Malware Analysis Report

2024-12-07 17:04

Sample ID 241113-cq531avepl
Target be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6
SHA256 be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6
Tags
defense_evasion discovery evasion persistence privilege_escalation trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6

Threat Level: Known bad

The file be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6 was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion persistence privilege_escalation trojan

Modifies WinLogon for persistence

UAC bypass

Disables RegEdit via registry modification

Adds policy Run key to start application

Loads dropped DLL

Impair Defenses: Safe Mode Boot

Executes dropped EXE

Checks computer location settings

Hijack Execution Flow: Executable Installer File Permissions Weakness

Looks up external IP address via web service

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-13 02:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-13 02:17

Reported

2024-11-13 02:20

Platform

win7-20240903-en

Max time kernel

150s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A

Adds policy Run key to start application

persistence

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A

Adds Run key to start application

persistence

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\jnsotcedejqjzenyuxlpuqveg.gls C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
File created C:\Windows\SysWOW64\jnsotcedejqjzenyuxlpuqveg.gls C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
File opened for modification C:\Windows\SysWOW64\odtaqkxhtjbfgwqmthgvlsicpzlbtxyoielz.ndk C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
File created C:\Windows\SysWOW64\odtaqkxhtjbfgwqmthgvlsicpzlbtxyoielz.ndk C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\odtaqkxhtjbfgwqmthgvlsicpzlbtxyoielz.ndk C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
File created C:\Program Files (x86)\odtaqkxhtjbfgwqmthgvlsicpzlbtxyoielz.ndk C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
File opened for modification C:\Program Files (x86)\jnsotcedejqjzenyuxlpuqveg.gls C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
File created C:\Program Files (x86)\jnsotcedejqjzenyuxlpuqveg.gls C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\jnsotcedejqjzenyuxlpuqveg.gls C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
File created C:\Windows\jnsotcedejqjzenyuxlpuqveg.gls C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
File opened for modification C:\Windows\odtaqkxhtjbfgwqmthgvlsicpzlbtxyoielz.ndk C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
File created C:\Windows\odtaqkxhtjbfgwqmthgvlsicpzlbtxyoielz.ndk C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 1676 N/A C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe
PID 1968 wrote to memory of 380 N/A C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe

"C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe"

C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe

"C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe" "-"

C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe

"C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe" "-"

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\xfooxkq.exe

C:\Users\Admin\AppData\Local\jnsotcedejqjzenyuxlpuqveg.gls

C:\Users\Admin\AppData\Local\odtaqkxhtjbfgwqmthgvlsicpzlbtxyoielz.ndk

C:\Program Files (x86)\jnsotcedejqjzenyuxlpuqveg.gls

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-13 02:17

Reported

2024-11-13 02:20

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bijot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fylctkgujzwgavusa.exe" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oycksans = "bypkfaaslfgusruwilpmd.exe" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bijot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqcsiytgujfohbzw.exe" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oycksans = "yqcsiytgujfohbzw.exe" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bijot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\miysmgfwohhurprsdfie.exe" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bijot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yqcsiytgujfohbzw.exe" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bijot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bypkfaaslfgusruwilpmd.exe" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oycksans = "yqcsiytgujfohbzw.exe" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oycksans = "zujcvomctlkwspqqabd.exe" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oycksans = "miysmgfwohhurprsdfie.exe" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bijot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oiwogyvkarpavrrqzz.exe" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\bijot = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zujcvomctlkwspqqabd.exe" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oycksans = "fylctkgujzwgavusa.exe" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\oycksans = "oiwogyvkarpavrrqzz.exe" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyip.everdot.org N/A N/A
N/A www.showmyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A www.whatismyip.ca N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\syycgktuwzjgnvhsnzmsswaeno.tda C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
File opened for modification C:\Windows\SysWOW64\tkvkzoiuhvqyqjgcifdufujyserfaiatqmspn.pet C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
File created C:\Windows\SysWOW64\tkvkzoiuhvqyqjgcifdufujyserfaiatqmspn.pet C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
File opened for modification C:\Windows\SysWOW64\syycgktuwzjgnvhsnzmsswaeno.tda C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\tkvkzoiuhvqyqjgcifdufujyserfaiatqmspn.pet C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
File created C:\Program Files (x86)\tkvkzoiuhvqyqjgcifdufujyserfaiatqmspn.pet C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
File opened for modification C:\Program Files (x86)\syycgktuwzjgnvhsnzmsswaeno.tda C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
File created C:\Program Files (x86)\syycgktuwzjgnvhsnzmsswaeno.tda C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\tkvkzoiuhvqyqjgcifdufujyserfaiatqmspn.pet C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
File created C:\Windows\tkvkzoiuhvqyqjgcifdufujyserfaiatqmspn.pet C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
File opened for modification C:\Windows\syycgktuwzjgnvhsnzmsswaeno.tda C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
File created C:\Windows\syycgktuwzjgnvhsnzmsswaeno.tda C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\zilszgs.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe

"C:\Users\Admin\AppData\Local\Temp\be521f0a005a06837effbec40bb14824a0d6df50f981aa88e23e51f28121cbc6.exe"

C:\Users\Admin\AppData\Local\Temp\zilszgs.exe

"C:\Users\Admin\AppData\Local\Temp\zilszgs.exe" "-"

C:\Users\Admin\AppData\Local\Temp\zilszgs.exe

"C:\Users\Admin\AppData\Local\Temp\zilszgs.exe" "-"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 runvywriigs.org udp
US 8.8.8.8:53 qdbklsxbzqpy.net udp
US 8.8.8.8:53 xhmmhwrmthx.net udp
US 8.8.8.8:53 aelubcv.info udp
US 8.8.8.8:53 syrinkjdnuty.info udp
US 8.8.8.8:53 dvjangz.net udp
US 8.8.8.8:53 qsqgkuwg.com udp
US 8.8.8.8:53 lrjkhwgic.com udp
US 8.8.8.8:53 gknqbbbyo.info udp
US 8.8.8.8:53 grjgraoeefhx.info udp
US 8.8.8.8:53 uaygckksku.com udp
US 8.8.8.8:53 taorhq.info udp
US 8.8.8.8:53 gcoksqk.info udp
US 8.8.8.8:53 vdzggtsz.info udp
US 8.8.8.8:53 pzryostgtub.org udp
N/A 192.168.28.2:139 tcp
US 8.8.8.8:53 ccqoikwugmoi.com udp
US 8.8.8.8:53 seeamgtsj.net udp
US 8.8.8.8:53 bjrqccp.net udp
US 8.8.8.8:53 reznbyp.com udp
US 8.8.8.8:53 qrzgdqbd.info udp
US 8.8.8.8:53 dilmcmz.net udp
US 8.8.8.8:53 axecklffttqh.info udp
US 8.8.8.8:53 kkvrbzvi.info udp
US 8.8.8.8:53 ljvdwprwvkf.org udp
US 8.8.8.8:53 sekqsygosicu.org udp
US 8.8.8.8:53 tepnzlwrbfpl.net udp
US 8.8.8.8:53 wpeujqs.info udp
US 8.8.8.8:53 keaeecekqaas.com udp
US 8.8.8.8:53 vmylheoy.info udp
US 8.8.8.8:53 beeujstsjcw.info udp
US 8.8.8.8:53 fzmxtysclkq.net udp
US 8.8.8.8:53 nqtamifgpnb.info udp
US 8.8.8.8:53 qwuxnsdikndq.info udp
US 8.8.8.8:53 qkhqaqkex.net udp
US 8.8.8.8:53 jkwlvj.info udp
US 8.8.8.8:53 savpwudypi.net udp
US 8.8.8.8:53 cmsisw.org udp
US 8.8.8.8:53 jdvcixk.net udp
US 8.8.8.8:53 bwhwhozexm.info udp
US 8.8.8.8:53 lmexntpfa.org udp
US 8.8.8.8:53 scquuek.net udp
US 8.8.8.8:53 stxapuuba.info udp
US 8.8.8.8:53 scwgagyi.org udp
US 8.8.8.8:53 jscgvz.info udp
US 8.8.8.8:53 ekouqagyuoyo.com udp
US 8.8.8.8:53 wtxnaaltn.info udp
US 8.8.8.8:53 eoocacsuyugo.com udp
US 8.8.8.8:53 kseclqren.net udp
US 8.8.8.8:53 jnxuvuqktsv.net udp
US 8.8.8.8:53 tpjycws.com udp
US 8.8.8.8:53 yavekefqtco.net udp
US 8.8.8.8:53 zuacjkxkhhl.net udp
US 8.8.8.8:53 rzymlt.info udp
US 8.8.8.8:53 gjclvfpnhp.net udp
US 8.8.8.8:53 cwqoie.org udp
US 8.8.8.8:53 agtpkwhb.net udp
US 8.8.8.8:53 vpiebzrofazu.net udp
US 8.8.8.8:53 atbuawiglqkk.net udp
US 8.8.8.8:53 kpyvvmntqn.net udp
US 8.8.8.8:53 hlbjfp.net udp
US 8.8.8.8:53 yxlhbebgnf.net udp
US 8.8.8.8:53 dbnsgzvs.net udp
US 8.8.8.8:53 gcwjaou.info udp
US 8.8.8.8:53 lyykfcin.net udp
US 8.8.8.8:53 noazeosdavjp.info udp
US 8.8.8.8:53 nudslgskvez.com udp
US 8.8.8.8:53 uqeomc.org udp
US 8.8.8.8:53 zlmillul.info udp
US 8.8.8.8:53 yaukcyu.net udp
US 8.8.8.8:53 dcypmyhut.org udp
US 8.8.8.8:53 uczeiisoe.net udp
US 8.8.8.8:53 caoyeemkeccu.com udp
US 8.8.8.8:53 oqmeiukm.org udp
US 8.8.8.8:53 qeliqqd.info udp
US 8.8.8.8:53 rixkdktie.com udp
US 8.8.8.8:53 touyuh.info udp
US 8.8.8.8:53 hvzecrvq.net udp
US 8.8.8.8:53 uominug.info udp
US 8.8.8.8:53 sjwgud.info udp
US 8.8.8.8:53 ccpeteqkfcm.info udp
US 8.8.8.8:53 dwkrlwnlrh.net udp
US 8.8.8.8:53 vghtipdgbjbw.info udp
US 8.8.8.8:53 btpypfipmac.info udp
US 8.8.8.8:53 zvxurkzzvhty.info udp
US 8.8.8.8:53 xoimlyf.info udp
US 8.8.8.8:53 zxqtjwzfngun.info udp
US 8.8.8.8:53 wyzuadd.net udp
US 8.8.8.8:53 glgustogab.net udp
US 8.8.8.8:53 sjzbdvpd.net udp
US 8.8.8.8:53 yejwkviw.net udp
US 8.8.8.8:53 rukbhehbhyd.org udp
US 8.8.8.8:53 tujeokxesb.net udp
US 8.8.8.8:53 kxhohjl.info udp
US 8.8.8.8:53 ngnhps.net udp
US 8.8.8.8:53 kqqcdiurz.info udp
US 8.8.8.8:53 weaquoegacic.com udp
US 8.8.8.8:53 evlcpfpchf.net udp
US 8.8.8.8:53 bylwnpu.net udp
US 8.8.8.8:53 ywnixfbfrwt.net udp
US 8.8.8.8:53 iugekkcyoe.com udp
US 8.8.8.8:53 pikyhpboz.org udp
US 8.8.8.8:53 qcqadctgvxv.net udp
US 8.8.8.8:53 aenqkyh.net udp
US 8.8.8.8:53 uswgrz.info udp
US 8.8.8.8:53 xddkwoakwc.net udp
US 8.8.8.8:53 jzkgkar.com udp
US 8.8.8.8:53 lsdlwgdqht.info udp
US 8.8.8.8:53 brkzng.net udp
US 8.8.8.8:53 gqwyaoausqyk.com udp
US 8.8.8.8:53 gljqjnj.info udp
US 8.8.8.8:53 jilbwqlziqo.org udp
US 8.8.8.8:53 ccmeucsi.org udp
US 8.8.8.8:53 bwyyfdtt.net udp
US 8.8.8.8:53 rkfxkwp.com udp
US 8.8.8.8:53 kteajfs.net udp
US 8.8.8.8:53 sjfgnzvkawh.net udp
US 8.8.8.8:53 cqeqkqayyc.org udp
US 8.8.8.8:53 feyxxrkz.net udp
US 8.8.8.8:53 gwxmbqd.info udp
US 8.8.8.8:53 qmbwxclgd.info udp
US 8.8.8.8:53 depfbed.net udp
US 8.8.8.8:53 uaoylee.info udp
US 8.8.8.8:53 lgiqnrwmr.info udp
US 8.8.8.8:53 hhdcno.info udp
US 8.8.8.8:53 dbvhlkndez.net udp
US 8.8.8.8:53 btvhlvft.net udp
US 8.8.8.8:53 hnvmpz.info udp
US 8.8.8.8:53 vdmtswsdfyl.org udp
US 8.8.8.8:53 rtafph.info udp
US 8.8.8.8:53 oisfxztxhv.info udp
US 8.8.8.8:53 pvprtymg.net udp
US 8.8.8.8:53 tezhargcl.org udp
US 8.8.8.8:53 hmzhqd.net udp
US 8.8.8.8:53 mgoemc.org udp
US 8.8.8.8:53 wihefwnpha.net udp
US 8.8.8.8:53 wosiekkkcg.org udp
US 8.8.8.8:53 latbowhcu.com udp
US 8.8.8.8:53 imases.org udp
FI 94.237.17.29:80 imases.org tcp
US 8.8.8.8:53 ouauowcmiqcm.org udp
US 8.8.8.8:53 umyijit.info udp
US 8.8.8.8:53 aablgppino.info udp
US 8.8.8.8:53 rqgezhvw.net udp
US 8.8.8.8:53 puerojuyiqq.com udp
US 8.8.8.8:53 axpjoitp.net udp
US 8.8.8.8:53 rtjvvnpasshg.net udp
US 8.8.8.8:53 kmsggkcu.org udp
US 8.8.8.8:53 xnvvzd.net udp
US 8.8.8.8:53 lyxuyph.info udp
US 8.8.8.8:53 mqjgwhr.net udp
US 8.8.8.8:53 dmnocv.info udp
US 8.8.8.8:53 twhdeznb.net udp
US 8.8.8.8:53 29.17.237.94.in-addr.arpa udp
US 8.8.8.8:53 kqbgfspmu.info udp
US 8.8.8.8:53 igbunwhhzd.net udp
US 8.8.8.8:53 wovntmxv.info udp
US 8.8.8.8:53 uwdsjlvyncd.info udp
US 8.8.8.8:53 ladcxdxmbw.info udp
US 8.8.8.8:53 acbxcmcdn.info udp
US 8.8.8.8:53 rkjwbtsn.net udp
US 8.8.8.8:53 caryabspw.net udp
US 8.8.8.8:53 oduoqoveb.info udp
US 8.8.8.8:53 rskzbimsfyt.net udp
US 8.8.8.8:53 peeywjoj.net udp
US 8.8.8.8:53 kkcqnylyzxc.info udp
US 8.8.8.8:53 igowgkuaeqmw.com udp
US 8.8.8.8:53 jadjqefez.net udp
US 8.8.8.8:53 yoksaxzujpu.net udp
US 8.8.8.8:53 aoskqookyuge.com udp
US 8.8.8.8:53 yumhekvpeknh.net udp
US 8.8.8.8:53 jypwhwggp.info udp
US 8.8.8.8:53 jyjxskjbhhb.org udp
US 8.8.8.8:53 qcomuekk.org udp
US 8.8.8.8:53 hwkpdwl.info udp
US 8.8.8.8:53 nitqnhz.com udp
US 8.8.8.8:53 eamiwqog.com udp
US 8.8.8.8:53 bxrsgminbopa.net udp
US 8.8.8.8:53 tzwflmeio.net udp
US 8.8.8.8:53 jttxnoo.net udp
US 8.8.8.8:53 jzdmqv.net udp
US 8.8.8.8:53 oejbsistly.net udp
US 8.8.8.8:53 fydwhccelch.info udp
US 8.8.8.8:53 tawaluhlxui.net udp
US 8.8.8.8:53 tuwyabxqtort.net udp
US 8.8.8.8:53 tvkvmwhx.info udp
US 8.8.8.8:53 yogrzldfbk.info udp
US 8.8.8.8:53 prrczpvcpsl.com udp
US 8.8.8.8:53 rahnqeiicef.com udp
US 8.8.8.8:53 mgtjtdscccc.info udp
US 8.8.8.8:53 luigmwv.net udp
US 8.8.8.8:53 swcvcsqq.info udp
US 8.8.8.8:53 swuynjfkbnv.net udp
US 8.8.8.8:53 wgwyssimgkoq.com udp
US 8.8.8.8:53 gomsusyyuycc.com udp
US 8.8.8.8:53 lgyxzxyldb.info udp
US 8.8.8.8:53 trtrplgnvrtd.info udp
US 8.8.8.8:53 xcupwwwpyxli.net udp
US 8.8.8.8:53 xthnja.net udp
US 8.8.8.8:53 rqjezml.org udp
US 8.8.8.8:53 zbduhqatno.info udp
US 8.8.8.8:53 nvckbmqn.net udp
US 8.8.8.8:53 xxwotnbfpsri.net udp
US 8.8.8.8:53 vzkgywhmru.info udp
US 8.8.8.8:53 jgufibeybs.info udp
US 8.8.8.8:53 iykomuoiso.org udp
US 8.8.8.8:53 zqgewctiuah.org udp
US 8.8.8.8:53 yaeenpdxwm.net udp
US 8.8.8.8:53 snvmuytr.net udp
US 8.8.8.8:53 ysuzcmb.net udp
US 8.8.8.8:53 juczyab.info udp
US 8.8.8.8:53 yveovmlrlid.info udp
US 8.8.8.8:53 yswrwt.net udp
US 8.8.8.8:53 tmbgdxjgf.org udp
US 8.8.8.8:53 xcxxvvmr.info udp
US 8.8.8.8:53 nrfeuo.info udp
US 8.8.8.8:53 tmzjhmaahmz.info udp
US 8.8.8.8:53 anwkhqzupqu.info udp
US 8.8.8.8:53 qiwmesgw.net udp
US 8.8.8.8:53 fpvilghmn.org udp
US 8.8.8.8:53 apzqxiynpejr.info udp
US 8.8.8.8:53 dymincoifib.info udp
US 8.8.8.8:53 pxjhbvwnnvsp.net udp
US 8.8.8.8:53 lspedol.com udp
US 8.8.8.8:53 fidulrw.info udp
US 8.8.8.8:53 igyyrpj.info udp
US 8.8.8.8:53 redwzwuqjku.net udp
US 8.8.8.8:53 bmuqenhwc.org udp
US 8.8.8.8:53 egsqwwio.org udp
US 8.8.8.8:53 fxogzqrc.info udp
US 8.8.8.8:53 iqqawmueyu.com udp
US 8.8.8.8:53 sovgagdst.net udp
US 8.8.8.8:53 rslnfomn.info udp
US 8.8.8.8:53 wqrvrtugx.net udp
US 8.8.8.8:53 jeqqus.info udp
US 8.8.8.8:53 dkgsyaflln.net udp
US 8.8.8.8:53 hqforzfdjnbw.net udp
US 8.8.8.8:53 kqsikakk.com udp
US 8.8.8.8:53 omhirn.net udp
US 8.8.8.8:53 zmhanin.info udp
US 8.8.8.8:53 xrfznlhptk.info udp
US 8.8.8.8:53 cprfvcxl.info udp
US 8.8.8.8:53 ggdonmbae.info udp
US 8.8.8.8:53 ooseig.org udp
US 8.8.8.8:53 pyrzjqztsc.net udp
US 8.8.8.8:53 feyjrv.net udp
US 8.8.8.8:53 lcmtpekoupi.info udp
US 8.8.8.8:53 ebboql.info udp
US 8.8.8.8:53 miqskekq.org udp
US 8.8.8.8:53 ysreqsa.info udp
US 8.8.8.8:53 mexaexjog.info udp
US 8.8.8.8:53 vuvdlax.com udp
US 8.8.8.8:53 myuymkyasmmu.com udp
US 8.8.8.8:53 wbqtkcxy.net udp
US 8.8.8.8:53 rmzrhow.org udp
US 8.8.8.8:53 oeskeaye.com udp
US 8.8.8.8:53 abqsvxvpbczm.info udp
US 8.8.8.8:53 aaieooykee.org udp
US 8.8.8.8:53 djpalkoig.info udp
US 8.8.8.8:53 kegwiq.com udp
US 8.8.8.8:53 idfqpe.info udp
US 8.8.8.8:53 fgjwdazyr.net udp
US 8.8.8.8:53 xyxktcigcjb.org udp
US 8.8.8.8:53 nwmttinssns.com udp
US 8.8.8.8:53 fhmkstt.net udp
US 8.8.8.8:53 ppoitft.info udp
US 8.8.8.8:53 hgvifktkt.net udp
US 8.8.8.8:53 wokyyoqk.com udp
US 8.8.8.8:53 pyhuldb.net udp
US 8.8.8.8:53 jktzplakb.info udp
US 8.8.8.8:53 hcuuovzzryhv.net udp
US 8.8.8.8:53 wnrwbf.info udp
US 8.8.8.8:53 usortbvkrqd.info udp
US 8.8.8.8:53 kcavttiegg.info udp
US 8.8.8.8:53 renmuav.net udp
US 8.8.8.8:53 eymmhjxv.info udp
US 8.8.8.8:53 aksrgnlgvpde.net udp
US 8.8.8.8:53 kogewmhyy.net udp
US 8.8.8.8:53 bkfpjbvftkpb.info udp
US 8.8.8.8:53 zchuaxz.org udp
US 8.8.8.8:53 wbdovmlrlid.info udp
US 8.8.8.8:53 ywuetjpwd.net udp
US 8.8.8.8:53 dilwotf.net udp
US 8.8.8.8:53 lqlefyqnf.net udp
US 8.8.8.8:53 cqgyquymow.com udp
US 8.8.8.8:53 hghifclbjmx.net udp
US 8.8.8.8:53 mywuuwkasige.com udp
US 8.8.8.8:53 mmyqpsbqbkf.info udp
US 8.8.8.8:53 kioeebngfib.info udp
US 8.8.8.8:53 qkacqu.com udp
US 8.8.8.8:53 dircxmsib.net udp
US 8.8.8.8:53 dfvudx.net udp
US 8.8.8.8:53 xocbsrhhhxvs.info udp
US 8.8.8.8:53 abvrfonzpnmo.info udp
US 8.8.8.8:53 rqcjorbuzh.info udp
US 8.8.8.8:53 tajzruzcu.com udp
US 8.8.8.8:53 rafbfgfcjqx.net udp
US 8.8.8.8:53 zwkrpf.info udp
US 8.8.8.8:53 dudqnb.info udp
US 8.8.8.8:53 glhavybkt.info udp
US 8.8.8.8:53 ozucvuzax.info udp
US 8.8.8.8:53 bmzlzmpumie.com udp
US 8.8.8.8:53 xkncznbot.net udp
US 8.8.8.8:53 fgzlfkf.com udp
US 8.8.8.8:53 ukihjahlgmng.info udp
US 8.8.8.8:53 fctcxi.info udp
US 8.8.8.8:53 vunwxpptcq.net udp
US 8.8.8.8:53 zbfeqcxvcxrb.net udp
US 8.8.8.8:53 cyykucjsn.info udp
US 8.8.8.8:53 bocxqln.info udp
US 8.8.8.8:53 jtdcfw.net udp
US 8.8.8.8:53 zxlglmh.net udp
US 8.8.8.8:53 cjfzqcmctvne.info udp
US 8.8.8.8:53 ypmnjzuang.net udp
US 8.8.8.8:53 xsjldtrmipnj.net udp
US 8.8.8.8:53 viykqurkro.net udp
US 8.8.8.8:53 iyfgdobzlbz.info udp
US 8.8.8.8:53 rjdfkcjbybhm.info udp
US 8.8.8.8:53 hhnyxvgqzexk.info udp
US 8.8.8.8:53 dpfllt.net udp
US 8.8.8.8:53 ahwlsjlt.info udp
US 8.8.8.8:53 kalifavej.net udp
US 8.8.8.8:53 lldynpblh.com udp
US 8.8.8.8:53 aksaewcf.info udp
US 8.8.8.8:53 kxcregpfeoqa.net udp
US 8.8.8.8:53 jwpcniulign.net udp
US 8.8.8.8:53 yvtvawa.info udp
US 8.8.8.8:53 rkmakp.info udp
US 8.8.8.8:53 bjyprc.info udp
US 8.8.8.8:53 rsdupgl.net udp
US 8.8.8.8:53 iuswqkcw.org udp
US 8.8.8.8:53 ekfybkui.info udp
US 8.8.8.8:53 dmdlqkno.net udp
US 8.8.8.8:53 axjfnc.net udp
US 8.8.8.8:53 julfppzljvdt.info udp
US 8.8.8.8:53 oelqhkx.info udp
US 8.8.8.8:53 vhrcycrh.net udp
US 8.8.8.8:53 zwhcpepgxix.info udp
US 8.8.8.8:53 gaowmec.info udp
US 8.8.8.8:53 anxqrqhdbwf.net udp
US 8.8.8.8:53 mgtsgnz.net udp
US 8.8.8.8:53 jlnrffxvtbis.info udp
US 8.8.8.8:53 aerdilpadro.info udp
US 8.8.8.8:53 mycaagwkky.com udp
US 8.8.8.8:53 muyeqksowm.com udp
US 8.8.8.8:53 feddhjfdzb.info udp
US 8.8.8.8:53 qsuswiv.info udp
US 8.8.8.8:53 jeddpyceavfk.info udp
US 8.8.8.8:53 ywuebj.net udp
US 8.8.8.8:53 verqplh.com udp
US 8.8.8.8:53 hnjxytbzve.info udp
US 8.8.8.8:53 jgtjyq.net udp
US 8.8.8.8:53 damjfutozebh.info udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 jwbydygkx.org udp
US 8.8.8.8:53 mwmmywoc.com udp
US 8.8.8.8:53 ipzhxhyqjmy.net udp
US 8.8.8.8:53 sgvtwecwfgy.info udp
US 8.8.8.8:53 cdympugxeqk.info udp
US 8.8.8.8:53 ekzvyztn.info udp
US 8.8.8.8:53 pjipgaug.info udp
US 8.8.8.8:53 lajibuebocbd.info udp
US 8.8.8.8:53 whlokow.info udp
US 8.8.8.8:53 ggkysskgwaoe.com udp
US 8.8.8.8:53 ohvlqczkcwx.info udp
US 8.8.8.8:53 nydzdaqqby.info udp
US 8.8.8.8:53 eaggequqscyu.com udp
US 8.8.8.8:53 ypcvzitd.net udp
US 8.8.8.8:53 damuvayii.com udp
US 8.8.8.8:53 tsoneriiysb.net udp
US 8.8.8.8:53 xplapqbl.info udp
US 8.8.8.8:53 yensgeomr.net udp
US 8.8.8.8:53 aecicfvipvi.info udp
US 8.8.8.8:53 fcbxlvvx.net udp
US 8.8.8.8:53 yabunofpixc.info udp
US 8.8.8.8:53 ecyiyscwgc.org udp
US 8.8.8.8:53 divvvugafs.net udp
US 8.8.8.8:53 xxxrftze.info udp
US 8.8.8.8:53 dhuyjhloz.net udp
US 8.8.8.8:53 jkqqtapgxcd.com udp
US 8.8.8.8:53 khhztgno.info udp
US 8.8.8.8:53 msmcdkdoc.info udp
US 8.8.8.8:53 wijekixin.info udp
US 8.8.8.8:53 iqmetivduaz.net udp
US 8.8.8.8:53 sqkbpfwd.info udp
US 8.8.8.8:53 huesdsbdp.info udp
US 8.8.8.8:53 ammewepycled.info udp
US 8.8.8.8:53 hahmtynehqj.com udp
US 8.8.8.8:53 wapcbawcsri.net udp
US 8.8.8.8:53 xzphjzderx.info udp
US 8.8.8.8:53 tezeganfqi.net udp
US 8.8.8.8:53 kcijqx.net udp
US 8.8.8.8:53 guaoooh.net udp
US 8.8.8.8:53 ryxswstapfex.info udp
US 8.8.8.8:53 qnfoeorhv.net udp
US 8.8.8.8:53 vebufa.info udp
US 8.8.8.8:53 aodctjrovpk.net udp
US 8.8.8.8:53 socoiamyumow.com udp
US 8.8.8.8:53 lffrtdl.org udp
US 8.8.8.8:53 iroivcx.info udp
US 8.8.8.8:53 xzhgsuemflx.org udp
US 8.8.8.8:53 gnzfjcag.net udp
US 8.8.8.8:53 mvwlxuli.info udp
US 8.8.8.8:53 iygjnusqvuy.net udp
US 8.8.8.8:53 bgnyewjus.info udp
US 8.8.8.8:53 xmjoifqmzd.net udp
US 8.8.8.8:53 gbjatyzspgbt.info udp
US 8.8.8.8:53 zwlzgexjmm.net udp
US 8.8.8.8:53 pnaooq.info udp
US 8.8.8.8:53 amgwwobyz.info udp
US 8.8.8.8:53 mivgjzr.net udp
US 8.8.8.8:53 uotztgzaf.net udp
US 8.8.8.8:53 quwuyc.com udp
US 8.8.8.8:53 airqbcdytol.net udp
US 8.8.8.8:53 twhckkb.net udp
US 8.8.8.8:53 ogoktiz.info udp
US 8.8.8.8:53 rkfcpoj.org udp
US 8.8.8.8:53 lgkofbioin.info udp
US 8.8.8.8:53 jgnwdrpgqz.info udp
US 8.8.8.8:53 lgzqjyj.com udp
US 8.8.8.8:53 leulcjxdb.com udp
US 8.8.8.8:53 hehchqxqv.info udp
US 8.8.8.8:53 wyzwnksgker.net udp
US 8.8.8.8:53 kdyavux.net udp
US 8.8.8.8:53 qkmgeyiyay.com udp
US 8.8.8.8:53 dzsahhohpvz.net udp
US 8.8.8.8:53 paymtvnc.net udp
US 8.8.8.8:53 schmmyl.info udp
US 8.8.8.8:53 ldqifwi.info udp
US 8.8.8.8:53 lkfzkgn.info udp
US 8.8.8.8:53 kyncwupixmn.net udp
US 8.8.8.8:53 aptvjyedhs.net udp
US 8.8.8.8:53 xoasrra.org udp
US 8.8.8.8:53 bqrfbsfnx.info udp
US 8.8.8.8:53 gxrfhqtzmqsq.net udp
US 8.8.8.8:53 aybpxyivvx.info udp
US 8.8.8.8:53 sbtcqpoj.net udp
US 8.8.8.8:53 igqsueqwkwyg.org udp
US 8.8.8.8:53 tijkbbfwdbbf.info udp
US 8.8.8.8:53 osnobczahxb.info udp
US 8.8.8.8:53 balcxkcqb.com udp
US 8.8.8.8:53 eqiunsmzyf.net udp
US 8.8.8.8:53 psqipiv.net udp
US 8.8.8.8:53 cvcfqxncfjh.info udp
US 8.8.8.8:53 iwnmgwh.info udp
US 8.8.8.8:53 eprebs.info udp
US 8.8.8.8:53 dchspxphwk.net udp
US 8.8.8.8:53 oobalsrsrab.net udp
US 8.8.8.8:53 koruzdvsm.info udp
US 8.8.8.8:53 thfunvzbyauf.net udp
US 8.8.8.8:53 kkwmwy.com udp
US 8.8.8.8:53 rexbaqmap.org udp
US 8.8.8.8:53 yukmsmyw.com udp
US 8.8.8.8:53 yoxnjnzuud.net udp
US 8.8.8.8:53 azbonwokt.net udp
US 8.8.8.8:53 gannlztuzvtc.info udp
US 8.8.8.8:53 jszwvgp.org udp
US 8.8.8.8:53 aomjkapm.info udp
US 8.8.8.8:53 pplmmcrwncz.info udp
US 8.8.8.8:53 nhwsjfh.info udp
US 8.8.8.8:53 fulwkorypno.com udp
US 8.8.8.8:53 iqoiqq.com udp
US 8.8.8.8:53 jifixuufm.net udp
US 8.8.8.8:53 uuocwocwsaqo.com udp
US 8.8.8.8:53 uikmeg.com udp
US 8.8.8.8:53 nmlfykvgyqz.info udp
US 8.8.8.8:53 jelzhlivcg.net udp
US 8.8.8.8:53 xcesnqnmtmp.com udp
US 8.8.8.8:53 dwtpjmitygn.net udp
US 8.8.8.8:53 odspco.net udp
US 8.8.8.8:53 sktpzs.net udp
US 8.8.8.8:53 guhxvqcon.info udp
US 8.8.8.8:53 cceoxwr.net udp
US 8.8.8.8:53 twvxzofmxqhn.info udp
US 8.8.8.8:53 fwrkrwl.info udp
US 8.8.8.8:53 aqfzbnqmt.net udp
US 8.8.8.8:53 aakggyacik.com udp
US 8.8.8.8:53 eavubkp.info udp
US 8.8.8.8:53 ykqqrofoofk.net udp
US 8.8.8.8:53 lrfjbtdidpdn.net udp
US 8.8.8.8:53 xsvifqmwf.net udp
US 8.8.8.8:53 rvuekumtj.com udp
US 8.8.8.8:53 jmqdmind.net udp
US 8.8.8.8:53 ekagqeuwwuas.org udp
US 8.8.8.8:53 hubpis.net udp
US 8.8.8.8:53 kkbcikrd.info udp
US 8.8.8.8:53 kujoaz.info udp
US 8.8.8.8:53 ickicwos.com udp
US 8.8.8.8:53 yecntej.net udp
US 8.8.8.8:53 robmtayaqd.net udp
US 8.8.8.8:53 xoqyjxbuopup.info udp
US 8.8.8.8:53 twddgmsywp.net udp
US 8.8.8.8:53 uegyjegav.info udp
US 8.8.8.8:53 dznelepal.info udp
US 8.8.8.8:53 tlrabkrlgw.net udp
US 8.8.8.8:53 wwtloxsa.net udp
US 8.8.8.8:53 haxaomiuj.info udp
US 8.8.8.8:53 timwfizizqh.net udp
US 8.8.8.8:53 bcdpgnokwj.info udp
US 8.8.8.8:53 ltlhpalbtntx.info udp
US 8.8.8.8:53 fuvynes.info udp
US 8.8.8.8:53 rmcpkun.net udp
US 8.8.8.8:53 davtjx.net udp
US 8.8.8.8:53 hvapjj.net udp
US 8.8.8.8:53 ptsxldpo.net udp
US 8.8.8.8:53 bsgsvqnkdhdo.info udp
US 8.8.8.8:53 sguaqw.com udp
US 8.8.8.8:53 trtrgzzk.net udp
US 8.8.8.8:53 swvwxqlcroo.net udp
US 8.8.8.8:53 xunzsihfd.com udp
US 8.8.8.8:53 oylwrhv.info udp
US 8.8.8.8:53 orfwjuidoigl.info udp
US 8.8.8.8:53 vynexfe.org udp
US 8.8.8.8:53 sceommucuy.org udp
US 8.8.8.8:53 ougwkg.org udp
US 8.8.8.8:53 djjebefijn.info udp
US 8.8.8.8:53 pkjalzxk.info udp
US 8.8.8.8:53 qidbobwqej.net udp
US 8.8.8.8:53 oemgaoms.org udp
US 8.8.8.8:53 sqsegav.net udp
US 8.8.8.8:53 mhzzjq.net udp
US 8.8.8.8:53 ihryrovffyz.info udp
US 8.8.8.8:53 hsuitgu.com udp
US 8.8.8.8:53 rqtslc.net udp
US 8.8.8.8:53 urcoqwfqz.info udp
US 8.8.8.8:53 fwvrmypd.net udp
US 8.8.8.8:53 eayacokbim.info udp
US 8.8.8.8:53 uuwaimuyug.com udp
US 8.8.8.8:53 wirqhnhph.info udp
US 8.8.8.8:53 xzqpbm.net udp
US 8.8.8.8:53 xthigsubue.net udp
US 8.8.8.8:53 eoymekquce.com udp
US 8.8.8.8:53 ogogayawumkq.org udp
US 8.8.8.8:53 acfvnmtwud.info udp
US 8.8.8.8:53 wwvatecsfov.net udp
US 8.8.8.8:53 jkscoh.net udp
US 8.8.8.8:53 ueiisgsikawg.com udp
US 8.8.8.8:53 kufqvwt.net udp
US 8.8.8.8:53 uqzsbt.info udp
US 8.8.8.8:53 qktmookkd.info udp
US 8.8.8.8:53 jbtubuihpmzw.net udp
US 8.8.8.8:53 cyicaukkmu.com udp
US 8.8.8.8:53 cmuaemwq.org udp
US 8.8.8.8:53 utmtjxvk.info udp
US 8.8.8.8:53 aakqsm.com udp
US 8.8.8.8:53 yyquokaugswy.org udp
US 8.8.8.8:53 behkxihtr.org udp
US 8.8.8.8:53 bufaojsi.info udp
US 8.8.8.8:53 wmaaywwmqk.org udp
US 8.8.8.8:53 txgiwser.info udp
US 8.8.8.8:53 pnnoffl.net udp
US 8.8.8.8:53 ysbqwwuuzso.info udp
US 8.8.8.8:53 bblbsg.info udp
US 8.8.8.8:53 wotczsv.net udp
US 8.8.8.8:53 zxsezgcl.net udp
US 8.8.8.8:53 pswagoquh.org udp
US 8.8.8.8:53 jbpert.info udp
US 8.8.8.8:53 scaqcgwyau.org udp
US 8.8.8.8:53 iwyisrjkfwn.info udp
US 8.8.8.8:53 skkllu.net udp
US 8.8.8.8:53 icjybkaul.info udp
US 8.8.8.8:53 gytkywwfz.net udp
US 8.8.8.8:53 ociozivpz.info udp
US 8.8.8.8:53 foigiunibrbp.net udp
US 8.8.8.8:53 bqxikoxv.net udp
US 8.8.8.8:53 zapyqerszet.info udp
US 8.8.8.8:53 tqubthmzair.info udp
US 8.8.8.8:53 pebmrsfnf.info udp
US 8.8.8.8:53 jazejwtkz.info udp
US 8.8.8.8:53 owtjis.info udp
US 8.8.8.8:53 hdrcgvu.org udp
US 8.8.8.8:53 idstdwfkeq.net udp
US 8.8.8.8:53 lrxsrg.info udp
US 8.8.8.8:53 jozuhyt.com udp
US 8.8.8.8:53 sxqllijuns.net udp
US 8.8.8.8:53 ooagogisko.com udp
US 8.8.8.8:53 petpuwlrx.org udp
US 8.8.8.8:53 zfrgmmex.info udp
US 8.8.8.8:53 borvdw.info udp
US 8.8.8.8:53 lvnkjguul.net udp
US 8.8.8.8:53 fgvwoveunq.net udp
US 8.8.8.8:53 wgpjmvkyri.net udp
US 8.8.8.8:53 ebwyksntlp.net udp
US 8.8.8.8:53 kmxknajhv.info udp
US 8.8.8.8:53 pohfzultakeb.info udp
US 8.8.8.8:53 uqasmqui.org udp
US 8.8.8.8:53 cibtgo.net udp
US 8.8.8.8:53 arueuskxncdd.info udp
US 8.8.8.8:53 ekitriwi.info udp
US 8.8.8.8:53 kaoeim.com udp
US 8.8.8.8:53 xivvfgn.com udp
US 8.8.8.8:53 npenpqkznchv.info udp
US 8.8.8.8:53 vbbevy.net udp
US 8.8.8.8:53 symqdyrnomq.info udp
US 8.8.8.8:53 batkuc.net udp
US 8.8.8.8:53 vckssryhvh.info udp
US 8.8.8.8:53 kgklgudeaihe.net udp
US 8.8.8.8:53 zijyjzz.net udp
US 8.8.8.8:53 jsqmsdcoxwdi.net udp
US 8.8.8.8:53 eafsvbbkt.info udp
US 8.8.8.8:53 hlckhav.org udp
US 8.8.8.8:53 zlziedplifbq.info udp
US 8.8.8.8:53 igcueecskauq.org udp
US 8.8.8.8:53 amvxnt.info udp
US 8.8.8.8:53 kgllwstxeg.net udp
US 8.8.8.8:53 gokqeylmp.info udp
US 8.8.8.8:53 oeumlkzqn.net udp
US 8.8.8.8:53 auexdebb.info udp
US 8.8.8.8:53 retyrmgwpop.net udp
US 8.8.8.8:53 rgftxgtbd.info udp
US 8.8.8.8:53 lgxwlyhtlmc.com udp
US 8.8.8.8:53 jscljauq.net udp
US 8.8.8.8:53 aiggoioa.com udp
US 8.8.8.8:53 xcyqmsewq.info udp
US 8.8.8.8:53 pspblt.net udp
US 8.8.8.8:53 foxzqiual.com udp
US 8.8.8.8:53 zoxslsnvuqk.net udp
US 8.8.8.8:53 wqfhmkhoa.info udp
US 8.8.8.8:53 bunarmcbz.info udp
US 8.8.8.8:53 eejrorok.info udp
US 8.8.8.8:53 pavfzkrx.net udp
US 8.8.8.8:53 okewckaoekcc.org udp
US 8.8.8.8:53 gspctihstyn.net udp
US 8.8.8.8:53 tuiufvrokozb.net udp
US 8.8.8.8:53 wdzglrduz.net udp
US 8.8.8.8:53 upidozwx.net udp
US 8.8.8.8:53 mcwqkmoyka.com udp
US 8.8.8.8:53 gwukccwgco.com udp
US 8.8.8.8:53 gqessmgy.com udp
US 8.8.8.8:53 ngzdsfvud.net udp
US 8.8.8.8:53 pylced.info udp
US 8.8.8.8:53 hfhdjfpl.info udp
US 8.8.8.8:53 rdwtne.net udp
US 8.8.8.8:53 oxdiigsqhjs.net udp
US 8.8.8.8:53 micbgbllgr.info udp
US 8.8.8.8:53 eiitzlwdid.net udp
US 8.8.8.8:53 yavlxe.net udp
US 8.8.8.8:53 ksskaooo.org udp
US 8.8.8.8:53 pktfja.info udp
US 8.8.8.8:53 vmdmkch.com udp
US 8.8.8.8:53 pziaxyhojmu.org udp
US 8.8.8.8:53 zuqerkw.com udp
US 8.8.8.8:53 bmnifdalvrfh.info udp
US 8.8.8.8:53 rodvrshbdi.info udp
US 8.8.8.8:53 vxhrykncj.net udp
US 8.8.8.8:53 ubpxnf.net udp
US 8.8.8.8:53 lmjfeaasyab.net udp
US 8.8.8.8:53 usyswygoac.com udp
US 8.8.8.8:53 ywswnufqbid.info udp
US 8.8.8.8:53 pkfwysoyjqd.info udp
US 8.8.8.8:53 pjitqhdeor.info udp
US 8.8.8.8:53 vacsgebcg.org udp
US 8.8.8.8:53 bjwhkm.net udp
US 8.8.8.8:53 sqzbbcvky.info udp
US 8.8.8.8:53 gkjamgs.net udp
US 8.8.8.8:53 sjxclehch.info udp
US 8.8.8.8:53 cojyxkykh.info udp
US 8.8.8.8:53 fkynlfmejlwm.info udp
US 8.8.8.8:53 dlbytjdqbwr.info udp
US 8.8.8.8:53 lzkuzesjzq.info udp
US 8.8.8.8:53 muuogmeoce.org udp
US 8.8.8.8:53 iasuxfeqzr.info udp
US 8.8.8.8:53 scgmsouiic.org udp
US 8.8.8.8:53 pjicma.info udp
US 8.8.8.8:53 yoseikgg.com udp
US 8.8.8.8:53 uivmxxmlain.info udp
US 8.8.8.8:53 uzjmfwzzhoh.info udp
US 8.8.8.8:53 zmvwlin.net udp
US 8.8.8.8:53 tgcmkqtch.com udp
US 8.8.8.8:53 kzyumgzlr.info udp
US 8.8.8.8:53 xsmabcngj.net udp
US 8.8.8.8:53 pizveubsm.info udp
US 8.8.8.8:53 qlamsp.info udp
US 8.8.8.8:53 jvecrlnf.net udp
US 8.8.8.8:53 qdpyuolsll.net udp
US 8.8.8.8:53 oukgqyaococa.org udp
US 8.8.8.8:53 zqenypvhdiip.net udp
US 8.8.8.8:53 wmcaec.info udp
US 8.8.8.8:53 hsnarcfbr.net udp
US 8.8.8.8:53 tjhjjmmxfvdb.net udp
US 8.8.8.8:53 zcgkukd.org udp
US 8.8.8.8:53 dbvpxrzzcr.net udp
US 8.8.8.8:53 qglaprqgvd.net udp
US 8.8.8.8:53 yavcshvgp.net udp
US 8.8.8.8:53 njpufbn.net udp
US 8.8.8.8:53 lwsmrwymlcr.com udp
US 8.8.8.8:53 radpzuqn.net udp
US 8.8.8.8:53 uenurlwyrexs.net udp
US 8.8.8.8:53 hqvfvllm.info udp
US 8.8.8.8:53 blvqvwtzswfi.info udp
US 8.8.8.8:53 hzrhfxmmoeb.net udp
US 8.8.8.8:53 vxcfoy.info udp
US 8.8.8.8:53 ashomoi.net udp
US 8.8.8.8:53 uhzvxuhejt.net udp
US 8.8.8.8:53 pmjpozskp.info udp
US 8.8.8.8:53 vcethqpkncvu.net udp
US 8.8.8.8:53 soluwgefv.net udp
US 8.8.8.8:53 cubdesjkr.info udp
US 8.8.8.8:53 cjzhdwbrjl.info udp
US 8.8.8.8:53 ywygmewqys.org udp
US 8.8.8.8:53 amitfiuqake.info udp
US 8.8.8.8:53 zotirebcu.org udp
US 8.8.8.8:53 otkxpar.info udp
US 8.8.8.8:53 xwqgthqgh.org udp
US 8.8.8.8:53 snhqhjfhxnbj.net udp
US 8.8.8.8:53 esvonmrqu.info udp
US 8.8.8.8:53 zfmfzhgfgt.info udp
US 8.8.8.8:53 xolcjetmnon.com udp
US 8.8.8.8:53 rnykduhg.info udp
US 8.8.8.8:53 issnsbtr.info udp
US 8.8.8.8:53 svjbjrvhxn.info udp
US 8.8.8.8:53 yansygzbxix.net udp
US 8.8.8.8:53 zdbkfqbsp.info udp
US 8.8.8.8:53 imoays.com udp
US 8.8.8.8:53 cwrajl.net udp
US 8.8.8.8:53 bhvvae.info udp
US 8.8.8.8:53 rnvmaytah.net udp
US 8.8.8.8:53 iobhhcqalq.info udp
US 8.8.8.8:53 iwayuo.com udp
US 8.8.8.8:53 czjoef.info udp
US 8.8.8.8:53 ncdhbupe.info udp
US 8.8.8.8:53 qbnivxhql.info udp
US 8.8.8.8:53 hxnyem.info udp
US 8.8.8.8:53 aqeuoauiei.com udp
US 8.8.8.8:53 mihcmkh.info udp
US 8.8.8.8:53 iqronap.net udp
US 8.8.8.8:53 omewoqieaa.com udp
US 8.8.8.8:53 pmvsbx.net udp
US 8.8.8.8:53 osgsawwewi.com udp
US 8.8.8.8:53 kvjgbyxowal.net udp
US 8.8.8.8:53 geyicyaeiiwq.com udp
US 8.8.8.8:53 nmxxlwx.info udp
US 8.8.8.8:53 ziytugrnbm.info udp
US 8.8.8.8:53 ayawbzhst.net udp
US 8.8.8.8:53 mubcfacbriv.net udp
US 8.8.8.8:53 fyvnlnbuc.com udp
US 8.8.8.8:53 ngmofvvxsze.org udp
US 8.8.8.8:53 zcaltun.net udp
US 8.8.8.8:53 nfrpputoua.net udp
US 8.8.8.8:53 lzckdzrw.info udp
US 8.8.8.8:53 yqgeyq.org udp
US 8.8.8.8:53 tawvtyuw.info udp
US 8.8.8.8:53 fifqhwhizdw.org udp
US 8.8.8.8:53 navyoyrwpc.info udp
US 8.8.8.8:53 hnkjjmfof.net udp
US 8.8.8.8:53 rwkmlknghug.info udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
N/A 192.168.28.2:445 tcp
US 8.8.8.8:53 rqsqxlgdid.net udp
US 8.8.8.8:53 lwqulegiaxbz.info udp
US 8.8.8.8:53 wmtrpybepsu.info udp
US 8.8.8.8:53 uifaxrnigwtn.net udp
US 8.8.8.8:53 mqcscqiuuowq.com udp
US 8.8.8.8:53 otdvvtl.info udp
US 8.8.8.8:53 iuyglxovekb.net udp
US 8.8.8.8:53 psvaltsupo.net udp
US 8.8.8.8:53 qegpglqn.info udp
US 8.8.8.8:53 vqjqam.net udp
US 8.8.8.8:53 oetclszet.info udp
US 8.8.8.8:53 mikdqqboet.net udp
US 8.8.8.8:53 ftsmrvmecqz.net udp
US 8.8.8.8:53 bmtutaekdy.net udp
N/A 192.168.28.2:139 tcp
US 8.8.8.8:53 omhotscflej.info udp
US 8.8.8.8:53 yedkxgkqe.info udp
US 8.8.8.8:53 hnderchv.net udp
US 8.8.8.8:53 nhamjsc.com udp
US 8.8.8.8:53 adsurleu.net udp
US 8.8.8.8:53 kbdefe.info udp
US 8.8.8.8:53 tamnvpocwhx.com udp
US 8.8.8.8:53 ythauppywex.net udp
US 8.8.8.8:53 lgjhlptj.info udp
US 8.8.8.8:53 gccvdetqfxgg.net udp
US 8.8.8.8:53 lbarmiaq.net udp
US 8.8.8.8:53 jdpshq.net udp
US 8.8.8.8:53 jydsiwdwwmx.info udp
US 8.8.8.8:53 luzsjmb.com udp
US 8.8.8.8:53 ugbiruw.info udp
US 8.8.8.8:53 kocityn.info udp
US 8.8.8.8:53 lkpvfulyqkl.net udp
US 8.8.8.8:53 btfrphbyd.info udp
US 8.8.8.8:53 nytoijinuqw.com udp
US 8.8.8.8:53 axftup.net udp
US 8.8.8.8:53 llvmsjxrf.net udp
US 8.8.8.8:53 dyhvkht.info udp
US 8.8.8.8:53 hzrqsujcn.com udp
US 8.8.8.8:53 yhmuqtfepao.net udp
US 8.8.8.8:53 rlqcqjv.com udp
US 8.8.8.8:53 bsemkanqad.info udp
US 8.8.8.8:53 tahtdo.net udp
US 8.8.8.8:53 ndpabbxqrb.net udp
US 8.8.8.8:53 obfmfq.info udp
US 8.8.8.8:53 jsvsaux.net udp
US 8.8.8.8:53 rqpqxfshjcgz.net udp
US 8.8.8.8:53 bkxonzbir.info udp
US 8.8.8.8:53 zdmubq.info udp
US 8.8.8.8:53 ojdtvuej.net udp
US 8.8.8.8:53 kyvyblad.net udp
US 8.8.8.8:53 guosyc.org udp
US 8.8.8.8:53 pgssyxpfdmo.net udp
US 8.8.8.8:53 cijcgu.net udp
US 8.8.8.8:53 qkkhjosinane.info udp
US 8.8.8.8:53 zayejqhwmkn.net udp
US 8.8.8.8:53 gppivj.info udp
US 8.8.8.8:53 dedaek.info udp
US 8.8.8.8:53 zusnnnlpmjl.org udp
US 8.8.8.8:53 gjhfevhg.net udp
US 8.8.8.8:53 myasmq.org udp
US 8.8.8.8:53 kwlbfrhinuh.net udp
US 8.8.8.8:53 kueaiseqga.org udp
US 8.8.8.8:53 qkbkrqbhjxy.net udp
US 8.8.8.8:53 ksncaoh.net udp
US 8.8.8.8:53 mmmewa.com udp
US 8.8.8.8:53 ywpcxcy.info udp
US 8.8.8.8:53 womsaysoei.org udp
US 8.8.8.8:53 xtxzgdlc.net udp
US 8.8.8.8:53 ueusmcsiewsi.org udp
US 8.8.8.8:53 kitzoi.net udp
US 8.8.8.8:53 vkegfbbeamr.com udp
US 8.8.8.8:53 eyefvgvmadsi.info udp
US 8.8.8.8:53 ftqrnsld.net udp
US 8.8.8.8:53 jpsyqx.info udp
US 8.8.8.8:53 xubvvsvcdv.info udp
US 8.8.8.8:53 adekbmbgzsx.net udp
US 8.8.8.8:53 pafvtp.info udp
US 8.8.8.8:53 hujgxodqod.net udp
US 8.8.8.8:53 azrqvs.info udp
US 8.8.8.8:53 lcynrsykn.info udp
US 8.8.8.8:53 tnbmlcn.info udp
US 8.8.8.8:53 ztlwxflnyd.net udp
US 8.8.8.8:53 xudjbnraryr.com udp
US 8.8.8.8:53 qpghtoeb.net udp
US 8.8.8.8:53 wsjepoi.info udp
US 8.8.8.8:53 iymknoxslen.info udp
US 8.8.8.8:53 fpybjumwcjri.net udp
US 8.8.8.8:53 pfutrvtyjzao.info udp
US 8.8.8.8:53 mczavynsf.info udp
US 8.8.8.8:53 lsqxfg.info udp
US 8.8.8.8:53 nbbouyliw.info udp
US 8.8.8.8:53 wqsawmym.org udp
US 8.8.8.8:53 lhdofxlqzmf.org udp
US 8.8.8.8:53 tmlijov.com udp
US 8.8.8.8:53 ruxotab.info udp
US 8.8.8.8:53 abtvzsiqbpp.net udp
US 8.8.8.8:53 umeyss.com udp
US 8.8.8.8:53 qwwuegosuk.com udp
US 8.8.8.8:53 owciic.org udp
IE 34.246.200.160:80 hklgkqwuttn.com tcp
US 8.8.8.8:53 ynhkizxrb.info udp
US 8.8.8.8:53 fohikmlszed.net udp
US 8.8.8.8:53 pyhmvensb.com udp
US 8.8.8.8:53 coimxcawkhk.info udp
US 8.8.8.8:53 zwrukksq.info udp
US 8.8.8.8:53 hwovggambow.com udp
US 8.8.8.8:53 wljsua.net udp
US 8.8.8.8:53 qncmxclozeac.net udp
US 8.8.8.8:53 bcjllw.info udp
US 8.8.8.8:53 baektt.net udp
US 8.8.8.8:53 otdyxilyr.net udp
US 8.8.8.8:53 buhujg.net udp
US 8.8.8.8:53 mfxkpvnuf.net udp
US 8.8.8.8:53 yeqsceua.org udp
US 8.8.8.8:53 qacnmoumhkl.info udp

Files

C:\Users\Admin\AppData\Local\Temp\zilszgs.exe


C:\Users\Admin\AppData\Local\syycgktuwzjgnvhsnzmsswaeno.tda


C:\Users\Admin\AppData\Local\tkvkzoiuhvqyqjgcifdufujyserfaiatqmspn.pet


C:\Program Files (x86)\syycgktuwzjgnvhsnzmsswaeno.tda
