43eb80c1f2

C:\Users\Admin\AppData\Local\kfugucxkynrsicyftojykygbocrvwmgcjxsn.ock

MD5 fcfb5944bbe2ecc528ef9a8924f1dc0e
SHA1 dc86298fe0d0c5efc8643d75e51f299cea5fed29
SHA256 edc55c869cae4e13b8a61d72333363d5bcf06c47923d0025d57cdf300795855e
SHA512 cb529fd60511e8156d56c9c0e704b64c0fad54a440ae73e19e141917cb782332c245fd693d366e8c1f9c2fbaa857ddb7265bd97860041d588710615809a44027

C:\Program Files (x86)\fptuxuegjngwbkvrueostwtdf.mfv

MD5 c6420d61fe64abd61e4a8f13b0d052bc
SHA1 257e479143d15d6d940d5c9d35ec7b3c3814e6b1
SHA256 227b7cffd5cfaa69f97e19785fbf8a673c137557f671b90e4cfc08ce5af2a66e
SHA512 df6627885f8c879e86526b53c06b0efb80616eb642150fb599345c2bb54cc7d6faac3a86fd84ca8f23164e218df6c417c261090517e25f2bc4e0958016247246

C:\Users\Admin\AppData\Local\fptuxuegjngwbkvrueostwtdf.mfv

MD5 346541167fb41914febebb2464a0d2af
SHA1 dfb0973b8adabc9baf0bdb426930e5f8dff514d5
SHA256 fc07ab9ad913d1d7ac148821c04514ff3ce8719ae2c8189b6579aeb6e6520614
SHA512 345e148c3ac34df401ed1bcdd7b7d450c43c2441179ed2abb0c73007afc7e7cfe3d28ef933a628cd1f0459471140d90f6f80c929c7c7f441d37692783feeb322

C:\Users\Admin\AppData\Local\fptuxuegjngwbkvrueostwtdf.mfv

MD5 4ea868960da9e2f4c795d06e153fc2d1
SHA1 1b3bc2a7f7e08b0aee8b8ad7ea911d7706a3be3f
SHA256 4d021d4de66891e9989fc5c7770986a2b1dbbacb88f0a1479c32c4217bffce54
SHA512 78495269dc307e83a2fd50298eca87fc19f468260513b532125b6612d387c2802aff416019c1261d27e3940520ac9c87cbd90f991a5bcda585acc67f1f16a075

C:\Users\Admin\AppData\Local\fptuxuegjngwbkvrueostwtdf.mfv

MD5 7896693213d91302f895264499867ddf
SHA1 1982ac7352dbfdd42e783c22ca079b8d514b1572
SHA256 2204e4c408cd695f387bc7f2eab66a81726618de09ffcec4ce6488051b4810d7
SHA512 d2edb27a6456ec0e363cf88181e78fc70477e10f4b3cc9ca000c314589133372b770cb4580e6bc7d8ddcd2d25eaebf3de5471c5beb2363f7c05799adcd2ced34

C:\Users\Admin\AppData\Local\fptuxuegjngwbkvrueostwtdf.mfv

MD5 ed894282104c791eac32343835400ae9
SHA1 3c487f1c3ecd881f99510f84369283995f2319b4
SHA256 29653692d357aa785867b769388c6e40ba40c6a73174717e869b8a88f6d4c97e
SHA512 a37e04330da70ef1b10e411beb2c7751f8ad82a7dd900a59ee1ee81ca622debb6821ad9be41d206659e6c354e92ad19d45bb644ff24497c37fe38b6a7afd0577

C:\Users\Admin\AppData\Local\fptuxuegjngwbkvrueostwtdf.mfv

MD5 9c251e3e313af755f34ccdd53d8bffd3
SHA1 16a6b98c30b40ec6b98827d1e7516ccfe2e522cb
SHA256 1c8384983c652b0b303fff4e1bd7275da50b47e7d30c7697087cd8487e5b3437
SHA512 05b7736d0e7e5709315b7ecba8237bc19ffdadbabca034952bd8b3030d5bf6ed90330160965dff5728d9b99f90123e12738afd25751dd3766397563455a7dc8b

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-30 13:32

Reported

2024-10-30 13:34

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpyakujtu = "atmysmlfqawrahrtsle.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpyakujtu = "cxsgcyzviuspajvzavqea.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhbojeezlwtpzhsvvpjw.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atmysmlfqawrahrtsle.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpyakujtu = "phzkdwunxgbvdjstrj.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpfofwsjryrjptaz.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpyakujtu = "nhbojeezlwtpzhsvvpjw.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpyakujtu = "zpfofwsjryrjptaz.exe" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpyakujtu = "atmysmlfqawrahrtsle.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpyakujtu = "zpfofwsjryrjptaz.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atmysmlfqawrahrtsle.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpyakujtu = "nhbojeezlwtpzhsvvpjw.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpyakujtu = "gxoyqifxgoibinvvs.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxoyqifxgoibinvvs.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpyakujtu = "zpfofwsjryrjptaz.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhbojeezlwtpzhsvvpjw.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxsgcyzviuspajvzavqea.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxsgcyzviuspajvzavqea.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpfofwsjryrjptaz.exe" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxoyqifxgoibinvvs.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpyakujtu = "phzkdwunxgbvdjstrj.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpfofwsjryrjptaz.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahoower = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phzkdwunxgbvdjstrj.exe" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ufqugsjvyao = "zpfofwsjryrjptaz.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahoower = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxoyqifxgoibinvvs.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahoower = "zpfofwsjryrjptaz.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdqwkyrfkoetw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpfofwsjryrjptaz.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahoower = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhbojeezlwtpzhsvvpjw.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdpuhumzdgvj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atmysmlfqawrahrtsle.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxsgcyzviuspajvzavqea.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phzkdwunxgbvdjstrj.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "cxsgcyzviuspajvzavqea.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ufqugsjvyao = "cxsgcyzviuspajvzavqea.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ufqugsjvyao = "phzkdwunxgbvdjstrj.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxoyqifxgoibinvvs.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdqwkyrfkoetw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phzkdwunxgbvdjstrj.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahoower = "cxsgcyzviuspajvzavqea.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxoyqifxgoibinvvs.exe ." C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "nhbojeezlwtpzhsvvpjw.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zjtwhsitvw = "gxoyqifxgoibinvvs.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdpuhumzdgvj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxsgcyzviuspajvzavqea.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdpuhumzdgvj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atmysmlfqawrahrtsle.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdpuhumzdgvj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpfofwsjryrjptaz.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ufqugsjvyao = "atmysmlfqawrahrtsle.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdqwkyrfkoetw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxsgcyzviuspajvzavqea.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahoower = "atmysmlfqawrahrtsle.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxsgcyzviuspajvzavqea.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ufqugsjvyao = "gxoyqifxgoibinvvs.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahoower = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phzkdwunxgbvdjstrj.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atmysmlfqawrahrtsle.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "zpfofwsjryrjptaz.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zjtwhsitvw = "zpfofwsjryrjptaz.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "nhbojeezlwtpzhsvvpjw.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zjtwhsitvw = "gxoyqifxgoibinvvs.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdpuhumzdgvj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxsgcyzviuspajvzavqea.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahoower = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxsgcyzviuspajvzavqea.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "atmysmlfqawrahrtsle.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zjtwhsitvw = "atmysmlfqawrahrtsle.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ufqugsjvyao = "nhbojeezlwtpzhsvvpjw.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahoower = "cxsgcyzviuspajvzavqea.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zjtwhsitvw = "phzkdwunxgbvdjstrj.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahoower = "zpfofwsjryrjptaz.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zjtwhsitvw = "cxsgcyzviuspajvzavqea.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdqwkyrfkoetw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atmysmlfqawrahrtsle.exe" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "gxoyqifxgoibinvvs.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahoower = "gxoyqifxgoibinvvs.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdqwkyrfkoetw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpfofwsjryrjptaz.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdqwkyrfkoetw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxoyqifxgoibinvvs.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ufqugsjvyao = "gxoyqifxgoibinvvs.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atmysmlfqawrahrtsle.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhbojeezlwtpzhsvvpjw.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahoower = "nhbojeezlwtpzhsvvpjw.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zjtwhsitvw = "phzkdwunxgbvdjstrj.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "gxoyqifxgoibinvvs.exe ." C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdpuhumzdgvj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhbojeezlwtpzhsvvpjw.exe ." C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahoower = "phzkdwunxgbvdjstrj.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zjtwhsitvw = "atmysmlfqawrahrtsle.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zjtwhsitvw = "zpfofwsjryrjptaz.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ufqugsjvyao = "cxsgcyzviuspajvzavqea.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahoower = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpfofwsjryrjptaz.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "phzkdwunxgbvdjstrj.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ufqugsjvyao = "gxoyqifxgoibinvvs.exe ." C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ufqugsjvyao = "atmysmlfqawrahrtsle.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zjtwhsitvw = "gxoyqifxgoibinvvs.exe" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdqwkyrfkoetw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxsgcyzviuspajvzavqea.exe" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdpuhumzdgvj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phzkdwunxgbvdjstrj.exe ." C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
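
The registry rows above reduce to a handful of hunt rules: a policy Run key, Run/RunOnce entries pointing at %TEMP%, DisableRegistryTools=1, EnableLUA=0, EnableInstallerDetection=0, and deletions under SafeBoot\Minimal. The Python below is an added example, not part of this report or of the sample; the event list is constructed from one row per behaviour on this page plus one constructed benign Run entry as a control, and the rule names and ATT&CK mapping are the editor's own (the SafeBoot rule also covers SafeBoot\Network, which this report does not show).

```python
"""Hunt rules for the registry behaviour in this report (added example).

Events are constructed from the report's "Set value" / "Key deleted" rows;
the benign OneDrive row is a constructed control. Rule names and the ATT&CK
mapping are the editor's, not the sandbox's.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class RegEvent:
    action: str            # "set" (value written) or "delete" (key removed)
    path: str              # registry path as the sandbox prints it
    value: Optional[str]   # data written; None for key deletions
    process: str           # image path of the writing process


AHOOWER = r"C:\Users\Admin\AppData\Local\Temp\ahoower.exe"
OQERS = r"C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe"
HKU = r"\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000"
HKLM = r"\REGISTRY\MACHINE"

EVENTS = [
    RegEvent("set", HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm",
             r"C:\Users\Admin\AppData\Local\Temp\atmysmlfqawrahrtsle.exe", AHOOWER),
    RegEvent("set", HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools",
             "1", OQERS),
    RegEvent("delete", HKLM + r"\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc", None, AHOOWER),
    RegEvent("set", HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ufqugsjvyao",
             "zpfofwsjryrjptaz.exe .", AHOOWER),
    RegEvent("set", HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "0", AHOOWER),
    RegEvent("set", HKLM + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection",
             "0", AHOOWER),
    # Constructed benign control: per-user Run entry written by a program outside %TEMP%.
    RegEvent("set", HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
             r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
             r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"),
]


def _in_user_temp(p: Optional[str]) -> bool:
    return bool(p) and "\\appdata\\local\\temp\\" in p.lower()


def _ends(e: RegEvent, suffix: str) -> bool:
    return e.path.lower().endswith(suffix)


# (rule name, ATT&CK technique, predicate)
RULES: list[tuple[str, str, Callable[[RegEvent], bool]]] = [
    ("policy_run_key", "T1547.001",
     lambda e: e.action == "set" and re.search(r"\\policies\\explorer\\run\\", e.path, re.I) is not None),
    ("run_key_from_temp", "T1547.001",
     lambda e: e.action == "set"
     and re.search(r"\\currentversion\\run(once)?\\", e.path, re.I) is not None
     and (_in_user_temp(e.value) or _in_user_temp(e.process))),
    ("registry_tools_disabled", "T1112",
     lambda e: e.action == "set" and _ends(e, "\\policies\\system\\disableregistrytools") and e.value == "1"),
    ("uac_disabled", "T1548.002",
     lambda e: e.action == "set" and _ends(e, "\\policies\\system\\enablelua") and e.value == "0"),
    ("installer_detection_disabled", "T1574.005",
     lambda e: e.action == "set" and _ends(e, "\\policies\\system\\enableinstallerdetection") and e.value == "0"),
    ("safeboot_entry_deleted", "T1562.009",
     lambda e: e.action == "delete"
     and re.search(r"\\control\\safeboot\\(minimal|network)\\", e.path, re.I) is not None),
]


def triage(events: list[RegEvent]) -> list[tuple[str, str, str]]:
    """One (rule, technique, process) hit per matching event/rule pair."""
    return [(name, tech, e.process) for e in events for name, tech, pred in RULES if pred(e)]


def by_process(hits: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Collapse hits to process -> sorted rule names, for the triage summary."""
    out: dict[str, set[str]] = {}
    for name, _tech, proc in hits:
        out.setdefault(proc, set()).add(name)
    return {p: sorted(v) for p, v in out.items()}


def techniques(hits: list[tuple[str, str, str]]) -> list[str]:
    return sorted({t for _n, t, _p in hits})


if __name__ == "__main__":
    found = triage(EVENTS)
    for proc, rules in by_process(found).items():
        print(proc, "->", ", ".join(rules))
    print("techniques:", techniques(found))
```

The value-side check on Run/RunOnce matters here: several entries in the report carry a bare name ("zpfofwsjryrjptaz.exe .") rather than a full path, so the rule also looks at where the writing process lives instead of trusting the value alone.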

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A www.showmyipaddress.com N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\tplaxuwthutrdnafhdzoli.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\SysWOW64\tplaxuwthutrdnafhdzoli.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\SysWOW64\dddwxyefxortjxoxdddwxy.fxo C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\SysWOW64\phzkdwunxgbvdjstrj.exe C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
File opened for modification C:\Windows\SysWOW64\atmysmlfqawrahrtsle.exe C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
File opened for modification C:\Windows\SysWOW64\phzkdwunxgbvdjstrj.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\SysWOW64\cxsgcyzviuspajvzavqea.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\SysWOW64\cxsgcyzviuspajvzavqea.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\SysWOW64\nhbojeezlwtpzhsvvpjw.exe C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
File opened for modification C:\Windows\SysWOW64\tplaxuwthutrdnafhdzoli.exe C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
File opened for modification C:\Windows\SysWOW64\gxoyqifxgoibinvvs.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\SysWOW64\atmysmlfqawrahrtsle.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\SysWOW64\zpfofwsjryrjptaz.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\SysWOW64\gxoyqifxgoibinvvs.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\SysWOW64\phzkdwunxgbvdjstrj.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\SysWOW64\nhbojeezlwtpzhsvvpjw.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\SysWOW64\gxoyqifxgoibinvvs.exe C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
File opened for modification C:\Windows\SysWOW64\cxsgcyzviuspajvzavqea.exe C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
File opened for modification C:\Windows\SysWOW64\zpfofwsjryrjptaz.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\SysWOW64\atmysmlfqawrahrtsle.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File created C:\Windows\SysWOW64\dddwxyefxortjxoxdddwxy.fxo C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File created C:\Windows\SysWOW64\ufqugsjvyaobcbdxozkoamdpsuivwvxri.eiu C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\SysWOW64\zpfofwsjryrjptaz.exe C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
File opened for modification C:\Windows\SysWOW64\nhbojeezlwtpzhsvvpjw.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\SysWOW64\ufqugsjvyaobcbdxozkoamdpsuivwvxri.eiu C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\ufqugsjvyaobcbdxozkoamdpsuivwvxri.eiu C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Program Files (x86)\dddwxyefxortjxoxdddwxy.fxo C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File created C:\Program Files (x86)\dddwxyefxortjxoxdddwxy.fxo C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Program Files (x86)\ufqugsjvyaobcbdxozkoamdpsuivwvxri.eiu C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\cxsgcyzviuspajvzavqea.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\atmysmlfqawrahrtsle.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\dddwxyefxortjxoxdddwxy.fxo C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\ufqugsjvyaobcbdxozkoamdpsuivwvxri.eiu C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\nhbojeezlwtpzhsvvpjw.exe C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
File opened for modification C:\Windows\cxsgcyzviuspajvzavqea.exe C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
File opened for modification C:\Windows\tplaxuwthutrdnafhdzoli.exe C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
File opened for modification C:\Windows\phzkdwunxgbvdjstrj.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\nhbojeezlwtpzhsvvpjw.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\nhbojeezlwtpzhsvvpjw.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\cxsgcyzviuspajvzavqea.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\zpfofwsjryrjptaz.exe C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
File opened for modification C:\Windows\gxoyqifxgoibinvvs.exe C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
File opened for modification C:\Windows\phzkdwunxgbvdjstrj.exe C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
File opened for modification C:\Windows\atmysmlfqawrahrtsle.exe C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
File opened for modification C:\Windows\zpfofwsjryrjptaz.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\gxoyqifxgoibinvvs.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\atmysmlfqawrahrtsle.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File created C:\Windows\dddwxyefxortjxoxdddwxy.fxo C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\tplaxuwthutrdnafhdzoli.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\zpfofwsjryrjptaz.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\gxoyqifxgoibinvvs.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\phzkdwunxgbvdjstrj.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File opened for modification C:\Windows\tplaxuwthutrdnafhdzoli.exe C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
File created C:\Windows\ufqugsjvyaobcbdxozkoamdpsuivwvxri.eiu C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
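
The file rows from the autorun.inf section down to here show one pattern worth coding against: a process running from the user's %TEMP% writes the same randomly named executables and data files into C:\Windows, C:\Windows\SysWOW64 and Program Files (x86), and drops autorun.inf at drive roots. The Python below is an added example, not part of the report or the sample; its events are constructed from a subset of the rows on this page plus one constructed benign write as a control, and "vendorhelper.dll" and its writer are hypothetical names.

```python
"""Fan-out and autorun.inf triage over sandbox file events (added example).

Events are constructed from rows in this report; the vendorhelper.dll row is a
constructed benign control with hypothetical names.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    action: str     # "created" or "modified", as the sandbox reports it
    path: str
    process: str


AHOOWER = r"C:\Users\Admin\AppData\Local\Temp\ahoower.exe"
OQERS = r"C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe"

EVENTS = [
    FileEvent("created", r"F:\autorun.inf", AHOOWER),
    FileEvent("created", r"C:\autorun.inf", AHOOWER),
    FileEvent("modified", r"C:\Windows\SysWOW64\cxsgcyzviuspajvzavqea.exe", AHOOWER),
    FileEvent("modified", r"C:\Windows\cxsgcyzviuspajvzavqea.exe", OQERS),
    FileEvent("modified", r"C:\Windows\SysWOW64\atmysmlfqawrahrtsle.exe", OQERS),
    FileEvent("modified", r"C:\Windows\atmysmlfqawrahrtsle.exe", AHOOWER),
    FileEvent("created", r"C:\Windows\SysWOW64\ufqugsjvyaobcbdxozkoamdpsuivwvxri.eiu", AHOOWER),
    FileEvent("created", r"C:\Windows\ufqugsjvyaobcbdxozkoamdpsuivwvxri.eiu", AHOOWER),
    FileEvent("created", r"C:\Program Files (x86)\ufqugsjvyaobcbdxozkoamdpsuivwvxri.eiu", AHOOWER),
    # Constructed benign control: a single write by an installer outside %TEMP%.
    FileEvent("created", r"C:\Windows\SysWOW64\vendorhelper.dll", r"C:\Program Files (x86)\Vendor\setup.exe"),
]

SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
USER_TEMP = "\\appdata\\local\\temp\\"
DRIVE_ROOT_AUTORUN = re.compile(r"^[a-z]:\\autorun\.inf$", re.I)


def _dir(path: str) -> str:
    return ntpath.dirname(path).lower()


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def autorun_drops(events: list[FileEvent]) -> list[str]:
    """autorun.inf written directly at a drive root (removable-media spreading)."""
    return sorted({e.path for e in events if DRIVE_ROOT_AUTORUN.match(e.path)})


def fanout(events: list[FileEvent], min_dirs: int = 2) -> dict[str, list[str]]:
    """basename -> distinct directories it landed in, for names seen in min_dirs or more."""
    dirs: dict[str, set[str]] = defaultdict(set)
    for e in events:
        dirs[_name(e.path)].add(_dir(e.path))
    return {n: sorted(d) for n, d in dirs.items() if len(d) >= min_dirs}


def temp_to_system_writes(events: list[FileEvent]) -> list[tuple[str, str]]:
    """(process, path) pairs where a %TEMP%-resident image wrote into a system directory."""
    return sorted({(e.process, e.path) for e in events
                   if USER_TEMP in e.process.lower() and e.path.lower().startswith(SYSTEM_DIRS)})


def report(events: list[FileEvent]) -> dict:
    return {
        "autorun": autorun_drops(events),
        "fanout": fanout(events),
        "temp_writes": temp_to_system_writes(events),
    }


if __name__ == "__main__":
    r = report(EVENTS)
    print("autorun.inf at drive roots:", r["autorun"])
    for name, dirs in r["fanout"].items():
        print(f"{name}: {len(dirs)} locations -> {dirs}")
    print(f"{len(r['temp_writes'])} writes from %TEMP% into system directories")
```

Grouping by basename rather than by full path is what surfaces the copies: each name on this page is random, but the same random name recurs in Temp, SysWOW64 and Windows, which a plain per-path allowlist would never connect.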

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\ahoower.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe

"C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe"

C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe

"C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe" "c:\users\admin\appdata\local\temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdn.exe*"

C:\Users\Admin\AppData\Local\Temp\ahoower.exe

"C:\Users\Admin\AppData\Local\Temp\ahoower.exe" "-C:\Users\Admin\AppData\Local\Temp\zpfofwsjryrjptaz.exe"

C:\Users\Admin\AppData\Local\Temp\ahoower.exe

"C:\Users\Admin\AppData\Local\Temp\ahoower.exe" "-C:\Users\Admin\AppData\Local\Temp\zpfofwsjryrjptaz.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe

MD5 e97bdffa3003bce29426e78ff0a9b89e
SHA1 4680bca864946d45d9c1ef9d195011bba8704380
SHA256 856b0722fb88c9f9d25149acd22c499146077225b0177be47e7137810b39b6e1
SHA512 6895ca6df7292f0b66d48f125570d7192ebc152a65749851c3fc68ddb0bf95a4ae025f43af7dd65d177856132c70cd70c846920a649a6055579acbfb1fa3c320

C:\Windows\SysWOW64\phzkdwunxgbvdjstrj.exe

MD5 db1b7ac55a245032f066060d23d00630
SHA1 8b968e1eee41e0f4b2f030e672a609e65a7f7618
SHA256 5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fd
SHA512 b78051b0d851c883afe6005c16e442ce48cd137aec83a8e3a4d24f11187d41706c42bc63483834d1bb51e2fb950ac253f385714f9cf8b466f4b61c915dea72eb

C:\Users\Admin\AppData\Local\Temp\ahoower.exe

MD5 5148bce28fd1bc7f6b23e61d45efbef2
SHA1 523a00e12c40d52bff59f041cff96d202c6f0a47
SHA256 1b1b4f59201354f38807cb1b1a4356818d15039c575e6de3b67c4b2e45946e6c
SHA512 ab88175cbc36cd9eac46ce418e328bdab3c1124e416e678547d5621256945d015195cee0f0a0b10f4c42d1afb1215635001d0a498b31475162dd80bcc269b05f

C:\Users\Admin\AppData\Local\dddwxyefxortjxoxdddwxy.fxo

MD5 07a51e18b6a73fbaa71fc2f540875e1b
SHA1 0297a65ea93d774209e0751eecdd15a594442ce6
SHA256 1474afd9f1b50b2ba266efcf92442fcbb4124de88c4e4d0851cf31e518b627ce
SHA512 bf304565b0bf3211a134f8a59818eb7a90153cb7a2dcaaf1ff2bb0fa2d770b77cd0d3a3caeb590ecbb4a5e18efb92d75518c2d325629f1ab2f3af1756eb722c1

C:\Users\Admin\AppData\Local\ufqugsjvyaobcbdxozkoamdpsuivwvxri.eiu

MD5 406ce504fdfa8eadaecb54f2506e2b32
SHA1 113eacdee034471b67360bdb096718c33f10642d
SHA256 7856ae62ab9bcbab8cc3b0192e6ce22e70d16b6baae24fc6ffa3e58b5b3b46fd
SHA512 ec227775f25df57a8e44107c51d2a7979b958de833d4cd74590e04931635d8920ef97dcdb55bc64ab785db566d543276a35f9176f2888acf0fd37bbf1f20e4ee

C:\Program Files (x86)\dddwxyefxortjxoxdddwxy.fxo

MD5 3cba3380817da951da12aecd276f77b3
SHA1 8ec199379859c54d17252ebebac5aca9303fde6e
SHA256 70c714ce334caaa9053d7bbc3e431350cdc3e82df4b95f5146a63a38a544b161
SHA512 2f808b6676a94eafbd1234d29cac7d782a83360c0c376b35a9f63c9a72ec86a02ae56aa09e6a4b7a4f312512642d90d1838f4a776085eab13be9507b391d8f2c

C:\Windows\SysWOW64\dddwxyefxortjxoxdddwxy.fxo

MD5 aabdb47094f2024cb1ea2d4c301cdbf1
SHA1 41cb7277daaa26d85aafc4f96595b266028487c6
SHA256 540e2943357b8fab9d928a821784774a54c28212a6c636dcf868dc77685d9c5d
SHA512 476cbba0759c3cd10aa5e5020fcc2df09313671874939ba29871fa4f9d42c5d4b99e8f1b447a2cfd58c175f42151a41240668be4d677d8b0053d4728fc28e095

C:\zjtwhsitvw.bat

MD5 718ee4e1ab9b11ab9741db91eaf0f945
SHA1 ce8bd9ee7d7f8531f5b54d5353b6e5e8a7618638
SHA256 dd92fcc55737c783d17ead98c56d1f40ad16acba3fac147f5ba0ed12a2613140
SHA512 dd78cedc694fa1fda5a6a998ca0c96bdbdfb0466ed95034a5706178850f39191705b925bd74733cacf2819697aeb3299e0b86896147c6d838f599b20fb0ef89b

C:\Program Files (x86)\dddwxyefxortjxoxdddwxy.fxo

MD5 488ec01580ce2d04312e3e1c8923e951
SHA1 ee90f5ed0d639439a1b4901439695689b00b609e
SHA256 28402f02c4795cd927e0292294f92f1c9c0789b221f79dfff3be2268a0476b73
SHA512 8e2af5b21b13f04a6cd762d6f76100440c880fb3b0719b701a0950e884a32559975810d7829b75b1732d407c28b46d889ecabe2e3a8a0fb08df16230f732f0ee

C:\Program Files (x86)\dddwxyefxortjxoxdddwxy.fxo

MD5 468415442f1e0ff134a4a981033a254b
SHA1 e67d788aad54099a0677edb42a698562573f7f74
SHA256 e3de0755a8318921d4677d3b862e931052409f1437f5fbdfa7f31f60ed8d9663
SHA512 c3f5c45edbb22891cefd1403de6afe070bc7129aef665a6447474cdba557377af034ee0527b0acc708c76a97b80b430df4c2b54604227a4906556cf77128528a

C:\Program Files (x86)\dddwxyefxortjxoxdddwxy.fxo

MD5 6defd78024d6fe2fde4e21d318c3f7c2
SHA1 6add3a9b93e00e355b1c14269cf04492adb194f6
SHA256 8252314c2e0519fa4c200e102ff3671ea38b861b36c90c9e60eba5631a1780ee
SHA512 cb6f86dc8e82b83097fcbc1d4183b5d22c02e7a8bac627b1e16c84a866ee91e3c07c2436e07e4439f527b8081e3257d157d428d104b19d57fdf54e5cfe637b67

C:\Program Files (x86)\dddwxyefxortjxoxdddwxy.fxo

MD5 d2d5cffbf2f6e07ba43e017f6612a26f
SHA1 66e8e6976db61e6272f2613f43636445a5c21372
SHA256 3c2b21fb060b7d6b176a693fe7632781860fa7a94ba89fa2c67987c24532a03a
SHA512 384586c264b2b113d819f85ba4548d745dbe5aa822691c8931901fbe1bd069c7f107238d224852521aa0394a1c7c3a4c1a50b36c3088c9f9829a76bf8fd9007e