Analysis Overview
SHA256
5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fd
Threat Level: Known bad
The file 5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies WinLogon for persistence
Adds policy Run key to start application
Disables RegEdit via registry modification
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Impair Defenses: Safe Mode Boot
Adds Run key to start application
Checks whether UAC is enabled
Looks up external IP address via web service
Hijack Execution Flow: Executable Installer File Permissions Weakness
Drops file in System32 directory
Drops autorun.inf file
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
System policy modification
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-30 13:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-30 13:32
Reported
2024-10-30 13:34
Platform
win7-20240903-en
Max time kernel
120s
Max time network
123s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ixgmuwls = "ttnexkkcvpyezyzleee.exe" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ixgmuwls = "spgukurgwntwokir.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ixgmuwls = "ghcuocdwqlvcyyanhije.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ixgmuwls = "spgukurgwntwokir.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxpevgeuldkohedne.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttnexkkcvpyezyzleee.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spgukurgwntwokir.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ixgmuwls = "zxpevgeuldkohedne.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spgukurgwntwokir.exe" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ixgmuwls = "vxtmhwysnjuczadrmoqmf.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ixgmuwls = "ttnexkkcvpyezyzleee.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vxtmhwysnjuczadrmoqmf.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxpevgeuldkohedne.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ixgmuwls = "vxtmhwysnjuczadrmoqmf.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihaqiutkcvdicaaldc.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ghcuocdwqlvcyyanhije.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ixgmuwls = "ihaqiutkcvdicaaldc.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihaqiutkcvdicaaldc.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\vhnqv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spgukurgwntwokir.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sjucmqhqal = "ihaqiutkcvdicaaldc.exe ." | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\zpzgpsiqz = "vxtmhwysnjuczadrmoqmf.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sjucmqhqal = "ihaqiutkcvdicaaldc.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nfralqisdpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxpevgeuldkohedne.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\zpzgpsiqz = "zxpevgeuldkohedne.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gtaekk = "spgukurgwntwokir.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtaekk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttnexkkcvpyezyzleee.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtaekk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttnexkkcvpyezyzleee.exe" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "ghcuocdwqlvcyyanhije.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "vxtmhwysnjuczadrmoqmf.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtaekk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxpevgeuldkohedne.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtaekk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vxtmhwysnjuczadrmoqmf.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nfralqisdpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spgukurgwntwokir.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\zpzgpsiqz = "ghcuocdwqlvcyyanhije.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sjucmqhqal = "ghcuocdwqlvcyyanhije.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sjucmqhqal = "zxpevgeuldkohedne.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sjucmqhqal = "ttnexkkcvpyezyzleee.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "spgukurgwntwokir.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtaekk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxpevgeuldkohedne.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nfralqisdpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxpevgeuldkohedne.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtaekk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttnexkkcvpyezyzleee.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gtaekk = "vxtmhwysnjuczadrmoqmf.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\zpzgpsiqz = "ttnexkkcvpyezyzleee.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtaekk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spgukurgwntwokir.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttnexkkcvpyezyzleee.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kdqamslwivxw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttnexkkcvpyezyzleee.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gtaekk = "ihaqiutkcvdicaaldc.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "ttnexkkcvpyezyzleee.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nfralqisdpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ghcuocdwqlvcyyanhije.exe ." | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gtaekk = "ihaqiutkcvdicaaldc.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nfralqisdpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihaqiutkcvdicaaldc.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nfralqisdpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vxtmhwysnjuczadrmoqmf.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gtaekk = "vxtmhwysnjuczadrmoqmf.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kdqamslwivxw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihaqiutkcvdicaaldc.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\zpzgpsiqz = "ghcuocdwqlvcyyanhije.exe" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spgukurgwntwokir.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nfralqisdpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spgukurgwntwokir.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sjucmqhqal = "ttnexkkcvpyezyzleee.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\zpzgpsiqz = "ihaqiutkcvdicaaldc.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gtaekk = "ihaqiutkcvdicaaldc.exe" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtaekk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\spgukurgwntwokir.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gtaekk = "zxpevgeuldkohedne.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nfralqisdpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihaqiutkcvdicaaldc.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "ihaqiutkcvdicaaldc.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\zpzgpsiqz = "vxtmhwysnjuczadrmoqmf.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihaqiutkcvdicaaldc.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sjucmqhqal = "vxtmhwysnjuczadrmoqmf.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sjucmqhqal = "ghcuocdwqlvcyyanhije.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kdqamslwivxw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttnexkkcvpyezyzleee.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\gtaekk = "ttnexkkcvpyezyzleee.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttnexkkcvpyezyzleee.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "zxpevgeuldkohedne.exe ." | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ttnexkkcvpyezyzleee.exe ." | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\sjucmqhqal = "spgukurgwntwokir.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtaekk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\vxtmhwysnjuczadrmoqmf.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zxpevgeuldkohedne.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\zpzgpsiqz = "ghcuocdwqlvcyyanhije.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nfralqisdpq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ghcuocdwqlvcyyanhije.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\gtaekk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihaqiutkcvdicaaldc.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kdqamslwivxw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ghcuocdwqlvcyyanhije.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\zpzgpsiqz = "ihaqiutkcvdicaaldc.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\thpubcq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ihaqiutkcvdicaaldc.exe ." | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\kdqamslwivxw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ghcuocdwqlvcyyanhije.exe" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\zpzgpsiqz = "zxpevgeuldkohedne.exe" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\zxpevgeuldkohedne.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ihaqiutkcvdicaaldc.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File created | C:\Windows\SysWOW64\kfugucxkynrsicyftojykygbocrvwmgcjxsn.ock | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ihaqiutkcvdicaaldc.exe | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zxpevgeuldkohedne.exe | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ttnexkkcvpyezyzleee.exe | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vxtmhwysnjuczadrmoqmf.exe | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mpmgcsvqmjveceixtwzwqm.exe | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ihaqiutkcvdicaaldc.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ttnexkkcvpyezyzleee.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ghcuocdwqlvcyyanhije.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\spgukurgwntwokir.exe | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mpmgcsvqmjveceixtwzwqm.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fptuxuegjngwbkvrueostwtdf.mfv | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File created | C:\Windows\SysWOW64\fptuxuegjngwbkvrueostwtdf.mfv | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ghcuocdwqlvcyyanhije.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\spgukurgwntwokir.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mpmgcsvqmjveceixtwzwqm.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vxtmhwysnjuczadrmoqmf.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\kfugucxkynrsicyftojykygbocrvwmgcjxsn.ock | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ghcuocdwqlvcyyanhije.exe | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\vxtmhwysnjuczadrmoqmf.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\spgukurgwntwokir.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ttnexkkcvpyezyzleee.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zxpevgeuldkohedne.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\fptuxuegjngwbkvrueostwtdf.mfv | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File created | C:\Program Files (x86)\fptuxuegjngwbkvrueostwtdf.mfv | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Program Files (x86)\kfugucxkynrsicyftojykygbocrvwmgcjxsn.ock | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File created | C:\Program Files (x86)\kfugucxkynrsicyftojykygbocrvwmgcjxsn.ock | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\fptuxuegjngwbkvrueostwtdf.mfv | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\vxtmhwysnjuczadrmoqmf.exe | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| File opened for modification | C:\Windows\mpmgcsvqmjveceixtwzwqm.exe | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| File opened for modification | C:\Windows\spgukurgwntwokir.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\ihaqiutkcvdicaaldc.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\ttnexkkcvpyezyzleee.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\ghcuocdwqlvcyyanhije.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\zxpevgeuldkohedne.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\ttnexkkcvpyezyzleee.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\spgukurgwntwokir.exe | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| File opened for modification | C:\Windows\zxpevgeuldkohedne.exe | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| File opened for modification | C:\Windows\ihaqiutkcvdicaaldc.exe | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| File opened for modification | C:\Windows\ihaqiutkcvdicaaldc.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\fptuxuegjngwbkvrueostwtdf.mfv | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File created | C:\Windows\kfugucxkynrsicyftojykygbocrvwmgcjxsn.ock | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\zxpevgeuldkohedne.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\vxtmhwysnjuczadrmoqmf.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\mpmgcsvqmjveceixtwzwqm.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\kfugucxkynrsicyftojykygbocrvwmgcjxsn.ock | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\vxtmhwysnjuczadrmoqmf.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\mpmgcsvqmjveceixtwzwqm.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\ttnexkkcvpyezyzleee.exe | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| File opened for modification | C:\Windows\ghcuocdwqlvcyyanhije.exe | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| File opened for modification | C:\Windows\spgukurgwntwokir.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| File opened for modification | C:\Windows\ghcuocdwqlvcyyanhije.exe | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |
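Added example (Python; not part of this sandbox report): grades each policy write in the table above against the stock Windows value and groups the weakening writes by process. POLICY_ROWS is a constructed subset copied from the table; DEFAULTS holds the Windows 7/10 defaults for the HKLM\...\Policies\System values and the 0x91 NoDriveTypeAutoRun mask; the parser assumes the report's pipe-delimited row layout.

```python
"""Grade the "System policy modification" writes against Windows defaults.

Added example, not part of the sandbox report. POLICY_ROWS is a constructed
subset of the report table; DEFAULTS are the stock Windows 7/10 values.
"""
from collections import defaultdict

# Constructed input: rows copied from the report, including a repeat and a
# 'Key created' row that carries no value.
POLICY_ROWS = [
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\thpubcq.exe | N/A |',
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |',
    r'| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe | N/A |',
]

# name -> (Windows default, value(s) that weaken the control, what the weak value means)
DEFAULTS = {
    "EnableLUA":                   (1, {0}, "UAC off entirely (effective after reboot)"),
    "ConsentPromptBehaviorAdmin":  (5, {0}, "administrators elevate with no prompt at all"),
    "ConsentPromptBehaviorUser":   (3, {0}, "standard users are silently denied elevation"),
    "PromptOnSecureDesktop":       (1, {0}, "UAC prompt drawn on the normal desktop, so it can be spoofed"),
    "EnableSecureUIAPaths":        (1, {0}, "UIAccess applications may run from any path"),
    "EnableVirtualization":        (1, {0}, "file/registry virtualization off for legacy apps"),
    "FilterAdministratorToken":    (0, {0}, "built-in Administrator unfiltered (already the default)"),
    "ValidateAdminCodeSignatures": (0, {0}, "no signature check on elevation (already the default)"),
    "DisableRegistryTools":        (0, {1}, "regedit refuses to start for affected users"),
}

# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is DISABLED.
# The stock value 0x91 disables it for unknown (0x01), network (0x10), other (0x80).
DRIVE_BITS = {0x01: "unknown", 0x04: "removable", 0x08: "fixed", 0x10: "network",
              0x20: "cdrom", 0x40: "ramdisk", 0x80: "other"}
DEFAULT_NODRIVE = 0x91


def reenabled_drive_types(value):
    """Drive types for which the written mask re-enables AutoRun, relative to the default."""
    cleared = DEFAULT_NODRIVE & ~value
    return [name for bit, name in DRIVE_BITS.items() if cleared & bit]


def parse_policy_rows(rows):
    """Turn '| Set value (int) | <key>\\<name> = "<v>" | <process> | N/A |' rows into dicts."""
    out = []
    for line in rows:
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not cells[0].startswith("Set value"):
            continue  # 'Key created' and similar rows carry no value
        path, _, raw = cells[1].partition(" = ")
        key, _, name = path.rpartition("\\")
        value = int(raw.strip('"')) if "(int)" in cells[0] else raw.strip('"')
        out.append({"key": key, "name": name, "value": value, "process": cells[2]})
    return out


def assess(row):
    name, value = row["name"], row["value"]
    if name == "NoDriveTypeAutoRun":
        types = reenabled_drive_types(value)
        verdict = "weakens" if types else "unchanged"
        note = "AutoRun re-enabled for: " + ", ".join(types) if types else "no drive type re-enabled"
    elif name in DEFAULTS:
        default, weak, note = DEFAULTS[name]
        verdict = "unchanged" if value == default else "weakens" if value in weak else "non-default"
    else:
        verdict, note = "unknown", "not in baseline"
    return {**row, "verdict": verdict, "note": note}


def assess_rows(rows):
    """One finding per distinct (process, key, name, value); the report repeats writes."""
    seen, findings = set(), []
    for row in parse_policy_rows(rows):
        ident = (row["process"], row["key"], row["name"], row["value"])
        if ident not in seen:
            seen.add(ident)
            findings.append(assess(row))
    return findings


def weakened_by_process(findings):
    out = defaultdict(set)
    for f in findings:
        if f["verdict"] == "weakens":
            out[f["process"].rsplit("\\", 1)[-1]].add(f["name"])
    return dict(out)


if __name__ == "__main__":
    for f in assess_rows(POLICY_ROWS):
        print(f"{f['verdict']:10} {f['name']}={f['value']}  ({f['note']})")
    print(weakened_by_process(assess_rows(POLICY_ROWS)))
```

Two points the signature names above do not spell out: FilterAdministratorToken=0 and ValidateAdminCodeSignatures=0 are already the defaults, so those writes change nothing; and NoDriveTypeAutoRun=1 only clears the network and "other" bits of the default 0x91 mask, which on a patched Windows 7 image (KB971029 and later) affects nothing but optical media, so the dropped autorun.inf is a spread attempt rather than a guaranteed execution path.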
Processes
C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe
"C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe"
C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe
"C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe" "c:\users\admin\appdata\local\temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdn.exe*"
C:\Users\Admin\AppData\Local\Temp\thpubcq.exe
"C:\Users\Admin\AppData\Local\Temp\thpubcq.exe" "-C:\Users\Admin\AppData\Local\Temp\spgukurgwntwokir.exe"
C:\Users\Admin\AppData\Local\Temp\thpubcq.exe
"C:\Users\Admin\AppData\Local\Temp\thpubcq.exe" "-C:\Users\Admin\AppData\Local\Temp\spgukurgwntwokir.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.223.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.baidu.com | udp |
| HK | 103.235.46.96:80 | www.baidu.com | tcp |
| LV | 46.109.100.217:43167 | | tcp |
| US | 8.8.8.8:53 | kmeggs.org | udp |
| US | 8.8.8.8:53 | vkovxae.com | udp |
| US | 8.8.8.8:53 | fkavvanx.info | udp |
| US | 8.8.8.8:53 | kavtbvqf.info | udp |
| DE | 85.214.228.140:80 | kavtbvqf.info | tcp |
| US | 8.8.8.8:53 | vdnazgbzbzb.org | udp |
| LV | 46.109.100.217:43167 | | tcp |
| US | 8.8.8.8:53 | jrixau.net | udp |
| US | 8.8.8.8:53 | kkgyko.org | udp |
| US | 8.8.8.8:53 | wwuqguawcqqw.com | udp |
| US | 8.8.8.8:53 | ymgqnsy.net | udp |
| US | 8.8.8.8:53 | sejibalqxar.net | udp |
| US | 54.244.188.177:80 | sejibalqxar.net | tcp |
| US | 8.8.8.8:53 | wrdoalxzylri.info | udp |
| US | 8.8.8.8:53 | egksyqv.info | udp |
| US | 208.100.26.245:80 | egksyqv.info | tcp |
| US | 8.8.8.8:53 | jqrmkhuihie.org | udp |
| US | 8.8.8.8:53 | rplepif.org | udp |
| US | 8.8.8.8:53 | aplvtllaxnd.net | udp |
| US | 8.8.8.8:53 | aoaomsig.org | udp |
| US | 8.8.8.8:53 | pnfmjmvwlcx.org | udp |
| US | 8.8.8.8:53 | cgsicyecokuq.org | udp |
| US | 8.8.8.8:53 | xlacfsfi.info | udp |
| US | 8.8.8.8:53 | tenkfcxb.info | udp |
| US | 8.8.8.8:53 | xwujeiv.org | udp |
| US | 8.8.8.8:53 | afjhxq.net | udp |
| US | 8.8.8.8:53 | wclkqrqe.net | udp |
| US | 8.8.8.8:53 | gqxwros.info | udp |
| US | 8.8.8.8:53 | lqfmrehenhc.net | udp |
| US | 8.8.8.8:53 | xmnenarat.net | udp |
| US | 8.8.8.8:53 | mmxsjopqz.info | udp |
| US | 8.8.8.8:53 | vqhclzq.org | udp |
| US | 8.8.8.8:53 | aokuummcga.org | udp |
| US | 8.8.8.8:53 | oodgre.net | udp |
| US | 8.8.8.8:53 | axkuzetoxufc.net | udp |
| US | 8.8.8.8:53 | fnpkkbwbra.net | udp |
| US | 8.8.8.8:53 | xerqiiou.net | udp |
| US | 8.8.8.8:53 | mstzinxivqi.info | udp |
| US | 8.8.8.8:53 | qqwayiokkaik.org | udp |
| US | 8.8.8.8:53 | gwvkgix.net | udp |
| US | 8.8.8.8:53 | miokgksskwum.com | udp |
| US | 8.8.8.8:53 | pxwwhhrxnpal.net | udp |
| US | 8.8.8.8:53 | uqgymo.org | udp |
| US | 8.8.8.8:53 | susymk.org | udp |
| US | 8.8.8.8:53 | mmvscncodmv.net | udp |
| US | 8.8.8.8:53 | jzwhtwpalq.net | udp |
| US | 8.8.8.8:53 | jlmyvkyzje.info | udp |
| US | 8.8.8.8:53 | havbtylo.net | udp |
| US | 8.8.8.8:53 | ssrgvlsglmn.net | udp |
| US | 8.8.8.8:53 | xsncormab.net | udp |
| US | 8.8.8.8:53 | agemigrodgx.info | udp |
| US | 8.8.8.8:53 | myocswemuq.org | udp |
| US | 8.8.8.8:53 | mucnrwpswz.net | udp |
| US | 8.8.8.8:53 | iuqqeiugkegg.com | udp |
| US | 8.8.8.8:53 | fumndilz.info | udp |
| US | 8.8.8.8:53 | mqjerubxfin.net | udp |
| US | 8.8.8.8:53 | catdtirlxee.net | udp |
| US | 8.8.8.8:53 | tcrqlxrafmkf.net | udp |
| US | 8.8.8.8:53 | bvswoq.net | udp |
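Added example (Python; not from this report): separates the names the sample only looked up from the ones it actually connected to, pulls out the public IP-echo services and the direct-to-IP connection, and flags the many-lookups-few-connections pattern. NETWORK_ROWS is a constructed subset of the table above, including one row in the shifted layout the report prints when no domain was recorded; the "myip" substring test and the two thresholds are illustrative assumptions, not tuned detections.

```python
"""Triage the sandbox Network table.

Added example, not part of the sandbox report. NETWORK_ROWS is a constructed
subset of the report's Network table.
"""

NETWORK_ROWS = [
    "| US | 8.8.8.8:53 | www.whatismyip.com | udp |",
    "| US | 104.27.206.92:80 | www.whatismyip.com | tcp |",
    "| US | 8.8.8.8:53 | www.whatismyip.ca | udp |",
    "| US | 8.8.8.8:53 | www.baidu.com | udp |",
    "| HK | 103.235.46.96:80 | www.baidu.com | tcp |",
    "| LV | 46.109.100.217:43167 | | tcp |",
    "| US | 8.8.8.8:53 | kavtbvqf.info | udp |",
    "| DE | 85.214.228.140:80 | kavtbvqf.info | tcp |",
    "| US | 8.8.8.8:53 | vkovxae.com | udp |",
    "| US | 8.8.8.8:53 | fkavvanx.info | udp |",
    "| LV | 46.109.100.217:43167 | tcp | |",   # as printed in the report: no domain, columns shifted
    "| US | 8.8.8.8:53 | jrixau.net | udp |",
]


def parse_network(rows):
    """Parse '| Country | Destination | Domain | Proto |' rows, tolerating the shifted form."""
    events = []
    for line in rows:
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        if domain in ("tcp", "udp") and proto == "":   # no domain: protocol slid into the Domain column
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        events.append({"country": country, "ip": ip, "port": int(port),
                       "domain": domain.lower(), "proto": proto})
    return events


def is_ip_echo_service(domain):
    # Assumption: every public "what is my IP" service in this report carries 'myip' in its name.
    return "myip" in domain


def triage(events, min_unresolved=3, min_ratio=0.5):
    """Return the sets worth hunting on plus a lookup-burst flag.

    The sandbox records the query, not the answer, so "looked up but never
    connected" covers both NXDOMAIN and a resolved name that was never used.
    Either way, many names asked for and few talked to is the shape a
    DGA-style fallback produces; the thresholds are illustrative.
    """
    queried = {e["domain"] for e in events if e["proto"] == "udp" and e["port"] == 53 and e["domain"]}
    connected = {e["domain"] for e in events if e["proto"] == "tcp" and e["domain"]}
    echo = {d for d in queried | connected if is_ip_echo_service(d)}
    dns_only = queried - connected
    unresolved = dns_only - echo
    candidates = queried - echo
    ratio = len(unresolved) / len(candidates) if candidates else 0.0
    direct_ip = {(e["ip"], e["port"]) for e in events if e["proto"] == "tcp" and not e["domain"]}
    tcp_endpoints = sorted({(e["ip"], e["port"], e["domain"]) for e in events if e["proto"] == "tcp"})
    return {
        "queried": queried,
        "connected": connected,
        "dns_only": dns_only,
        "ip_echo_services": echo,
        "direct_ip": direct_ip,
        "tcp_endpoints": tcp_endpoints,
        "unresolved_ratio": ratio,
        "lookup_burst": len(unresolved) >= min_unresolved and ratio >= min_ratio,
    }


if __name__ == "__main__":
    for key, value in triage(parse_network(NETWORK_ROWS)).items():
        print(f"{key}: {value}")
```

On the full table the same split leaves three algorithmic-looking names that did receive a TCP connection (kavtbvqf.info, sejibalqxar.net, egksyqv.info) and one connection with no name at all (46.109.100.217:43167); those four endpoints are the pivot points, while the IP-echo services and www.baidu.com are connectivity and geolocation checks rather than infrastructure.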
Files
\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe
| MD5 | bd53a3b959a07e7bd8e5e298fce15ef0 |
| SHA1 | 449903a926b84be86fec08d7abad20cb2a60b2b7 |
| SHA256 | a1377b5569d1be59695bf735e529200499c5e5a84882412a7324b1b953663acc |
| SHA512 | 17c779d1e83e72fab21cd198e10fe0413fb9f7a2eb933df16fc84a23809eb2bd563e234aec854d21727e36f73cfd7d3b47a57fe8cddf9fce08e322acf5f21903 |
C:\Windows\SysWOW64\ihaqiutkcvdicaaldc.exe
| MD5 | db1b7ac55a245032f066060d23d00630 |
| SHA1 | 8b968e1eee41e0f4b2f030e672a609e65a7f7618 |
| SHA256 | 5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fd |
| SHA512 | b78051b0d851c883afe6005c16e442ce48cd137aec83a8e3a4d24f11187d41706c42bc63483834d1bb51e2fb950ac253f385714f9cf8b466f4b61c915dea72eb |
\Users\Admin\AppData\Local\Temp\thpubcq.exe
| MD5 | 26fac8b713cb236a1a9620a824d442ae |
| SHA1 | f14f98c56a1d42858ee73dbe76565492e62774cc |
| SHA256 | b623cbf2311c91633dfdd154cdeca5ac4109e1e4277d1e922e2d1e57dbf9a9b9 |
| SHA512 | 6ec38d247aac71a823f7c273b8d6c1e88037b6cc29ff9fe0991b723c8131516fb828d22f473d1e20468b66a696cadc0a915d0fecd75d738f6ccd6b184f859e34 |
C:\Users\Admin\AppData\Local\fptuxuegjngwbkvrueostwtdf.mfv
| MD5 | 93cedafa8f0bb470a692579d446e8b47 |
| SHA1 | d01c617c3d0e629d4b61e461ea5408b9c1a0855f |
| SHA256 | 18e1f9b469e13f48a243b2af1075f0111ada53ed15e37f278c97a752d673db34 |
| SHA512 | b65b54ad95e3f4e41faa6eaa6e987867d79da930c9d6adb816004c5621f5ad671665f984917cd4730cc5232f83ea4805c98ab1c056518068e7db5e43eb80c1f2 |
C:\Users\Admin\AppData\Local\kfugucxkynrsicyftojykygbocrvwmgcjxsn.ock
| MD5 | fcfb5944bbe2ecc528ef9a8924f1dc0e |
| SHA1 | dc86298fe0d0c5efc8643d75e51f299cea5fed29 |
| SHA256 | edc55c869cae4e13b8a61d72333363d5bcf06c47923d0025d57cdf300795855e |
| SHA512 | cb529fd60511e8156d56c9c0e704b64c0fad54a440ae73e19e141917cb782332c245fd693d366e8c1f9c2fbaa857ddb7265bd97860041d588710615809a44027 |
C:\Program Files (x86)\fptuxuegjngwbkvrueostwtdf.mfv
| MD5 | c6420d61fe64abd61e4a8f13b0d052bc |
| SHA1 | 257e479143d15d6d940d5c9d35ec7b3c3814e6b1 |
| SHA256 | 227b7cffd5cfaa69f97e19785fbf8a673c137557f671b90e4cfc08ce5af2a66e |
| SHA512 | df6627885f8c879e86526b53c06b0efb80616eb642150fb599345c2bb54cc7d6faac3a86fd84ca8f23164e218df6c417c261090517e25f2bc4e0958016247246 |
C:\Users\Admin\AppData\Local\fptuxuegjngwbkvrueostwtdf.mfv
| MD5 | 346541167fb41914febebb2464a0d2af |
| SHA1 | dfb0973b8adabc9baf0bdb426930e5f8dff514d5 |
| SHA256 | fc07ab9ad913d1d7ac148821c04514ff3ce8719ae2c8189b6579aeb6e6520614 |
| SHA512 | 345e148c3ac34df401ed1bcdd7b7d450c43c2441179ed2abb0c73007afc7e7cfe3d28ef933a628cd1f0459471140d90f6f80c929c7c7f441d37692783feeb322 |
C:\Users\Admin\AppData\Local\fptuxuegjngwbkvrueostwtdf.mfv
| MD5 | 4ea868960da9e2f4c795d06e153fc2d1 |
| SHA1 | 1b3bc2a7f7e08b0aee8b8ad7ea911d7706a3be3f |
| SHA256 | 4d021d4de66891e9989fc5c7770986a2b1dbbacb88f0a1479c32c4217bffce54 |
| SHA512 | 78495269dc307e83a2fd50298eca87fc19f468260513b532125b6612d387c2802aff416019c1261d27e3940520ac9c87cbd90f991a5bcda585acc67f1f16a075 |
C:\Users\Admin\AppData\Local\fptuxuegjngwbkvrueostwtdf.mfv
| MD5 | 7896693213d91302f895264499867ddf |
| SHA1 | 1982ac7352dbfdd42e783c22ca079b8d514b1572 |
| SHA256 | 2204e4c408cd695f387bc7f2eab66a81726618de09ffcec4ce6488051b4810d7 |
| SHA512 | d2edb27a6456ec0e363cf88181e78fc70477e10f4b3cc9ca000c314589133372b770cb4580e6bc7d8ddcd2d25eaebf3de5471c5beb2363f7c05799adcd2ced34 |
C:\Users\Admin\AppData\Local\fptuxuegjngwbkvrueostwtdf.mfv
| MD5 | ed894282104c791eac32343835400ae9 |
| SHA1 | 3c487f1c3ecd881f99510f84369283995f2319b4 |
| SHA256 | 29653692d357aa785867b769388c6e40ba40c6a73174717e869b8a88f6d4c97e |
| SHA512 | a37e04330da70ef1b10e411beb2c7751f8ad82a7dd900a59ee1ee81ca622debb6821ad9be41d206659e6c354e92ad19d45bb644ff24497c37fe38b6a7afd0577 |
C:\Users\Admin\AppData\Local\fptuxuegjngwbkvrueostwtdf.mfv
| MD5 | 9c251e3e313af755f34ccdd53d8bffd3 |
| SHA1 | 16a6b98c30b40ec6b98827d1e7516ccfe2e522cb |
| SHA256 | 1c8384983c652b0b303fff4e1bd7275da50b47e7d30c7697087cd8487e5b3437 |
| SHA512 | 05b7736d0e7e5709315b7ecba8237bc19ffdadbabca034952bd8b3030d5bf6ed90330160965dff5728d9b99f90123e12738afd25751dd3766397563455a7dc8b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-30 13:32
Reported
2024-10-30 13:34
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpyakujtu = "atmysmlfqawrahrtsle.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpyakujtu = "cxsgcyzviuspajvzavqea.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhbojeezlwtpzhsvvpjw.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atmysmlfqawrahrtsle.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpyakujtu = "phzkdwunxgbvdjstrj.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpfofwsjryrjptaz.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpyakujtu = "nhbojeezlwtpzhsvvpjw.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpyakujtu = "zpfofwsjryrjptaz.exe" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpyakujtu = "atmysmlfqawrahrtsle.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpyakujtu = "zpfofwsjryrjptaz.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atmysmlfqawrahrtsle.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpyakujtu = "nhbojeezlwtpzhsvvpjw.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpyakujtu = "gxoyqifxgoibinvvs.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxoyqifxgoibinvvs.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpyakujtu = "zpfofwsjryrjptaz.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhbojeezlwtpzhsvvpjw.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxsgcyzviuspajvzavqea.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxsgcyzviuspajvzavqea.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpfofwsjryrjptaz.exe" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxoyqifxgoibinvvs.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\gpyakujtu = "phzkdwunxgbvdjstrj.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ntzyfm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpfofwsjryrjptaz.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahoower = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phzkdwunxgbvdjstrj.exe" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ufqugsjvyao = "zpfofwsjryrjptaz.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahoower = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxoyqifxgoibinvvs.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahoower = "zpfofwsjryrjptaz.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdqwkyrfkoetw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpfofwsjryrjptaz.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahoower = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhbojeezlwtpzhsvvpjw.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdpuhumzdgvj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atmysmlfqawrahrtsle.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxsgcyzviuspajvzavqea.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phzkdwunxgbvdjstrj.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "cxsgcyzviuspajvzavqea.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ufqugsjvyao = "cxsgcyzviuspajvzavqea.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ufqugsjvyao = "phzkdwunxgbvdjstrj.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxoyqifxgoibinvvs.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdqwkyrfkoetw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phzkdwunxgbvdjstrj.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahoower = "cxsgcyzviuspajvzavqea.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxoyqifxgoibinvvs.exe ." | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "nhbojeezlwtpzhsvvpjw.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zjtwhsitvw = "gxoyqifxgoibinvvs.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdpuhumzdgvj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxsgcyzviuspajvzavqea.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdpuhumzdgvj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atmysmlfqawrahrtsle.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdpuhumzdgvj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpfofwsjryrjptaz.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ufqugsjvyao = "atmysmlfqawrahrtsle.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdqwkyrfkoetw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxsgcyzviuspajvzavqea.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahoower = "atmysmlfqawrahrtsle.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxsgcyzviuspajvzavqea.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ufqugsjvyao = "gxoyqifxgoibinvvs.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahoower = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phzkdwunxgbvdjstrj.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atmysmlfqawrahrtsle.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "zpfofwsjryrjptaz.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zjtwhsitvw = "zpfofwsjryrjptaz.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "nhbojeezlwtpzhsvvpjw.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zjtwhsitvw = "gxoyqifxgoibinvvs.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdpuhumzdgvj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxsgcyzviuspajvzavqea.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahoower = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxsgcyzviuspajvzavqea.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "atmysmlfqawrahrtsle.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zjtwhsitvw = "atmysmlfqawrahrtsle.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ufqugsjvyao = "nhbojeezlwtpzhsvvpjw.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahoower = "cxsgcyzviuspajvzavqea.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zjtwhsitvw = "phzkdwunxgbvdjstrj.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahoower = "zpfofwsjryrjptaz.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zjtwhsitvw = "cxsgcyzviuspajvzavqea.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdqwkyrfkoetw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atmysmlfqawrahrtsle.exe" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "gxoyqifxgoibinvvs.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahoower = "gxoyqifxgoibinvvs.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdqwkyrfkoetw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpfofwsjryrjptaz.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdqwkyrfkoetw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxoyqifxgoibinvvs.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ufqugsjvyao = "gxoyqifxgoibinvvs.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atmysmlfqawrahrtsle.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhbojeezlwtpzhsvvpjw.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahoower = "nhbojeezlwtpzhsvvpjw.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zjtwhsitvw = "phzkdwunxgbvdjstrj.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "gxoyqifxgoibinvvs.exe ." | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdpuhumzdgvj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhbojeezlwtpzhsvvpjw.exe ." | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ahoower = "phzkdwunxgbvdjstrj.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zjtwhsitvw = "atmysmlfqawrahrtsle.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zjtwhsitvw = "zpfofwsjryrjptaz.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ufqugsjvyao = "cxsgcyzviuspajvzavqea.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahoower = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpfofwsjryrjptaz.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pxfgpymv = "phzkdwunxgbvdjstrj.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ufqugsjvyao = "gxoyqifxgoibinvvs.exe ." | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ufqugsjvyao = "atmysmlfqawrahrtsle.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\zjtwhsitvw = "gxoyqifxgoibinvvs.exe" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qdqwkyrfkoetw = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxsgcyzviuspajvzavqea.exe" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdpuhumzdgvj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phzkdwunxgbvdjstrj.exe ." | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File opened for modification | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File created | F:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File created | C:\autorun.inf | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\tplaxuwthutrdnafhdzoli.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tplaxuwthutrdnafhdzoli.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\dddwxyefxortjxoxdddwxy.fxo | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\phzkdwunxgbvdjstrj.exe | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\atmysmlfqawrahrtsle.exe | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\phzkdwunxgbvdjstrj.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cxsgcyzviuspajvzavqea.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cxsgcyzviuspajvzavqea.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nhbojeezlwtpzhsvvpjw.exe | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\tplaxuwthutrdnafhdzoli.exe | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gxoyqifxgoibinvvs.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\atmysmlfqawrahrtsle.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zpfofwsjryrjptaz.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gxoyqifxgoibinvvs.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\phzkdwunxgbvdjstrj.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nhbojeezlwtpzhsvvpjw.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\gxoyqifxgoibinvvs.exe | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cxsgcyzviuspajvzavqea.exe | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zpfofwsjryrjptaz.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\atmysmlfqawrahrtsle.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File created | C:\Windows\SysWOW64\dddwxyefxortjxoxdddwxy.fxo | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File created | C:\Windows\SysWOW64\ufqugsjvyaobcbdxozkoamdpsuivwvxri.eiu | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zpfofwsjryrjptaz.exe | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\nhbojeezlwtpzhsvvpjw.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ufqugsjvyaobcbdxozkoamdpsuivwvxri.eiu | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\ufqugsjvyaobcbdxozkoamdpsuivwvxri.eiu | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Program Files (x86)\dddwxyefxortjxoxdddwxy.fxo | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File created | C:\Program Files (x86)\dddwxyefxortjxoxdddwxy.fxo | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ufqugsjvyaobcbdxozkoamdpsuivwvxri.eiu | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\cxsgcyzviuspajvzavqea.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\atmysmlfqawrahrtsle.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\dddwxyefxortjxoxdddwxy.fxo | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\ufqugsjvyaobcbdxozkoamdpsuivwvxri.eiu | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\nhbojeezlwtpzhsvvpjw.exe | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| File opened for modification | C:\Windows\cxsgcyzviuspajvzavqea.exe | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| File opened for modification | C:\Windows\tplaxuwthutrdnafhdzoli.exe | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| File opened for modification | C:\Windows\phzkdwunxgbvdjstrj.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\nhbojeezlwtpzhsvvpjw.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\nhbojeezlwtpzhsvvpjw.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\cxsgcyzviuspajvzavqea.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\zpfofwsjryrjptaz.exe | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| File opened for modification | C:\Windows\gxoyqifxgoibinvvs.exe | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| File opened for modification | C:\Windows\phzkdwunxgbvdjstrj.exe | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| File opened for modification | C:\Windows\atmysmlfqawrahrtsle.exe | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| File opened for modification | C:\Windows\zpfofwsjryrjptaz.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\gxoyqifxgoibinvvs.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\atmysmlfqawrahrtsle.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File created | C:\Windows\dddwxyefxortjxoxdddwxy.fxo | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\tplaxuwthutrdnafhdzoli.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\zpfofwsjryrjptaz.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\gxoyqifxgoibinvvs.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\phzkdwunxgbvdjstrj.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File opened for modification | C:\Windows\tplaxuwthutrdnafhdzoli.exe | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| File created | C:\Windows\ufqugsjvyaobcbdxozkoamdpsuivwvxri.eiu | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ahoower.exe | N/A |
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe | "C:\Users\Admin\AppData\Local\Temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdN.exe" |
| C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe | "C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe" "c:\users\admin\appdata\local\temp\5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fdn.exe*" |
| C:\Users\Admin\AppData\Local\Temp\ahoower.exe | "C:\Users\Admin\AppData\Local\Temp\ahoower.exe" "-C:\Users\Admin\AppData\Local\Temp\zpfofwsjryrjptaz.exe" |
| C:\Users\Admin\AppData\Local\Temp\ahoower.exe | "C:\Users\Admin\AppData\Local\Temp\ahoower.exe" "-C:\Users\Admin\AppData\Local\Temp\zpfofwsjryrjptaz.exe" |
Network
Files
C:\Users\Admin\AppData\Local\Temp\oqersrtnyao.exe
| MD5 | e97bdffa3003bce29426e78ff0a9b89e |
| SHA1 | 4680bca864946d45d9c1ef9d195011bba8704380 |
| SHA256 | 856b0722fb88c9f9d25149acd22c499146077225b0177be47e7137810b39b6e1 |
| SHA512 | 6895ca6df7292f0b66d48f125570d7192ebc152a65749851c3fc68ddb0bf95a4ae025f43af7dd65d177856132c70cd70c846920a649a6055579acbfb1fa3c320 |
C:\Windows\SysWOW64\phzkdwunxgbvdjstrj.exe
| MD5 | db1b7ac55a245032f066060d23d00630 |
| SHA1 | 8b968e1eee41e0f4b2f030e672a609e65a7f7618 |
| SHA256 | 5af9b60910a74aec64dc3c1e407411e7aff0f57bd8fed6fd3143606dea2d43fd |
| SHA512 | b78051b0d851c883afe6005c16e442ce48cd137aec83a8e3a4d24f11187d41706c42bc63483834d1bb51e2fb950ac253f385714f9cf8b466f4b61c915dea72eb |
C:\Users\Admin\AppData\Local\Temp\ahoower.exe
| MD5 | 5148bce28fd1bc7f6b23e61d45efbef2 |
| SHA1 | 523a00e12c40d52bff59f041cff96d202c6f0a47 |
| SHA256 | 1b1b4f59201354f38807cb1b1a4356818d15039c575e6de3b67c4b2e45946e6c |
| SHA512 | ab88175cbc36cd9eac46ce418e328bdab3c1124e416e678547d5621256945d015195cee0f0a0b10f4c42d1afb1215635001d0a498b31475162dd80bcc269b05f |
C:\Users\Admin\AppData\Local\dddwxyefxortjxoxdddwxy.fxo
| MD5 | 07a51e18b6a73fbaa71fc2f540875e1b |
| SHA1 | 0297a65ea93d774209e0751eecdd15a594442ce6 |
| SHA256 | 1474afd9f1b50b2ba266efcf92442fcbb4124de88c4e4d0851cf31e518b627ce |
| SHA512 | bf304565b0bf3211a134f8a59818eb7a90153cb7a2dcaaf1ff2bb0fa2d770b77cd0d3a3caeb590ecbb4a5e18efb92d75518c2d325629f1ab2f3af1756eb722c1 |
C:\Users\Admin\AppData\Local\ufqugsjvyaobcbdxozkoamdpsuivwvxri.eiu
| MD5 | 406ce504fdfa8eadaecb54f2506e2b32 |
| SHA1 | 113eacdee034471b67360bdb096718c33f10642d |
| SHA256 | 7856ae62ab9bcbab8cc3b0192e6ce22e70d16b6baae24fc6ffa3e58b5b3b46fd |
| SHA512 | ec227775f25df57a8e44107c51d2a7979b958de833d4cd74590e04931635d8920ef97dcdb55bc64ab785db566d543276a35f9176f2888acf0fd37bbf1f20e4ee |
C:\Program Files (x86)\dddwxyefxortjxoxdddwxy.fxo
| MD5 | 3cba3380817da951da12aecd276f77b3 |
| SHA1 | 8ec199379859c54d17252ebebac5aca9303fde6e |
| SHA256 | 70c714ce334caaa9053d7bbc3e431350cdc3e82df4b95f5146a63a38a544b161 |
| SHA512 | 2f808b6676a94eafbd1234d29cac7d782a83360c0c376b35a9f63c9a72ec86a02ae56aa09e6a4b7a4f312512642d90d1838f4a776085eab13be9507b391d8f2c |
C:\Windows\SysWOW64\dddwxyefxortjxoxdddwxy.fxo
| MD5 | aabdb47094f2024cb1ea2d4c301cdbf1 |
| SHA1 | 41cb7277daaa26d85aafc4f96595b266028487c6 |
| SHA256 | 540e2943357b8fab9d928a821784774a54c28212a6c636dcf868dc77685d9c5d |
| SHA512 | 476cbba0759c3cd10aa5e5020fcc2df09313671874939ba29871fa4f9d42c5d4b99e8f1b447a2cfd58c175f42151a41240668be4d677d8b0053d4728fc28e095 |
C:\zjtwhsitvw.bat
| MD5 | 718ee4e1ab9b11ab9741db91eaf0f945 |
| SHA1 | ce8bd9ee7d7f8531f5b54d5353b6e5e8a7618638 |
| SHA256 | dd92fcc55737c783d17ead98c56d1f40ad16acba3fac147f5ba0ed12a2613140 |
| SHA512 | dd78cedc694fa1fda5a6a998ca0c96bdbdfb0466ed95034a5706178850f39191705b925bd74733cacf2819697aeb3299e0b86896147c6d838f599b20fb0ef89b |
C:\Program Files (x86)\dddwxyefxortjxoxdddwxy.fxo
| MD5 | 488ec01580ce2d04312e3e1c8923e951 |
| SHA1 | ee90f5ed0d639439a1b4901439695689b00b609e |
| SHA256 | 28402f02c4795cd927e0292294f92f1c9c0789b221f79dfff3be2268a0476b73 |
| SHA512 | 8e2af5b21b13f04a6cd762d6f76100440c880fb3b0719b701a0950e884a32559975810d7829b75b1732d407c28b46d889ecabe2e3a8a0fb08df16230f732f0ee |
C:\Program Files (x86)\dddwxyefxortjxoxdddwxy.fxo
| MD5 | 468415442f1e0ff134a4a981033a254b |
| SHA1 | e67d788aad54099a0677edb42a698562573f7f74 |
| SHA256 | e3de0755a8318921d4677d3b862e931052409f1437f5fbdfa7f31f60ed8d9663 |
| SHA512 | c3f5c45edbb22891cefd1403de6afe070bc7129aef665a6447474cdba557377af034ee0527b0acc708c76a97b80b430df4c2b54604227a4906556cf77128528a |
C:\Program Files (x86)\dddwxyefxortjxoxdddwxy.fxo
| MD5 | 6defd78024d6fe2fde4e21d318c3f7c2 |
| SHA1 | 6add3a9b93e00e355b1c14269cf04492adb194f6 |
| SHA256 | 8252314c2e0519fa4c200e102ff3671ea38b861b36c90c9e60eba5631a1780ee |
| SHA512 | cb6f86dc8e82b83097fcbc1d4183b5d22c02e7a8bac627b1e16c84a866ee91e3c07c2436e07e4439f527b8081e3257d157d428d104b19d57fdf54e5cfe637b67 |
C:\Program Files (x86)\dddwxyefxortjxoxdddwxy.fxo
| MD5 | d2d5cffbf2f6e07ba43e017f6612a26f |
| SHA1 | 66e8e6976db61e6272f2613f43636445a5c21372 |
| SHA256 | 3c2b21fb060b7d6b176a693fe7632781860fa7a94ba89fa2c67987c24532a03a |
| SHA512 | 384586c264b2b113d819f85ba4548d745dbe5aa822691c8931901fbe1bd069c7f107238d224852521aa0394a1c7c3a4c1a50b36c3088c9f9829a76bf8fd9007e |