Malware Analysis Report

2025-08-05 11:48

Sample ID 241031-flb6xasjfn
Target 962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N
SHA256 962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437
Tags
defense_evasion discovery evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
10/10

SHA256

962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437

Threat Level: Known bad

The file 962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion persistence privilege_escalation trojan

UAC bypass

Modifies WinLogon for persistence

Disables RegEdit via registry modification

Adds policy Run key to start application

Impair Defenses: Safe Mode Boot

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Looks up external IP address via web service

Hijack Execution Flow: Executable Installer File Permissions Weakness

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

System policy modification

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 04:57

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 04:57

Reported

2024-10-31 04:59

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgctpiwqxaesgqyzje.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "axmkdbwmirwcsiuehtqfd.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhvskhbqltxcrgracnjx.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "exicrlcoglmoamuaz.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgctpiwqxaesgqyzje.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "xpzsgzparvvwhsze.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpzsgzparvvwhsze.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "xpzsgzparvvwhsze.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "exicrlcoglmoamuaz.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exicrlcoglmoamuaz.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exicrlcoglmoamuaz.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "nhtoezrexdfiviryyh.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "ytgctpiwqxaesgqyzje.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "axmkdbwmirwcsiuehtqfd.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "lhvskhbqltxcrgracnjx.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhtoezrexdfiviryyh.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpzsgzparvvwhsze.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "lhvskhbqltxcrgracnjx.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "nhtoezrexdfiviryyh.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhvskhbqltxcrgracnjx.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axmkdbwmirwcsiuehtqfd.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhtoezrexdfiviryyh.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "lhvskhbqltxcrgracnjx.exe" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgctpiwqxaesgqyzje.exe" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sjskxpeoehggqag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhvskhbqltxcrgracnjx.exe" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpzsgzparvvwhsze.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\epselxgku = "exicrlcoglmoamuaz.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdjyixjqddzw = "xpzsgzparvvwhsze.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\epselxgku = "lhvskhbqltxcrgracnjx.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\epselxgku = "axmkdbwmirwcsiuehtqfd.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\epselxgku = "ytgctpiwqxaesgqyzje.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sjskxpeoehggqag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhvskhbqltxcrgracnjx.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfneqhvetvtsbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgctpiwqxaesgqyzje.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sjskxpeoehggqag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgctpiwqxaesgqyzje.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sjskxpeoehggqag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhtoezrexdfiviryyh.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\epselxgku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exicrlcoglmoamuaz.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sjskxpeoehggqag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpzsgzparvvwhsze.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfneqhvetvtsbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhtoezrexdfiviryyh.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\epselxgku = "ytgctpiwqxaesgqyzje.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "axmkdbwmirwcsiuehtqfd.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\epselxgku = "lhvskhbqltxcrgracnjx.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdjyixjqddzw = "nhtoezrexdfiviryyh.exe" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "ytgctpiwqxaesgqyzje.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\odkalbowkligo = "xpzsgzparvvwhsze.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sjskxpeoehggqag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgctpiwqxaesgqyzje.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfneqhvetvtsbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exicrlcoglmoamuaz.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\odkalbowkligo = "axmkdbwmirwcsiuehtqfd.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "axmkdbwmirwcsiuehtqfd.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "exicrlcoglmoamuaz.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\epselxgku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axmkdbwmirwcsiuehtqfd.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdjyixjqddzw = "axmkdbwmirwcsiuehtqfd.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exicrlcoglmoamuaz.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "nhtoezrexdfiviryyh.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfneqhvetvtsbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exicrlcoglmoamuaz.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhvskhbqltxcrgracnjx.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfneqhvetvtsbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhvskhbqltxcrgracnjx.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\odkalbowkligo = "axmkdbwmirwcsiuehtqfd.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axmkdbwmirwcsiuehtqfd.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\epselxgku = "exicrlcoglmoamuaz.exe" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\epselxgku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpzsgzparvvwhsze.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "xpzsgzparvvwhsze.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdjyixjqddzw = "exicrlcoglmoamuaz.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sjskxpeoehggqag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exicrlcoglmoamuaz.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfneqhvetvtsbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpzsgzparvvwhsze.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\epselxgku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhtoezrexdfiviryyh.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "ytgctpiwqxaesgqyzje.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "nhtoezrexdfiviryyh.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdjyixjqddzw = "lhvskhbqltxcrgracnjx.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfneqhvetvtsbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\exicrlcoglmoamuaz.exe ." C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\pfneqhvetvtsbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgctpiwqxaesgqyzje.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\epselxgku = "nhtoezrexdfiviryyh.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\odkalbowkligo = "lhvskhbqltxcrgracnjx.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "exicrlcoglmoamuaz.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axmkdbwmirwcsiuehtqfd.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpzsgzparvvwhsze.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\epselxgku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhtoezrexdfiviryyh.exe" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "xpzsgzparvvwhsze.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\epselxgku = "exicrlcoglmoamuaz.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sjskxpeoehggqag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\axmkdbwmirwcsiuehtqfd.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhtoezrexdfiviryyh.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\epselxgku = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhvskhbqltxcrgracnjx.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdjyixjqddzw = "exicrlcoglmoamuaz.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sjskxpeoehggqag = "C:\\Users\\Admin\\AppData\\Local\\Temp\\lhvskhbqltxcrgracnjx.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdjyixjqddzw = "nhtoezrexdfiviryyh.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\pdjyixjqddzw = "ytgctpiwqxaesgqyzje.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\odkalbowkligo = "ytgctpiwqxaesgqyzje.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgctpiwqxaesgqyzje.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\odkalbowkligo = "nhtoezrexdfiviryyh.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
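The registry tables above are raw sandbox output: one row per write, with the same setting repeated for each process that touched it. Three points matter when reading them. EnableLUA = 0 only takes effect after a reboot, whereas ConsentPromptBehaviorAdmin = 0 silences elevation prompts for administrators immediately. The Winlogon Shell rows write "Explorer.exe", which is the default value, so the signal there is an unsigned binary in Temp rewriting the key, not the value itself. And the EnableInstallerDetection = 0 rows, which the sandbox files under an execution-flow hijack, actually switch off UAC's installer-detection heuristic and belong with the other UAC settings. The following triage script is an added example, not part of this report or of the sandbox's own tooling: it parses rows in the format printed above (the sample rows are copied from the behavioral1 tables) and produces a structured verdict on UAC tampering, autostart entries that point into a user-writable Temp directory or carry only a bare file name, the Winlogon Shell write, and deleted SafeBoot service entries. It assumes the sandbox prints string values with backslashes doubled and that image paths in autostart values contain no spaces.

```python
"""Added triage helper: parse the flattened registry rows printed in this
report's signature tables and turn them into a structured verdict."""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: rows copied from the behavioral1 tables of this report.
SAMPLE_EVENTS = r"""
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nxzkqbjm = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ytgctpiwqxaesgqyzje.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\sfkyhvgmyxs = "axmkdbwmirwcsiuehtqfd.exe" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xjnaivfkvt = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xpzsgzparvvwhsze.exe ." C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
"""

# One report row: <operation> <registry path>[ = "<value>"] <process> <target>
ROW = re.compile(
    r'^(?P<op>Set value \((?:int|str)\)|Key created|Key deleted|Key opened|Key value queried) '
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?: = "(?P<value>.*)")?'
    r' (?P<process>C:\\.+?) N/A$'
)
POLICY = re.compile(r'\\Policies\\System\\(?P<name>[^\\]+)$', re.I)
AUTORUN = re.compile(r'\\CurrentVersion\\(?P<loc>Run|RunOnce|Policies\\Explorer\\Run)\\(?P<name>[^\\]+)$', re.I)
SAFEBOOT = re.compile(r'\\Control\\SafeBoot\\(?P<mode>Minimal|Network)\\(?P<entry>[^\\]+)$', re.I)
WINLOGON_SHELL = re.compile(r'\\Windows NT\\CurrentVersion\\Winlogon\\Shell$', re.I)

# Setting -> value that weakens the control (every one of these appears in the report).
WEAKENING = {
    "EnableLUA": "0",                   # UAC off entirely (takes effect after reboot)
    "ConsentPromptBehaviorAdmin": "0",  # administrators elevate with no prompt (immediate)
    "ConsentPromptBehaviorUser": "0",   # standard users: elevation requests auto-denied
    "PromptOnSecureDesktop": "0",       # any remaining prompt is shown on the normal desktop
    "EnableInstallerDetection": "0",    # UAC no longer treats installers as needing elevation
    "DisableRegistryTools": "1",        # regedit.exe refuses to start
}


@dataclass
class Event:
    op: str
    path: str
    value: Optional[str]
    process: str


def parse_rows(text: str) -> list:
    """Return the registry events found in report-format text; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # headers, blank lines and file-system rows
        value = m["value"]
        if value is not None:
            value = value.replace("\\\\", "\\")  # assumption: values are printed with doubled backslashes
        events.append(Event(m["op"], m["path"], value, m["process"]))
    return events


def assess(events: list) -> dict:
    """Summarise what the observed writes do to UAC, autostart locations and Safe Mode."""
    r = {"policy_tamper": [], "uac_disabled": False, "elevation_silent": False,
         "winlogon_shell": [], "autoruns": [], "safeboot_deleted": []}
    for e in events:
        if e.op == "Key deleted" and (m := SAFEBOOT.search(e.path)):
            r["safeboot_deleted"].append(m["entry"])  # service no longer started in Safe Mode
        if not e.op.startswith("Set value"):
            continue
        value = e.value or ""
        if (m := POLICY.search(e.path)) and WEAKENING.get(m["name"]) == value:
            r["policy_tamper"].append((m["name"], value, e.process))
            r["uac_disabled"] |= m["name"] == "EnableLUA"
            r["elevation_silent"] |= m["name"] == "ConsentPromptBehaviorAdmin"
        if WINLOGON_SHELL.search(e.path):
            # Default shell is explorer.exe; a non-default value replaces the desktop shell.
            r["winlogon_shell"].append({"value": value, "process": e.process,
                                        "hijacked": value.lower() != "explorer.exe"})
        if m := AUTORUN.search(e.path):
            image = value.split(" ")[0]  # assumption: image paths contain no spaces; drops trailing args
            r["autoruns"].append({
                "hive": "HKLM" if e.path.startswith(r"\REGISTRY\MACHINE") else "HKU",
                "location": m["loc"], "name": m["name"], "image": image,
                "user_writable": "\\appdata\\local\\temp\\" in image.lower(),
                "bare_name": "\\" not in image,  # resolved by search path at logon, hijackable
                "process": e.process})
    return r


if __name__ == "__main__":
    print(json.dumps(assess(parse_rows(SAMPLE_EVENTS)), indent=2))
```

Run against the full table text rather than the embedded sample to get the complete list of autostart names and images; the HKLM Policies\Explorer\Run entries are worth listing separately because they apply to every user at logon and are not a location most startup-item tools show by default.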

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.showmyipaddress.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\cfaedhiegvgsokcsbtwrvuy.vxm C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
File opened for modification C:\Windows\SysWOW64\pdjyixjqddzwdknoilzfuetfmzzvszgjke.vbq C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
File created C:\Windows\SysWOW64\pdjyixjqddzwdknoilzfuetfmzzvszgjke.vbq C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
File opened for modification C:\Windows\SysWOW64\cfaedhiegvgsokcsbtwrvuy.vxm C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\pdjyixjqddzwdknoilzfuetfmzzvszgjke.vbq C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
File opened for modification C:\Program Files (x86)\cfaedhiegvgsokcsbtwrvuy.vxm C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
File created C:\Program Files (x86)\cfaedhiegvgsokcsbtwrvuy.vxm C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
File opened for modification C:\Program Files (x86)\pdjyixjqddzwdknoilzfuetfmzzvszgjke.vbq C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\cfaedhiegvgsokcsbtwrvuy.vxm C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
File created C:\Windows\cfaedhiegvgsokcsbtwrvuy.vxm C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
File opened for modification C:\Windows\pdjyixjqddzwdknoilzfuetfmzzvszgjke.vbq C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
File created C:\Windows\pdjyixjqddzwdknoilzfuetfmzzvszgjke.vbq C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2368 wrote to memory of 3012 N/A C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe C:\Users\Admin\AppData\Local\Temp\ahgor.exe
PID 2368 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe C:\Users\Admin\AppData\Local\Temp\ahgor.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\ahgor.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe

"C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe"

C:\Users\Admin\AppData\Local\Temp\ahgor.exe

"C:\Users\Admin\AppData\Local\Temp\ahgor.exe" "-"

C:\Users\Admin\AppData\Local\Temp\ahgor.exe

"C:\Users\Admin\AppData\Local\Temp\ahgor.exe" "-"

Network

Files

\Users\Admin\AppData\Local\Temp\ahgor.exe

C:\Users\Admin\AppData\Local\cfaedhiegvgsokcsbtwrvuy.vxm

C:\Users\Admin\AppData\Local\pdjyixjqddzwdknoilzfuetfmzzvszgjke.vbq

C:\Program Files (x86)\cfaedhiegvgsokcsbtwrvuy.vxm

C:\Users\Admin\AppData\Local\cfaedhiegvgsokcsbtwrvuy.vxm

C:\Program Files (x86)\cfaedhiegvgsokcsbtwrvuy.vxm

C:\Users\Admin\AppData\Local\cfaedhiegvgsokcsbtwrvuy.vxm

C:\Users\Admin\AppData\Local\cfaedhiegvgsokcsbtwrvuy.vxm

C:\Users\Admin\AppData\Local\cfaedhiegvgsokcsbtwrvuy.vxm

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 04:57

Reported

2024-10-31 04:59

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajmzpxeozg = "btfbarhaukcwrpsinbf.exe" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajmzpxeozg = "hxhbynbskyogzvwkn.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhhrejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apyrnboevixogbbo.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhhrejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apyrnboevixogbbo.exe" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajmzpxeozg = "apyrnboevixogbbo.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajmzpxeozg = "btfbarhaukcwrpsinbf.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhhrejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohurrjaupgzuqptkqfkd.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajmzpxeozg = "ohurrjaupgzuqptkqfkd.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhhrejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohurrjaupgzuqptkqfkd.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajmzpxeozg = "hxhbynbskyogzvwkn.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhhrejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btfbarhaukcwrpsinbf.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajmzpxeozg = "qhsnlbqibqhaurtimz.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhhrejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxljkdvqmeyurrwovlrlz.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajmzpxeozg = "ohurrjaupgzuqptkqfkd.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhhrejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxljkdvqmeyurrwovlrlz.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhhrejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btfbarhaukcwrpsinbf.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajmzpxeozg = "dxljkdvqmeyurrwovlrlz.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhhrejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxhbynbskyogzvwkn.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajmzpxeozg = "btfbarhaukcwrpsinbf.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bhhrejn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhsnlbqibqhaurtimz.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajmzpxeozg = "apyrnboevixogbbo.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "dxljkdvqmeyurrwovlrlz.exe ." C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "qhsnlbqibqhaurtimz.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxyjxdiq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohurrjaupgzuqptkqfkd.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxhbynbskyogzvwkn.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "qhsnlbqibqhaurtimz.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "hxhbynbskyogzvwkn.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdixpziuhqbo = "btfbarhaukcwrpsinbf.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfmdxjuixivkat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btfbarhaukcwrpsinbf.exe" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfjxoxfqcku = "qhsnlbqibqhaurtimz.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfmdxjuixivkat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxhbynbskyogzvwkn.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdixpziuhqbo = "hxhbynbskyogzvwkn.exe ." C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfmdxjuixivkat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohurrjaupgzuqptkqfkd.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfjxoxfqcku = "ohurrjaupgzuqptkqfkd.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhsnlbqibqhaurtimz.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxyjxdiq = "hxhbynbskyogzvwkn.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdixpziuhqbo = "qhsnlbqibqhaurtimz.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btfbarhaukcwrpsinbf.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfjxoxfqcku = "qhsnlbqibqhaurtimz.exe" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "apyrnboevixogbbo.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfmdxjuixivkat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxhbynbskyogzvwkn.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdjzsdnaoykyn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhsnlbqibqhaurtimz.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfmdxjuixivkat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohurrjaupgzuqptkqfkd.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfmdxjuixivkat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhsnlbqibqhaurtimz.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdjzsdnaoykyn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apyrnboevixogbbo.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfjxoxfqcku = "btfbarhaukcwrpsinbf.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apyrnboevixogbbo.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "apyrnboevixogbbo.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxyjxdiq = "apyrnboevixogbbo.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfjxoxfqcku = "apyrnboevixogbbo.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxljkdvqmeyurrwovlrlz.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfmdxjuixivkat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxljkdvqmeyurrwovlrlz.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdjzsdnaoykyn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxhbynbskyogzvwkn.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfjxoxfqcku = "hxhbynbskyogzvwkn.exe" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfmdxjuixivkat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apyrnboevixogbbo.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdjzsdnaoykyn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohurrjaupgzuqptkqfkd.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxyjxdiq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\btfbarhaukcwrpsinbf.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxyjxdiq = "apyrnboevixogbbo.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdixpziuhqbo = "btfbarhaukcwrpsinbf.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "ohurrjaupgzuqptkqfkd.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxyjxdiq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apyrnboevixogbbo.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdixpziuhqbo = "apyrnboevixogbbo.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxyjxdiq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxljkdvqmeyurrwovlrlz.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "apyrnboevixogbbo.exe ." C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdixpziuhqbo = "hxhbynbskyogzvwkn.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfmdxjuixivkat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qhsnlbqibqhaurtimz.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "dxljkdvqmeyurrwovlrlz.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxyjxdiq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxljkdvqmeyurrwovlrlz.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdjzsdnaoykyn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxhbynbskyogzvwkn.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "btfbarhaukcwrpsinbf.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dxljkdvqmeyurrwovlrlz.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdixpziuhqbo = "dxljkdvqmeyurrwovlrlz.exe ." C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rdjzsdnaoykyn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohurrjaupgzuqptkqfkd.exe ." C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdixpziuhqbo = "qhsnlbqibqhaurtimz.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qxyjxdiq = "ohurrjaupgzuqptkqfkd.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfjxoxfqcku = "btfbarhaukcwrpsinbf.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdixpziuhqbo = "hxhbynbskyogzvwkn.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sfmdxjuixivkat = "C:\\Users\\Admin\\AppData\\Local\\Temp\\apyrnboevixogbbo.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfjxoxfqcku = "qhsnlbqibqhaurtimz.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\qxyjxdiq = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hxhbynbskyogzvwkn.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ohurrjaupgzuqptkqfkd.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\vfjxoxfqcku = "apyrnboevixogbbo.exe" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "dxljkdvqmeyurrwovlrlz.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\sdixpziuhqbo = "dxljkdvqmeyurrwovlrlz.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\hprdszfoy = "ohurrjaupgzuqptkqfkd.exe ." C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ajmzpxeozgpambvcydyhkxnvcmxenykz.awb C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
File created C:\Windows\SysWOW64\ajmzpxeozgpambvcydyhkxnvcmxenykz.awb C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
File opened for modification C:\Windows\SysWOW64\fdvxczvuuqooptcyjdnld.khd C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
File created C:\Windows\SysWOW64\fdvxczvuuqooptcyjdnld.khd C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\fdvxczvuuqooptcyjdnld.khd C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
File created C:\Program Files (x86)\fdvxczvuuqooptcyjdnld.khd C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
File opened for modification C:\Program Files (x86)\ajmzpxeozgpambvcydyhkxnvcmxenykz.awb C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
File created C:\Program Files (x86)\ajmzpxeozgpambvcydyhkxnvcmxenykz.awb C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\fdvxczvuuqooptcyjdnld.khd C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
File created C:\Windows\fdvxczvuuqooptcyjdnld.khd C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
File opened for modification C:\Windows\ajmzpxeozgpambvcydyhkxnvcmxenykz.awb C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
File created C:\Windows\ajmzpxeozgpambvcydyhkxnvcmxenykz.awb C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Key created \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe

"C:\Users\Admin\AppData\Local\Temp\962abe742b881b2b370f810a1d8955ae72ffd3410f53555cbfe68ed9644c2437N.exe"

C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe

"C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe" "-"

C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe

"C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe" "-"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 106.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 8.8.8.8:53 www.whatismyip.com udp
US 104.27.207.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 92.207.27.104.in-addr.arpa udp
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.27.207.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 79.222.19.104.in-addr.arpa udp
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.27.207.92:80 www.whatismyip.com tcp
US 104.27.207.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 104.27.207.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 175.155.67.172.in-addr.arpa udp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 104.27.207.92:80 www.whatismyip.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 172.67.155.175:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.169.14:80 www.youtube.com tcp
US 8.8.8.8:53 kmeggs.org udp
US 8.8.8.8:53 lrjekrdt.net udp
US 8.8.8.8:53 tjvqfbvjmooz.info udp
US 8.8.8.8:53 yowkwmuu.com udp
US 8.8.8.8:53 wdjgvyhpkmk.info udp
US 8.8.8.8:53 14.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 kavtbvqf.info udp
DE 85.214.228.140:80 kavtbvqf.info tcp
US 8.8.8.8:53 ujgfxdqswh.net udp
US 8.8.8.8:53 kwbbzbvgnzax.info udp
US 8.8.8.8:53 iqeomussyi.com udp
US 8.8.8.8:53 gujunlesowi.info udp
US 8.8.8.8:53 sejibalqxar.net udp
US 54.244.188.177:80 sejibalqxar.net tcp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 140.228.214.85.in-addr.arpa udp
US 8.8.8.8:53 torgnldl.info udp
US 8.8.8.8:53 cgihagj.info udp
US 8.8.8.8:53 qscweekc.com udp
US 8.8.8.8:53 egksyqv.info udp
US 208.100.26.245:80 egksyqv.info tcp
US 8.8.8.8:53 vdzphk.info udp
US 8.8.8.8:53 uwpfpr.info udp
US 8.8.8.8:53 oswaicicgymc.org udp
US 8.8.8.8:53 pnsdfbklr.com udp
US 8.8.8.8:53 uytvbd.info udp
US 8.8.8.8:53 177.188.244.54.in-addr.arpa udp
US 8.8.8.8:53 245.26.100.208.in-addr.arpa udp
US 8.8.8.8:53 pnfmjmvwlcx.org udp
US 8.8.8.8:53 rulmiuoebex.com udp
US 8.8.8.8:53 zszohszakut.org udp
US 8.8.8.8:53 wclkqrqe.net udp
US 8.8.8.8:53 omaqio.org udp
US 8.8.8.8:53 fxrvvrxmxh.info udp
US 8.8.8.8:53 iolyaaphvkn.info udp
US 8.8.8.8:53 vqhclzq.org udp
US 8.8.8.8:53 qcoegeqkwgcq.com udp
US 8.8.8.8:53 hsksignnoewk.net udp
US 8.8.8.8:53 hpsmipicxupt.info udp
US 8.8.8.8:53 xerqiiou.net udp
US 8.8.8.8:53 syakbm.info udp
US 8.8.8.8:53 qyveaudfmez.net udp
US 8.8.8.8:53 nbisxf.info udp
US 8.8.8.8:53 wslwlgx.info udp
US 8.8.8.8:53 twmmkhcywuj.org udp
US 8.8.8.8:53 miokgksskwum.com udp
US 8.8.8.8:53 fyylzj.info udp
US 8.8.8.8:53 havbtylo.net udp
US 8.8.8.8:53 jkcnkmgboo.net udp
US 8.8.8.8:53 eqpwnaryq.net udp
US 8.8.8.8:53 lvqslsbcaef.info udp
US 8.8.8.8:53 myocswemuq.org udp
US 8.8.8.8:53 yxjlyvzsnhxv.net udp
US 8.8.8.8:53 catdtirlxee.net udp
US 8.8.8.8:53 wwsijgyjecx.info udp
US 8.8.8.8:53 rlofyx.info udp
US 8.8.8.8:53 zrphjgfnm.info udp
US 8.8.8.8:53 jrncvlzwiulh.net udp
US 8.8.8.8:53 miisqa.org udp
US 8.8.8.8:53 gotqpsxeq.net udp
US 8.8.8.8:53 xoyvrevhha.net udp
US 8.8.8.8:53 ekuedqrcp.info udp
US 8.8.8.8:53 zgfqhof.org udp
US 8.8.8.8:53 dkqayttmb.net udp
US 8.8.8.8:53 vljgbupsl.net udp
US 8.8.8.8:53 iavxtkk.info udp
US 8.8.8.8:53 dyjzbs.net udp
US 8.8.8.8:53 gmesqmckoyke.org udp
US 8.8.8.8:53 hgqnhit.org udp
US 8.8.8.8:53 qpejngowavjy.info udp
US 8.8.8.8:53 wpumzcv.info udp
US 8.8.8.8:53 zlkqvoxqx.org udp
US 8.8.8.8:53 lcbsfiyyz.com udp
US 8.8.8.8:53 pvvhcp.net udp
US 8.8.8.8:53 birepoq.com udp
US 8.8.8.8:53 oicaqk.org udp
US 8.8.8.8:53 crfiladnpmv.net udp
US 8.8.8.8:53 gwwefsd.net udp
US 8.8.8.8:53 tqznqjobr.org udp
US 8.8.8.8:53 pywtdsxnbwp.net udp
US 8.8.8.8:53 dmbealkee.net udp
US 8.8.8.8:53 gkmuow.org udp
US 8.8.8.8:53 lqmphguwauj.net udp
US 8.8.8.8:53 ykwmkakg.com udp
US 8.8.8.8:53 cxpxjpr.net udp
US 8.8.8.8:53 yqiweowi.com udp
US 8.8.8.8:53 xupglkfya.info udp
US 8.8.8.8:53 xqeihwjsx.com udp
US 8.8.8.8:53 ssashm.info udp
US 8.8.8.8:53 qskkpmw.net udp
US 8.8.8.8:53 lksloqnzv.com udp
US 8.8.8.8:53 fszehlnx.net udp
US 8.8.8.8:53 fsiyrwqv.net udp
US 8.8.8.8:53 jkdcdyf.com udp
US 8.8.8.8:53 kkmeoq.org udp
US 8.8.8.8:53 vahhkdgyeefx.net udp
US 8.8.8.8:53 dvyyeptzjv.net udp
US 8.8.8.8:53 qikccq.com udp
US 8.8.8.8:53 fkkuzkhcr.com udp
US 8.8.8.8:53 gfuvwmjpgb.net udp
US 8.8.8.8:53 rivcjaszx.net udp
US 8.8.8.8:53 kvpoqyl.info udp
US 8.8.8.8:53 xixednsqy.net udp
US 8.8.8.8:53 qklvmkpphtqq.info udp
US 8.8.8.8:53 jractu.net udp
US 8.8.8.8:53 zsqxejydfpnt.info udp
US 8.8.8.8:53 euxuukuzlj.net udp
US 8.8.8.8:53 eqbrod.info udp
US 8.8.8.8:53 ltvwftzngl.net udp
US 8.8.8.8:53 adrctuqehjon.info udp
US 8.8.8.8:53 qudyrmntuow.info udp
US 8.8.8.8:53 huasjgtckdu.com udp
US 8.8.8.8:53 adqotj.info udp
US 8.8.8.8:53 usiikeyy.org udp
US 8.8.8.8:53 jojlfepmqic.net udp
US 8.8.8.8:53 gqkqucek.org udp
US 8.8.8.8:53 ncxein.net udp
US 8.8.8.8:53 uspavcp.net udp
US 8.8.8.8:53 wcoohuzezxuh.net udp
US 8.8.8.8:53 xfozhjysnnrw.net udp
US 8.8.8.8:53 ppvqcdqc.info udp
US 8.8.8.8:53 hrnujmsfph.net udp
US 8.8.8.8:53 xxxrxnll.info udp
US 8.8.8.8:53 mznedobi.net udp
US 8.8.8.8:53 ourepitvklx.info udp
US 8.8.8.8:53 qgwghszfz.info udp
US 8.8.8.8:53 trrvwxpupfak.net udp
US 8.8.8.8:53 uuwygwcmmc.com udp
US 8.8.8.8:53 fifqlpb.org udp
US 8.8.8.8:53 xhisrub.org udp
US 8.8.8.8:53 sefswvajalzq.net udp
US 8.8.8.8:53 xododk.net udp
US 8.8.8.8:53 octpnmfeveb.net udp
US 8.8.8.8:53 igeuaeekqkai.com udp
US 8.8.8.8:53 kasabx.net udp
US 8.8.8.8:53 qepupmjufwt.net udp
US 8.8.8.8:53 pyfofor.info udp
US 8.8.8.8:53 swdbmuwabyg.info udp
US 8.8.8.8:53 buoqqzlfnx.net udp
US 8.8.8.8:53 awwkvlhbxgix.info udp
US 8.8.8.8:53 buqvltnvkj.info udp
US 8.8.8.8:53 ymtoaovfdbi.net udp
US 8.8.8.8:53 bsrweqh.net udp
US 8.8.8.8:53 wdilrbagqvbi.info udp
US 8.8.8.8:53 wlnvccohvi.info udp
US 8.8.8.8:53 ygqeiciwkoyw.com udp
US 8.8.8.8:53 pysepcywro.info udp
US 8.8.8.8:53 kshgvj.net udp
US 8.8.8.8:53 pdejmv.info udp
US 8.8.8.8:53 rnbmnnffvvpj.info udp
US 8.8.8.8:53 oebdqtnylpn.net udp
US 8.8.8.8:53 bxufyjogwoou.net udp
US 8.8.8.8:53 papvlzf.info udp
US 8.8.8.8:53 xykutplmhmfn.net udp
US 8.8.8.8:53 hnsilwhmkd.net udp
US 8.8.8.8:53 ikxvkrsulwd.net udp
US 8.8.8.8:53 uoqaicsoscem.org udp
US 8.8.8.8:53 nzzixvjhxgkl.net udp
US 8.8.8.8:53 hsufhgsmqgl.org udp
US 8.8.8.8:53 tsvrdkobl.org udp
US 8.8.8.8:53 mlgsxflu.net udp
US 8.8.8.8:53 ssgqwyoscwmq.com udp
US 8.8.8.8:53 nmlilkf.net udp
US 8.8.8.8:53 xelnlo.info udp
US 8.8.8.8:53 kmpdjanxcx.info udp
US 8.8.8.8:53 ayaisqusmc.com udp
US 8.8.8.8:53 ymiiicyo.org udp
US 8.8.8.8:53 rrbjyqfytb.info udp
US 8.8.8.8:53 xqcyxif.info udp
US 8.8.8.8:53 jljcywgh.info udp
US 8.8.8.8:53 aptavxszku.info udp
US 8.8.8.8:53 aobbzdl.info udp
US 8.8.8.8:53 xirbjpd.com udp
US 8.8.8.8:53 ovvmeermlar.net udp
US 8.8.8.8:53 cihylwh.net udp
US 8.8.8.8:53 xnzydftvlgzr.info udp
US 8.8.8.8:53 mydflsxizio.info udp
US 8.8.8.8:53 rtuovixut.info udp
US 8.8.8.8:53 jinfugfp.net udp
US 8.8.8.8:53 pcpgyj.net udp
US 8.8.8.8:53 sjutctmlqp.info udp
US 8.8.8.8:53 kanvzumtrd.net udp
US 8.8.8.8:53 isiium.com udp
US 8.8.8.8:53 ouhnpciy.net udp
US 8.8.8.8:53 fvrkdzoj.info udp
US 8.8.8.8:53 qdaqwtlafa.info udp
US 8.8.8.8:53 sdbwfyjudmf.net udp
US 8.8.8.8:53 lmpojrrxmeu.net udp
US 8.8.8.8:53 azdltpai.net udp
US 8.8.8.8:53 gxjmexojzn.info udp
US 8.8.8.8:53 sjlbzs.net udp
US 8.8.8.8:53 zekcpulqpnd.net udp
US 8.8.8.8:53 uyyqvfqlwa.net udp
US 8.8.8.8:53 poejdjuh.info udp
US 8.8.8.8:53 dykmfirsf.org udp
US 8.8.8.8:53 lgmblm.info udp
US 8.8.8.8:53 fxayhti.com udp
US 8.8.8.8:53 ajiemcue.net udp
US 8.8.8.8:53 ekysuwaiqs.org udp
US 8.8.8.8:53 bfnxsfwe.net udp
US 8.8.8.8:53 yiwurhr.info udp
US 8.8.8.8:53 rsnokt.info udp
US 8.8.8.8:53 mocgiq.com udp
US 8.8.8.8:53 mbiiznxdulyh.net udp
US 8.8.8.8:53 ryoznqv.com udp
US 8.8.8.8:53 xwdqxgxphkv.org udp
US 8.8.8.8:53 lolhbiz.net udp
US 8.8.8.8:53 rensjsymxwj.org udp
US 8.8.8.8:53 mkkuwuiwwseq.com udp
US 8.8.8.8:53 qpeavxszku.net udp
US 8.8.8.8:53 bkxzwfixd.com udp
US 8.8.8.8:53 xdtelisdm.info udp
US 8.8.8.8:53 lszothkejnl.net udp
US 8.8.8.8:53 nvqhtsfzlm.info udp
US 8.8.8.8:53 aysyqc.com udp
US 8.8.8.8:53 fqvopkmiayu.org udp
US 8.8.8.8:53 qiucmopf.net udp
US 8.8.8.8:53 opulkubj.info udp
US 8.8.8.8:53 mytynnbrhspi.info udp
US 8.8.8.8:53 oqhajmtmnmh.info udp
US 8.8.8.8:53 sscuiedhv.net udp
US 8.8.8.8:53 nczirwr.org udp
US 8.8.8.8:53 esvkde.net udp
US 8.8.8.8:53 wieavxszku.net udp
US 8.8.8.8:53 ywsysaascsso.com udp
US 8.8.8.8:53 nffzsjdajsx.info udp
US 8.8.8.8:53 coowccmu.com udp
US 8.8.8.8:53 suwotmgdjqk.info udp
US 8.8.8.8:53 rreplnac.info udp
US 8.8.8.8:53 lkgatfldr.com udp
US 8.8.8.8:53 srdueil.net udp
US 8.8.8.8:53 vdbicmahsofj.net udp
US 8.8.8.8:53 xqeqvctmsuh.net udp
US 8.8.8.8:53 mqoeqmkiyo.org udp
US 8.8.8.8:53 qxrwrxkgnrd.net udp
US 8.8.8.8:53 pghiaxrr.net udp
US 8.8.8.8:53 qagoeiyu.org udp
US 8.8.8.8:53 wgwtnn.info udp
US 8.8.8.8:53 cqokiu.org udp
US 8.8.8.8:53 xojmuqnhc.com udp
US 8.8.8.8:53 ympczhxnodq.info udp
US 8.8.8.8:53 hgxntkm.net udp
US 8.8.8.8:53 tyjijtv.com udp
US 8.8.8.8:53 tdorquu.net udp
US 8.8.8.8:53 xyptkfpgzvnm.info udp
US 8.8.8.8:53 sgsoagiiccyw.com udp
US 8.8.8.8:53 jplefezrs.net udp
US 8.8.8.8:53 yudtpekyh.info udp
US 8.8.8.8:53 ruanaiucgbo.net udp
US 8.8.8.8:53 tbdleeffez.net udp
US 8.8.8.8:53 loizjl.net udp
US 8.8.8.8:53 grblyx.net udp
US 8.8.8.8:53 kwucnsvsjqz.net udp
US 8.8.8.8:53 pniiuswcyn.info udp
US 8.8.8.8:53 djlicfxk.net udp
US 8.8.8.8:53 hgpliskn.net udp
US 8.8.8.8:53 eolunulgzk.info udp
US 8.8.8.8:53 dbuguvooxgpt.info udp
US 8.8.8.8:53 nqbpjgon.net udp
US 8.8.8.8:53 qofmvytzwzqq.info udp
US 8.8.8.8:53 lwfepfetlwts.net udp
US 8.8.8.8:53 ilhpunn.info udp
US 8.8.8.8:53 edtcrscsug.info udp
US 8.8.8.8:53 rwbklxfvdgn.net udp
US 8.8.8.8:53 oepibgz.net udp
US 8.8.8.8:53 wttaxtzszuhx.info udp
US 8.8.8.8:53 kajpailpjmp.info udp
US 8.8.8.8:53 lyafmmetvkjy.net udp
US 8.8.8.8:53 avvyomf.net udp
US 8.8.8.8:53 cgifcdlhyk.net udp
US 8.8.8.8:53 cikykgok.org udp
US 8.8.8.8:53 mysakufwi.info udp
US 8.8.8.8:53 gwgoqq.com udp
US 8.8.8.8:53 omnpqiitfi.net udp
US 8.8.8.8:53 yyykwe.org udp
US 8.8.8.8:53 qkqiic.org udp
US 8.8.8.8:53 pssoqtdakwn.org udp
US 8.8.8.8:53 bvtnqjtztcea.info udp
US 8.8.8.8:53 cvhyxcvn.net udp
US 8.8.8.8:53 fbjdeg.info udp
US 8.8.8.8:53 ebkvmswc.info udp
US 8.8.8.8:53 eldmqxqg.net udp
US 8.8.8.8:53 gislpxktd.info udp
US 8.8.8.8:53 zvpklryi.net udp
US 8.8.8.8:53 aivodvscxbq.info udp
US 8.8.8.8:53 hahmgwfnjkp.net udp
US 8.8.8.8:53 dpwoyczy.info udp
US 8.8.8.8:53 hobdowq.info udp
US 8.8.8.8:53 vqrheyzex.net udp
US 8.8.8.8:53 fghokddov.com udp
US 8.8.8.8:53 ueyuoggoqk.com udp
US 8.8.8.8:53 pyfgjlpruptb.info udp
US 8.8.8.8:53 kbddptq.net udp
US 8.8.8.8:53 oqhtrmhjycp.net udp
US 8.8.8.8:53 jkegrujevkd.info udp
US 8.8.8.8:53 grelailjse.info udp
US 8.8.8.8:53 benjkycqgtgi.info udp
US 8.8.8.8:53 gqgsuw.com udp
US 8.8.8.8:53 ngrqjtwc.info udp
US 8.8.8.8:53 wuyaiqgeqy.com udp
US 8.8.8.8:53 vhmwlkbloe.info udp
US 8.8.8.8:53 nirstmt.com udp
US 8.8.8.8:53 uhpmrupuasn.net udp
US 8.8.8.8:53 xqkxqkihtrhl.net udp
US 8.8.8.8:53 jrzyrcaozcr.org udp
US 8.8.8.8:53 vghjfigfab.net udp
US 8.8.8.8:53 clnubo.net udp
US 8.8.8.8:53 dfseulltvqhx.net udp
US 8.8.8.8:53 cxlkhikkn.net udp
US 8.8.8.8:53 tyoyxxeq.net udp
US 8.8.8.8:53 iwjghqvqvvm.info udp
US 8.8.8.8:53 huvwtwpaf.net udp
US 8.8.8.8:53 bkwduobqjiz.org udp
US 8.8.8.8:53 ryxdtsd.net udp
US 8.8.8.8:53 fmjjvxv.com udp
US 8.8.8.8:53 msfmtzx.info udp
US 8.8.8.8:53 nlqpnxfa.net udp
US 8.8.8.8:53 xyvyxoplk.net udp
US 8.8.8.8:53 aakcwycucw.org udp
US 8.8.8.8:53 trkeyr.info udp
US 8.8.8.8:53 cvwyvxileiaf.info udp
US 8.8.8.8:53 jpeuwohf.net udp
US 8.8.8.8:53 ujjubgrehmw.net udp
US 8.8.8.8:53 ouqoeesiae.org udp
US 8.8.8.8:53 ememgusska.com udp
US 8.8.8.8:53 icugggkqsw.org udp
US 8.8.8.8:53 iuesgi.com udp
US 8.8.8.8:53 foxpqijnhlx.org udp
US 8.8.8.8:53 lxrxbczgl.info udp
US 8.8.8.8:53 fmhiqazsog.info udp
US 8.8.8.8:53 qubqirdevwh.net udp
US 8.8.8.8:53 jklhikmyugnw.info udp
US 8.8.8.8:53 seoqcqsaeugm.org udp
US 8.8.8.8:53 mnqzjhqwdf.info udp
US 8.8.8.8:53 fjafurvk.net udp
US 8.8.8.8:53 reewxp.info udp
US 8.8.8.8:53 htsbjk.net udp
US 8.8.8.8:53 eimuee.org udp
US 8.8.8.8:53 perbtsaqjhas.net udp
US 8.8.8.8:53 jfrenmxp.net udp
US 8.8.8.8:53 vhipfmwltmva.net udp
US 8.8.8.8:53 bwggoh.info udp
US 8.8.8.8:53 ewudht.net udp
US 8.8.8.8:53 flicbgvlvx.net udp
US 8.8.8.8:53 coeucocigqoa.com udp
US 8.8.8.8:53 mmfzsurkpuw.net udp
US 8.8.8.8:53 dunolqrmder.net udp
US 8.8.8.8:53 pfpduv.info udp
US 8.8.8.8:53 qerdboeqwcdg.info udp
US 8.8.8.8:53 ajeufitgtoe.info udp
US 8.8.8.8:53 oesaeigqwuki.com udp
US 8.8.8.8:53 zvhqsuxsj.com udp
US 8.8.8.8:53 srttit.info udp
US 8.8.8.8:53 twqoneq.info udp
US 8.8.8.8:53 hhbibsteqcn.info udp
US 8.8.8.8:53 lcmvhufpbmvm.info udp
US 8.8.8.8:53 czsexcrsz.net udp
US 8.8.8.8:53 abzbxov.net udp
US 8.8.8.8:53 hjdhrg.net udp
US 8.8.8.8:53 pxsrzfbyrb.net udp
US 8.8.8.8:53 qcaequgeic.org udp
US 8.8.8.8:53 moyeakwwwy.com udp
US 8.8.8.8:53 ikkgis.org udp
US 8.8.8.8:53 qkwsio.org udp
US 8.8.8.8:53 znhwdz.net udp
US 8.8.8.8:53 bsymfywaz.org udp
US 8.8.8.8:53 oyyayiwqgoca.com udp
US 8.8.8.8:53 xvdptslkxiz.com udp
US 8.8.8.8:53 hubvonuqiv.net udp
US 8.8.8.8:53 teaacdtqjap.net udp
US 8.8.8.8:53 xcdedoiyntx.org udp
US 8.8.8.8:53 tienvhthew.info udp
US 8.8.8.8:53 iaalpcmmn.info udp
US 8.8.8.8:53 zlkyakezzw.info udp
US 8.8.8.8:53 qdzsmgtaoqke.net udp
US 8.8.8.8:53 dmdkecdcs.com udp
US 8.8.8.8:53 lshkvxocnrlv.net udp
US 8.8.8.8:53 hyhmnkflblw.info udp
US 8.8.8.8:53 xwqowmqjhuy.info udp
US 8.8.8.8:53 uzbgztimzi.net udp
US 8.8.8.8:53 xofohiy.info udp
US 8.8.8.8:53 mgsesxycvnji.net udp
US 8.8.8.8:53 ncrmjafuzox.net udp
US 8.8.8.8:53 zlwspz.info udp
US 8.8.8.8:53 mdainrbbifun.net udp
US 8.8.8.8:53 qsstfc.info udp
US 8.8.8.8:53 rhjymzrvfpfa.info udp
US 8.8.8.8:53 rqxypenixyn.net udp
US 8.8.8.8:53 bqhbbyxrovtb.info udp
US 8.8.8.8:53 xslknk.info udp
US 8.8.8.8:53 ssywwsui.com udp
US 8.8.8.8:53 sgeackqiyiay.com udp
US 8.8.8.8:53 sioagm.com udp
US 8.8.8.8:53 zljcwgd.com udp
US 8.8.8.8:53 ysdptmpha.info udp
US 8.8.8.8:53 zozgcobcaq.net udp
US 8.8.8.8:53 llvmzokob.com udp
US 8.8.8.8:53 kcmnjaggo.net udp
US 8.8.8.8:53 hjjakml.com udp
US 8.8.8.8:53 zyyurshpril.net udp
US 8.8.8.8:53 myvicvzmjk.net udp
US 8.8.8.8:53 dcvygkv.org udp
US 8.8.8.8:53 typlvezvn.info udp
US 8.8.8.8:53 mybhjaeixx.net udp
US 8.8.8.8:53 mvrlhhspnj.info udp
US 8.8.8.8:53 fzpfvmb.info udp
US 8.8.8.8:53 ewcreajalkq.info udp
US 8.8.8.8:53 pubdtrzkyif.com udp
US 8.8.8.8:53 mycapcbzhgtu.info udp
US 8.8.8.8:53 iegemk.com udp
US 8.8.8.8:53 seghjqrmn.net udp
US 8.8.8.8:53 rxhxfw.net udp
US 8.8.8.8:53 yylmheaeg.net udp
US 8.8.8.8:53 dzcefi.info udp
US 8.8.8.8:53 shvkoco.net udp
US 8.8.8.8:53 qjfrtgwqbz.net udp
US 8.8.8.8:53 zkykjxrhzafp.net udp
US 8.8.8.8:53 ikvudf.net udp
US 8.8.8.8:53 vkcxio.net udp
US 8.8.8.8:53 mucyzopmo.net udp
US 8.8.8.8:53 mstejdzjr.info udp
US 8.8.8.8:53 lgtqrspfq.info udp
US 8.8.8.8:53 mexsbsbhjgq.info udp
US 8.8.8.8:53 ygmwckcc.com udp
US 8.8.8.8:53 qobgxef.info udp
US 8.8.8.8:53 zmlsdmvna.info udp
US 8.8.8.8:53 uvcodihahbp.net udp
US 8.8.8.8:53 rmhpbovsxorv.net udp
US 8.8.8.8:53 wecmkkjurxz.net udp
US 8.8.8.8:53 ylaxujjvpzdt.info udp
US 8.8.8.8:53 gzvidaauuzl.info udp
US 8.8.8.8:53 hlqltge.net udp
US 8.8.8.8:53 vrnmeulxxmv.net udp
US 8.8.8.8:53 mnyyga.info udp
US 8.8.8.8:53 ahhvtmpmcwa.net udp
US 8.8.8.8:53 nbaspelkhrv.info udp
US 8.8.8.8:53 gmgosasg.com udp
US 8.8.8.8:53 lkdrlnviek.net udp
US 8.8.8.8:53 vlsqekixshcp.net udp
US 8.8.8.8:53 kavvbszwrkr.net udp
US 8.8.8.8:53 acrtztoja.net udp
US 8.8.8.8:53 lpornixlxqvy.info udp
US 8.8.8.8:53 iwwmiiga.org udp
US 8.8.8.8:53 itocvu.info udp
US 8.8.8.8:53 hqlhgrgalrjb.info udp
US 8.8.8.8:53 gcwrksxc.net udp
US 8.8.8.8:53 jgzbxllqdecg.net udp
US 8.8.8.8:53 zqgfdebofb.info udp
US 8.8.8.8:53 yefilmp.info udp
US 8.8.8.8:53 xigozx.info udp
US 8.8.8.8:53 wtigijfy.info udp
US 8.8.8.8:53 fafsdrambjf.info udp
US 8.8.8.8:53 asecuyemymyi.org udp
US 8.8.8.8:53 ameyys.com udp
US 8.8.8.8:53 zmrarczuld.net udp
US 8.8.8.8:53 tirlgfehui.info udp
US 8.8.8.8:53 qztwsvd.info udp
US 8.8.8.8:53 ccsutuzor.net udp
US 8.8.8.8:53 dwpkzhv.com udp
US 8.8.8.8:53 vsksierqjss.net udp
US 8.8.8.8:53 stbglfrn.net udp
US 8.8.8.8:53 wigyqqsmsceg.org udp
US 8.8.8.8:53 ipusvbgbzw.net udp
US 8.8.8.8:53 rltwexojzn.net udp
US 8.8.8.8:53 zrpvpvrnly.net udp
US 8.8.8.8:53 pyifqlvg.net udp
US 8.8.8.8:53 yuuiomoyyy.org udp
US 8.8.8.8:53 dayucgzmwkv.net udp
US 8.8.8.8:53 irnfhoxpsbt.net udp
US 8.8.8.8:53 kaudws.net udp
US 8.8.8.8:53 wuybayvsmwt.info udp
US 8.8.8.8:53 cbnbwgspb.net udp
US 8.8.8.8:53 ygkiqkicik.org udp
US 8.8.8.8:53 dedylft.net udp
US 8.8.8.8:53 qisakqeiecqu.org udp
US 8.8.8.8:53 saqupjmfylgx.net udp
US 8.8.8.8:53 umgsswzkjb.info udp
US 8.8.8.8:53 yguoyhhqrtl.net udp
US 8.8.8.8:53 iggcfwpytwa.net udp
US 8.8.8.8:53 uojatso.net udp
US 8.8.8.8:53 rhrrzodshs.net udp
US 8.8.8.8:53 zmviuqc.net udp
US 8.8.8.8:53 clxkfijkxyb.net udp
US 8.8.8.8:53 mzfipwlwrruo.info udp
US 8.8.8.8:53 tuaxjj.net udp
US 8.8.8.8:53 fgoavq.net udp
US 8.8.8.8:53 qcouhxo.net udp
US 8.8.8.8:53 vfjbjoxqsqd.org udp
US 8.8.8.8:53 jdtgtz.info udp
US 8.8.8.8:53 tvkintp.com udp
US 8.8.8.8:53 fljidww.com udp
US 8.8.8.8:53 vmqzqdvpyzll.info udp
US 8.8.8.8:53 vkylhtylchns.net udp
US 8.8.8.8:53 enzdtojn.net udp
US 8.8.8.8:53 ealvofqh.net udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 hqddoevgppp.info udp
US 8.8.8.8:53 ushkxbyxdgg.net udp
US 8.8.8.8:53 cmxaggh.info udp
US 8.8.8.8:53 oerqjerjjued.info udp
US 8.8.8.8:53 jalkbr.info udp
US 8.8.8.8:53 yfjtbb.net udp
US 8.8.8.8:53 kcqewgmikq.com udp
US 8.8.8.8:53 zeiezcy.com udp
US 8.8.8.8:53 cesedkbgdwf.info udp
US 8.8.8.8:53 ritcvvzszh.info udp
US 8.8.8.8:53 nwncjub.net udp
US 8.8.8.8:53 cqbctiqnrpkq.info udp
US 8.8.8.8:53 zzfybuxb.info udp
US 8.8.8.8:53 dllcgyyp.net udp
US 8.8.8.8:53 maltyz.net udp
US 8.8.8.8:53 nunydcr.info udp
US 8.8.8.8:53 uwbmlmv.net udp
US 8.8.8.8:53 usztsauxtyh.net udp
US 8.8.8.8:53 dqgbxjzi.net udp
US 8.8.8.8:53 mgaiyksyai.com udp
US 8.8.8.8:53 akrafm.net udp
US 8.8.8.8:53 bktpfwsl.net udp
US 8.8.8.8:53 lnnmvfvwzyrv.info udp
US 8.8.8.8:53 sylvobemyo.net udp
US 8.8.8.8:53 qqsaauqoes.com udp
US 8.8.8.8:53 iplqdlbmaiyt.info udp
US 8.8.8.8:53 jmeoksvnbqb.info udp
US 8.8.8.8:53 ygfixowaz.net udp
US 8.8.8.8:53 oczmxi.net udp
HK 156.237.207.232:80 yeseee.com tcp
US 8.8.8.8:53 gwrpxydgrih.net udp
US 8.8.8.8:53 xpyqdkxjfdqz.net udp
US 8.8.8.8:53 qkharfxnfm.net udp
US 8.8.8.8:53 jupejihn.info udp
US 8.8.8.8:53 wihsdoxslhit.info udp
US 8.8.8.8:53 taxsnux.com udp
US 8.8.8.8:53 sffcrqzy.net udp
US 8.8.8.8:53 wrclinyubwwb.info udp
US 8.8.8.8:53 iwlpzasaqq.net udp
US 8.8.8.8:53 reepmyiozztu.info udp
US 8.8.8.8:53 bakfznqyjrsl.net udp
US 8.8.8.8:53 wfvgzqiev.net udp
US 8.8.8.8:53 luompddplgp.info udp
US 8.8.8.8:53 dgmbma.info udp
US 8.8.8.8:53 tsxauoqgjzf.net udp
US 8.8.8.8:53 vliuakjt.info udp
US 8.8.8.8:53 dqgihaaagkt.net udp
US 8.8.8.8:53 232.207.237.156.in-addr.arpa udp
US 8.8.8.8:53 beklnku.com udp
US 8.8.8.8:53 hircyjxzd.com udp
US 8.8.8.8:53 otjjaic.net udp
US 8.8.8.8:53 dcebgr.info udp
US 8.8.8.8:53 nicxrmrxya.net udp
US 8.8.8.8:53 uycaau.org udp
US 8.8.8.8:53 pripvdai.net udp
US 8.8.8.8:53 pxboiequk.net udp
US 8.8.8.8:53 ibndnkpkk.net udp
US 8.8.8.8:53 dxmaeadqtspu.net udp
US 8.8.8.8:53 qmvygc.net udp
US 8.8.8.8:53 oqcvhvzm.info udp
US 8.8.8.8:53 cgqcssei.org udp
US 8.8.8.8:53 pfdwrmr.com udp
US 8.8.8.8:53 vdinsezipu.net udp
US 8.8.8.8:53 jmpdwce.com udp
US 8.8.8.8:53 jzhuzwporqfn.info udp
US 8.8.8.8:53 rvmonfphd.org udp
US 8.8.8.8:53 yovdhgwvh.net udp
US 8.8.8.8:53 egoewyik.org udp
US 8.8.8.8:53 mfxmirp.net udp
US 8.8.8.8:53 cnsqroz.net udp
US 8.8.8.8:53 iacmrpnoa.info udp
US 8.8.8.8:53 fsafpo.info udp
US 8.8.8.8:53 bcksphj.net udp
US 8.8.8.8:53 lafqxmoqvsn.net udp
US 8.8.8.8:53 rinafjymzbe.com udp
US 8.8.8.8:53 xanwqkg.info udp
US 8.8.8.8:53 zyxnxadigeg.org udp
US 8.8.8.8:53 eassyeyy.com udp
US 8.8.8.8:53 rqdkyeowgcx.net udp
US 8.8.8.8:53 jvqhbkf.net udp
US 8.8.8.8:53 xygbdoqlv.org udp
US 8.8.8.8:53 dwbihonftk.info udp
US 8.8.8.8:53 vskrxsu.org udp
US 8.8.8.8:53 fofcgchur.net udp
US 8.8.8.8:53 cuvrmof.info udp
US 8.8.8.8:53 kmaocqew.org udp
US 8.8.8.8:53 rwprwj.net udp
US 8.8.8.8:53 zkxefdmqpkh.info udp
US 8.8.8.8:53 nedyyvdlptlz.net udp
US 8.8.8.8:53 hjjpwxvm.net udp
US 8.8.8.8:53 icaijmduf.net udp
US 8.8.8.8:53 vbwkktnk.net udp
US 8.8.8.8:53 mpluixlvjb.net udp
US 8.8.8.8:53 ilwsfnkqlckb.info udp
US 8.8.8.8:53 abcjvqzufpmg.info udp
US 8.8.8.8:53 oykqmo.com udp
US 8.8.8.8:53 syfzstfcq.net udp
US 8.8.8.8:53 kiqgwguueq.com udp
US 8.8.8.8:53 tqneabbadms.net udp
US 8.8.8.8:53 cnqmjmasvcv.net udp
US 8.8.8.8:53 cfwjbujktq.info udp
US 8.8.8.8:53 nersuqqh.info udp
US 8.8.8.8:53 aouiogwg.org udp
US 8.8.8.8:53 uaokqwgc.org udp
US 8.8.8.8:53 kmntncwkb.info udp
US 8.8.8.8:53 tuhfdgfqt.info udp
US 8.8.8.8:53 bwcvcnmjtl.net udp
US 8.8.8.8:53 stfhbwifvy.info udp
US 8.8.8.8:53 fgyojpnggd.info udp
US 8.8.8.8:53 uihitixcrmr.info udp
US 8.8.8.8:53 ayacaaqqmigw.org udp
US 8.8.8.8:53 pcfsnbks.net udp
US 8.8.8.8:53 xiswyrvloa.net udp
US 8.8.8.8:53 kfuxge.info udp
US 8.8.8.8:53 qkpavcu.info udp
US 8.8.8.8:53 efdlohhy.info udp
US 8.8.8.8:53 vbvphiotr.net udp
US 8.8.8.8:53 qirctsxecgr.info udp
US 8.8.8.8:53 zitiqkxzo.info udp
US 8.8.8.8:53 pohyzgs.net udp
US 8.8.8.8:53 finkwch.org udp
US 8.8.8.8:53 lkxojglutjz.com udp
US 8.8.8.8:53 dsvejwvkb.com udp
US 8.8.8.8:53 ixvdzszbb.info udp
US 8.8.8.8:53 bgdqgf.net udp
US 8.8.8.8:53 jzvdzqtkfsb.net udp
US 8.8.8.8:53 owiueb.net udp
US 8.8.8.8:53 szgsjsiqx.net udp
US 8.8.8.8:53 cgkcui.org udp
US 8.8.8.8:53 ypkkjpgu.info udp
US 8.8.8.8:53 bdswzapmhep.org udp
US 8.8.8.8:53 lrzbvelewq.net udp
US 8.8.8.8:53 yilpmh.info udp
US 8.8.8.8:53 ycxvrvto.info udp
US 8.8.8.8:53 cklixmnyh.info udp
US 8.8.8.8:53 xtpvvtdscp.net udp
US 8.8.8.8:53 aafteqj.info udp
US 8.8.8.8:53 eqwkxorsw.net udp
US 8.8.8.8:53 amvbrfhisy.info udp
US 8.8.8.8:53 xuvqwefbwnnd.net udp
US 8.8.8.8:53 kewccc.org udp
US 8.8.8.8:53 rzzqkof.com udp
US 8.8.8.8:53 mcamskrhz.info udp
US 8.8.8.8:53 sbablr.net udp
US 8.8.8.8:53 mbbmtzygvjm.net udp
US 8.8.8.8:53 mmmygcbl.info udp
US 8.8.8.8:53 zsnkgzndrcr.org udp
US 8.8.8.8:53 aubgzylblcd.info udp
US 8.8.8.8:53 julxeotyhf.info udp
US 8.8.8.8:53 tcbaruxybut.info udp
US 8.8.8.8:53 ggpitvtrfo.info udp
US 8.8.8.8:53 uacoqg.org udp
US 8.8.8.8:53 oyocskcy.com udp
US 8.8.8.8:53 nedoxetzar.info udp
US 8.8.8.8:53 okmckikakg.com udp
US 8.8.8.8:53 xcjowdreaa.net udp
US 8.8.8.8:53 unpudkvtcsmq.info udp
US 8.8.8.8:53 rcrcrbxww.net udp
US 8.8.8.8:53 zewutfwnnky.net udp
US 8.8.8.8:53 ckswwyye.org udp
US 8.8.8.8:53 fypgcfia.info udp
US 8.8.8.8:53 tiaeuvqt.net udp
US 8.8.8.8:53 iupnxii.info udp
US 8.8.8.8:53 ocmwkuug.com udp
US 8.8.8.8:53 ekuqfjygo.info udp
US 8.8.8.8:53 pyjuxpj.info udp
US 8.8.8.8:53 oabggajzr.net udp
US 8.8.8.8:53 tcnoictbpxwr.net udp
US 8.8.8.8:53 erhypkzrn.net udp
US 8.8.8.8:53 ereide.net udp
US 8.8.8.8:53 nrkcjqrhycb.net udp
US 8.8.8.8:53 ljtdmt.info udp
US 8.8.8.8:53 mlfcdejcu.net udp
US 8.8.8.8:53 pgumiizmg.net udp
US 8.8.8.8:53 vckeie.net udp
US 8.8.8.8:53 evakbpwlgsou.info udp
US 8.8.8.8:53 swqagykogusi.org udp
US 8.8.8.8:53 dvjbqcwr.net udp
US 8.8.8.8:53 cmfwhshup.net udp
US 8.8.8.8:53 dwsikogj.info udp
US 8.8.8.8:53 hsxotfiifvj.org udp
US 8.8.8.8:53 xlqwso.info udp
US 8.8.8.8:53 dhioxsr.info udp
US 8.8.8.8:53 kpvidqrwtqhx.net udp
US 8.8.8.8:53 igmnvbk.net udp
US 8.8.8.8:53 xgnijggfclh.com udp
US 8.8.8.8:53 enhkjg.net udp
US 8.8.8.8:53 qryuvntcdum.info udp
US 8.8.8.8:53 nnycbrtaroy.com udp
US 8.8.8.8:53 opbqcw.info udp
US 8.8.8.8:53 xbtukk.info udp
US 8.8.8.8:53 xykijz.info udp
US 8.8.8.8:53 nmlmtevvo.info udp
US 8.8.8.8:53 azvutebjec.net udp
US 8.8.8.8:53 yieqldvgn.net udp
US 8.8.8.8:53 wixavay.net udp
US 8.8.8.8:53 wsyqzjzsjih.info udp
US 8.8.8.8:53 byjodkzkfyl.com udp
US 8.8.8.8:53 iuecpck.info udp
US 8.8.8.8:53 eyhsvhpvq.net udp
US 8.8.8.8:53 ltaldgalhggs.info udp
US 8.8.8.8:53 ltnavcbkj.com udp
US 8.8.8.8:53 bsgylclcjkx.net udp
US 8.8.8.8:53 utoxqqqozaar.net udp
US 8.8.8.8:53 hfgkacxqinla.net udp
US 8.8.8.8:53 pkbpbyz.org udp
US 8.8.8.8:53 sqgnol.net udp
US 8.8.8.8:53 kcakoqui.com udp
US 8.8.8.8:53 wgoaes.org udp
US 8.8.8.8:53 xizjfuqnvubh.info udp
US 8.8.8.8:53 azdnlsvyvgx.net udp
US 8.8.8.8:53 iusiogeeos.org udp
US 8.8.8.8:53 hmfhrulow.net udp
US 8.8.8.8:53 miweegyg.com udp
US 8.8.8.8:53 mnvffk.net udp
US 8.8.8.8:53 lrowcjkt.net udp
US 8.8.8.8:53 clrzcqly.net udp
US 8.8.8.8:53 ubuczev.net udp
US 8.8.8.8:53 tnyupynl.info udp
US 8.8.8.8:53 tdfzviuv.info udp
US 8.8.8.8:53 rqtuscv.com udp
US 8.8.8.8:53 pizezzo.info udp
US 8.8.8.8:53 ywvvrp.net udp
US 8.8.8.8:53 jyrlymtf.net udp
US 8.8.8.8:53 eiwuhmjet.net udp
US 8.8.8.8:53 dlroaip.net udp
US 8.8.8.8:53 cyvylfmsn.net udp
US 8.8.8.8:53 fjswfmxs.net udp
US 8.8.8.8:53 bepapexyfzc.info udp
US 8.8.8.8:53 wsgxjkdiadf.net udp
US 8.8.8.8:53 fyimvdv.net udp
US 8.8.8.8:53 qdjzdqtshn.net udp
US 8.8.8.8:53 ggiyck.org udp
US 8.8.8.8:53 mmpmxeedp.info udp
US 8.8.8.8:53 zyqkhyu.info udp
US 8.8.8.8:53 wvnuagbghl.info udp
US 8.8.8.8:53 vanjpyu.com udp
US 8.8.8.8:53 eupzpmqczul.net udp
US 8.8.8.8:53 memaiyym.org udp
US 8.8.8.8:53 sjqyutdtcpjr.net udp
US 8.8.8.8:53 dvdizxagkjvz.net udp
US 8.8.8.8:53 oklwmhsexc.net udp
US 8.8.8.8:53 rofmqcayo.org udp
US 8.8.8.8:53 sepotsvcd.net udp
US 8.8.8.8:53 ugdmtph.net udp
US 8.8.8.8:53 qadleal.net udp
US 8.8.8.8:53 wuicuco.net udp
US 8.8.8.8:53 ywzmddn.info udp
US 8.8.8.8:53 wgsemaqcqokk.com udp
US 8.8.8.8:53 rqfkbmmuifl.net udp
US 8.8.8.8:53 ywbmxtjsfezl.info udp
US 8.8.8.8:53 kmrhzz.info udp
US 8.8.8.8:53 icsapopgc.net udp
US 8.8.8.8:53 ktjcvmuudb.info udp
US 8.8.8.8:53 aloweqfabdt.info udp
US 8.8.8.8:53 ygaayqgs.com udp
US 8.8.8.8:53 kycqsykmcq.org udp
US 8.8.8.8:53 ifmudfiiiw.info udp
US 8.8.8.8:53 vmicpcytqyd.net udp
US 8.8.8.8:53 nfnbtvjlrbvx.info udp
US 8.8.8.8:53 rgyypnb.info udp
US 8.8.8.8:53 ssmxzo.info udp
US 8.8.8.8:53 tysudchmvsu.org udp
US 8.8.8.8:53 rkcskjpolis.info udp
US 8.8.8.8:53 tboyrtniuyn.net udp
US 8.8.8.8:53 hppgptbmvgm.com udp
US 8.8.8.8:53 dkhebsdcp.com udp
US 8.8.8.8:53 efvtvci.info udp
US 8.8.8.8:53 hrgdrvntub.net udp
US 8.8.8.8:53 macuaiyeuqqe.org udp
US 8.8.8.8:53 qciscqym.org udp
US 8.8.8.8:53 ncpkouyhgkyi.info udp
US 8.8.8.8:53 yejcqmdyrgw.info udp
US 8.8.8.8:53 iqjkiytxpcb.net udp
US 8.8.8.8:53 haddjeg.net udp
US 8.8.8.8:53 sezygcvjx.info udp
US 8.8.8.8:53 pmmqkjlutxq.org udp
US 8.8.8.8:53 mwycqayuwe.com udp
US 8.8.8.8:53 pprqiztobhe.info udp
US 8.8.8.8:53 ckgqqyaw.com udp
US 8.8.8.8:53 mutctc.net udp
US 8.8.8.8:53 fcxwlja.org udp
US 8.8.8.8:53 fvljsbupim.net udp
US 8.8.8.8:53 seratzjan.net udp
US 8.8.8.8:53 ymwaci.com udp
US 8.8.8.8:53 atpsjmvhsmb.net udp
US 8.8.8.8:53 hbnsjaf.info udp
US 8.8.8.8:53 fcsaaehep.org udp
US 8.8.8.8:53 haykczjcdyz.net udp
US 8.8.8.8:53 hmzuogpis.info udp
US 8.8.8.8:53 vbbmbovbv.org udp
US 8.8.8.8:53 yhflzdqvid.info udp
US 8.8.8.8:53 dewgvrjsbws.org udp
US 8.8.8.8:53 tqazjgqoftf.org udp
US 8.8.8.8:53 qwgtkkwxoej.net udp
US 8.8.8.8:53 jmkhxsovbtdk.net udp
US 8.8.8.8:53 zcvzbetsz.net udp
US 8.8.8.8:53 bniybxlosz.info udp
US 8.8.8.8:53 bjezpsjn.info udp
US 8.8.8.8:53 eazerazey.net udp
US 8.8.8.8:53 gkakhqr.net udp
US 8.8.8.8:53 suokgkay.com udp
US 8.8.8.8:53 cntgdlxcide.net udp
US 8.8.8.8:53 mbmmyahou.info udp
US 8.8.8.8:53 awojurap.info udp
US 8.8.8.8:53 bbcyofnf.net udp
US 8.8.8.8:53 dhxljkpvtpvm.info udp
US 8.8.8.8:53 cydnzcjqzgl.net udp
US 8.8.8.8:53 duixpqj.org udp
US 8.8.8.8:53 waryzcdkowz.info udp
US 8.8.8.8:53 vhveha.info udp
US 8.8.8.8:53 eklabunbl.net udp
US 8.8.8.8:53 zyegdrecqf.net udp
US 8.8.8.8:53 cplerrz.info udp
US 8.8.8.8:53 ymbczcvan.net udp
US 8.8.8.8:53 sqqumgekumeo.org udp
US 8.8.8.8:53 nuvqiefaviq.net udp
US 8.8.8.8:53 vgjqhypit.net udp
US 8.8.8.8:53 ctecojhb.info udp
US 8.8.8.8:53 mqdujgx.info udp
US 8.8.8.8:53 meumgzpu.info udp
US 8.8.8.8:53 dynwhaprh.net udp
US 8.8.8.8:53 ufbvrjgbvzfm.net udp
US 8.8.8.8:53 mjthqrqk.net udp
US 8.8.8.8:53 muztrnpnxfmb.info udp
US 8.8.8.8:53 dnpxjwiyjzhb.info udp
US 8.8.8.8:53 aaaqls.net udp
US 8.8.8.8:53 fshhtxpue.org udp
US 8.8.8.8:53 eqrkrktuhkd.info udp
US 8.8.8.8:53 hrwghseuhdl.com udp
US 8.8.8.8:53 lytuefatnbnu.net udp
US 8.8.8.8:53 turinbssq.info udp
US 8.8.8.8:53 ukwkagwkcska.com udp
US 8.8.8.8:53 mgxcfovmrsu.net udp
US 8.8.8.8:53 cnawber.net udp
US 8.8.8.8:53 lnnvbcdyf.com udp
US 8.8.8.8:53 kwowieuykucg.org udp
US 8.8.8.8:53 pgufemvsvhj.org udp
US 8.8.8.8:53 ksqgtux.info udp
US 8.8.8.8:53 liuuaaf.com udp
US 8.8.8.8:53 rrzimfainos.net udp
US 8.8.8.8:53 ewdgfkcwjyw.net udp
US 8.8.8.8:53 javjpwoegkbc.info udp
US 8.8.8.8:53 hiaslst.org udp
US 8.8.8.8:53 jczubghuf.com udp
US 8.8.8.8:53 geuiwqsgwukw.org udp
US 8.8.8.8:53 uylgmmp.net udp
US 8.8.8.8:53 oahzbczz.info udp
US 8.8.8.8:53 ozlgdwvyh.net udp
US 8.8.8.8:53 fwlykwmlex.net udp
US 8.8.8.8:53 wuvbhkdcq.net udp
US 8.8.8.8:53 seckugai.org udp
US 8.8.8.8:53 bsxjofye.info udp
US 8.8.8.8:53 bcvczypfjat.com udp
US 8.8.8.8:53 thxcpapcihok.info udp
US 8.8.8.8:53 qylwnyduxed.net udp
US 8.8.8.8:53 llmtynj.com udp
US 8.8.8.8:53 yqmiacco.com udp
US 8.8.8.8:53 udzelcyzy.info udp
US 8.8.8.8:53 dngfrgoifb.info udp
US 8.8.8.8:53 xtiukyhfeb.net udp
US 8.8.8.8:53 elzyfuzghpx.info udp
US 8.8.8.8:53 gqgmqyqimq.org udp
US 8.8.8.8:53 gaocuwugqycq.com udp
US 8.8.8.8:53 kkgskij.info udp
US 8.8.8.8:53 eklqjdouo.info udp
US 8.8.8.8:53 zusvgwqr.info udp
US 8.8.8.8:53 ltmundpr.info udp
US 8.8.8.8:53 iwkyak.com udp
US 8.8.8.8:53 nwowokqtbgnl.info udp
US 8.8.8.8:53 hthmoieetmxp.info udp
US 8.8.8.8:53 baiizeh.com udp
US 8.8.8.8:53 htaglefc.info udp
US 8.8.8.8:53 ganqnaf.net udp
US 8.8.8.8:53 pqvtwxnx.info udp
US 8.8.8.8:53 gfweiy.info udp
US 8.8.8.8:53 deyhwh.info udp
US 8.8.8.8:53 wglxbeyixsg.info udp
US 8.8.8.8:53 iwvjpg.net udp
US 8.8.8.8:53 tzeymkpb.info udp
US 8.8.8.8:53 nmxehosgj.org udp
US 8.8.8.8:53 leqwbjbs.net udp
US 8.8.8.8:53 zxbhbwp.com udp
US 8.8.8.8:53 wvhiplldjb.net udp
US 8.8.8.8:53 puqpxriibrly.net udp
US 8.8.8.8:53 aogobal.info udp
US 8.8.8.8:53 vhcevh.info udp
US 8.8.8.8:53 swgcfgv.info udp
US 8.8.8.8:53 gudechrg.info udp
US 8.8.8.8:53 kolodajlv.net udp
US 8.8.8.8:53 besiowltbt.info udp
US 8.8.8.8:53 mkqkgq.org udp
US 8.8.8.8:53 ztqdje.info udp
US 8.8.8.8:53 spunvzsvakuj.net udp
US 8.8.8.8:53 oyhyscz.info udp
US 8.8.8.8:53 nqldnkf.com udp
US 8.8.8.8:53 hxwghymhtm.info udp
US 8.8.8.8:53 ngzaxftft.info udp
US 8.8.8.8:53 scvcxn.info udp
US 8.8.8.8:53 psjgnfdmjwx.net udp
US 8.8.8.8:53 osbtam.net udp
US 8.8.8.8:53 hqtkymx.org udp
US 8.8.8.8:53 wsgrvobrq.net udp
US 8.8.8.8:53 mlywvbhy.net udp
DE 85.214.228.140:80 kavtbvqf.info tcp
US 8.8.8.8:53 zuxejnv.info udp
US 54.244.188.177:80 sejibalqxar.net tcp
US 8.8.8.8:53 nujmtindoh.info udp
US 8.8.8.8:53 eqlqhsu.net udp
US 8.8.8.8:53 egskgowc.org udp
US 8.8.8.8:53 owemucks.org udp
US 208.100.26.245:80 egksyqv.info tcp
US 8.8.8.8:53 uewyyocemu.org udp
US 8.8.8.8:53 esuguqmssa.com udp
US 8.8.8.8:53 qmhfkrviqp.info udp
US 8.8.8.8:53 xanujykdioit.info udp
US 8.8.8.8:53 ornkdyvmdjx.info udp
US 8.8.8.8:53 pegjgcnafir.info udp
US 8.8.8.8:53 pnfmjmvwlcx.org udp
US 8.8.8.8:53 wbqprunbyhgq.net udp
US 8.8.8.8:53 wclkqrqe.net udp
US 8.8.8.8:53 nntasqfztalr.net udp
US 8.8.8.8:53 mgcias.com udp
US 8.8.8.8:53 hmobnvtgcvsp.info udp
US 8.8.8.8:53 avsrqpxkbz.net udp
US 8.8.8.8:53 tilmejkgujt.org udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 vqhclzq.org udp
US 8.8.8.8:53 ssbihypcx.info udp
US 8.8.8.8:53 twtszxmita.net udp
US 8.8.8.8:53 usqumg.org udp
US 8.8.8.8:53 tsnmbypuq.org udp
US 8.8.8.8:53 mrbhwa.info udp
US 8.8.8.8:53 xerqiiou.net udp
US 8.8.8.8:53 nzykhiwm.info udp
US 8.8.8.8:53 wslwlgx.info udp
US 8.8.8.8:53 miokgksskwum.com udp
US 8.8.8.8:53 gtzrnb.net udp
US 8.8.8.8:53 urpebsd.net udp
US 8.8.8.8:53 nqzetqp.com udp
US 8.8.8.8:53 hghtpojvfrvq.net udp
US 8.8.8.8:53 zlyyorpkkiwh.info udp
US 8.8.8.8:53 havbtylo.net udp
US 8.8.8.8:53 yoagki.com udp
US 8.8.8.8:53 sywgqwuu.com udp
US 8.8.8.8:53 rmnmaithp.net udp
US 8.8.8.8:53 nbjrecsg.net udp
US 8.8.8.8:53 myocswemuq.org udp
US 8.8.8.8:53 goqaii.com udp
US 8.8.8.8:53 gojujyqwlln.net udp
US 8.8.8.8:53 crhwdnbpv.net udp
US 8.8.8.8:53 catdtirlxee.net udp
US 8.8.8.8:53 kahxpoborph.net udp
US 8.8.8.8:53 tpgznk.net udp
US 8.8.8.8:53 eqdgxtrjvgr.info udp
US 8.8.8.8:53 gotqpsxeq.net udp
US 8.8.8.8:53 ielgkn.info udp
US 8.8.8.8:53 lhyrlybqsqch.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 luxizqjdxmty.info udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 ekuedqrcp.info udp
US 8.8.8.8:53 pqvmfwcox.info udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 ndfuswhwpc.info udp
US 8.8.8.8:53 bzjoqrtyb.info udp
US 8.8.8.8:53 fwfunja.info udp
US 8.8.8.8:53 vljgbupsl.net udp
US 8.8.8.8:53 vdvxieszmhfp.info udp
US 8.8.8.8:53 gmesqmckoyke.org udp
US 8.8.8.8:53 qpejngowavjy.info udp
US 8.8.8.8:53 zoxadhrur.com udp
US 8.8.8.8:53 xgvubkkwk.net udp
US 8.8.8.8:53 akyoaamowu.org udp
US 8.8.8.8:53 rsdimkh.com udp
US 8.8.8.8:53 lcbsfiyyz.com udp
US 8.8.8.8:53 haimrezv.net udp
US 8.8.8.8:53 dmbealkee.net udp
US 8.8.8.8:53 uatsjrt.net udp
US 8.8.8.8:53 zayymrktaj.net udp
US 8.8.8.8:53 ibmkuvfttvtt.info udp
US 8.8.8.8:53 lyjgdwtqjg.info udp
US 8.8.8.8:53 yqiweowi.com udp
US 8.8.8.8:53 wcjktahtms.info udp
US 8.8.8.8:53 skjsavtulcg.info udp
US 8.8.8.8:53 fthixlwh.info udp
US 8.8.8.8:53 fszehlnx.net udp
US 8.8.8.8:53 sdbkpc.net udp
US 8.8.8.8:53 skguocey.org udp
US 8.8.8.8:53 sqimiwaa.com udp
US 8.8.8.8:53 ymuewofcf.net udp
US 8.8.8.8:53 jkdcdyf.com udp
US 8.8.8.8:53 amdrjnvymzd.net udp
US 8.8.8.8:53 snlzpz.info udp
US 8.8.8.8:53 ougqga.org udp
US 8.8.8.8:53 gfuvwmjpgb.net udp
US 8.8.8.8:53 ubhqdgmujci.info udp
US 8.8.8.8:53 pvbhnu.net udp
US 8.8.8.8:53 ioywaqei.com udp
US 8.8.8.8:53 dggaosyre.org udp
US 8.8.8.8:53 lemibrxund.info udp
US 8.8.8.8:53 sxoabqtuaol.net udp
US 8.8.8.8:53 tpsnlxpeht.net udp
US 8.8.8.8:53 zsqxejydfpnt.info udp
US 8.8.8.8:53 nkjblzcql.net udp
US 8.8.8.8:53 hnfflvdwte.net udp
US 8.8.8.8:53 qudyrmntuow.info udp
US 8.8.8.8:53 ngupbuikqy.net udp
US 8.8.8.8:53 usiikeyy.org udp
US 8.8.8.8:53 tfjtwjah.info udp
US 8.8.8.8:53 cqbpxyvyluq.info udp
US 8.8.8.8:53 gbkvnabfqhos.info udp
US 8.8.8.8:53 aunudjnnlfbf.net udp
US 8.8.8.8:53 fkjsjnfcncz.info udp
US 8.8.8.8:53 swmzrjrefp.info udp
US 8.8.8.8:53 rnkxvy.net udp
US 8.8.8.8:53 uspavcp.net udp
US 8.8.8.8:53 btbcif.info udp
US 8.8.8.8:53 juzvhys.org udp
US 8.8.8.8:53 kakgmo.com udp
US 8.8.8.8:53 uiaftrrpfp.info udp
US 8.8.8.8:53 rjkojrpj.info udp
US 8.8.8.8:53 hrnujmsfph.net udp
US 8.8.8.8:53 icugterlbcz.net udp
US 8.8.8.8:53 nsoekchlfkv.org udp
US 8.8.8.8:53 dmrgcnz.net udp
US 8.8.8.8:53 qudfwrxeufno.info udp
US 8.8.8.8:53 ourepitvklx.info udp
US 8.8.8.8:53 qioakyqeks.com udp
US 8.8.8.8:53 jqpevr.net udp
US 8.8.8.8:53 vlkfdsyuanna.net udp
US 8.8.8.8:53 xhisrub.org udp
US 8.8.8.8:53 ahjdjx.info udp
US 8.8.8.8:53 tzttzvwvtn.net udp
US 8.8.8.8:53 donewsikomx.info udp
US 8.8.8.8:53 twzwmurw.info udp
US 8.8.8.8:53 hklhjmvgaxh.info udp
US 8.8.8.8:53 usgiag.info udp
US 8.8.8.8:53 xododk.net udp
US 8.8.8.8:53 khopbk.net udp
US 8.8.8.8:53 fcpmbxlozomf.info udp
US 8.8.8.8:53 owogfvcic.info udp
US 8.8.8.8:53 zfvenyzb.info udp
US 8.8.8.8:53 ruksvdctcqr.com udp
US 8.8.8.8:53 znwjjxvv.net udp
US 8.8.8.8:53 kcjvja.info udp
US 8.8.8.8:53 njrwwgwf.info udp
US 8.8.8.8:53 spzrhrvesz.net udp
US 8.8.8.8:53 ibnzekestmvw.net udp
US 8.8.8.8:53 idegzazut.net udp
US 8.8.8.8:53 pwdmpqmewat.org udp
US 8.8.8.8:53 lfnrjahslur.org udp
US 8.8.8.8:53 rwefryngvgr.net udp
US 8.8.8.8:53 vudulzdmzprb.net udp
US 8.8.8.8:53 datktkxzr.org udp
US 8.8.8.8:53 kfztdkmgmbxp.info udp
US 8.8.8.8:53 kshgvj.net udp
US 8.8.8.8:53 fceoxgscw.com udp
US 8.8.8.8:53 olifwt.info udp
US 8.8.8.8:53 oebdqtnylpn.net udp
US 8.8.8.8:53 vfrkdsphsa.info udp
US 8.8.8.8:53 falhshffh.net udp
US 8.8.8.8:53 xykutplmhmfn.net udp
US 8.8.8.8:53 wqqweg.org udp
US 8.8.8.8:53 vmouvfpoaqcz.net udp
US 8.8.8.8:53 byxkrkbsgek.info udp
US 8.8.8.8:53 mlgsxflu.net udp
US 8.8.8.8:53 eaqikw.org udp
US 8.8.8.8:53 yegkai.com udp
US 8.8.8.8:53 nvprjfjykv.info udp
US 8.8.8.8:53 llmylvqrvc.info udp
US 8.8.8.8:53 mmpfdlx.info udp
US 8.8.8.8:53 kmpdjanxcx.info udp
US 8.8.8.8:53 hgpydyr.org udp
US 8.8.8.8:53 iwfjdihngcy.net udp
US 8.8.8.8:53 jljcywgh.info udp
US 8.8.8.8:53 rehoxhf.org udp
US 8.8.8.8:53 elbysvpurov.info udp
US 8.8.8.8:53 eeppryl.info udp
US 8.8.8.8:53 adjdpnzooh.net udp
US 8.8.8.8:53 zmiyjqdsz.com udp
US 8.8.8.8:53 aptavxszku.info udp
US 8.8.8.8:53 tnpwnmrz.net udp
US 8.8.8.8:53 oesmaemmgi.com udp
US 8.8.8.8:53 uytmtjfnqvkr.net udp
US 8.8.8.8:53 jyppbb.info udp
US 8.8.8.8:53 wyouywom.com udp
US 8.8.8.8:53 jinfugfp.net udp
US 8.8.8.8:53 yucwio.org udp
US 8.8.8.8:53 ksqiqimy.org udp
US 8.8.8.8:53 ddlzpyx.org udp
US 8.8.8.8:53 tjqryxbhdomh.net udp
US 8.8.8.8:53 isiium.com udp
US 8.8.8.8:53 aqrimmi.info udp
US 8.8.8.8:53 azmjyofexz.info udp
US 8.8.8.8:53 akcuefigqd.info udp
US 8.8.8.8:53 ysxpeafix.net udp
US 8.8.8.8:53 yiwkhxpgv.info udp
US 8.8.8.8:53 mgroafw.info udp
US 8.8.8.8:53 dnbgtezpxix.net udp
US 8.8.8.8:53 rxczpilihy.net udp
US 8.8.8.8:53 gxjmexojzn.info udp
US 8.8.8.8:53 rbkcrvul.net udp
US 8.8.8.8:53 krlyna.info udp
US 8.8.8.8:53 knckwex.net udp
US 8.8.8.8:53 gkclfsx.info udp
US 8.8.8.8:53 lgmblm.info udp
US 8.8.8.8:53 dwidbiv.com udp
US 8.8.8.8:53 jglaqupow.com udp
US 8.8.8.8:53 aozgvijhv.info udp
US 8.8.8.8:53 ekysuwaiqs.org udp
US 8.8.8.8:53 ydzslmicb.info udp
US 8.8.8.8:53 pcerrgzcfsz.net udp
US 8.8.8.8:53 ikjuhe.net udp
US 8.8.8.8:53 tcodlz.net udp
US 8.8.8.8:53 usaaomsm.org udp
US 8.8.8.8:53 gatcnh.net udp
US 8.8.8.8:53 mbiiznxdulyh.net udp
US 8.8.8.8:53 piixmh.net udp
US 8.8.8.8:53 gtzmpsl.info udp
US 8.8.8.8:53 uamgwamskqew.org udp
US 8.8.8.8:53 fqzzunv.com udp
US 8.8.8.8:53 amtqxoj.net udp
US 8.8.8.8:53 vitfbhlzud.info udp
US 8.8.8.8:53 pscgpnxpjov.org udp
US 8.8.8.8:53 qpeavxszku.net udp
US 8.8.8.8:53 zyddtkzdzmr.info udp
US 8.8.8.8:53 gnfars.info udp
US 8.8.8.8:53 ussmwkms.org udp
US 8.8.8.8:53 mrvijkjbj.info udp
US 8.8.8.8:53 nvqhtsfzlm.info udp
US 8.8.8.8:53 ogticqh.info udp
US 8.8.8.8:53 wuvdcemvbvq.net udp
US 8.8.8.8:53 hmrjwwul.net udp

Files

C:\Users\Admin\AppData\Local\Temp\bhhrejn.exe


C:\Users\Admin\AppData\Local\fdvxczvuuqooptcyjdnld.khd


C:\Users\Admin\AppData\Local\ajmzpxeozgpambvcydyhkxnvcmxenykz.awb


C:\Program Files (x86)\fdvxczvuuqooptcyjdnld.khd
