Analysis Overview
SHA256
962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437
Threat Level: Known bad
The file 962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N was found to be: Known bad.
Malicious Activity Summary
UAC bypass
Modifies WinLogon for persistence
Disables RegEdit via registry modification
Adds policy Run key to start application
Impair Defenses: Safe Mode Boot
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Checks whether UAC is enabled
Adds Run key to start application
Looks up external IP address via web service
Hijack Execution Flow: Executable Installer File Permissions Weakness
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
System policy modification
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-31 04:57
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-31 04:57
Reported
2024-10-31 04:59
Platform
win7-20240903-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgctpiwqxaesgqyzje.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "axmkdbwmirwcsiuehtqfd.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhvskhbqltxcrgracnjx.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "exicrlcoglmoamuaz.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgctpiwqxaesgqyzje.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "xpzsgzparvvwhsze.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpzsgzparvvwhsze.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "xpzsgzparvvwhsze.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "exicrlcoglmoamuaz.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exicrlcoglmoamuaz.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exicrlcoglmoamuaz.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "nhtoezrexdfiviryyh.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "ytgctpiwqxaesgqyzje.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "axmkdbwmirwcsiuehtqfd.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "lhvskhbqltxcrgracnjx.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhtoezrexdfiviryyh.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpzsgzparvvwhsze.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "lhvskhbqltxcrgracnjx.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "nhtoezrexdfiviryyh.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhvskhbqltxcrgracnjx.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axmkdbwmirwcsiuehtqfd.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhtoezrexdfiviryyh.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "lhvskhbqltxcrgracnjx.exe" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgctpiwqxaesgqyzje.exe" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sjskxpeoehggqag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhvskhbqltxcrgracnjx.exe" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpzsgzparvvwhsze.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\epselxgku = "exicrlcoglmoamuaz.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdjyixjqddzw = "xpzsgzparvvwhsze.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\epselxgku = "lhvskhbqltxcrgracnjx.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\epselxgku = "axmkdbwmirwcsiuehtqfd.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\epselxgku = "ytgctpiwqxaesgqyzje.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sjskxpeoehggqag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhvskhbqltxcrgracnjx.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfneqhvetvtsbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgctpiwqxaesgqyzje.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sjskxpeoehggqag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgctpiwqxaesgqyzje.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sjskxpeoehggqag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhtoezrexdfiviryyh.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\epselxgku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exicrlcoglmoamuaz.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sjskxpeoehggqag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpzsgzparvvwhsze.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfneqhvetvtsbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhtoezrexdfiviryyh.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\epselxgku = "ytgctpiwqxaesgqyzje.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "axmkdbwmirwcsiuehtqfd.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\epselxgku = "lhvskhbqltxcrgracnjx.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdjyixjqddzw = "nhtoezrexdfiviryyh.exe" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "ytgctpiwqxaesgqyzje.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\odkalbowkligo = "xpzsgzparvvwhsze.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sjskxpeoehggqag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgctpiwqxaesgqyzje.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfneqhvetvtsbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exicrlcoglmoamuaz.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\odkalbowkligo = "axmkdbwmirwcsiuehtqfd.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "axmkdbwmirwcsiuehtqfd.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "exicrlcoglmoamuaz.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\epselxgku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axmkdbwmirwcsiuehtqfd.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdjyixjqddzw = "axmkdbwmirwcsiuehtqfd.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exicrlcoglmoamuaz.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "nhtoezrexdfiviryyh.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfneqhvetvtsbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exicrlcoglmoamuaz.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhvskhbqltxcrgracnjx.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfneqhvetvtsbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhvskhbqltxcrgracnjx.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\odkalbowkligo = "axmkdbwmirwcsiuehtqfd.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axmkdbwmirwcsiuehtqfd.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\epselxgku = "exicrlcoglmoamuaz.exe" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\epselxgku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpzsgzparvvwhsze.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "xpzsgzparvvwhsze.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdjyixjqddzw = "exicrlcoglmoamuaz.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sjskxpeoehggqag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exicrlcoglmoamuaz.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfneqhvetvtsbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpzsgzparvvwhsze.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\epselxgku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhtoezrexdfiviryyh.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "ytgctpiwqxaesgqyzje.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "nhtoezrexdfiviryyh.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdjyixjqddzw = "lhvskhbqltxcrgracnjx.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfneqhvetvtsbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exicrlcoglmoamuaz.exe ." | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfneqhvetvtsbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgctpiwqxaesgqyzje.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\epselxgku = "nhtoezrexdfiviryyh.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\odkalbowkligo = "lhvskhbqltxcrgracnjx.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "exicrlcoglmoamuaz.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axmkdbwmirwcsiuehtqfd.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpzsgzparvvwhsze.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\epselxgku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhtoezrexdfiviryyh.exe" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "xpzsgzparvvwhsze.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\epselxgku = "exicrlcoglmoamuaz.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sjskxpeoehggqag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axmkdbwmirwcsiuehtqfd.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhtoezrexdfiviryyh.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\epselxgku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhvskhbqltxcrgracnjx.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdjyixjqddzw = "exicrlcoglmoamuaz.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sjskxpeoehggqag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhvskhbqltxcrgracnjx.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdjyixjqddzw = "nhtoezrexdfiviryyh.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdjyixjqddzw = "ytgctpiwqxaesgqyzje.exe" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\odkalbowkligo = "ytgctpiwqxaesgqyzje.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgctpiwqxaesgqyzje.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\odkalbowkligo = "nhtoezrexdfiviryyh.exe ." | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\cfaedhiegvgsokcsbtwrvuy.vxm | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\pdjyixjqddzwdknoilzfuetfmzzvszgjke.vbq | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| File created | C:\Windows\SysWOW64\pdjyixjqddzwdknoilzfuetfmzzvszgjke.vbq | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\cfaedhiegvgsokcsbtwrvuy.vxm | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\pdjyixjqddzwdknoilzfuetfmzzvszgjke.vbq | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| File opened for modification | C:\Program Files (x86)\cfaedhiegvgsokcsbtwrvuy.vxm | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| File created | C:\Program Files (x86)\cfaedhiegvgsokcsbtwrvuy.vxm | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| File opened for modification | C:\Program Files (x86)\pdjyixjqddzwdknoilzfuetfmzzvszgjke.vbq | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\cfaedhiegvgsokcsbtwrvuy.vxm | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| File created | C:\Windows\cfaedhiegvgsokcsbtwrvuy.vxm | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| File opened for modification | C:\Windows\pdjyixjqddzwdknoilzfuetfmzzvszgjke.vbq | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| File created | C:\Windows\pdjyixjqddzwdknoilzfuetfmzzvszgjke.vbq | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\ahgor.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe
"C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe"
C:\Users\Admin\AppData\Local\Temp\ahgor.exe
"C:\Users\Admin\AppData\Local\Temp\ahgor.exe" "-"
C:\Users\Admin\AppData\Local\Temp\ahgor.exe
"C:\Users\Admin\AppData\Local\Temp\ahgor.exe" "-"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 104.27.206.92:80 | www.whatismyip.com | tcp |
| US | 104.21.74.56:80 | www.showmyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 142.250.178.14:80 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | kmeggs.org | udp |
| US | 8.8.8.8:53 | lrjekrdt.net | udp |
| US | 8.8.8.8:53 | rulifqblg.com | udp |
| US | 8.8.8.8:53 | hhvmzql.info | udp |
| US | 8.8.8.8:53 | eutwdyl.info | udp |
| US | 8.8.8.8:53 | rvpmfbpnfzxx.net | udp |
| US | 8.8.8.8:53 | vptprrjb.info | udp |
| US | 8.8.8.8:53 | bezodzbqq.net | udp |
| US | 8.8.8.8:53 | kavtbvqf.info | udp |
| DE | 85.214.228.140:80 | kavtbvqf.info | tcp |
| US | 8.8.8.8:53 | hmbjyjz.info | udp |
| US | 8.8.8.8:53 | qsegii.org | udp |
| US | 8.8.8.8:53 | sejibalqxar.net | udp |
| US | 54.244.188.177:80 | sejibalqxar.net | tcp |
| US | 8.8.8.8:53 | wevgoov.info | udp |
| US | 8.8.8.8:53 | nbdztrqh.net | udp |
| US | 8.8.8.8:53 | qsykcwyamcee.com | udp |
| US | 8.8.8.8:53 | qappvxyiorbw.net | udp |
| US | 8.8.8.8:53 | ibtwekfadob.info | udp |
| US | 8.8.8.8:53 | egksyqv.info | udp |
| US | 208.100.26.245:80 | egksyqv.info | tcp |
| US | 8.8.8.8:53 | nddzzd.info | udp |
| US | 8.8.8.8:53 | zyzqrbrqzcl.info | udp |
| US | 8.8.8.8:53 | xswgjufhld.net | udp |
| US | 8.8.8.8:53 | pnfmjmvwlcx.org | udp |
| US | 8.8.8.8:53 | mqwiqayk.com | udp |
| US | 8.8.8.8:53 | xdxafq.info | udp |
| US | 8.8.8.8:53 | hsxayjziyqb.com | udp |
| US | 8.8.8.8:53 | gyvqwcxtyk.info | udp |
| US | 8.8.8.8:53 | lunuyevcl.com | udp |
| US | 8.8.8.8:53 | uyqvxdvprq.net | udp |
| US | 8.8.8.8:53 | wclkqrqe.net | udp |
| US | 8.8.8.8:53 | aztkuyhbdm.net | udp |
| US | 8.8.8.8:53 | qxtyvdbi.net | udp |
| US | 8.8.8.8:53 | nlfesyzcz.net | udp |
| US | 8.8.8.8:53 | kblyjmxqp.info | udp |
| US | 8.8.8.8:53 | xdooerpr.info | udp |
| US | 8.8.8.8:53 | wytqwaxvp.info | udp |
| US | 8.8.8.8:53 | hmobnvtgcvsp.info | udp |
| US | 8.8.8.8:53 | uuzvpjrwcom.info | udp |
| US | 8.8.8.8:53 | vqhclzq.org | udp |
| US | 8.8.8.8:53 | kojczou.info | udp |
| US | 8.8.8.8:53 | usqumg.org | udp |
| US | 8.8.8.8:53 | ekcecwqe.org | udp |
| US | 8.8.8.8:53 | ygdedymgkqb.net | udp |
| US | 8.8.8.8:53 | xerqiiou.net | udp |
| US | 8.8.8.8:53 | cteohsfyc.info | udp |
| US | 8.8.8.8:53 | hsgptzrqqi.net | udp |
| US | 8.8.8.8:53 | hckgjytpikdx.net | udp |
| US | 8.8.8.8:53 | miokgksskwum.com | udp |
| US | 8.8.8.8:53 | gwneowcmczr.net | udp |
| US | 8.8.8.8:53 | qvmlwe.info | udp |
| US | 8.8.8.8:53 | uqleria.net | udp |
| US | 8.8.8.8:53 | lyuyiczcfss.com | udp |
| US | 8.8.8.8:53 | moyykaco.org | udp |
| US | 8.8.8.8:53 | havbtylo.net | udp |
Files
\Users\Admin\AppData\Local\Temp\ahgor.exe
| MD5 | 6f451a41c9f96a5c513b4954680286f9 |
| SHA1 | 06456a5c776552246efaea2153cd408aa9320c0b |
| SHA256 | a32541929feeba2e8f57866fde0354d9354b20638f2a128189b55d351db60614 |
| SHA512 | 82a11fa921cc237d825ba7035bc8fa1e9c3325a26a0ad8aa10fccc163496da0c2e4e63b4ae90f1ffa49ba93ebd33a69d27d7b8f74d8382f264ed8bb53cfdfb32 |
C:\Users\Admin\AppData\Local\cfaedhiegvgsokcsbtwrvuy.vxm
| MD5 | a127b6bb98ca5882f12d63ebca907925 |
| SHA1 | 443fec890c0216c27a7f2cadd3570aba5cdf9c4b |
| SHA256 | a78d8e706c1fddb96b611cc7ccd29542e73c767373c96af452573d5765a70274 |
| SHA512 | 22001df82bba6a42fcb45051ea883fbe53ff5a6bf71790497ad518201930e2eff8898f44309993c59a80f692f975022ef1fbb8a130d9797b18b8e8dbcbc525ee |
C:\Users\Admin\AppData\Local\pdjyixjqddzwdknoilzfuetfmzzvszgjke.vbq
| MD5 | 4f57095f27adcc023d3401c023fedae3 |
| SHA1 | 02f460a263f9298b0e6a7ec04e8a72a91292857f |
| SHA256 | 60fda659ac265a9fa8743fe4aa9fce3edfee70e84f91c33e4228a1bb5157471f |
| SHA512 | 6cefe0e8236b19f6d3c87be223bb0186e4d0d3d10a8938f4c97b9ee88cdde57fe4b744014d0ac05ebb16e7775a6ec71eea988669f849829bde39c7bb8268a836 |
C:\Program Files (x86)\cfaedhiegvgsokcsbtwrvuy.vxm
| MD5 | c8ad36c2a9c426876ccbf3bf25ed0a5e |
| SHA1 | 23d1e834926a6f61863c02eea508a477be77886a |
| SHA256 | 0646865d81b1745e3d87b68ad15d27271eb79049951f71611251943c1e4a2e50 |
| SHA512 | cdcdf42b0acfcd21a61ff45d47f85f30d96bfaa341013bd18a19fbac671949ece0fe0a01564ad756f34701938e91a6a0889a917917306589372c19b0d696b887 |
C:\Users\Admin\AppData\Local\cfaedhiegvgsokcsbtwrvuy.vxm
| MD5 | 54e18c8d056da40ce706109669410d91 |
| SHA1 | 1df4712c17aa4305262440df11d05d3e0b5d9597 |
| SHA256 | 99bb0c81a7b68282d51fc134a7c3e092891793ec7dc90f9a3274e495c8d21899 |
| SHA512 | 16a98ca9033858e04a8c665d285c39618e67d37d511638a47947a649cee838d27ed787c98e632442637668d999f4d881901348281e40bafa425cc3085efec94c |
C:\Program Files (x86)\cfaedhiegvgsokcsbtwrvuy.vxm
| MD5 | a101f59dc8df558387c5812573242d08 |
| SHA1 | d96a2704a3a56455c21653bbaf21c2ee7368c223 |
| SHA256 | de9e271f181bc479f973f02b08ff7090a04dc77ecbb49e09df881c16ea04d116 |
| SHA512 | 331c3c8f773f273588854a797572c9aa8e086147b9053b5b0496827128426ffaa59f5c6216e3c2c97df66f6b8dbd132c278e46832c7c8edde478b5ffbedf399e |
C:\Users\Admin\AppData\Local\cfaedhiegvgsokcsbtwrvuy.vxm
| MD5 | c6b72a6b2d241bff801c01e30441e334 |
| SHA1 | 50e1dc96bec63c1436372d61ae5cd11cf4c389fc |
| SHA256 | 1f66e861beb6fae228069b4dffe2cf87d85092eb49643abfa06b4e1f5d9037ee |
| SHA512 | 07199ee879d9ea128766ea3f99e0638522fa0e371ec3214cd0c13a6e0c10fb1293146df2129f020895e29739821886cfc140db72972863657df14e53ecca58c4 |
C:\Users\Admin\AppData\Local\cfaedhiegvgsokcsbtwrvuy.vxm
| MD5 | 523e0655896f97b87cd6dbbf5a1f473c |
| SHA1 | 3f21d23a353d5ce60589b6ebedbf0615f0808c90 |
| SHA256 | 7ea10530e0ed6b048302e7e7676d3d7a068447a8de921f96f0e290d8146db60b |
| SHA512 | 3ed6a16f7208f07bf0b6f01be4a5b3f080dac6ca92b342986577819e38567996f28fd46da21a6cf4160ba0f1f8e84cb3b0da402fc8213b721c1ee8e445b11f03 |
C:\Users\Admin\AppData\Local\cfaedhiegvgsokcsbtwrvuy.vxm
| MD5 | d0c936f8694a9a4fb587f768d45d00b2 |
| SHA1 | 9567724eec5541a5153493b8e5baea1e845227fc |
| SHA256 | 836e0ecf4ec98bae24aa0adf4921a57e398dba9fe79cf135f50d478af8380f44 |
| SHA512 | 751147eba668e836735adaad0c2f8c8795d0f466c5e1c19dd1f4d278482f2e7ff73ce0ad7818a9461412458d4fcd63036f53c5ee5cee844d1ffcda40021f80a3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-31 04:57
Reported
2024-10-31 04:59
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajmzpxeozg = "btfbarhaukcwrpsinbf.exe" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajmzpxeozg = "hxhbynbskyogzvwkn.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhhrejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apyrnboevixogbbo.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhhrejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apyrnboevixogbbo.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhhrejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apyrnboevixogbbo.exe" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajmzpxeozg = "apyrnboevixogbbo.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajmzpxeozg = "btfbarhaukcwrpsinbf.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhhrejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohurrjaupgzuqptkqfkd.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajmzpxeozg = "ohurrjaupgzuqptkqfkd.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhhrejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohurrjaupgzuqptkqfkd.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajmzpxeozg = "hxhbynbskyogzvwkn.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhhrejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btfbarhaukcwrpsinbf.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajmzpxeozg = "qhsnlbqibqhaurtimz.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhhrejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxljkdvqmeyurrwovlrlz.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajmzpxeozg = "ohurrjaupgzuqptkqfkd.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhhrejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxljkdvqmeyurrwovlrlz.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhhrejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btfbarhaukcwrpsinbf.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajmzpxeozg = "dxljkdvqmeyurrwovlrlz.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhhrejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxhbynbskyogzvwkn.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajmzpxeozg = "btfbarhaukcwrpsinbf.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhhrejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhsnlbqibqhaurtimz.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajmzpxeozg = "apyrnboevixogbbo.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "dxljkdvqmeyurrwovlrlz.exe ." | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "qhsnlbqibqhaurtimz.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxyjxdiq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohurrjaupgzuqptkqfkd.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxhbynbskyogzvwkn.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "qhsnlbqibqhaurtimz.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "hxhbynbskyogzvwkn.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdixpziuhqbo = "btfbarhaukcwrpsinbf.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfmdxjuixivkat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btfbarhaukcwrpsinbf.exe" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfjxoxfqcku = "qhsnlbqibqhaurtimz.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfmdxjuixivkat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxhbynbskyogzvwkn.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdixpziuhqbo = "hxhbynbskyogzvwkn.exe ." | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfmdxjuixivkat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohurrjaupgzuqptkqfkd.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfjxoxfqcku = "ohurrjaupgzuqptkqfkd.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhsnlbqibqhaurtimz.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxyjxdiq = "hxhbynbskyogzvwkn.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdixpziuhqbo = "qhsnlbqibqhaurtimz.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btfbarhaukcwrpsinbf.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfjxoxfqcku = "qhsnlbqibqhaurtimz.exe" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "apyrnboevixogbbo.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfmdxjuixivkat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxhbynbskyogzvwkn.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdjzsdnaoykyn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhsnlbqibqhaurtimz.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfmdxjuixivkat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohurrjaupgzuqptkqfkd.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfmdxjuixivkat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhsnlbqibqhaurtimz.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdjzsdnaoykyn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apyrnboevixogbbo.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfjxoxfqcku = "btfbarhaukcwrpsinbf.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apyrnboevixogbbo.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "apyrnboevixogbbo.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxyjxdiq = "apyrnboevixogbbo.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfjxoxfqcku = "apyrnboevixogbbo.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxljkdvqmeyurrwovlrlz.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfmdxjuixivkat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxljkdvqmeyurrwovlrlz.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdjzsdnaoykyn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxhbynbskyogzvwkn.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfjxoxfqcku = "hxhbynbskyogzvwkn.exe" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfmdxjuixivkat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apyrnboevixogbbo.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdjzsdnaoykyn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohurrjaupgzuqptkqfkd.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxyjxdiq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btfbarhaukcwrpsinbf.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxyjxdiq = "apyrnboevixogbbo.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdixpziuhqbo = "btfbarhaukcwrpsinbf.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "ohurrjaupgzuqptkqfkd.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxyjxdiq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apyrnboevixogbbo.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdixpziuhqbo = "apyrnboevixogbbo.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxyjxdiq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxljkdvqmeyurrwovlrlz.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "apyrnboevixogbbo.exe ." | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdixpziuhqbo = "hxhbynbskyogzvwkn.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfmdxjuixivkat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhsnlbqibqhaurtimz.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "dxljkdvqmeyurrwovlrlz.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxyjxdiq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxljkdvqmeyurrwovlrlz.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdjzsdnaoykyn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxhbynbskyogzvwkn.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "btfbarhaukcwrpsinbf.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxljkdvqmeyurrwovlrlz.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdixpziuhqbo = "dxljkdvqmeyurrwovlrlz.exe ." | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdjzsdnaoykyn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohurrjaupgzuqptkqfkd.exe ." | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdixpziuhqbo = "qhsnlbqibqhaurtimz.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxyjxdiq = "ohurrjaupgzuqptkqfkd.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfjxoxfqcku = "btfbarhaukcwrpsinbf.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdixpziuhqbo = "hxhbynbskyogzvwkn.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfmdxjuixivkat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apyrnboevixogbbo.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfjxoxfqcku = "qhsnlbqibqhaurtimz.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxyjxdiq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxhbynbskyogzvwkn.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohurrjaupgzuqptkqfkd.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfjxoxfqcku = "apyrnboevixogbbo.exe" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "dxljkdvqmeyurrwovlrlz.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdixpziuhqbo = "dxljkdvqmeyurrwovlrlz.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "ohurrjaupgzuqptkqfkd.exe ." | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\ajmzpxeozgpambvcydyhkxnvcmxenykz.awb | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| File created | C:\Windows\SysWOW64\ajmzpxeozgpambvcydyhkxnvcmxenykz.awb | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\fdvxczvuuqooptcyjdnld.khd | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| File created | C:\Windows\SysWOW64\fdvxczvuuqooptcyjdnld.khd | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\fdvxczvuuqooptcyjdnld.khd | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| File created | C:\Program Files (x86)\fdvxczvuuqooptcyjdnld.khd | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ajmzpxeozgpambvcydyhkxnvcmxenykz.awb | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| File created | C:\Program Files (x86)\ajmzpxeozgpambvcydyhkxnvcmxenykz.awb | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\fdvxczvuuqooptcyjdnld.khd | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| File created | C:\Windows\fdvxczvuuqooptcyjdnld.khd | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| File opened for modification | C:\Windows\ajmzpxeozgpambvcydyhkxnvcmxenykz.awb | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| File created | C:\Windows\ajmzpxeozgpambvcydyhkxnvcmxenykz.awb | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe
"C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe"
C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe
"C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe" "-"
C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe
"C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe" "-"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 106.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | 92.207.27.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | 79.222.19.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | 175.155.67.172.in-addr.arpa | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.youtube.com | udp |
| GB | 172.217.169.14:80 | www.youtube.com | tcp |
| US | 8.8.8.8:53 | kmeggs.org | udp |
| US | 8.8.8.8:53 | lrjekrdt.net | udp |
| US | 8.8.8.8:53 | tjvqfbvjmooz.info | udp |
| US | 8.8.8.8:53 | yowkwmuu.com | udp |
| US | 8.8.8.8:53 | wdjgvyhpkmk.info | udp |
| US | 8.8.8.8:53 | 14.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | kavtbvqf.info | udp |
| DE | 85.214.228.140:80 | kavtbvqf.info | tcp |
| US | 8.8.8.8:53 | ujgfxdqswh.net | udp |
| US | 8.8.8.8:53 | kwbbzbvgnzax.info | udp |
| US | 8.8.8.8:53 | iqeomussyi.com | udp |
| US | 8.8.8.8:53 | gujunlesowi.info | udp |
| US | 8.8.8.8:53 | sejibalqxar.net | udp |
| US | 54.244.188.177:80 | sejibalqxar.net | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.228.214.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | torgnldl.info | udp |
| US | 8.8.8.8:53 | cgihagj.info | udp |
| US | 8.8.8.8:53 | qscweekc.com | udp |
| US | 8.8.8.8:53 | egksyqv.info | udp |
| US | 208.100.26.245:80 | egksyqv.info | tcp |
| US | 8.8.8.8:53 | vdzphk.info | udp |
| US | 8.8.8.8:53 | uwpfpr.info | udp |
| US | 8.8.8.8:53 | oswaicicgymc.org | udp |
| US | 8.8.8.8:53 | pnsdfbklr.com | udp |
| US | 8.8.8.8:53 | uytvbd.info | udp |
| US | 8.8.8.8:53 | 177.188.244.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.26.100.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pnfmjmvwlcx.org | udp |
| US | 8.8.8.8:53 | rulmiuoebex.com | udp |
| US | 8.8.8.8:53 | zszohszakut.org | udp |
| US | 8.8.8.8:53 | wclkqrqe.net | udp |
| US | 8.8.8.8:53 | omaqio.org | udp |
| US | 8.8.8.8:53 | fxrvvrxmxh.info | udp |
| US | 8.8.8.8:53 | iolyaaphvkn.info | udp |
| US | 8.8.8.8:53 | vqhclzq.org | udp |
| US | 8.8.8.8:53 | qcoegeqkwgcq.com | udp |
| US | 8.8.8.8:53 | hsksignnoewk.net | udp |
| US | 8.8.8.8:53 | hpsmipicxupt.info | udp |
| US | 8.8.8.8:53 | xerqiiou.net | udp |
| US | 8.8.8.8:53 | syakbm.info | udp |
| US | 8.8.8.8:53 | qyveaudfmez.net | udp |
| US | 8.8.8.8:53 | nbisxf.info | udp |
| US | 8.8.8.8:53 | wslwlgx.info | udp |
| US | 8.8.8.8:53 | twmmkhcywuj.org | udp |
| US | 8.8.8.8:53 | miokgksskwum.com | udp |
| US | 8.8.8.8:53 | fyylzj.info | udp |
| US | 8.8.8.8:53 | havbtylo.net | udp |
| US | 8.8.8.8:53 | jkcnkmgboo.net | udp |
| US | 8.8.8.8:53 | eqpwnaryq.net | udp |
| US | 8.8.8.8:53 | lvqslsbcaef.info | udp |
| US | 8.8.8.8:53 | myocswemuq.org | udp |
| US | 8.8.8.8:53 | yxjlyvzsnhxv.net | udp |
| US | 8.8.8.8:53 | catdtirlxee.net | udp |
| US | 8.8.8.8:53 | wwsijgyjecx.info | udp |
| US | 8.8.8.8:53 | rlofyx.info | udp |
| US | 8.8.8.8:53 | zrphjgfnm.info | udp |
| US | 8.8.8.8:53 | jrncvlzwiulh.net | udp |
| US | 8.8.8.8:53 | miisqa.org | udp |
| US | 8.8.8.8:53 | gotqpsxeq.net | udp |
| US | 8.8.8.8:53 | xoyvrevhha.net | udp |
| US | 8.8.8.8:53 | ekuedqrcp.info | udp |
| US | 8.8.8.8:53 | zgfqhof.org | udp |
| US | 8.8.8.8:53 | dkqayttmb.net | udp |
| US | 8.8.8.8:53 | vljgbupsl.net | udp |
| US | 8.8.8.8:53 | iavxtkk.info | udp |
| US | 8.8.8.8:53 | dyjzbs.net | udp |
| US | 8.8.8.8:53 | gmesqmckoyke.org | udp |
| US | 8.8.8.8:53 | hgqnhit.org | udp |
| US | 8.8.8.8:53 | qpejngowavjy.info | udp |
| US | 8.8.8.8:53 | wpumzcv.info | udp |
| US | 8.8.8.8:53 | zlkqvoxqx.org | udp |
| US | 8.8.8.8:53 | lcbsfiyyz.com | udp |
| US | 8.8.8.8:53 | pvvhcp.net | udp |
| US | 8.8.8.8:53 | birepoq.com | udp |
| US | 8.8.8.8:53 | oicaqk.org | udp |
| US | 8.8.8.8:53 | crfiladnpmv.net | udp |
| US | 8.8.8.8:53 | gwwefsd.net | udp |
| US | 8.8.8.8:53 | tqznqjobr.org | udp |
| US | 8.8.8.8:53 | pywtdsxnbwp.net | udp |
| US | 8.8.8.8:53 | dmbealkee.net | udp |
| US | 8.8.8.8:53 | gkmuow.org | udp |
| US | 8.8.8.8:53 | lqmphguwauj.net | udp |
| US | 8.8.8.8:53 | ykwmkakg.com | udp |
| US | 8.8.8.8:53 | cxpxjpr.net | udp |
| US | 8.8.8.8:53 | yqiweowi.com | udp |
| US | 8.8.8.8:53 | xupglkfya.info | udp |
| US | 8.8.8.8:53 | xqeihwjsx.com | udp |
| US | 8.8.8.8:53 | ssashm.info | udp |
| US | 8.8.8.8:53 | qskkpmw.net | udp |
| US | 8.8.8.8:53 | lksloqnzv.com | udp |
| US | 8.8.8.8:53 | fszehlnx.net | udp |
| US | 8.8.8.8:53 | fsiyrwqv.net | udp |
| US | 8.8.8.8:53 | jkdcdyf.com | udp |
| US | 8.8.8.8:53 | kkmeoq.org | udp |
| US | 8.8.8.8:53 | vahhkdgyeefx.net | udp |
| US | 8.8.8.8:53 | dvyyeptzjv.net | udp |
| US | 8.8.8.8:53 | qikccq.com | udp |
| US | 8.8.8.8:53 | fkkuzkhcr.com | udp |
| US | 8.8.8.8:53 | gfuvwmjpgb.net | udp |
| US | 8.8.8.8:53 | rivcjaszx.net | udp |
| US | 8.8.8.8:53 | kvpoqyl.info | udp |
| US | 8.8.8.8:53 | xixednsqy.net | udp |
| US | 8.8.8.8:53 | qklvmkpphtqq.info | udp |
| US | 8.8.8.8:53 | jractu.net | udp |
| US | 8.8.8.8:53 | zsqxejydfpnt.info | udp |
| US | 8.8.8.8:53 | euxuukuzlj.net | udp |
| US | 8.8.8.8:53 | eqbrod.info | udp |
| US | 8.8.8.8:53 | ltvwftzngl.net | udp |
| US | 8.8.8.8:53 | adrctuqehjon.info | udp |
| US | 8.8.8.8:53 | qudyrmntuow.info | udp |
| US | 8.8.8.8:53 | huasjgtckdu.com | udp |
| US | 8.8.8.8:53 | adqotj.info | udp |
| US | 8.8.8.8:53 | usiikeyy.org | udp |
| US | 8.8.8.8:53 | jojlfepmqic.net | udp |
| US | 8.8.8.8:53 | gqkqucek.org | udp |
| US | 8.8.8.8:53 | ncxein.net | udp |
| US | 8.8.8.8:53 | uspavcp.net | udp |
| US | 8.8.8.8:53 | wcoohuzezxuh.net | udp |
| US | 8.8.8.8:53 | xfozhjysnnrw.net | udp |
| US | 8.8.8.8:53 | ppvqcdqc.info | udp |
| US | 8.8.8.8:53 | hrnujmsfph.net | udp |
| US | 8.8.8.8:53 | xxxrxnll.info | udp |
| US | 8.8.8.8:53 | mznedobi.net | udp |
| US | 8.8.8.8:53 | ourepitvklx.info | udp |
| US | 8.8.8.8:53 | qgwghszfz.info | udp |
| US | 8.8.8.8:53 | trrvwxpupfak.net | udp |
| US | 8.8.8.8:53 | uuwygwcmmc.com | udp |
| US | 8.8.8.8:53 | fifqlpb.org | udp |
| US | 8.8.8.8:53 | xhisrub.org | udp |
| US | 8.8.8.8:53 | sefswvajalzq.net | udp |
| US | 8.8.8.8:53 | xododk.net | udp |
| US | 8.8.8.8:53 | octpnmfeveb.net | udp |
| US | 8.8.8.8:53 | igeuaeekqkai.com | udp |
| US | 8.8.8.8:53 | kasabx.net | udp |
| US | 8.8.8.8:53 | qepupmjufwt.net | udp |
| US | 8.8.8.8:53 | pyfofor.info | udp |
| US | 8.8.8.8:53 | swdbmuwabyg.info | udp |
| US | 8.8.8.8:53 | buoqqzlfnx.net | udp |
| US | 8.8.8.8:53 | awwkvlhbxgix.info | udp |
| US | 8.8.8.8:53 | buqvltnvkj.info | udp |
| US | 8.8.8.8:53 | ymtoaovfdbi.net | udp |
| US | 8.8.8.8:53 | bsrweqh.net | udp |
| US | 8.8.8.8:53 | wdilrbagqvbi.info | udp |
| US | 8.8.8.8:53 | wlnvccohvi.info | udp |
| US | 8.8.8.8:53 | ygqeiciwkoyw.com | udp |
| US | 8.8.8.8:53 | pysepcywro.info | udp |
| US | 8.8.8.8:53 | kshgvj.net | udp |
| US | 8.8.8.8:53 | pdejmv.info | udp |
| US | 8.8.8.8:53 | rnbmnnffvvpj.info | udp |
| US | 8.8.8.8:53 | oebdqtnylpn.net | udp |
| US | 8.8.8.8:53 | bxufyjogwoou.net | udp |
| US | 8.8.8.8:53 | papvlzf.info | udp |
| US | 8.8.8.8:53 | xykutplmhmfn.net | udp |
| US | 8.8.8.8:53 | hnsilwhmkd.net | udp |
| US | 8.8.8.8:53 | ikxvkrsulwd.net | udp |
| US | 8.8.8.8:53 | uoqaicsoscem.org | udp |
| US | 8.8.8.8:53 | nzzixvjhxgkl.net | udp |
| US | 8.8.8.8:53 | hsufhgsmqgl.org | udp |
| US | 8.8.8.8:53 | tsvrdkobl.org | udp |
| US | 8.8.8.8:53 | mlgsxflu.net | udp |
| US | 8.8.8.8:53 | ssgqwyoscwmq.com | udp |
| US | 8.8.8.8:53 | nmlilkf.net | udp |
| US | 8.8.8.8:53 | xelnlo.info | udp |
| US | 8.8.8.8:53 | kmpdjanxcx.info | udp |
| US | 8.8.8.8:53 | ayaisqusmc.com | udp |
| US | 8.8.8.8:53 | ymiiicyo.org | udp |
| US | 8.8.8.8:53 | rrbjyqfytb.info | udp |
| US | 8.8.8.8:53 | xqcyxif.info | udp |
| US | 8.8.8.8:53 | jljcywgh.info | udp |
| US | 8.8.8.8:53 | aptavxszku.info | udp |
| US | 8.8.8.8:53 | aobbzdl.info | udp |
| US | 8.8.8.8:53 | xirbjpd.com | udp |
| US | 8.8.8.8:53 | ovvmeermlar.net | udp |
| US | 8.8.8.8:53 | cihylwh.net | udp |
| US | 8.8.8.8:53 | xnzydftvlgzr.info | udp |
| US | 8.8.8.8:53 | mydflsxizio.info | udp |
| US | 8.8.8.8:53 | rtuovixut.info | udp |
| US | 8.8.8.8:53 | jinfugfp.net | udp |
| US | 8.8.8.8:53 | pcpgyj.net | udp |
| US | 8.8.8.8:53 | sjutctmlqp.info | udp |
| US | 8.8.8.8:53 | kanvzumtrd.net | udp |
| US | 8.8.8.8:53 | isiium.com | udp |
| US | 8.8.8.8:53 | ouhnpciy.net | udp |
| US | 8.8.8.8:53 | fvrkdzoj.info | udp |
| US | 8.8.8.8:53 | qdaqwtlafa.info | udp |
| US | 8.8.8.8:53 | sdbwfyjudmf.net | udp |
| US | 8.8.8.8:53 | lmpojrrxmeu.net | udp |
| US | 8.8.8.8:53 | azdltpai.net | udp |
| US | 8.8.8.8:53 | gxjmexojzn.info | udp |
| US | 8.8.8.8:53 | sjlbzs.net | udp |
| US | 8.8.8.8:53 | zekcpulqpnd.net | udp |
| US | 8.8.8.8:53 | uyyqvfqlwa.net | udp |
| US | 8.8.8.8:53 | poejdjuh.info | udp |
| US | 8.8.8.8:53 | dykmfirsf.org | udp |
| US | 8.8.8.8:53 | lgmblm.info | udp |
| US | 8.8.8.8:53 | fxayhti.com | udp |
| US | 8.8.8.8:53 | ajiemcue.net | udp |
| US | 8.8.8.8:53 | ekysuwaiqs.org | udp |
| US | 8.8.8.8:53 | bfnxsfwe.net | udp |
| US | 8.8.8.8:53 | yiwurhr.info | udp |
| US | 8.8.8.8:53 | rsnokt.info | udp |
| US | 8.8.8.8:53 | mocgiq.com | udp |
| US | 8.8.8.8:53 | mbiiznxdulyh.net | udp |
| US | 8.8.8.8:53 | ryoznqv.com | udp |
| US | 8.8.8.8:53 | xwdqxgxphkv.org | udp |
| US | 8.8.8.8:53 | lolhbiz.net | udp |
| US | 8.8.8.8:53 | rensjsymxwj.org | udp |
| US | 8.8.8.8:53 | mkkuwuiwwseq.com | udp |
| US | 8.8.8.8:53 | qpeavxszku.net | udp |
| US | 8.8.8.8:53 | bkxzwfixd.com | udp |
| US | 8.8.8.8:53 | xdtelisdm.info | udp |
| US | 8.8.8.8:53 | lszothkejnl.net | udp |
| US | 8.8.8.8:53 | nvqhtsfzlm.info | udp |
| US | 8.8.8.8:53 | aysyqc.com | udp |
| US | 8.8.8.8:53 | fqvopkmiayu.org | udp |
| US | 8.8.8.8:53 | qiucmopf.net | udp |
| US | 8.8.8.8:53 | opulkubj.info | udp |
| US | 8.8.8.8:53 | mytynnbrhspi.info | udp |
| US | 8.8.8.8:53 | oqhajmtmnmh.info | udp |
| US | 8.8.8.8:53 | sscuiedhv.net | udp |
| US | 8.8.8.8:53 | nczirwr.org | udp |
| US | 8.8.8.8:53 | esvkde.net | udp |
| US | 8.8.8.8:53 | wieavxszku.net | udp |
| US | 8.8.8.8:53 | ywsysaascsso.com | udp |
| US | 8.8.8.8:53 | nffzsjdajsx.info | udp |
| US | 8.8.8.8:53 | coowccmu.com | udp |
| US | 8.8.8.8:53 | suwotmgdjqk.info | udp |
| US | 8.8.8.8:53 | rreplnac.info | udp |
| US | 8.8.8.8:53 | lkgatfldr.com | udp |
| US | 8.8.8.8:53 | srdueil.net | udp |
| US | 8.8.8.8:53 | vdbicmahsofj.net | udp |
| US | 8.8.8.8:53 | xqeqvctmsuh.net | udp |
| US | 8.8.8.8:53 | mqoeqmkiyo.org | udp |
| US | 8.8.8.8:53 | qxrwrxkgnrd.net | udp |
| US | 8.8.8.8:53 | pghiaxrr.net | udp |
| US | 8.8.8.8:53 | qagoeiyu.org | udp |
| US | 8.8.8.8:53 | wgwtnn.info | udp |
| US | 8.8.8.8:53 | cqokiu.org | udp |
| US | 8.8.8.8:53 | xojmuqnhc.com | udp |
| US | 8.8.8.8:53 | ympczhxnodq.info | udp |
| US | 8.8.8.8:53 | hgxntkm.net | udp |
| US | 8.8.8.8:53 | tyjijtv.com | udp |
| US | 8.8.8.8:53 | tdorquu.net | udp |
| US | 8.8.8.8:53 | xyptkfpgzvnm.info | udp |
| US | 8.8.8.8:53 | sgsoagiiccyw.com | udp |
| US | 8.8.8.8:53 | jplefezrs.net | udp |
| US | 8.8.8.8:53 | yudtpekyh.info | udp |
| US | 8.8.8.8:53 | ruanaiucgbo.net | udp |
| US | 8.8.8.8:53 | tbdleeffez.net | udp |
| US | 8.8.8.8:53 | loizjl.net | udp |
| US | 8.8.8.8:53 | grblyx.net | udp |
| US | 8.8.8.8:53 | kwucnsvsjqz.net | udp |
| US | 8.8.8.8:53 | pniiuswcyn.info | udp |
| US | 8.8.8.8:53 | djlicfxk.net | udp |
| US | 8.8.8.8:53 | hgpliskn.net | udp |
| US | 8.8.8.8:53 | eolunulgzk.info | udp |
| US | 8.8.8.8:53 | dbuguvooxgpt.info | udp |
| US | 8.8.8.8:53 | nqbpjgon.net | udp |
| US | 8.8.8.8:53 | qofmvytzwzqq.info | udp |
| US | 8.8.8.8:53 | lwfepfetlwts.net | udp |
| US | 8.8.8.8:53 | ilhpunn.info | udp |
| US | 8.8.8.8:53 | edtcrscsug.info | udp |
| US | 8.8.8.8:53 | rwbklxfvdgn.net | udp |
| US | 8.8.8.8:53 | oepibgz.net | udp |
| US | 8.8.8.8:53 | wttaxtzszuhx.info | udp |
| US | 8.8.8.8:53 | kajpailpjmp.info | udp |
| US | 8.8.8.8:53 | lyafmmetvkjy.net | udp |
| US | 8.8.8.8:53 | avvyomf.net | udp |
| US | 8.8.8.8:53 | cgifcdlhyk.net | udp |
| US | 8.8.8.8:53 | cikykgok.org | udp |
| US | 8.8.8.8:53 | mysakufwi.info | udp |
| US | 8.8.8.8:53 | gwgoqq.com | udp |
| US | 8.8.8.8:53 | omnpqiitfi.net | udp |
| US | 8.8.8.8:53 | yyykwe.org | udp |
| US | 8.8.8.8:53 | qkqiic.org | udp |
| US | 8.8.8.8:53 | pssoqtdakwn.org | udp |
| US | 8.8.8.8:53 | bvtnqjtztcea.info | udp |
| US | 8.8.8.8:53 | cvhyxcvn.net | udp |
| US | 8.8.8.8:53 | fbjdeg.info | udp |
| US | 8.8.8.8:53 | ebkvmswc.info | udp |
| US | 8.8.8.8:53 | eldmqxqg.net | udp |
| US | 8.8.8.8:53 | gislpxktd.info | udp |
| US | 8.8.8.8:53 | zvpklryi.net | udp |
| US | 8.8.8.8:53 | aivodvscxbq.info | udp |
| US | 8.8.8.8:53 | hahmgwfnjkp.net | udp |
| US | 8.8.8.8:53 | dpwoyczy.info | udp |
| US | 8.8.8.8:53 | hobdowq.info | udp |
| US | 8.8.8.8:53 | vqrheyzex.net | udp |
| US | 8.8.8.8:53 | fghokddov.com | udp |
| US | 8.8.8.8:53 | ueyuoggoqk.com | udp |
| US | 8.8.8.8:53 | pyfgjlpruptb.info | udp |
| US | 8.8.8.8:53 | kbddptq.net | udp |
| US | 8.8.8.8:53 | oqhtrmhjycp.net | udp |
| US | 8.8.8.8:53 | jkegrujevkd.info | udp |
| US | 8.8.8.8:53 | grelailjse.info | udp |
| US | 8.8.8.8:53 | benjkycqgtgi.info | udp |
| US | 8.8.8.8:53 | gqgsuw.com | udp |
| US | 8.8.8.8:53 | ngrqjtwc.info | udp |
| US | 8.8.8.8:53 | wuyaiqgeqy.com | udp |
| US | 8.8.8.8:53 | vhmwlkbloe.info | udp |
| US | 8.8.8.8:53 | nirstmt.com | udp |
| US | 8.8.8.8:53 | uhpmrupuasn.net | udp |
| US | 8.8.8.8:53 | xqkxqkihtrhl.net | udp |
| US | 8.8.8.8:53 | jrzyrcaozcr.org | udp |
| US | 8.8.8.8:53 | vghjfigfab.net | udp |
| US | 8.8.8.8:53 | clnubo.net | udp |
| US | 8.8.8.8:53 | dfseulltvqhx.net | udp |
| US | 8.8.8.8:53 | cxlkhikkn.net | udp |
| US | 8.8.8.8:53 | tyoyxxeq.net | udp |
| US | 8.8.8.8:53 | iwjghqvqvvm.info | udp |
| US | 8.8.8.8:53 | huvwtwpaf.net | udp |
| US | 8.8.8.8:53 | bkwduobqjiz.org | udp |
| US | 8.8.8.8:53 | ryxdtsd.net | udp |
| US | 8.8.8.8:53 | fmjjvxv.com | udp |
| US | 8.8.8.8:53 | msfmtzx.info | udp |
| US | 8.8.8.8:53 | nlqpnxfa.net | udp |
| US | 8.8.8.8:53 | xyvyxoplk.net | udp |
| US | 8.8.8.8:53 | aakcwycucw.org | udp |
| US | 8.8.8.8:53 | trkeyr.info | udp |
| US | 8.8.8.8:53 | cvwyvxileiaf.info | udp |
| US | 8.8.8.8:53 | jpeuwohf.net | udp |
| US | 8.8.8.8:53 | ujjubgrehmw.net | udp |
| US | 8.8.8.8:53 | ouqoeesiae.org | udp |
| US | 8.8.8.8:53 | ememgusska.com | udp |
| US | 8.8.8.8:53 | icugggkqsw.org | udp |
| US | 8.8.8.8:53 | iuesgi.com | udp |
| US | 8.8.8.8:53 | foxpqijnhlx.org | udp |
| US | 8.8.8.8:53 | lxrxbczgl.info | udp |
| US | 8.8.8.8:53 | fmhiqazsog.info | udp |
| US | 8.8.8.8:53 | qubqirdevwh.net | udp |
| US | 8.8.8.8:53 | jklhikmyugnw.info | udp |
| US | 8.8.8.8:53 | seoqcqsaeugm.org | udp |
| US | 8.8.8.8:53 | mnqzjhqwdf.info | udp |
| US | 8.8.8.8:53 | fjafurvk.net | udp |
| US | 8.8.8.8:53 | reewxp.info | udp |
| US | 8.8.8.8:53 | htsbjk.net | udp |
| US | 8.8.8.8:53 | eimuee.org | udp |
| US | 8.8.8.8:53 | perbtsaqjhas.net | udp |
| US | 8.8.8.8:53 | jfrenmxp.net | udp |
| US | 8.8.8.8:53 | vhipfmwltmva.net | udp |
| US | 8.8.8.8:53 | bwggoh.info | udp |
| US | 8.8.8.8:53 | ewudht.net | udp |
| US | 8.8.8.8:53 | flicbgvlvx.net | udp |
| US | 8.8.8.8:53 | coeucocigqoa.com | udp |
| US | 8.8.8.8:53 | mmfzsurkpuw.net | udp |
| US | 8.8.8.8:53 | dunolqrmder.net | udp |
| US | 8.8.8.8:53 | pfpduv.info | udp |
| US | 8.8.8.8:53 | qerdboeqwcdg.info | udp |
| US | 8.8.8.8:53 | ajeufitgtoe.info | udp |
| US | 8.8.8.8:53 | oesaeigqwuki.com | udp |
| US | 8.8.8.8:53 | zvhqsuxsj.com | udp |
| US | 8.8.8.8:53 | srttit.info | udp |
| US | 8.8.8.8:53 | twqoneq.info | udp |
| US | 8.8.8.8:53 | hhbibsteqcn.info | udp |
| US | 8.8.8.8:53 | lcmvhufpbmvm.info | udp |
| US | 8.8.8.8:53 | czsexcrsz.net | udp |
| US | 8.8.8.8:53 | abzbxov.net | udp |
| US | 8.8.8.8:53 | hjdhrg.net | udp |
| US | 8.8.8.8:53 | pxsrzfbyrb.net | udp |
| US | 8.8.8.8:53 | qcaequgeic.org | udp |
| US | 8.8.8.8:53 | moyeakwwwy.com | udp |
| US | 8.8.8.8:53 | ikkgis.org | udp |
| US | 8.8.8.8:53 | qkwsio.org | udp |
| US | 8.8.8.8:53 | znhwdz.net | udp |
| US | 8.8.8.8:53 | bsymfywaz.org | udp |
| US | 8.8.8.8:53 | oyyayiwqgoca.com | udp |
| US | 8.8.8.8:53 | xvdptslkxiz.com | udp |
| US | 8.8.8.8:53 | hubvonuqiv.net | udp |
| US | 8.8.8.8:53 | teaacdtqjap.net | udp |
| US | 8.8.8.8:53 | xcdedoiyntx.org | udp |
| US | 8.8.8.8:53 | tienvhthew.info | udp |
| US | 8.8.8.8:53 | iaalpcmmn.info | udp |
| US | 8.8.8.8:53 | zlkyakezzw.info | udp |
| US | 8.8.8.8:53 | qdzsmgtaoqke.net | udp |
| US | 8.8.8.8:53 | dmdkecdcs.com | udp |
| US | 8.8.8.8:53 | lshkvxocnrlv.net | udp |
| US | 8.8.8.8:53 | hyhmnkflblw.info | udp |
| US | 8.8.8.8:53 | xwqowmqjhuy.info | udp |
| US | 8.8.8.8:53 | uzbgztimzi.net | udp |
| US | 8.8.8.8:53 | xofohiy.info | udp |
| US | 8.8.8.8:53 | mgsesxycvnji.net | udp |
| US | 8.8.8.8:53 | ncrmjafuzox.net | udp |
| US | 8.8.8.8:53 | zlwspz.info | udp |
| US | 8.8.8.8:53 | mdainrbbifun.net | udp |
| US | 8.8.8.8:53 | qsstfc.info | udp |
| US | 8.8.8.8:53 | rhjymzrvfpfa.info | udp |
| US | 8.8.8.8:53 | rqxypenixyn.net | udp |
| US | 8.8.8.8:53 | bqhbbyxrovtb.info | udp |
| US | 8.8.8.8:53 | xslknk.info | udp |
| US | 8.8.8.8:53 | ssywwsui.com | udp |
| US | 8.8.8.8:53 | sgeackqiyiay.com | udp |
| US | 8.8.8.8:53 | sioagm.com | udp |
| US | 8.8.8.8:53 | zljcwgd.com | udp |
| US | 8.8.8.8:53 | ysdptmpha.info | udp |
| US | 8.8.8.8:53 | zozgcobcaq.net | udp |
| US | 8.8.8.8:53 | llvmzokob.com | udp |
| US | 8.8.8.8:53 | kcmnjaggo.net | udp |
| US | 8.8.8.8:53 | hjjakml.com | udp |
| US | 8.8.8.8:53 | zyyurshpril.net | udp |
| US | 8.8.8.8:53 | myvicvzmjk.net | udp |
| US | 8.8.8.8:53 | dcvygkv.org | udp |
| US | 8.8.8.8:53 | typlvezvn.info | udp |
| US | 8.8.8.8:53 | mybhjaeixx.net | udp |
| US | 8.8.8.8:53 | mvrlhhspnj.info | udp |
| US | 8.8.8.8:53 | fzpfvmb.info | udp |
| US | 8.8.8.8:53 | ewcreajalkq.info | udp |
| US | 8.8.8.8:53 | pubdtrzkyif.com | udp |
| US | 8.8.8.8:53 | mycapcbzhgtu.info | udp |
| US | 8.8.8.8:53 | iegemk.com | udp |
| US | 8.8.8.8:53 | seghjqrmn.net | udp |
| US | 8.8.8.8:53 | rxhxfw.net | udp |
| US | 8.8.8.8:53 | yylmheaeg.net | udp |
| US | 8.8.8.8:53 | dzcefi.info | udp |
| US | 8.8.8.8:53 | shvkoco.net | udp |
| US | 8.8.8.8:53 | qjfrtgwqbz.net | udp |
| US | 8.8.8.8:53 | zkykjxrhzafp.net | udp |
| US | 8.8.8.8:53 | ikvudf.net | udp |
| US | 8.8.8.8:53 | vkcxio.net | udp |
| US | 8.8.8.8:53 | mucyzopmo.net | udp |
| US | 8.8.8.8:53 | mstejdzjr.info | udp |
| US | 8.8.8.8:53 | lgtqrspfq.info | udp |
| US | 8.8.8.8:53 | mexsbsbhjgq.info | udp |
| US | 8.8.8.8:53 | ygmwckcc.com | udp |
| US | 8.8.8.8:53 | qobgxef.info | udp |
| US | 8.8.8.8:53 | zmlsdmvna.info | udp |
| US | 8.8.8.8:53 | uvcodihahbp.net | udp |
| US | 8.8.8.8:53 | rmhpbovsxorv.net | udp |
| US | 8.8.8.8:53 | wecmkkjurxz.net | udp |
| US | 8.8.8.8:53 | ylaxujjvpzdt.info | udp |
| US | 8.8.8.8:53 | gzvidaauuzl.info | udp |
| US | 8.8.8.8:53 | hlqltge.net | udp |
| US | 8.8.8.8:53 | vrnmeulxxmv.net | udp |
| US | 8.8.8.8:53 | mnyyga.info | udp |
| US | 8.8.8.8:53 | ahhvtmpmcwa.net | udp |
| US | 8.8.8.8:53 | nbaspelkhrv.info | udp |
| US | 8.8.8.8:53 | gmgosasg.com | udp |
| US | 8.8.8.8:53 | lkdrlnviek.net | udp |
| US | 8.8.8.8:53 | vlsqekixshcp.net | udp |
| US | 8.8.8.8:53 | kavvbszwrkr.net | udp |
| US | 8.8.8.8:53 | acrtztoja.net | udp |
| US | 8.8.8.8:53 | lpornixlxqvy.info | udp |
| US | 8.8.8.8:53 | iwwmiiga.org | udp |
| US | 8.8.8.8:53 | itocvu.info | udp |
| US | 8.8.8.8:53 | hqlhgrgalrjb.info | udp |
| US | 8.8.8.8:53 | gcwrksxc.net | udp |
| US | 8.8.8.8:53 | jgzbxllqdecg.net | udp |
| US | 8.8.8.8:53 | zqgfdebofb.info | udp |
| US | 8.8.8.8:53 | yefilmp.info | udp |
| US | 8.8.8.8:53 | xigozx.info | udp |
| US | 8.8.8.8:53 | wtigijfy.info | udp |
| US | 8.8.8.8:53 | fafsdrambjf.info | udp |
| US | 8.8.8.8:53 | asecuyemymyi.org | udp |
| US | 8.8.8.8:53 | ameyys.com | udp |
| US | 8.8.8.8:53 | zmrarczuld.net | udp |
| US | 8.8.8.8:53 | tirlgfehui.info | udp |
| US | 8.8.8.8:53 | qztwsvd.info | udp |
| US | 8.8.8.8:53 | ccsutuzor.net | udp |
| US | 8.8.8.8:53 | dwpkzhv.com | udp |
| US | 8.8.8.8:53 | vsksierqjss.net | udp |
| US | 8.8.8.8:53 | stbglfrn.net | udp |
| US | 8.8.8.8:53 | wigyqqsmsceg.org | udp |
| US | 8.8.8.8:53 | ipusvbgbzw.net | udp |
| US | 8.8.8.8:53 | rltwexojzn.net | udp |
| US | 8.8.8.8:53 | zrpvpvrnly.net | udp |
| US | 8.8.8.8:53 | pyifqlvg.net | udp |
| US | 8.8.8.8:53 | yuuiomoyyy.org | udp |
| US | 8.8.8.8:53 | dayucgzmwkv.net | udp |
| US | 8.8.8.8:53 | irnfhoxpsbt.net | udp |
| US | 8.8.8.8:53 | kaudws.net | udp |
| US | 8.8.8.8:53 | wuybayvsmwt.info | udp |
| US | 8.8.8.8:53 | cbnbwgspb.net | udp |
| US | 8.8.8.8:53 | ygkiqkicik.org | udp |
| US | 8.8.8.8:53 | dedylft.net | udp |
| US | 8.8.8.8:53 | qisakqeiecqu.org | udp |
| US | 8.8.8.8:53 | saqupjmfylgx.net | udp |
| US | 8.8.8.8:53 | umgsswzkjb.info | udp |
| US | 8.8.8.8:53 | yguoyhhqrtl.net | udp |
| US | 8.8.8.8:53 | iggcfwpytwa.net | udp |
| US | 8.8.8.8:53 | uojatso.net | udp |
| US | 8.8.8.8:53 | rhrrzodshs.net | udp |
| US | 8.8.8.8:53 | zmviuqc.net | udp |
| US | 8.8.8.8:53 | clxkfijkxyb.net | udp |
| US | 8.8.8.8:53 | mzfipwlwrruo.info | udp |
| US | 8.8.8.8:53 | tuaxjj.net | udp |
| US | 8.8.8.8:53 | fgoavq.net | udp |
| US | 8.8.8.8:53 | qcouhxo.net | udp |
| US | 8.8.8.8:53 | vfjbjoxqsqd.org | udp |
| US | 8.8.8.8:53 | jdtgtz.info | udp |
| US | 8.8.8.8:53 | tvkintp.com | udp |
| US | 8.8.8.8:53 | fljidww.com | udp |
| US | 8.8.8.8:53 | vmqzqdvpyzll.info | udp |
| US | 8.8.8.8:53 | vkylhtylchns.net | udp |
| US | 8.8.8.8:53 | enzdtojn.net | udp |
| US | 8.8.8.8:53 | ealvofqh.net | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hqddoevgppp.info | udp |
| US | 8.8.8.8:53 | ushkxbyxdgg.net | udp |
| US | 8.8.8.8:53 | cmxaggh.info | udp |
| US | 8.8.8.8:53 | oerqjerjjued.info | udp |
| US | 8.8.8.8:53 | jalkbr.info | udp |
| US | 8.8.8.8:53 | yfjtbb.net | udp |
| US | 8.8.8.8:53 | kcqewgmikq.com | udp |
| US | 8.8.8.8:53 | zeiezcy.com | udp |
| US | 8.8.8.8:53 | cesedkbgdwf.info | udp |
| US | 8.8.8.8:53 | ritcvvzszh.info | udp |
| US | 8.8.8.8:53 | nwncjub.net | udp |
| US | 8.8.8.8:53 | cqbctiqnrpkq.info | udp |
| US | 8.8.8.8:53 | zzfybuxb.info | udp |
| US | 8.8.8.8:53 | dllcgyyp.net | udp |
| US | 8.8.8.8:53 | maltyz.net | udp |
| US | 8.8.8.8:53 | nunydcr.info | udp |
| US | 8.8.8.8:53 | uwbmlmv.net | udp |
| US | 8.8.8.8:53 | usztsauxtyh.net | udp |
| US | 8.8.8.8:53 | dqgbxjzi.net | udp |
| US | 8.8.8.8:53 | mgaiyksyai.com | udp |
| US | 8.8.8.8:53 | akrafm.net | udp |
| US | 8.8.8.8:53 | bktpfwsl.net | udp |
| US | 8.8.8.8:53 | lnnmvfvwzyrv.info | udp |
| US | 8.8.8.8:53 | sylvobemyo.net | udp |
| US | 8.8.8.8:53 | qqsaauqoes.com | udp |
| US | 8.8.8.8:53 | iplqdlbmaiyt.info | udp |
| US | 8.8.8.8:53 | jmeoksvnbqb.info | udp |
| US | 8.8.8.8:53 | ygfixowaz.net | udp |
| US | 8.8.8.8:53 | oczmxi.net | udp |
| HK | 156.237.207.232:80 | yeseee.com | tcp |
| US | 8.8.8.8:53 | gwrpxydgrih.net | udp |
| US | 8.8.8.8:53 | xpyqdkxjfdqz.net | udp |
| US | 8.8.8.8:53 | qkharfxnfm.net | udp |
| US | 8.8.8.8:53 | jupejihn.info | udp |
| US | 8.8.8.8:53 | wihsdoxslhit.info | udp |
| US | 8.8.8.8:53 | taxsnux.com | udp |
| US | 8.8.8.8:53 | sffcrqzy.net | udp |
| US | 8.8.8.8:53 | wrclinyubwwb.info | udp |
| US | 8.8.8.8:53 | iwlpzasaqq.net | udp |
| US | 8.8.8.8:53 | reepmyiozztu.info | udp |
| US | 8.8.8.8:53 | bakfznqyjrsl.net | udp |
| US | 8.8.8.8:53 | wfvgzqiev.net | udp |
| US | 8.8.8.8:53 | luompddplgp.info | udp |
| US | 8.8.8.8:53 | dgmbma.info | udp |
| US | 8.8.8.8:53 | tsxauoqgjzf.net | udp |
| US | 8.8.8.8:53 | vliuakjt.info | udp |
| US | 8.8.8.8:53 | dqgihaaagkt.net | udp |
| US | 8.8.8.8:53 | 232.207.237.156.in-addr.arpa | udp |
| US | 8.8.8.8:53 | beklnku.com | udp |
| US | 8.8.8.8:53 | hircyjxzd.com | udp |
| US | 8.8.8.8:53 | otjjaic.net | udp |
| US | 8.8.8.8:53 | dcebgr.info | udp |
| US | 8.8.8.8:53 | nicxrmrxya.net | udp |
| US | 8.8.8.8:53 | uycaau.org | udp |
| US | 8.8.8.8:53 | pripvdai.net | udp |
| US | 8.8.8.8:53 | pxboiequk.net | udp |
| US | 8.8.8.8:53 | ibndnkpkk.net | udp |
| US | 8.8.8.8:53 | dxmaeadqtspu.net | udp |
| US | 8.8.8.8:53 | qmvygc.net | udp |
| US | 8.8.8.8:53 | oqcvhvzm.info | udp |
| US | 8.8.8.8:53 | cgqcssei.org | udp |
| US | 8.8.8.8:53 | pfdwrmr.com | udp |
| US | 8.8.8.8:53 | vdinsezipu.net | udp |
| US | 8.8.8.8:53 | jmpdwce.com | udp |
| US | 8.8.8.8:53 | jzhuzwporqfn.info | udp |
| US | 8.8.8.8:53 | rvmonfphd.org | udp |
| US | 8.8.8.8:53 | yovdhgwvh.net | udp |
| US | 8.8.8.8:53 | egoewyik.org | udp |
| US | 8.8.8.8:53 | mfxmirp.net | udp |
| US | 8.8.8.8:53 | cnsqroz.net | udp |
| US | 8.8.8.8:53 | iacmrpnoa.info | udp |
| US | 8.8.8.8:53 | fsafpo.info | udp |
| US | 8.8.8.8:53 | bcksphj.net | udp |
| US | 8.8.8.8:53 | lafqxmoqvsn.net | udp |
| US | 8.8.8.8:53 | rinafjymzbe.com | udp |
| US | 8.8.8.8:53 | xanwqkg.info | udp |
| US | 8.8.8.8:53 | zyxnxadigeg.org | udp |
| US | 8.8.8.8:53 | eassyeyy.com | udp |
| US | 8.8.8.8:53 | rqdkyeowgcx.net | udp |
| US | 8.8.8.8:53 | jvqhbkf.net | udp |
| US | 8.8.8.8:53 | xygbdoqlv.org | udp |
| US | 8.8.8.8:53 | dwbihonftk.info | udp |
| US | 8.8.8.8:53 | vskrxsu.org | udp |
| US | 8.8.8.8:53 | fofcgchur.net | udp |
| US | 8.8.8.8:53 | cuvrmof.info | udp |
| US | 8.8.8.8:53 | kmaocqew.org | udp |
| US | 8.8.8.8:53 | rwprwj.net | udp |
| US | 8.8.8.8:53 | zkxefdmqpkh.info | udp |
| US | 8.8.8.8:53 | nedyyvdlptlz.net | udp |
| US | 8.8.8.8:53 | hjjpwxvm.net | udp |
| US | 8.8.8.8:53 | icaijmduf.net | udp |
| US | 8.8.8.8:53 | vbwkktnk.net | udp |
| US | 8.8.8.8:53 | mpluixlvjb.net | udp |
| US | 8.8.8.8:53 | ilwsfnkqlckb.info | udp |
| US | 8.8.8.8:53 | abcjvqzufpmg.info | udp |
| US | 8.8.8.8:53 | oykqmo.com | udp |
| US | 8.8.8.8:53 | syfzstfcq.net | udp |
| US | 8.8.8.8:53 | kiqgwguueq.com | udp |
| US | 8.8.8.8:53 | tqneabbadms.net | udp |
| US | 8.8.8.8:53 | cnqmjmasvcv.net | udp |
| US | 8.8.8.8:53 | cfwjbujktq.info | udp |
| US | 8.8.8.8:53 | nersuqqh.info | udp |
| US | 8.8.8.8:53 | aouiogwg.org | udp |
| US | 8.8.8.8:53 | uaokqwgc.org | udp |
| US | 8.8.8.8:53 | kmntncwkb.info | udp |
| US | 8.8.8.8:53 | tuhfdgfqt.info | udp |
| US | 8.8.8.8:53 | bwcvcnmjtl.net | udp |
| US | 8.8.8.8:53 | stfhbwifvy.info | udp |
| US | 8.8.8.8:53 | fgyojpnggd.info | udp |
| US | 8.8.8.8:53 | uihitixcrmr.info | udp |
| US | 8.8.8.8:53 | ayacaaqqmigw.org | udp |
| US | 8.8.8.8:53 | pcfsnbks.net | udp |
| US | 8.8.8.8:53 | xiswyrvloa.net | udp |
| US | 8.8.8.8:53 | kfuxge.info | udp |
| US | 8.8.8.8:53 | qkpavcu.info | udp |
| US | 8.8.8.8:53 | efdlohhy.info | udp |
| US | 8.8.8.8:53 | vbvphiotr.net | udp |
| US | 8.8.8.8:53 | qirctsxecgr.info | udp |
| US | 8.8.8.8:53 | zitiqkxzo.info | udp |
| US | 8.8.8.8:53 | pohyzgs.net | udp |
| US | 8.8.8.8:53 | finkwch.org | udp |
| US | 8.8.8.8:53 | lkxojglutjz.com | udp |
| US | 8.8.8.8:53 | dsvejwvkb.com | udp |
| US | 8.8.8.8:53 | ixvdzszbb.info | udp |
| US | 8.8.8.8:53 | bgdqgf.net | udp |
| US | 8.8.8.8:53 | jzvdzqtkfsb.net | udp |
| US | 8.8.8.8:53 | owiueb.net | udp |
| US | 8.8.8.8:53 | szgsjsiqx.net | udp |
| US | 8.8.8.8:53 | cgkcui.org | udp |
| US | 8.8.8.8:53 | ypkkjpgu.info | udp |
| US | 8.8.8.8:53 | bdswzapmhep.org | udp |
| US | 8.8.8.8:53 | lrzbvelewq.net | udp |
| US | 8.8.8.8:53 | yilpmh.info | udp |
| US | 8.8.8.8:53 | ycxvrvto.info | udp |
| US | 8.8.8.8:53 | cklixmnyh.info | udp |
| US | 8.8.8.8:53 | xtpvvtdscp.net | udp |
| US | 8.8.8.8:53 | aafteqj.info | udp |
| US | 8.8.8.8:53 | eqwkxorsw.net | udp |
| US | 8.8.8.8:53 | amvbrfhisy.info | udp |
| US | 8.8.8.8:53 | xuvqwefbwnnd.net | udp |
| US | 8.8.8.8:53 | kewccc.org | udp |
| US | 8.8.8.8:53 | rzzqkof.com | udp |
| US | 8.8.8.8:53 | mcamskrhz.info | udp |
| US | 8.8.8.8:53 | sbablr.net | udp |
| US | 8.8.8.8:53 | mbbmtzygvjm.net | udp |
| US | 8.8.8.8:53 | mmmygcbl.info | udp |
| US | 8.8.8.8:53 | zsnkgzndrcr.org | udp |
| US | 8.8.8.8:53 | aubgzylblcd.info | udp |
| US | 8.8.8.8:53 | julxeotyhf.info | udp |
| US | 8.8.8.8:53 | tcbaruxybut.info | udp |
| US | 8.8.8.8:53 | ggpitvtrfo.info | udp |
| US | 8.8.8.8:53 | uacoqg.org | udp |
| US | 8.8.8.8:53 | oyocskcy.com | udp |
| US | 8.8.8.8:53 | nedoxetzar.info | udp |
| US | 8.8.8.8:53 | okmckikakg.com | udp |
| US | 8.8.8.8:53 | xcjowdreaa.net | udp |
| US | 8.8.8.8:53 | unpudkvtcsmq.info | udp |
| US | 8.8.8.8:53 | rcrcrbxww.net | udp |
| US | 8.8.8.8:53 | zewutfwnnky.net | udp |
| US | 8.8.8.8:53 | ckswwyye.org | udp |
| US | 8.8.8.8:53 | fypgcfia.info | udp |
| US | 8.8.8.8:53 | tiaeuvqt.net | udp |
| US | 8.8.8.8:53 | iupnxii.info | udp |
| US | 8.8.8.8:53 | ocmwkuug.com | udp |
| US | 8.8.8.8:53 | ekuqfjygo.info | udp |
| US | 8.8.8.8:53 | pyjuxpj.info | udp |
| US | 8.8.8.8:53 | oabggajzr.net | udp |
| US | 8.8.8.8:53 | tcnoictbpxwr.net | udp |
| US | 8.8.8.8:53 | erhypkzrn.net | udp |
| US | 8.8.8.8:53 | ereide.net | udp |
| US | 8.8.8.8:53 | nrkcjqrhycb.net | udp |
| US | 8.8.8.8:53 | ljtdmt.info | udp |
| US | 8.8.8.8:53 | mlfcdejcu.net | udp |
| US | 8.8.8.8:53 | pgumiizmg.net | udp |
| US | 8.8.8.8:53 | vckeie.net | udp |
| US | 8.8.8.8:53 | evakbpwlgsou.info | udp |
| US | 8.8.8.8:53 | swqagykogusi.org | udp |
| US | 8.8.8.8:53 | dvjbqcwr.net | udp |
| US | 8.8.8.8:53 | cmfwhshup.net | udp |
| US | 8.8.8.8:53 | dwsikogj.info | udp |
| US | 8.8.8.8:53 | hsxotfiifvj.org | udp |
| US | 8.8.8.8:53 | xlqwso.info | udp |
| US | 8.8.8.8:53 | dhioxsr.info | udp |
| US | 8.8.8.8:53 | kpvidqrwtqhx.net | udp |
| US | 8.8.8.8:53 | igmnvbk.net | udp |
| US | 8.8.8.8:53 | xgnijggfclh.com | udp |
| US | 8.8.8.8:53 | enhkjg.net | udp |
| US | 8.8.8.8:53 | qryuvntcdum.info | udp |
| US | 8.8.8.8:53 | nnycbrtaroy.com | udp |
| US | 8.8.8.8:53 | opbqcw.info | udp |
| US | 8.8.8.8:53 | xbtukk.info | udp |
| US | 8.8.8.8:53 | xykijz.info | udp |
| US | 8.8.8.8:53 | nmlmtevvo.info | udp |
| US | 8.8.8.8:53 | azvutebjec.net | udp |
| US | 8.8.8.8:53 | yieqldvgn.net | udp |
| US | 8.8.8.8:53 | wixavay.net | udp |
| US | 8.8.8.8:53 | wsyqzjzsjih.info | udp |
| US | 8.8.8.8:53 | byjodkzkfyl.com | udp |
| US | 8.8.8.8:53 | iuecpck.info | udp |
| US | 8.8.8.8:53 | eyhsvhpvq.net | udp |
| US | 8.8.8.8:53 | ltaldgalhggs.info | udp |
| US | 8.8.8.8:53 | ltnavcbkj.com | udp |
| US | 8.8.8.8:53 | bsgylclcjkx.net | udp |
| US | 8.8.8.8:53 | utoxqqqozaar.net | udp |
| US | 8.8.8.8:53 | hfgkacxqinla.net | udp |
| US | 8.8.8.8:53 | pkbpbyz.org | udp |
| US | 8.8.8.8:53 | sqgnol.net | udp |
| US | 8.8.8.8:53 | kcakoqui.com | udp |
| US | 8.8.8.8:53 | wgoaes.org | udp |
| US | 8.8.8.8:53 | xizjfuqnvubh.info | udp |
| US | 8.8.8.8:53 | azdnlsvyvgx.net | udp |
| US | 8.8.8.8:53 | iusiogeeos.org | udp |
| US | 8.8.8.8:53 | hmfhrulow.net | udp |
| US | 8.8.8.8:53 | miweegyg.com | udp |
| US | 8.8.8.8:53 | mnvffk.net | udp |
| US | 8.8.8.8:53 | lrowcjkt.net | udp |
| US | 8.8.8.8:53 | clrzcqly.net | udp |
| US | 8.8.8.8:53 | ubuczev.net | udp |
| US | 8.8.8.8:53 | tnyupynl.info | udp |
| US | 8.8.8.8:53 | tdfzviuv.info | udp |
| US | 8.8.8.8:53 | rqtuscv.com | udp |
| US | 8.8.8.8:53 | pizezzo.info | udp |
| US | 8.8.8.8:53 | ywvvrp.net | udp |
| US | 8.8.8.8:53 | jyrlymtf.net | udp |
| US | 8.8.8.8:53 | eiwuhmjet.net | udp |
| US | 8.8.8.8:53 | dlroaip.net | udp |
| US | 8.8.8.8:53 | cyvylfmsn.net | udp |
| US | 8.8.8.8:53 | fjswfmxs.net | udp |
| US | 8.8.8.8:53 | bepapexyfzc.info | udp |
| US | 8.8.8.8:53 | wsgxjkdiadf.net | udp |
| US | 8.8.8.8:53 | fyimvdv.net | udp |
| US | 8.8.8.8:53 | qdjzdqtshn.net | udp |
| US | 8.8.8.8:53 | ggiyck.org | udp |
| US | 8.8.8.8:53 | mmpmxeedp.info | udp |
| US | 8.8.8.8:53 | zyqkhyu.info | udp |
| US | 8.8.8.8:53 | wvnuagbghl.info | udp |
| US | 8.8.8.8:53 | vanjpyu.com | udp |
| US | 8.8.8.8:53 | eupzpmqczul.net | udp |
| US | 8.8.8.8:53 | memaiyym.org | udp |
| US | 8.8.8.8:53 | sjqyutdtcpjr.net | udp |
| US | 8.8.8.8:53 | dvdizxagkjvz.net | udp |
| US | 8.8.8.8:53 | oklwmhsexc.net | udp |
| US | 8.8.8.8:53 | rofmqcayo.org | udp |
| US | 8.8.8.8:53 | sepotsvcd.net | udp |
| US | 8.8.8.8:53 | ugdmtph.net | udp |
| US | 8.8.8.8:53 | qadleal.net | udp |
| US | 8.8.8.8:53 | wuicuco.net | udp |
| US | 8.8.8.8:53 | ywzmddn.info | udp |
| US | 8.8.8.8:53 | wgsemaqcqokk.com | udp |
| US | 8.8.8.8:53 | rqfkbmmuifl.net | udp |
| US | 8.8.8.8:53 | ywbmxtjsfezl.info | udp |
| US | 8.8.8.8:53 | kmrhzz.info | udp |
| US | 8.8.8.8:53 | icsapopgc.net | udp |
| US | 8.8.8.8:53 | ktjcvmuudb.info | udp |
| US | 8.8.8.8:53 | aloweqfabdt.info | udp |
| US | 8.8.8.8:53 | ygaayqgs.com | udp |
| US | 8.8.8.8:53 | kycqsykmcq.org | udp |
| US | 8.8.8.8:53 | ifmudfiiiw.info | udp |
| US | 8.8.8.8:53 | vmicpcytqyd.net | udp |
| US | 8.8.8.8:53 | nfnbtvjlrbvx.info | udp |
| US | 8.8.8.8:53 | rgyypnb.info | udp |
| US | 8.8.8.8:53 | ssmxzo.info | udp |
| US | 8.8.8.8:53 | tysudchmvsu.org | udp |
| US | 8.8.8.8:53 | rkcskjpolis.info | udp |
| US | 8.8.8.8:53 | tboyrtniuyn.net | udp |
| US | 8.8.8.8:53 | hppgptbmvgm.com | udp |
| US | 8.8.8.8:53 | dkhebsdcp.com | udp |
| US | 8.8.8.8:53 | efvtvci.info | udp |
| US | 8.8.8.8:53 | hrgdrvntub.net | udp |
| US | 8.8.8.8:53 | macuaiyeuqqe.org | udp |
| US | 8.8.8.8:53 | qciscqym.org | udp |
| US | 8.8.8.8:53 | ncpkouyhgkyi.info | udp |
| US | 8.8.8.8:53 | yejcqmdyrgw.info | udp |
| US | 8.8.8.8:53 | iqjkiytxpcb.net | udp |
| US | 8.8.8.8:53 | haddjeg.net | udp |
| US | 8.8.8.8:53 | sezygcvjx.info | udp |
| US | 8.8.8.8:53 | pmmqkjlutxq.org | udp |
| US | 8.8.8.8:53 | mwycqayuwe.com | udp |
| US | 8.8.8.8:53 | pprqiztobhe.info | udp |
| US | 8.8.8.8:53 | ckgqqyaw.com | udp |
| US | 8.8.8.8:53 | mutctc.net | udp |
| US | 8.8.8.8:53 | fcxwlja.org | udp |
| US | 8.8.8.8:53 | fvljsbupim.net | udp |
| US | 8.8.8.8:53 | seratzjan.net | udp |
| US | 8.8.8.8:53 | ymwaci.com | udp |
| US | 8.8.8.8:53 | atpsjmvhsmb.net | udp |
| US | 8.8.8.8:53 | hbnsjaf.info | udp |
| US | 8.8.8.8:53 | fcsaaehep.org | udp |
| US | 8.8.8.8:53 | haykczjcdyz.net | udp |
| US | 8.8.8.8:53 | hmzuogpis.info | udp |
| US | 8.8.8.8:53 | vbbmbovbv.org | udp |
| US | 8.8.8.8:53 | yhflzdqvid.info | udp |
| US | 8.8.8.8:53 | dewgvrjsbws.org | udp |
| US | 8.8.8.8:53 | tqazjgqoftf.org | udp |
| US | 8.8.8.8:53 | qwgtkkwxoej.net | udp |
| US | 8.8.8.8:53 | jmkhxsovbtdk.net | udp |
| US | 8.8.8.8:53 | zcvzbetsz.net | udp |
| US | 8.8.8.8:53 | bniybxlosz.info | udp |
| US | 8.8.8.8:53 | bjezpsjn.info | udp |
| US | 8.8.8.8:53 | eazerazey.net | udp |
| US | 8.8.8.8:53 | gkakhqr.net | udp |
| US | 8.8.8.8:53 | suokgkay.com | udp |
| US | 8.8.8.8:53 | cntgdlxcide.net | udp |
| US | 8.8.8.8:53 | mbmmyahou.info | udp |
| US | 8.8.8.8:53 | awojurap.info | udp |
| US | 8.8.8.8:53 | bbcyofnf.net | udp |
| US | 8.8.8.8:53 | dhxljkpvtpvm.info | udp |
| US | 8.8.8.8:53 | cydnzcjqzgl.net | udp |
| US | 8.8.8.8:53 | duixpqj.org | udp |
| US | 8.8.8.8:53 | waryzcdkowz.info | udp |
| US | 8.8.8.8:53 | vhveha.info | udp |
| US | 8.8.8.8:53 | eklabunbl.net | udp |
| US | 8.8.8.8:53 | zyegdrecqf.net | udp |
| US | 8.8.8.8:53 | cplerrz.info | udp |
| US | 8.8.8.8:53 | ymbczcvan.net | udp |
| US | 8.8.8.8:53 | sqqumgekumeo.org | udp |
| US | 8.8.8.8:53 | nuvqiefaviq.net | udp |
| US | 8.8.8.8:53 | vgjqhypit.net | udp |
| US | 8.8.8.8:53 | ctecojhb.info | udp |
| US | 8.8.8.8:53 | mqdujgx.info | udp |
| US | 8.8.8.8:53 | meumgzpu.info | udp |
| US | 8.8.8.8:53 | dynwhaprh.net | udp |
| US | 8.8.8.8:53 | ufbvrjgbvzfm.net | udp |
| US | 8.8.8.8:53 | mjthqrqk.net | udp |
| US | 8.8.8.8:53 | muztrnpnxfmb.info | udp |
| US | 8.8.8.8:53 | dnpxjwiyjzhb.info | udp |
| US | 8.8.8.8:53 | aaaqls.net | udp |
| US | 8.8.8.8:53 | fshhtxpue.org | udp |
| US | 8.8.8.8:53 | eqrkrktuhkd.info | udp |
| US | 8.8.8.8:53 | hrwghseuhdl.com | udp |
| US | 8.8.8.8:53 | lytuefatnbnu.net | udp |
| US | 8.8.8.8:53 | turinbssq.info | udp |
| US | 8.8.8.8:53 | ukwkagwkcska.com | udp |
| US | 8.8.8.8:53 | mgxcfovmrsu.net | udp |
| US | 8.8.8.8:53 | cnawber.net | udp |
| US | 8.8.8.8:53 | lnnvbcdyf.com | udp |
| US | 8.8.8.8:53 | kwowieuykucg.org | udp |
| US | 8.8.8.8:53 | pgufemvsvhj.org | udp |
| US | 8.8.8.8:53 | ksqgtux.info | udp |
| US | 8.8.8.8:53 | liuuaaf.com | udp |
| US | 8.8.8.8:53 | rrzimfainos.net | udp |
| US | 8.8.8.8:53 | ewdgfkcwjyw.net | udp |
| US | 8.8.8.8:53 | javjpwoegkbc.info | udp |
| US | 8.8.8.8:53 | hiaslst.org | udp |
| US | 8.8.8.8:53 | jczubghuf.com | udp |
| US | 8.8.8.8:53 | geuiwqsgwukw.org | udp |
| US | 8.8.8.8:53 | uylgmmp.net | udp |
| US | 8.8.8.8:53 | oahzbczz.info | udp |
| US | 8.8.8.8:53 | ozlgdwvyh.net | udp |
| US | 8.8.8.8:53 | fwlykwmlex.net | udp |
| US | 8.8.8.8:53 | wuvbhkdcq.net | udp |
| US | 8.8.8.8:53 | seckugai.org | udp |
| US | 8.8.8.8:53 | bsxjofye.info | udp |
| US | 8.8.8.8:53 | bcvczypfjat.com | udp |
| US | 8.8.8.8:53 | thxcpapcihok.info | udp |
| US | 8.8.8.8:53 | qylwnyduxed.net | udp |
| US | 8.8.8.8:53 | llmtynj.com | udp |
| US | 8.8.8.8:53 | yqmiacco.com | udp |
| US | 8.8.8.8:53 | udzelcyzy.info | udp |
| US | 8.8.8.8:53 | dngfrgoifb.info | udp |
| US | 8.8.8.8:53 | xtiukyhfeb.net | udp |
| US | 8.8.8.8:53 | elzyfuzghpx.info | udp |
| US | 8.8.8.8:53 | gqgmqyqimq.org | udp |
| US | 8.8.8.8:53 | gaocuwugqycq.com | udp |
| US | 8.8.8.8:53 | kkgskij.info | udp |
| US | 8.8.8.8:53 | eklqjdouo.info | udp |
| US | 8.8.8.8:53 | zusvgwqr.info | udp |
| US | 8.8.8.8:53 | ltmundpr.info | udp |
| US | 8.8.8.8:53 | iwkyak.com | udp |
| US | 8.8.8.8:53 | nwowokqtbgnl.info | udp |
| US | 8.8.8.8:53 | hthmoieetmxp.info | udp |
| US | 8.8.8.8:53 | baiizeh.com | udp |
| US | 8.8.8.8:53 | htaglefc.info | udp |
| US | 8.8.8.8:53 | ganqnaf.net | udp |
| US | 8.8.8.8:53 | pqvtwxnx.info | udp |
| US | 8.8.8.8:53 | gfweiy.info | udp |
| US | 8.8.8.8:53 | deyhwh.info | udp |
| US | 8.8.8.8:53 | wglxbeyixsg.info | udp |
| US | 8.8.8.8:53 | iwvjpg.net | udp |
| US | 8.8.8.8:53 | tzeymkpb.info | udp |
| US | 8.8.8.8:53 | nmxehosgj.org | udp |
| US | 8.8.8.8:53 | leqwbjbs.net | udp |
| US | 8.8.8.8:53 | zxbhbwp.com | udp |
| US | 8.8.8.8:53 | wvhiplldjb.net | udp |
| US | 8.8.8.8:53 | puqpxriibrly.net | udp |
| US | 8.8.8.8:53 | aogobal.info | udp |
| US | 8.8.8.8:53 | vhcevh.info | udp |
| US | 8.8.8.8:53 | swgcfgv.info | udp |
| US | 8.8.8.8:53 | gudechrg.info | udp |
| US | 8.8.8.8:53 | kolodajlv.net | udp |
| US | 8.8.8.8:53 | besiowltbt.info | udp |
| US | 8.8.8.8:53 | mkqkgq.org | udp |
| US | 8.8.8.8:53 | ztqdje.info | udp |
| US | 8.8.8.8:53 | spunvzsvakuj.net | udp |
| US | 8.8.8.8:53 | oyhyscz.info | udp |
| US | 8.8.8.8:53 | nqldnkf.com | udp |
| US | 8.8.8.8:53 | hxwghymhtm.info | udp |
| US | 8.8.8.8:53 | ngzaxftft.info | udp |
| US | 8.8.8.8:53 | scvcxn.info | udp |
| US | 8.8.8.8:53 | psjgnfdmjwx.net | udp |
| US | 8.8.8.8:53 | osbtam.net | udp |
| US | 8.8.8.8:53 | hqtkymx.org | udp |
| US | 8.8.8.8:53 | wsgrvobrq.net | udp |
| US | 8.8.8.8:53 | mlywvbhy.net | udp |
| DE | 85.214.228.140:80 | kavtbvqf.info | tcp |
| US | 8.8.8.8:53 | zuxejnv.info | udp |
| US | 54.244.188.177:80 | sejibalqxar.net | tcp |
| US | 8.8.8.8:53 | nujmtindoh.info | udp |
| US | 8.8.8.8:53 | eqlqhsu.net | udp |
| US | 8.8.8.8:53 | egskgowc.org | udp |
| US | 8.8.8.8:53 | owemucks.org | udp |
| US | 208.100.26.245:80 | egksyqv.info | tcp |
| US | 8.8.8.8:53 | uewyyocemu.org | udp |
| US | 8.8.8.8:53 | esuguqmssa.com | udp |
| US | 8.8.8.8:53 | qmhfkrviqp.info | udp |
| US | 8.8.8.8:53 | xanujykdioit.info | udp |
| US | 8.8.8.8:53 | ornkdyvmdjx.info | udp |
| US | 8.8.8.8:53 | pegjgcnafir.info | udp |
| US | 8.8.8.8:53 | pnfmjmvwlcx.org | udp |
| US | 8.8.8.8:53 | wbqprunbyhgq.net | udp |
| US | 8.8.8.8:53 | wclkqrqe.net | udp |
| US | 8.8.8.8:53 | nntasqfztalr.net | udp |
| US | 8.8.8.8:53 | mgcias.com | udp |
| US | 8.8.8.8:53 | hmobnvtgcvsp.info | udp |
| US | 8.8.8.8:53 | avsrqpxkbz.net | udp |
| US | 8.8.8.8:53 | tilmejkgujt.org | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vqhclzq.org | udp |
| US | 8.8.8.8:53 | ssbihypcx.info | udp |
| US | 8.8.8.8:53 | twtszxmita.net | udp |
| US | 8.8.8.8:53 | usqumg.org | udp |
| US | 8.8.8.8:53 | tsnmbypuq.org | udp |
| US | 8.8.8.8:53 | mrbhwa.info | udp |
| US | 8.8.8.8:53 | xerqiiou.net | udp |
| US | 8.8.8.8:53 | nzykhiwm.info | udp |
| US | 8.8.8.8:53 | wslwlgx.info | udp |
| US | 8.8.8.8:53 | miokgksskwum.com | udp |
| US | 8.8.8.8:53 | gtzrnb.net | udp |
| US | 8.8.8.8:53 | urpebsd.net | udp |
| US | 8.8.8.8:53 | nqzetqp.com | udp |
| US | 8.8.8.8:53 | hghtpojvfrvq.net | udp |
| US | 8.8.8.8:53 | zlyyorpkkiwh.info | udp |
| US | 8.8.8.8:53 | havbtylo.net | udp |
| US | 8.8.8.8:53 | yoagki.com | udp |
| US | 8.8.8.8:53 | sywgqwuu.com | udp |
| US | 8.8.8.8:53 | rmnmaithp.net | udp |
| US | 8.8.8.8:53 | nbjrecsg.net | udp |
| US | 8.8.8.8:53 | myocswemuq.org | udp |
| US | 8.8.8.8:53 | goqaii.com | udp |
| US | 8.8.8.8:53 | gojujyqwlln.net | udp |
| US | 8.8.8.8:53 | crhwdnbpv.net | udp |
| US | 8.8.8.8:53 | catdtirlxee.net | udp |
| US | 8.8.8.8:53 | kahxpoborph.net | udp |
| US | 8.8.8.8:53 | tpgznk.net | udp |
| US | 8.8.8.8:53 | eqdgxtrjvgr.info | udp |
| US | 8.8.8.8:53 | gotqpsxeq.net | udp |
| US | 8.8.8.8:53 | ielgkn.info | udp |
| US | 8.8.8.8:53 | lhyrlybqsqch.net | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | luxizqjdxmty.info | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | ekuedqrcp.info | udp |
| US | 8.8.8.8:53 | pqvmfwcox.info | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | ndfuswhwpc.info | udp |
| US | 8.8.8.8:53 | bzjoqrtyb.info | udp |
| US | 8.8.8.8:53 | fwfunja.info | udp |
| US | 8.8.8.8:53 | vljgbupsl.net | udp |
| US | 8.8.8.8:53 | vdvxieszmhfp.info | udp |
| US | 8.8.8.8:53 | gmesqmckoyke.org | udp |
| US | 8.8.8.8:53 | qpejngowavjy.info | udp |
| US | 8.8.8.8:53 | zoxadhrur.com | udp |
| US | 8.8.8.8:53 | xgvubkkwk.net | udp |
| US | 8.8.8.8:53 | akyoaamowu.org | udp |
| US | 8.8.8.8:53 | rsdimkh.com | udp |
| US | 8.8.8.8:53 | lcbsfiyyz.com | udp |
| US | 8.8.8.8:53 | haimrezv.net | udp |
| US | 8.8.8.8:53 | dmbealkee.net | udp |
| US | 8.8.8.8:53 | uatsjrt.net | udp |
| US | 8.8.8.8:53 | zayymrktaj.net | udp |
| US | 8.8.8.8:53 | ibmkuvfttvtt.info | udp |
| US | 8.8.8.8:53 | lyjgdwtqjg.info | udp |
| US | 8.8.8.8:53 | yqiweowi.com | udp |
| US | 8.8.8.8:53 | wcjktahtms.info | udp |
| US | 8.8.8.8:53 | skjsavtulcg.info | udp |
| US | 8.8.8.8:53 | fthixlwh.info | udp |
| US | 8.8.8.8:53 | fszehlnx.net | udp |
| US | 8.8.8.8:53 | sdbkpc.net | udp |
| US | 8.8.8.8:53 | skguocey.org | udp |
| US | 8.8.8.8:53 | sqimiwaa.com | udp |
| US | 8.8.8.8:53 | ymuewofcf.net | udp |
| US | 8.8.8.8:53 | jkdcdyf.com | udp |
| US | 8.8.8.8:53 | amdrjnvymzd.net | udp |
| US | 8.8.8.8:53 | snlzpz.info | udp |
| US | 8.8.8.8:53 | ougqga.org | udp |
| US | 8.8.8.8:53 | gfuvwmjpgb.net | udp |
| US | 8.8.8.8:53 | ubhqdgmujci.info | udp |
| US | 8.8.8.8:53 | pvbhnu.net | udp |
| US | 8.8.8.8:53 | ioywaqei.com | udp |
| US | 8.8.8.8:53 | dggaosyre.org | udp |
| US | 8.8.8.8:53 | lemibrxund.info | udp |
| US | 8.8.8.8:53 | sxoabqtuaol.net | udp |
| US | 8.8.8.8:53 | tpsnlxpeht.net | udp |
| US | 8.8.8.8:53 | zsqxejydfpnt.info | udp |
| US | 8.8.8.8:53 | nkjblzcql.net | udp |
| US | 8.8.8.8:53 | hnfflvdwte.net | udp |
| US | 8.8.8.8:53 | qudyrmntuow.info | udp |
| US | 8.8.8.8:53 | ngupbuikqy.net | udp |
| US | 8.8.8.8:53 | usiikeyy.org | udp |
| US | 8.8.8.8:53 | tfjtwjah.info | udp |
| US | 8.8.8.8:53 | cqbpxyvyluq.info | udp |
| US | 8.8.8.8:53 | gbkvnabfqhos.info | udp |
| US | 8.8.8.8:53 | aunudjnnlfbf.net | udp |
| US | 8.8.8.8:53 | fkjsjnfcncz.info | udp |
| US | 8.8.8.8:53 | swmzrjrefp.info | udp |
| US | 8.8.8.8:53 | rnkxvy.net | udp |
| US | 8.8.8.8:53 | uspavcp.net | udp |
| US | 8.8.8.8:53 | btbcif.info | udp |
| US | 8.8.8.8:53 | juzvhys.org | udp |
| US | 8.8.8.8:53 | kakgmo.com | udp |
| US | 8.8.8.8:53 | uiaftrrpfp.info | udp |
| US | 8.8.8.8:53 | rjkojrpj.info | udp |
| US | 8.8.8.8:53 | hrnujmsfph.net | udp |
| US | 8.8.8.8:53 | icugterlbcz.net | udp |
| US | 8.8.8.8:53 | nsoekchlfkv.org | udp |
| US | 8.8.8.8:53 | dmrgcnz.net | udp |
| US | 8.8.8.8:53 | qudfwrxeufno.info | udp |
| US | 8.8.8.8:53 | ourepitvklx.info | udp |
| US | 8.8.8.8:53 | qioakyqeks.com | udp |
| US | 8.8.8.8:53 | jqpevr.net | udp |
| US | 8.8.8.8:53 | vlkfdsyuanna.net | udp |
| US | 8.8.8.8:53 | xhisrub.org | udp |
| US | 8.8.8.8:53 | ahjdjx.info | udp |
| US | 8.8.8.8:53 | tzttzvwvtn.net | udp |
| US | 8.8.8.8:53 | donewsikomx.info | udp |
| US | 8.8.8.8:53 | twzwmurw.info | udp |
| US | 8.8.8.8:53 | hklhjmvgaxh.info | udp |
| US | 8.8.8.8:53 | usgiag.info | udp |
| US | 8.8.8.8:53 | xododk.net | udp |
| US | 8.8.8.8:53 | khopbk.net | udp |
| US | 8.8.8.8:53 | fcpmbxlozomf.info | udp |
| US | 8.8.8.8:53 | owogfvcic.info | udp |
| US | 8.8.8.8:53 | zfvenyzb.info | udp |
| US | 8.8.8.8:53 | ruksvdctcqr.com | udp |
| US | 8.8.8.8:53 | znwjjxvv.net | udp |
| US | 8.8.8.8:53 | kcjvja.info | udp |
| US | 8.8.8.8:53 | njrwwgwf.info | udp |
| US | 8.8.8.8:53 | spzrhrvesz.net | udp |
| US | 8.8.8.8:53 | ibnzekestmvw.net | udp |
| US | 8.8.8.8:53 | idegzazut.net | udp |
| US | 8.8.8.8:53 | pwdmpqmewat.org | udp |
| US | 8.8.8.8:53 | lfnrjahslur.org | udp |
| US | 8.8.8.8:53 | rwefryngvgr.net | udp |
| US | 8.8.8.8:53 | vudulzdmzprb.net | udp |
| US | 8.8.8.8:53 | datktkxzr.org | udp |
| US | 8.8.8.8:53 | kfztdkmgmbxp.info | udp |
| US | 8.8.8.8:53 | kshgvj.net | udp |
| US | 8.8.8.8:53 | fceoxgscw.com | udp |
| US | 8.8.8.8:53 | olifwt.info | udp |
| US | 8.8.8.8:53 | oebdqtnylpn.net | udp |
| US | 8.8.8.8:53 | vfrkdsphsa.info | udp |
| US | 8.8.8.8:53 | falhshffh.net | udp |
| US | 8.8.8.8:53 | xykutplmhmfn.net | udp |
| US | 8.8.8.8:53 | wqqweg.org | udp |
| US | 8.8.8.8:53 | vmouvfpoaqcz.net | udp |
| US | 8.8.8.8:53 | byxkrkbsgek.info | udp |
| US | 8.8.8.8:53 | mlgsxflu.net | udp |
| US | 8.8.8.8:53 | eaqikw.org | udp |
| US | 8.8.8.8:53 | yegkai.com | udp |
| US | 8.8.8.8:53 | nvprjfjykv.info | udp |
| US | 8.8.8.8:53 | llmylvqrvc.info | udp |
| US | 8.8.8.8:53 | mmpfdlx.info | udp |
| US | 8.8.8.8:53 | kmpdjanxcx.info | udp |
| US | 8.8.8.8:53 | hgpydyr.org | udp |
| US | 8.8.8.8:53 | iwfjdihngcy.net | udp |
| US | 8.8.8.8:53 | jljcywgh.info | udp |
| US | 8.8.8.8:53 | rehoxhf.org | udp |
| US | 8.8.8.8:53 | elbysvpurov.info | udp |
| US | 8.8.8.8:53 | eeppryl.info | udp |
| US | 8.8.8.8:53 | adjdpnzooh.net | udp |
| US | 8.8.8.8:53 | zmiyjqdsz.com | udp |
| US | 8.8.8.8:53 | aptavxszku.info | udp |
| US | 8.8.8.8:53 | tnpwnmrz.net | udp |
| US | 8.8.8.8:53 | oesmaemmgi.com | udp |
| US | 8.8.8.8:53 | uytmtjfnqvkr.net | udp |
| US | 8.8.8.8:53 | jyppbb.info | udp |
| US | 8.8.8.8:53 | wyouywom.com | udp |
| US | 8.8.8.8:53 | jinfugfp.net | udp |
| US | 8.8.8.8:53 | yucwio.org | udp |
| US | 8.8.8.8:53 | ksqiqimy.org | udp |
| US | 8.8.8.8:53 | ddlzpyx.org | udp |
| US | 8.8.8.8:53 | tjqryxbhdomh.net | udp |
| US | 8.8.8.8:53 | isiium.com | udp |
| US | 8.8.8.8:53 | aqrimmi.info | udp |
| US | 8.8.8.8:53 | azmjyofexz.info | udp |
| US | 8.8.8.8:53 | akcuefigqd.info | udp |
| US | 8.8.8.8:53 | ysxpeafix.net | udp |
| US | 8.8.8.8:53 | yiwkhxpgv.info | udp |
| US | 8.8.8.8:53 | mgroafw.info | udp |
| US | 8.8.8.8:53 | dnbgtezpxix.net | udp |
| US | 8.8.8.8:53 | rxczpilihy.net | udp |
| US | 8.8.8.8:53 | gxjmexojzn.info | udp |
| US | 8.8.8.8:53 | rbkcrvul.net | udp |
| US | 8.8.8.8:53 | krlyna.info | udp |
| US | 8.8.8.8:53 | knckwex.net | udp |
| US | 8.8.8.8:53 | gkclfsx.info | udp |
| US | 8.8.8.8:53 | lgmblm.info | udp |
| US | 8.8.8.8:53 | dwidbiv.com | udp |
| US | 8.8.8.8:53 | jglaqupow.com | udp |
| US | 8.8.8.8:53 | aozgvijhv.info | udp |
| US | 8.8.8.8:53 | ekysuwaiqs.org | udp |
| US | 8.8.8.8:53 | ydzslmicb.info | udp |
| US | 8.8.8.8:53 | pcerrgzcfsz.net | udp |
| US | 8.8.8.8:53 | ikjuhe.net | udp |
| US | 8.8.8.8:53 | tcodlz.net | udp |
| US | 8.8.8.8:53 | usaaomsm.org | udp |
| US | 8.8.8.8:53 | gatcnh.net | udp |
| US | 8.8.8.8:53 | mbiiznxdulyh.net | udp |
| US | 8.8.8.8:53 | piixmh.net | udp |
| US | 8.8.8.8:53 | gtzmpsl.info | udp |
| US | 8.8.8.8:53 | uamgwamskqew.org | udp |
| US | 8.8.8.8:53 | fqzzunv.com | udp |
| US | 8.8.8.8:53 | amtqxoj.net | udp |
| US | 8.8.8.8:53 | vitfbhlzud.info | udp |
| US | 8.8.8.8:53 | pscgpnxpjov.org | udp |
| US | 8.8.8.8:53 | qpeavxszku.net | udp |
| US | 8.8.8.8:53 | zyddtkzdzmr.info | udp |
| US | 8.8.8.8:53 | gnfars.info | udp |
| US | 8.8.8.8:53 | ussmwkms.org | udp |
| US | 8.8.8.8:53 | mrvijkjbj.info | udp |
| US | 8.8.8.8:53 | nvqhtsfzlm.info | udp |
| US | 8.8.8.8:53 | ogticqh.info | udp |
| US | 8.8.8.8:53 | wuvdcemvbvq.net | udp |
| US | 8.8.8.8:53 | hmrjwwul.net | udp |
| US | 8.8.8.8:53 | sqryhufbbsn.info | udp |
| US | 8.8.8.8:53 | fqvopkmiayu.org | udp |
| US | 8.8.8.8:53 | hexutqazdll.info | udp |
| US | 8.8.8.8:53 | eargbiv.info | udp |
| US | 8.8.8.8:53 | jcuivq.info | udp |
| US | 8.8.8.8:53 | shpeij.net | udp |
| US | 8.8.8.8:53 | oqhajmtmnmh.info | udp |
| US | 8.8.8.8:53 | mtnkhgmycgo.info | udp |
| US | 8.8.8.8:53 | rfhptq.info | udp |
| US | 8.8.8.8:53 | fqayjauwuwki.net | udp |
| US | 8.8.8.8:53 | ppdisylgldz.info | udp |
| US | 8.8.8.8:53 | wieavxszku.net | udp |
| US | 8.8.8.8:53 | xmamxuigl.com | udp |
| US | 8.8.8.8:53 | brldhjhz.info | udp |
| US | 8.8.8.8:53 | gklcrejor.info | udp |
| US | 8.8.8.8:53 | bprtocllnykb.net | udp |
| US | 8.8.8.8:53 | xarmlxszz.com | udp |
| US | 8.8.8.8:53 | xqeqvctmsuh.net | udp |
| US | 8.8.8.8:53 | ikkwkysogw.com | udp |
| US | 8.8.8.8:53 | jmtnzgcazlrn.net | udp |
| US | 8.8.8.8:53 | txdnffyluhxv.info | udp |
| US | 8.8.8.8:53 | amxuzuvy.info | udp |
| US | 8.8.8.8:53 | oowogs.com | udp |
| US | 8.8.8.8:53 | xslxqsls.net | udp |
| US | 8.8.8.8:53 | iayfbimnpob.info | udp |
| US | 8.8.8.8:53 | jpmlta.info | udp |
| US | 8.8.8.8:53 | mquoqcyqaawg.org | udp |
| US | 8.8.8.8:53 | gkxxztxavsg.info | udp |
| US | 8.8.8.8:53 | tzdahsuuh.info | udp |
| US | 8.8.8.8:53 | xynria.net | udp |
| US | 8.8.8.8:53 | qagoeiyu.org | udp |
| US | 8.8.8.8:53 | vlaawwqz.net | udp |
| US | 8.8.8.8:53 | bvvalvmxzcsi.net | udp |
| US | 8.8.8.8:53 | bcxxvr.info | udp |
| US | 8.8.8.8:53 | bhfwrzmopmpx.net | udp |
| US | 8.8.8.8:53 | vbmxisps.info | udp |
| US | 8.8.8.8:53 | wfisikzczr.net | udp |
| US | 8.8.8.8:53 | xghygzsuyad.net | udp |
| US | 8.8.8.8:53 | wkhfdy.net | udp |
| US | 8.8.8.8:53 | hpnstrhtjg.info | udp |
| US | 8.8.8.8:53 | hgxntkm.net | udp |
| US | 8.8.8.8:53 | gicqywqkcoim.com | udp |
| US | 8.8.8.8:53 | ilewpvzo.info | udp |
| US | 8.8.8.8:53 | sgsoagiiccyw.com | udp |
| US | 8.8.8.8:53 | xkrrcuyy.net | udp |
| US | 8.8.8.8:53 | mpvxjh.net | udp |
| US | 8.8.8.8:53 | syzvcyk.net | udp |
| US | 8.8.8.8:53 | uquooammwuoi.com | udp |
| US | 8.8.8.8:53 | dzskvopmm.info | udp |
| US | 8.8.8.8:53 | grblyx.net | udp |
| US | 8.8.8.8:53 | zhnwgud.org | udp |
| US | 8.8.8.8:53 | nfsjpowl.info | udp |
| US | 8.8.8.8:53 | rcrijyxgd.org | udp |
| US | 8.8.8.8:53 | wfdecninnkmw.net | udp |
| US | 8.8.8.8:53 | seqodpz.info | udp |
| US | 8.8.8.8:53 | luinideacsle.net | udp |
| US | 8.8.8.8:53 | djlicfxk.net | udp |
| US | 8.8.8.8:53 | rphclgrybrf.com | udp |
| US | 8.8.8.8:53 | meoyentb.net | udp |
| US | 8.8.8.8:53 | eolunulgzk.info | udp |
| US | 8.8.8.8:53 | nmqouwmxgqi.org | udp |
| US | 8.8.8.8:53 | cmoaucco.com | udp |
| US | 8.8.8.8:53 | dbuguvooxgpt.info | udp |
| US | 8.8.8.8:53 | nqbpjgon.net | udp |
| US | 8.8.8.8:53 | zvhgslgc.info | udp |
| US | 8.8.8.8:53 | emgism.org | udp |
| US | 8.8.8.8:53 | alkzxaxfvfhz.info | udp |
| US | 8.8.8.8:53 | rwbklxfvdgn.net | udp |
| US | 8.8.8.8:53 | sxdusybh.info | udp |
| US | 8.8.8.8:53 | cihyrwwyc.net | udp |
| US | 8.8.8.8:53 | kajpailpjmp.info | udp |
| US | 8.8.8.8:53 | yedyvwtxjj.info | udp |
| US | 8.8.8.8:53 | oadcjwp.net | udp |
| US | 8.8.8.8:53 | ynruje.info | udp |
| US | 8.8.8.8:53 | jztvlgjokb.info | udp |
| US | 8.8.8.8:53 | fadyruaacbd.info | udp |
| US | 8.8.8.8:53 | gwgoqq.com | udp |
| US | 8.8.8.8:53 | omnpqiitfi.net | udp |
| US | 8.8.8.8:53 | jpjttaaexv.net | udp |
| US | 8.8.8.8:53 | cvhyxcvn.net | udp |
| US | 8.8.8.8:53 | jcrvvvj.com | udp |
| US | 8.8.8.8:53 | gaodcojpykuk.info | udp |
| US | 8.8.8.8:53 | pqmnvrwszsg.org | udp |
| US | 8.8.8.8:53 | jyuxpzhmw.net | udp |
| US | 8.8.8.8:53 | gislpxktd.info | udp |
| US | 8.8.8.8:53 | isbcryz.net | udp |
| US | 8.8.8.8:53 | apkyhy.net | udp |
| US | 8.8.8.8:53 | kygwckgiqw.org | udp |
| US | 8.8.8.8:53 | hahmgwfnjkp.net | udp |
| US | 8.8.8.8:53 | dpwoyczy.info | udp |
| US | 8.8.8.8:53 | pzwwrlewwj.net | udp |
| US | 8.8.8.8:53 | musojqg.info | udp |
| US | 8.8.8.8:53 | scysjbdmkeoc.info | udp |
| US | 8.8.8.8:53 | aficdkacl.net | udp |
| US | 8.8.8.8:53 | phrllcfgnqj.com | udp |
| US | 8.8.8.8:53 | vqrheyzex.net | udp |
| US | 8.8.8.8:53 | rulacqr.info | udp |
| US | 8.8.8.8:53 | sseiqyeccq.org | udp |
| US | 8.8.8.8:53 | oqhtrmhjycp.net | udp |
| US | 8.8.8.8:53 | jkegrujevkd.info | udp |
| US | 8.8.8.8:53 | ntiqojjqc.info | udp |
| US | 8.8.8.8:53 | ioljfepbb.info | udp |
| US | 8.8.8.8:53 | suwsuaaccawm.org | udp |
| US | 8.8.8.8:53 | qndemkcdxryk.net | udp |
| US | 8.8.8.8:53 | wuyaiqgeqy.com | udp |
| US | 8.8.8.8:53 | txheewfs.info | udp |
| US | 8.8.8.8:53 | hlznhyfm.info | udp |
| US | 8.8.8.8:53 | cqsuazaqru.net | udp |
| US | 8.8.8.8:53 | utggnqj.info | udp |
| US | 8.8.8.8:53 | apwkcgfmgf.info | udp |
| US | 8.8.8.8:53 | uhpmrupuasn.net | udp |
| US | 8.8.8.8:53 | frmdxwuxkz.info | udp |
| US | 8.8.8.8:53 | xppzylcflp.info | udp |
| US | 8.8.8.8:53 | lipurll.info | udp |
| US | 8.8.8.8:53 | hllixmp.net | udp |
| US | 8.8.8.8:53 | ayfoftqfrv.net | udp |
| US | 8.8.8.8:53 | jrzyrcaozcr.org | udp |
| US | 8.8.8.8:53 | qemazwtejgo.info | udp |
| US | 8.8.8.8:53 | cxlkhikkn.net | udp |
| US | 8.8.8.8:53 | exngsops.net | udp |
| US | 8.8.8.8:53 | ryxdtsd.net | udp |
| US | 8.8.8.8:53 | ymyuwggs.com | udp |
| US | 8.8.8.8:53 | xjmzxevz.net | udp |
| US | 8.8.8.8:53 | pcdsnsigne.net | udp |
| US | 8.8.8.8:53 | msfmtzx.info | udp |
| US | 8.8.8.8:53 | cikgciaceciq.org | udp |
| US | 8.8.8.8:53 | ouqoeesiae.org | udp |
| US | 8.8.8.8:53 | mggayygi.org | udp |
| US | 8.8.8.8:53 | vzbppajiqww.org | udp |
| US | 8.8.8.8:53 | butwbqu.org | udp |
| US | 8.8.8.8:53 | mysopy.net | udp |
| US | 8.8.8.8:53 | qubqirdevwh.net | udp |
| US | 8.8.8.8:53 | coqscemaacma.com | udp |
| US | 8.8.8.8:53 | rwwsigxjv.com | udp |
| US | 8.8.8.8:53 | djyhfe.net | udp |
| US | 8.8.8.8:53 | mrpoffh.net | udp |
| US | 8.8.8.8:53 | cjjcde.net | udp |
| US | 8.8.8.8:53 | cukickke.org | udp |
| US | 8.8.8.8:53 | reewxp.info | udp |
| US | 8.8.8.8:53 | uymylfsagk.net | udp |
| US | 8.8.8.8:53 | woipmktcih.info | udp |
| US | 8.8.8.8:53 | ggkoyk.com | udp |
| US | 8.8.8.8:53 | hkcgezmhb.com | udp |
| US | 8.8.8.8:53 | jfrenmxp.net | udp |
| US | 8.8.8.8:53 | qkvxlbrcv.info | udp |
| US | 8.8.8.8:53 | akbazoceb.info | udp |
| US | 8.8.8.8:53 | esinhkgfvs.info | udp |
| US | 8.8.8.8:53 | rschke.info | udp |
| US | 8.8.8.8:53 | jgvgwmvkjy.info | udp |
| US | 8.8.8.8:53 | yczclcviv.info | udp |
| US | 8.8.8.8:53 | dunolqrmder.net | udp |
| US | 8.8.8.8:53 | swcczad.net | udp |
| US | 8.8.8.8:53 | ujswmxmm.net | udp |
| US | 8.8.8.8:53 | qbjtrl.info | udp |
| US | 8.8.8.8:53 | axymmbtdurtr.info | udp |
| US | 8.8.8.8:53 | qwmgsisouk.org | udp |
| US | 8.8.8.8:53 | ajeufitgtoe.info | udp |
| US | 8.8.8.8:53 | gwmseoioyy.org | udp |
| US | 8.8.8.8:53 | dklezylud.net | udp |
| US | 8.8.8.8:53 | ektmnkvub.info | udp |
| US | 8.8.8.8:53 | onzovzd.info | udp |
| US | 8.8.8.8:53 | oesaeigqwuki.com | udp |
| US | 8.8.8.8:53 | lrjiyvhkpad.net | udp |
| US | 8.8.8.8:53 | bsoypkhpfo.net | udp |
| US | 8.8.8.8:53 | hhbibsteqcn.info | udp |
| US | 8.8.8.8:53 | wwleihr.info | udp |
| US | 8.8.8.8:53 | czsexcrsz.net | udp |
| US | 8.8.8.8:53 | varxirlszfv.org | udp |
| US | 8.8.8.8:53 | qcttocuciv.net | udp |
| US | 8.8.8.8:53 | gytyfrhwlmw.net | udp |
| US | 8.8.8.8:53 | qcaequgeic.org | udp |
| US | 8.8.8.8:53 | qhktjptk.net | udp |
| US | 8.8.8.8:53 | xwpxanbmqfuk.info | udp |
| US | 8.8.8.8:53 | teaacdtqjap.net | udp |
| US | 8.8.8.8:53 | xcdedoiyntx.org | udp |
| US | 8.8.8.8:53 | wkkwkkmw.org | udp |
| US | 8.8.8.8:53 | lrvcjxdsa.info | udp |
| US | 8.8.8.8:53 | eebcemndfbu.net | udp |
| US | 8.8.8.8:53 | kycmiu.com | udp |
| US | 8.8.8.8:53 | xwqowmqjhuy.info | udp |
| US | 8.8.8.8:53 | hwznjnnc.info | udp |
| US | 8.8.8.8:53 | mdainrbbifun.net | udp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp |
Files
C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe
| MD5 | 92fed7521129bd635097c0790c2dee8a |
| SHA1 | 8548b39b7f34783d260cab61401413992cd0ae95 |
| SHA256 | 721eac4c690533ed896b3ec2c6251b59f07b10d10c8648d1681fcc94384b7a1a |
| SHA512 | 64ff8ea5f00e24261214092dc3817cc6df5e1ea7dc2d75f785b5b19c280b6f26fd4f7643ce164514d5b3b505839f43f03a0e259049a0b43e0a619949af45ccca |
C:\Users\Admin\AppData\Local\fdvxczvuuqooptcyjdnld.khd
| MD5 | ab8654b07f180f4dab536cee4622f81b |
| SHA1 | a93691167a1a8b0c601e798b8210193e5dac96ba |
| SHA256 | eda4080fa975f15201efba273bd58b690736dfb03aa0318a7862ff4b596fa902 |
| SHA512 | 2cc4cafba25e1dc44370417229daf861d4a9ab92204e326abc1bc999bc968e65609d264348b3949ceb2aa265d91d30603563956ae30fdfabefb11a816d47c3f6 |
C:\Users\Admin\AppData\Local\ajmzpxeozgpambvcydyhkxnvcmxenykz.awb
| MD5 | 229dd9c5581596dc76c4c61ffe7e6f44 |
| SHA1 | 0eb307d98d0a83665709c3621eb92ae7de99220a |
| SHA256 | b51c192bac5849ddeec85f0bc9f65a692ba4332b5911cfcabaa8a1dc38ab4d04 |
| SHA512 | 38b4ce99a7b6f2661dd94e490a0e932d0862667d089a2adfe43abccc7c34af77affa71038afbb62bfd8e6acd63de3377a34483ae996159c8a302e10090dbcb3a |
C:\Program Files (x86)\fdvxczvuuqooptcyjdnld.khd
| MD5 | df5aa2624534cd11411c127bbe7eeb84 |
| SHA1 | 88e049c829f58ebf5ca9639f23b4634a24be7952 |
| SHA256 | 2578a5bf688dc8ee78eebc26ae73138a524295040999b3f1501034d6598becc7 |
| SHA512 | bf82ee46c03a35fed0d752188ae780945ee02d139b03a0833e306b382bf311ccb24a8301e31cafc63823120771d779e484bbbaf34afa32934b18082b17d1a560 |
C:\Program Files (x86)\fdvxczvuuqooptcyjdnld.khd
| MD5 | cef31abac405a5242d482de0585fd3e8 |
| SHA1 | 989751aed20af6ddd93a7c75e2e1ddb6dee87c66 |
| SHA256 | 186d3aff0d3fee32679cf6641d42c1f6ea61065592d1bfa1c52081093aa7ec53 |
| SHA512 | 4e9856cb46d777d93c55b849e5e6caa31dd4f409d896e5dc39ec16028b2a00447a460d24b557c0fc5a5e79a00138c67d310181ddfc08b880059e0426b4decc3e |
C:\Program Files (x86)\fdvxczvuuqooptcyjdnld.khd
| MD5 | def9682b0acdaf1006737dec10c6b131 |
| SHA1 | d59b43fa1e42cb64ba26b7b2e86228c3f1f2db14 |
| SHA256 | 1031071db80371e628841bbd8e137748bced0dd752067af6915a1bd57934bf3d |
| SHA512 | a62d5af33e48a5cf99df7893abddc7e90857bac3013325125a44c4202cd3ac207e52aa3ec5e5b642b4b79eca2a6a236e397b05d59afe40a8a0f5ca113d159c36 |
C:\Program Files (x86)\fdvxczvuuqooptcyjdnld.khd
| MD5 | 7e835d81dbb79b602ba8fe3b43471997 |
| SHA1 | 8e9f529a62a1cf04283aacca0ec1384e1300c290 |
| SHA256 | 39a104e8b02c7eb35c15e6443138dae09b210ab43c49274f452d08e03d3df2d3 |
| SHA512 | 181e41124e53852e6842994fd6f63e1edee8220592beb01aefbbfc93a5147d99bd4a0ab2a8e15ae8ba50b7435b2c971580d70b43bd4c5a5e0be86b26fff317bd |
C:\Program Files (x86)\fdvxczvuuqooptcyjdnld.khd
| MD5 | b728f74676dfc87628f6f9599010dac2 |
| SHA1 | 4e296ba99521ce2776cc9924374056a22a866667 |
| SHA256 | 939298081be30fcb9aac7ccbf306dbe884fd3652475e511b12d36eb538eed11a |
| SHA512 | b3f5b078b3ab2be404edd8302fd5b2a560f0593cfafb60099123a399759f22f68aaefb59d9befb70c3ce0808accb7ec3e60e352b73b0b9ebf77dcbe757d5e4ab |
C:\Program Files (x86)\fdvxczvuuqooptcyjdnld.khd
| MD5 | 8918ce30c8bf8f6255e5410daa42c135 |
| SHA1 | da3e1f86abd31a71c3e6f9cb5ad12749c7922190 |
| SHA256 | ff6d1a6645fa3e3b25aee3299ee81766cd053b42fa1e67a450cd17cbb2b21b1c |
| SHA512 | 8cb4257bf4c7a76b0392cb37380200f4ccfd6b3db8fd840534bf8b33d887d3be8eee451cac8a9efbda28556ed7e194ae1a78c908babefbc2e211b8d458c7b3f1 |