Analysis Overview
SHA256
7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0
Threat Level: Known bad
The file 7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
UAC bypass
Disables RegEdit via registry modification
Adds policy Run key to start application
Checks computer location settings
Impair Defenses: Safe Mode Boot
Loads dropped DLL
Executes dropped EXE
Hijack Execution Flow: Executable Installer File Permissions Weakness
Looks up external IP address via web service
Adds Run key to start application
Checks whether UAC is enabled
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
System policy modification
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-11-14 00:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 00:01
Reported
2024-11-14 00:04
Platform
win7-20240903-en
Max time kernel
120s
Max time network
123s
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "ymyqnbkbyjgsgatb.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfaardxxllarokvued.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "zqfaardxxllarokvued.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "bulikdrnpfhyrqobcopiz.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "zqfaardxxllarokvued.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bulikdrnpfhyrqobcopiz.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfaardxxllarokvued.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bulikdrnpfhyrqobcopiz.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "fuhaynxpnzxkzuoxu.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "meuqrjwrshiyqolxxiia.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymyqnbkbyjgsgatb.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "oesmlbmferqeuqlvtc.exe" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "oesmlbmferqeuqlvtc.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oesmlbmferqeuqlvtc.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oesmlbmferqeuqlvtc.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fuhaynxpnzxkzuoxu.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfaardxxllarokvued.exe" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "fuhaynxpnzxkzuoxu.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meuqrjwrshiyqolxxiia.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "ymyqnbkbyjgsgatb.exe" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "meuqrjwrshiyqolxxiia.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "bulikdrnpfhyrqobcopiz.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymyqnbkbyjgsgatb.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meuqrjwrshiyqolxxiia.exe" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meuqrjwrshiyqolxxiia.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fuhaynxpnzxkzuoxu.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bulikdrnpfhyrqobcopiz.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "fuhaynxpnzxkzuoxu.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oesmlbmferqeuqlvtc.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqsanr = "meuqrjwrshiyqolxxiia.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfaardxxllarokvued.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqsanr = "oesmlbmferqeuqlvtc.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqsanr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfaardxxllarokvued.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqsanr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meuqrjwrshiyqolxxiia.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygmypxalch = "meuqrjwrshiyqolxxiia.exe ." | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qaiwpzerkrks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meuqrjwrshiyqolxxiia.exe" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqsanr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfaardxxllarokvued.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qaiwpzerkrks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bulikdrnpfhyrqobcopiz.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmrcszblb = "zqfaardxxllarokvued.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "zqfaardxxllarokvued.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqsanr = "ymyqnbkbyjgsgatb.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygmypxalch = "ymyqnbkbyjgsgatb.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qaiwpzerkrks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fuhaynxpnzxkzuoxu.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oesmlbmferqeuqlvtc.exe ." | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmrcszblb = "meuqrjwrshiyqolxxiia.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqsanr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fuhaynxpnzxkzuoxu.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmrcszblb = "zqfaardxxllarokvued.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qaiwpzerkrks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meuqrjwrshiyqolxxiia.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqsanr = "zqfaardxxllarokvued.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmrcszblb = "meuqrjwrshiyqolxxiia.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqsanr = "ymyqnbkbyjgsgatb.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmrcszblb = "bulikdrnpfhyrqobcopiz.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygmypxalch = "bulikdrnpfhyrqobcopiz.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygmypxalch = "zqfaardxxllarokvued.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meuqrjwrshiyqolxxiia.exe ." | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygmypxalch = "ymyqnbkbyjgsgatb.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygmypxalch = "meuqrjwrshiyqolxxiia.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygmypxalch = "bulikdrnpfhyrqobcopiz.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqsanr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fuhaynxpnzxkzuoxu.exe" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcjwoxbnfld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfaardxxllarokvued.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmrcszblb = "fuhaynxpnzxkzuoxu.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqsanr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meuqrjwrshiyqolxxiia.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygmypxalch = "zqfaardxxllarokvued.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcjwoxbnfld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bulikdrnpfhyrqobcopiz.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fuhaynxpnzxkzuoxu.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqsanr = "fuhaynxpnzxkzuoxu.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqsanr = "bulikdrnpfhyrqobcopiz.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcjwoxbnfld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymyqnbkbyjgsgatb.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqsanr = "zqfaardxxllarokvued.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "bulikdrnpfhyrqobcopiz.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qaiwpzerkrks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfaardxxllarokvued.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqsanr = "fuhaynxpnzxkzuoxu.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcjwoxbnfld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meuqrjwrshiyqolxxiia.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcjwoxbnfld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meuqrjwrshiyqolxxiia.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bulikdrnpfhyrqobcopiz.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "zqfaardxxllarokvued.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qaiwpzerkrks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfaardxxllarokvued.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqsanr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bulikdrnpfhyrqobcopiz.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qaiwpzerkrks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymyqnbkbyjgsgatb.exe" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmrcszblb = "ymyqnbkbyjgsgatb.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmrcszblb = "ymyqnbkbyjgsgatb.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "ymyqnbkbyjgsgatb.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmrcszblb = "oesmlbmferqeuqlvtc.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcjwoxbnfld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfaardxxllarokvued.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqsanr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meuqrjwrshiyqolxxiia.exe" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqsanr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fuhaynxpnzxkzuoxu.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcjwoxbnfld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oesmlbmferqeuqlvtc.exe ." | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmrcszblb = "bulikdrnpfhyrqobcopiz.exe" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\befmybzfrrdehqyvgcnqryknlrd.pqt | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| File created | C:\Windows\SysWOW64\befmybzfrrdehqyvgcnqryknlrd.pqt | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ymyqnbkbyjgsgatbxeaoaspdmdaliuicvdzgcq.urf | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| File created | C:\Windows\SysWOW64\ymyqnbkbyjgsgatbxeaoaspdmdaliuicvdzgcq.urf | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\befmybzfrrdehqyvgcnqryknlrd.pqt | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| File created | C:\Program Files (x86)\befmybzfrrdehqyvgcnqryknlrd.pqt | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ymyqnbkbyjgsgatbxeaoaspdmdaliuicvdzgcq.urf | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| File created | C:\Program Files (x86)\ymyqnbkbyjgsgatbxeaoaspdmdaliuicvdzgcq.urf | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\befmybzfrrdehqyvgcnqryknlrd.pqt | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| File opened for modification | C:\Windows\ymyqnbkbyjgsgatbxeaoaspdmdaliuicvdzgcq.urf | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| File created | C:\Windows\ymyqnbkbyjgsgatbxeaoaspdmdaliuicvdzgcq.urf | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| File opened for modification | C:\Windows\befmybzfrrdehqyvgcnqryknlrd.pqt | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\mqsanr.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe
"C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe"
C:\Users\Admin\AppData\Local\Temp\mqsanr.exe
"C:\Users\Admin\AppData\Local\Temp\mqsanr.exe" "-"
C:\Users\Admin\AppData\Local\Temp\mqsanr.exe
"C:\Users\Admin\AppData\Local\Temp\mqsanr.exe" "-"
Network
Files
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-11-14 00:01 |
| Reported | 2024-11-14 00:04 |
| Platform | win10v2004-20241007-en |
| Max time kernel | 120s |
| Max time network | 127s |
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
Adds policy Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phtrhcslwpeuykcbus.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahivakp = "phtrhcslwpeuykcbus.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxmngexthdvovkfhdeqla.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahivakp = "atgfwsjdpjzqvibbvue.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhvvnkcxkfwouicdyyjd.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahivakp = "zpzvjcqhqhuikukh.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxifuodvfxladofdv.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahivakp = "nhvvnkcxkfwouicdyyjd.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxmngexthdvovkfhdeqla.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpzvjcqhqhuikukh.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phtrhcslwpeuykcbus.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahivakp = "phtrhcslwpeuykcbus.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhvvnkcxkfwouicdyyjd.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahivakp = "cxmngexthdvovkfhdeqla.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahivakp = "gxifuodvfxladofdv.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahivakp = "nhvvnkcxkfwouicdyyjd.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atgfwsjdpjzqvibbvue.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahivakp = "zpzvjcqhqhuikukh.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahivakp = "gxifuodvfxladofdv.exe" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atgfwsjdpjzqvibbvue.exe" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
Impair Defenses: Safe Mode Boot
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "gxifuodvfxladofdv.exe ." | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pxzntekt = "gxifuodvfxladofdv.exe" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxifuodvfxladofdv.exe ." | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxifuodvfxladofdv.exe ." | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "zpzvjcqhqhuikukh.exe ." | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ufkbkyhtxjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atgfwsjdpjzqvibbvue.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zjndlygruf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atgfwsjdpjzqvibbvue.exe ." | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zjndlygruf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxifuodvfxladofdv.exe ." | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpzvjcqhqhuikukh.exe ." | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pxzntekt = "cxmngexthdvovkfhdeqla.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ufkbkyhtxjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpzvjcqhqhuikukh.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "gxifuodvfxladofdv.exe ." | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ufkbkyhtxjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxifuodvfxladofdv.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxifuodvfxladofdv.exe ." | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pxzntekt = "nhvvnkcxkfwouicdyyjd.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gpshoahrt = "cxmngexthdvovkfhdeqla.exe ." | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pxzntekt = "zpzvjcqhqhuikukh.exe" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zjndlygruf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpzvjcqhqhuikukh.exe ." | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
Hijack Execution Flow: Executable Installer File Permissions Weakness
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | www.showmyipaddress.com | N/A | N/A |
| N/A | www.whatismyip.ca | N/A | N/A |
| N/A | whatismyip.everdot.org | N/A | N/A |
| N/A | whatismyipaddress.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\chgrucfljprulkpbhsotsdgorxv.dgx | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| File created | C:\Windows\SysWOW64\chgrucfljprulkpbhsotsdgorxv.dgx | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\zpzvjcqhqhuikukhyubrbxlesjsjwkmwmjawdt.zng | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| File created | C:\Windows\SysWOW64\zpzvjcqhqhuikukhyubrbxlesjsjwkmwmjawdt.zng | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\zpzvjcqhqhuikukhyubrbxlesjsjwkmwmjawdt.zng | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| File created | C:\Program Files (x86)\zpzvjcqhqhuikukhyubrbxlesjsjwkmwmjawdt.zng | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| File opened for modification | C:\Program Files (x86)\chgrucfljprulkpbhsotsdgorxv.dgx | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| File created | C:\Program Files (x86)\chgrucfljprulkpbhsotsdgorxv.dgx | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\zpzvjcqhqhuikukhyubrbxlesjsjwkmwmjawdt.zng | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| File opened for modification | C:\Windows\chgrucfljprulkpbhsotsdgorxv.dgx | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| File created | C:\Windows\chgrucfljprulkpbhsotsdgorxv.dgx | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| File opened for modification | C:\Windows\zpzvjcqhqhuikukhyubrbxlesjsjwkmwmjawdt.zng | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" | C:\Users\Admin\AppData\Local\Temp\chgru.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe
"C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe"
C:\Users\Admin\AppData\Local\Temp\chgru.exe
"C:\Users\Admin\AppData\Local\Temp\chgru.exe" "-"
C:\Users\Admin\AppData\Local\Temp\chgru.exe
"C:\Users\Admin\AppData\Local\Temp\chgru.exe" "-"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 8.8.8.8:53 | www.whatismyip.com | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | 92.207.27.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | whatismyipaddress.com | udp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 8.8.8.8:53 | 79.222.19.104.in-addr.arpa | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 104.19.222.79:80 | whatismyipaddress.com | tcp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.showmyipaddress.com | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | 175.155.67.172.in-addr.arpa | udp |
| US | 104.27.207.92:80 | www.whatismyip.com | tcp |
| US | 8.8.8.8:53 | www.whatismyip.ca | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | whatismyip.everdot.org | udp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 172.67.155.175:80 | www.showmyipaddress.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 216.58.201.100:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hklgkqwuttn.com | udp |
| IE | 34.246.200.160:80 | hklgkqwuttn.com | tcp |
| US | 8.8.8.8:53 | csobelc.net | udp |
| US | 8.8.8.8:53 | pcokpypibmd.org | udp |
| US | 8.8.8.8:53 | weqoeccagsew.org | udp |
| US | 8.8.8.8:53 | ruvyfoquzqp.info | udp |
| US | 8.8.8.8:53 | mmcuoyeq.org | udp |
| US | 8.8.8.8:53 | pxxpgetr.info | udp |
| US | 8.8.8.8:53 | wljsua.net | udp |
| US | 8.8.8.8:53 | zwruajzbtyau.info | udp |
| US | 8.8.8.8:53 | ymoozrw.info | udp |
| US | 8.8.8.8:53 | uaocieoqek.org | udp |
| US | 8.8.8.8:53 | 100.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 160.200.246.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yeqsceua.org | udp |
| US | 8.8.8.8:53 | ratirtqyspss.net | udp |
| US | 8.8.8.8:53 | mbjxcztusqv.info | udp |
| US | 8.8.8.8:53 | vdpxrmhyrnj.net | udp |
| US | 8.8.8.8:53 | aalxlabhmx.info | udp |
| US | 8.8.8.8:53 | weatdbv.info | udp |
| US | 8.8.8.8:53 | lcsgfob.org | udp |
| US | 8.8.8.8:53 | bwvfzozan.com | udp |
| US | 8.8.8.8:53 | hocczyz.com | udp |
| US | 8.8.8.8:53 | vfqpkqgs.net | udp |
| US | 8.8.8.8:53 | puhuhtu.info | udp |
| US | 8.8.8.8:53 | rsiwzxbzokg.net | udp |
| US | 8.8.8.8:53 | mpyyemxwkyg.info | udp |
| US | 8.8.8.8:53 | kuxajxugfkr.net | udp |
| US | 8.8.8.8:53 | qilrzhdfndvu.info | udp |
| US | 8.8.8.8:53 | ayuyek.com | udp |
| US | 198.185.159.145:80 | ayuyek.com | tcp |
| US | 8.8.8.8:53 | ijphqwyingb.info | udp |
| US | 8.8.8.8:53 | gebmtvxsy.info | udp |
| US | 8.8.8.8:53 | yniejss.info | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.159.185.198.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cqiuai.org | udp |
| US | 8.8.8.8:53 | suamwkcg.org | udp |
| US | 8.8.8.8:53 | moganyocf.net | udp |
| US | 8.8.8.8:53 | wjriikpxr.info | udp |
| US | 8.8.8.8:53 | xgzqhfuqh.info | udp |
| US | 8.8.8.8:53 | mmsqaoqm.com | udp |
| US | 8.8.8.8:53 | azrakrbzpk.net | udp |
| US | 8.8.8.8:53 | gwgowe.org | udp |
| US | 8.8.8.8:53 | fwbdbs.net | udp |
| US | 8.8.8.8:53 | tzfvpcwrnai.com | udp |
| US | 8.8.8.8:53 | vjmyxpra.net | udp |
| US | 8.8.8.8:53 | cjzmhyr.net | udp |
| US | 8.8.8.8:53 | sueecuaq.com | udp |
| US | 8.8.8.8:53 | owceiq.org | udp |
| US | 8.8.8.8:53 | cyaokomkkkia.org | udp |
| US | 8.8.8.8:53 | nxnwpxhqyg.net | udp |
| US | 8.8.8.8:53 | cumqayms.com | udp |
| US | 8.8.8.8:53 | zaqadkroz.org | udp |
| US | 8.8.8.8:53 | aonepyujjijm.net | udp |
| US | 8.8.8.8:53 | avdoawrwn.info | udp |
| US | 8.8.8.8:53 | zxfznjjo.net | udp |
| US | 8.8.8.8:53 | rdwlvumj.net | udp |
| US | 8.8.8.8:53 | bwhrvoaji.org | udp |
| US | 8.8.8.8:53 | spvfdtipky.net | udp |
| US | 8.8.8.8:53 | cuejqozyxczj.info | udp |
| US | 8.8.8.8:53 | osvvnqp.net | udp |
| US | 8.8.8.8:53 | pjqtcjxf.info | udp |
| US | 8.8.8.8:53 | gkqgpzdkdoq.info | udp |
| US | 8.8.8.8:53 | jwzmbv.info | udp |
| US | 8.8.8.8:53 | xwfmlmbmtaz.info | udp |
| DE | 85.214.228.140:80 | xwfmlmbmtaz.info | tcp |
| US | 8.8.8.8:53 | gquagaqoseui.org | udp |
| US | 8.8.8.8:53 | wokiyemewkmy.com | udp |
| US | 8.8.8.8:53 | lqwwziqlqc.net | udp |
| US | 8.8.8.8:53 | jmeeqgbe.info | udp |
| US | 8.8.8.8:53 | jevhvqo.org | udp |
| US | 8.8.8.8:53 | smbock.net | udp |
| US | 8.8.8.8:53 | yoiiwsismikc.org | udp |
| US | 8.8.8.8:53 | xxazro.net | udp |
| US | 8.8.8.8:53 | nafodwrwdqd.com | udp |
| US | 8.8.8.8:53 | joejzneksqfy.net | udp |
| US | 8.8.8.8:53 | yeckkmr.net | udp |
| US | 8.8.8.8:53 | eayymmweay.org | udp |
| US | 8.8.8.8:53 | 140.228.214.85.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jkkjvq.net | udp |
| US | 8.8.8.8:53 | huhzhgf.info | udp |
| US | 8.8.8.8:53 | eakwem.com | udp |
| US | 8.8.8.8:53 | lmjyjelbtdd.info | udp |
| US | 8.8.8.8:53 | ydqlnw.info | udp |
| US | 208.100.26.245:80 | ydqlnw.info | tcp |
| US | 8.8.8.8:53 | rsxrvix.com | udp |
| US | 8.8.8.8:53 | dsruyvng.net | udp |
| US | 8.8.8.8:53 | pmpchhz.com | udp |
| US | 8.8.8.8:53 | goqkkemayc.com | udp |
| US | 8.8.8.8:53 | wqmqueka.com | udp |
| US | 8.8.8.8:53 | rremszqwpf.net | udp |
| US | 8.8.8.8:53 | uncaephtnirx.info | udp |
| US | 8.8.8.8:53 | voxigowd.net | udp |
| US | 8.8.8.8:53 | reycjyv.com | udp |
| US | 8.8.8.8:53 | waihjonsrpp.info | udp |
| US | 8.8.8.8:53 | cueagi.org | udp |
| US | 8.8.8.8:53 | fmbejdrhntcm.net | udp |
| US | 8.8.8.8:53 | tnxivajml.com | udp |
| US | 8.8.8.8:53 | cyqywkeqqy.org | udp |
| US | 8.8.8.8:53 | vkwhttkdph.net | udp |
| US | 8.8.8.8:53 | nofwxkfwpsv.net | udp |
| US | 8.8.8.8:53 | vfrikja.info | udp |
| US | 8.8.8.8:53 | ogycwi.org | udp |
| US | 8.8.8.8:53 | nafxot.net | udp |
| US | 8.8.8.8:53 | fkshhhjgb.com | udp |
| US | 8.8.8.8:53 | iyiywyuc.org | udp |
| US | 8.8.8.8:53 | maiiycsk.com | udp |
| US | 8.8.8.8:53 | ywquuu.org | udp |
| US | 8.8.8.8:53 | xeiofmd.com | udp |
| US | 8.8.8.8:53 | rrrvnrqfug.info | udp |
| US | 8.8.8.8:53 | amoiuqmacw.com | udp |
| US | 8.8.8.8:53 | pencxrvurgl.net | udp |
| US | 8.8.8.8:53 | usgqka.org | udp |
| US | 8.8.8.8:53 | kaqjhcraz.info | udp |
| US | 8.8.8.8:53 | dwwiaouwgtnc.net | udp |
| US | 8.8.8.8:53 | hyfejyrqoenu.info | udp |
| US | 8.8.8.8:53 | toqaomi.net | udp |
| US | 8.8.8.8:53 | ewwquu.org | udp |
| US | 8.8.8.8:53 | pvxdhb.net | udp |
| US | 8.8.8.8:53 | mrzojticzj.info | udp |
| US | 8.8.8.8:53 | uyxejelmx.net | udp |
| US | 8.8.8.8:53 | eeyewusccy.com | udp |
| US | 8.8.8.8:53 | vwxupzvun.org | udp |
| US | 8.8.8.8:53 | nzkibs.info | udp |
| US | 8.8.8.8:53 | owfqxsrhtij.info | udp |
| US | 8.8.8.8:53 | xufrgadur.net | udp |
| US | 8.8.8.8:53 | gvqfgsuxfhli.net | udp |
| US | 8.8.8.8:53 | oveajp.info | udp |
| US | 8.8.8.8:53 | hajuccnwkx.net | udp |
| US | 8.8.8.8:53 | lgswzqbvc.org | udp |
| US | 8.8.8.8:53 | uqdqfwduxip.info | udp |
| US | 8.8.8.8:53 | ymjxuw.info | udp |
| US | 8.8.8.8:53 | eqvczix.net | udp |
| US | 8.8.8.8:53 | wxdfycx.net | udp |
| US | 8.8.8.8:53 | hnxhjwubwxfh.info | udp |
| US | 8.8.8.8:53 | qycyqysm.org | udp |
| US | 8.8.8.8:53 | wginvxsaisda.net | udp |
| US | 8.8.8.8:53 | lcxisgmewyk.net | udp |
| US | 8.8.8.8:53 | cikefqvitjps.net | udp |
| US | 8.8.8.8:53 | buhccn.info | udp |
| US | 8.8.8.8:53 | xofyhmwvlzb.net | udp |
| US | 8.8.8.8:53 | apekrazyzuf.net | udp |
| US | 8.8.8.8:53 | dezqlimcb.com | udp |
| US | 8.8.8.8:53 | aelxvivwnsg.info | udp |
| US | 8.8.8.8:53 | zitqjhy.net | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | yemsyeks.com | udp |
| US | 8.8.8.8:53 | rjqjuhtycrdu.info | udp |
| US | 8.8.8.8:53 | neyizica.net | udp |
| US | 8.8.8.8:53 | zxjmpkgvxeki.info | udp |
| US | 8.8.8.8:53 | nbaxzdcj.net | udp |
| US | 8.8.8.8:53 | cizioj.info | udp |
| US | 8.8.8.8:53 | tsmegomyxg.info | udp |
| US | 8.8.8.8:53 | kajlsxb.info | udp |
| US | 8.8.8.8:53 | aenouojr.info | udp |
| US | 8.8.8.8:53 | cebzvct.info | udp |
| US | 8.8.8.8:53 | uvzigfdvbr.info | udp |
| US | 8.8.8.8:53 | ogdltpnjn.info | udp |
| US | 8.8.8.8:53 | jxejpmtjj.org | udp |
| US | 8.8.8.8:53 | fvbwyoeyv.info | udp |
| US | 8.8.8.8:53 | kcairrggdeh.net | udp |
| US | 8.8.8.8:53 | yemmnnqqmxpz.net | udp |
| US | 8.8.8.8:53 | pjvhfbvoxpmi.net | udp |
| N/A | 192.168.28.2:445 | tcp | |
| N/A | 192.168.28.2:139 | | tcp |
| US | 8.8.8.8:53 | ctalks.net | udp |
| US | 162.144.12.218:80 | ctalks.net | tcp |
| US | 8.8.8.8:53 | ikmagway.org | udp |
| US | 8.8.8.8:53 | ssjqlzsql.net | udp |
| US | 8.8.8.8:53 | gemxqbiv.info | udp |
| US | 8.8.8.8:53 | fpybjumwcjri.net | udp |
| US | 8.8.8.8:53 | zwnkmqz.net | udp |
| US | 8.8.8.8:53 | hgjscui.net | udp |
| US | 8.8.8.8:53 | bpkesraugpzd.net | udp |
| US | 8.8.8.8:53 | ishaqypjxn.net | udp |
| US | 8.8.8.8:53 | hgokcyd.com | udp |
| US | 8.8.8.8:53 | wqsawmym.org | udp |
| US | 8.8.8.8:53 | htbdfwjodwp.com | udp |
| US | 8.8.8.8:53 | jmlelfxyjbzp.net | udp |
| US | 8.8.8.8:53 | fekavwpl.net | udp |
| US | 8.8.8.8:53 | abtvzsiqbpp.net | udp |
| US | 8.8.8.8:53 | smjyrqcod.info | udp |
| US | 8.8.8.8:53 | jwnadtd.info | udp |
| N/A | 192.168.28.2:445 | tcp | |
| IE | 34.246.200.160:80 | hklgkqwuttn.com | tcp |
| US | 8.8.8.8:53 | smoazswfywhy.net | udp |
| US | 8.8.8.8:53 | jvjaqdnci.info | udp |
| US | 8.8.8.8:53 | wljsua.net | udp |
| US | 8.8.8.8:53 | waqmsgog.com | udp |
| US | 8.8.8.8:53 | tcxqpovybip.org | udp |
| US | 8.8.8.8:53 | yeqsceua.org | udp |
| US | 8.8.8.8:53 | lihbcw.net | udp |
| US | 8.8.8.8:53 | wyonrvsa.net | udp |
| US | 8.8.8.8:53 | ratirtqyspss.net | udp |
| US | 8.8.8.8:53 | msaowaqq.com | udp |
| US | 8.8.8.8:53 | yxgcuupvjthn.net | udp |
| US | 8.8.8.8:53 | aalxlabhmx.info | udp |
| US | 8.8.8.8:53 | oyaoeguumcuo.org | udp |
| US | 8.8.8.8:53 | oeewyouyig.com | udp |
| US | 8.8.8.8:53 | lcsgfob.org | udp |
| US | 8.8.8.8:53 | smfubyruvzk.net | udp |
| US | 8.8.8.8:53 | twbntv.net | udp |
| US | 8.8.8.8:53 | hocczyz.com | udp |
| N/A | 192.168.28.2:139 | tcp | |
| US | 8.8.8.8:53 | kuxajxugfkr.net | udp |
| US | 8.8.8.8:53 | fmhkrqdorcz.com | udp |
| US | 8.8.8.8:53 | xxsnaynocj.net | udp |
| US | 8.8.8.8:53 | dtnzneqxdond.info | udp |
| US | 8.8.8.8:53 | iomcwq.com | udp |
| US | 8.8.8.8:53 | bspgtyu.net | udp |
| US | 8.8.8.8:53 | cqiuai.org | udp |
| US | 8.8.8.8:53 | ddsihmjhyhuf.net | udp |
| US | 8.8.8.8:53 | dfxklguz.info | udp |
| US | 8.8.8.8:53 | rmollojj.net | udp |
| US | 8.8.8.8:53 | vozsvfalv.org | udp |
| US | 8.8.8.8:53 | auyaeauacy.com | udp |
| US | 8.8.8.8:53 | quckkgyccyim.org | udp |
| US | 8.8.8.8:53 | azrakrbzpk.net | udp |
| US | 8.8.8.8:53 | dcfwvvbpbkyj.net | udp |
| US | 8.8.8.8:53 | acmqoeqa.org | udp |
| US | 8.8.8.8:53 | xhxmlogdbaw.org | udp |
| US | 8.8.8.8:53 | gulgnzuelyj.net | udp |
| US | 8.8.8.8:53 | vjmyxpra.net | udp |
| US | 8.8.8.8:53 | qkbqzsfcpgh.net | udp |
| US | 8.8.8.8:53 | hgjqxkcinmr.net | udp |
| US | 8.8.8.8:53 | lcpecaria.com | udp |
| US | 8.8.8.8:53 | odeqhqkldv.info | udp |
| US | 8.8.8.8:53 | jebtiavwphlk.info | udp |
| US | 8.8.8.8:53 | pftmlj.info | udp |
| US | 8.8.8.8:53 | kaqciyqa.com | udp |
| US | 8.8.8.8:53 | fqpafav.info | udp |
| US | 8.8.8.8:53 | zxfznjjo.net | udp |
| US | 8.8.8.8:53 | susaak.com | udp |
| US | 8.8.8.8:53 | spvfdtipky.net | udp |
| US | 8.8.8.8:53 | eykkomme.org | udp |
| US | 8.8.8.8:53 | tnaoyfpj.info | udp |
| US | 8.8.8.8:53 | jwzmbv.info | udp |
| DE | 85.214.228.140:80 | xwfmlmbmtaz.info | tcp |
| US | 8.8.8.8:53 | tkrcfwxlihn.info | udp |
| US | 8.8.8.8:53 | yschbuzlfa.info | udp |
| US | 8.8.8.8:53 | xxazro.net | udp |
| US | 8.8.8.8:53 | nafodwrwdqd.com | udp |
| US | 8.8.8.8:53 | kafyzhvlwt.net | udp |
| US | 8.8.8.8:53 | ksqqpw.info | udp |
| US | 8.8.8.8:53 | kipshgzba.info | udp |
| US | 8.8.8.8:53 | pghnlzfc.net | udp |
| US | 8.8.8.8:53 | jkkjvq.net | udp |
| US | 8.8.8.8:53 | huhzhgf.info | udp |
| US | 8.8.8.8:53 | pepbcrv.com | udp |
| US | 8.8.8.8:53 | ysewrhzoxwvs.net | udp |
| US | 208.100.26.245:80 | ydqlnw.info | tcp |
| US | 8.8.8.8:53 | xgfqjudcr.net | udp |
| US | 8.8.8.8:53 | lffdtowuzuga.net | udp |
| US | 8.8.8.8:53 | uncaephtnirx.info | udp |
| US | 8.8.8.8:53 | nkydzeyb.info | udp |
| US | 8.8.8.8:53 | vungtmxgtcj.org | udp |
| US | 8.8.8.8:53 | xmlfqezqyyfp.net | udp |
| US | 8.8.8.8:53 | reycjyv.com | udp |
| US | 8.8.8.8:53 | fybufer.org | udp |
| US | 8.8.8.8:53 | tnxivajml.com | udp |
| US | 8.8.8.8:53 | tkhgyfas.net | udp |
| US | 8.8.8.8:53 | ydhhvkoxgz.net | udp |
| US | 8.8.8.8:53 | ioitubtfdzdr.info | udp |
| US | 8.8.8.8:53 | nafxot.net | udp |
| US | 8.8.8.8:53 | vecjqcmv.info | udp |
| US | 8.8.8.8:53 | lbdiwkzzbe.net | udp |
| US | 8.8.8.8:53 | rqzblutm.net | udp |
| US | 8.8.8.8:53 | ywquuu.org | udp |
| US | 8.8.8.8:53 | wqrdvrhir.net | udp |
| US | 8.8.8.8:53 | ggsgbtfqnm.info | udp |
| US | 8.8.8.8:53 | stvqbetkw.info | udp |
| US | 8.8.8.8:53 | rkfljexepd.info | udp |
| US | 8.8.8.8:53 | ewwquu.org | udp |
| US | 8.8.8.8:53 | cosuqgggsw.org | udp |
| US | 8.8.8.8:53 | aoikblgop.net | udp |
| US | 8.8.8.8:53 | nzkibs.info | udp |
| US | 8.8.8.8:53 | oyymaiiqq.info | udp |
| US | 8.8.8.8:53 | qpjzsurz.net | udp |
| US | 8.8.8.8:53 | qoguqaseca.org | udp |
| US | 8.8.8.8:53 | vefbssdmhox.net | udp |
| US | 8.8.8.8:53 | zdjrdwjrvznf.net | udp |
| US | 8.8.8.8:53 | lgswzqbvc.org | udp |
| US | 8.8.8.8:53 | ylrcomte.net | udp |
| US | 8.8.8.8:53 | hnxhjwubwxfh.info | udp |
| US | 8.8.8.8:53 | qycyqysm.org | udp |
| US | 8.8.8.8:53 | cikefqvitjps.net | udp |
| US | 8.8.8.8:53 | buxzfavglgf.com | udp |
| US | 8.8.8.8:53 | nbqgflv.net | udp |
| US | 8.8.8.8:53 | zwrsnqkgg.info | udp |
| US | 8.8.8.8:53 | zmfxqnjlzl.net | udp |
| US | 8.8.8.8:53 | xofyhmwvlzb.net | udp |
| US | 8.8.8.8:53 | hvmcabtuvfvp.info | udp |
| US | 8.8.8.8:53 | ujuyag.info | udp |
| US | 8.8.8.8:53 | ilqfaj.net | udp |
| US | 8.8.8.8:53 | aelxvivwnsg.info | udp |
| US | 8.8.8.8:53 | tonlvtvbgvga.info | udp |
| US | 8.8.8.8:53 | csqcsqymuqko.org | udp |
| US | 8.8.8.8:53 | okrjdjb.info | udp |
| US | 8.8.8.8:53 | amqkukx.net | udp |
| US | 8.8.8.8:53 | iojowt.info | udp |
| US | 8.8.8.8:53 | dzvrjx.info | udp |
| US | 8.8.8.8:53 | rosgahry.info | udp |
| US | 8.8.8.8:53 | blbhdyhlvekd.net | udp |
| US | 8.8.8.8:53 | neyizica.net | udp |
| US | 8.8.8.8:53 | vwgohuq.com | udp |
| US | 8.8.8.8:53 | toewbixnerdd.info | udp |
| US | 8.8.8.8:53 | aqmccyyiyq.com | udp |
| US | 8.8.8.8:53 | lcsurlv.info | udp |
| US | 8.8.8.8:53 | kajlsxb.info | udp |
| US | 8.8.8.8:53 | dwvpyeaajc.net | udp |
| US | 8.8.8.8:53 | oqchuplq.info | udp |
| US | 8.8.8.8:53 | dxjoyvefaf.info | udp |
| US | 8.8.8.8:53 | uvzigfdvbr.info | udp |
| US | 8.8.8.8:53 | cykcmoewwuwi.com | udp |
| US | 8.8.8.8:53 | qmngrsn.net | udp |
| US | 8.8.8.8:53 | tdwjko.info | udp |
| US | 8.8.8.8:53 | uuwegxeadesb.net | udp |
| US | 8.8.8.8:53 | hjvovv.net | udp |
| US | 8.8.8.8:53 | svxijer.net | udp |
| US | 8.8.8.8:53 | ekuffx.net | udp |
| US | 8.8.8.8:53 | hviizu.net | udp |
| US | 8.8.8.8:53 | iqqbjc.net | udp |
| US | 8.8.8.8:53 | aelubcv.info | udp |
| US | 8.8.8.8:53 | jmmfpocllj.net | udp |
| US | 8.8.8.8:53 | dgxnlxhbapkp.net | udp |
| US | 8.8.8.8:53 | uquaqimaqs.com | udp |
| US | 8.8.8.8:53 | mjuife.net | udp |
| US | 8.8.8.8:53 | grjgraoeefhx.info | udp |
| US | 8.8.8.8:53 | mgageqycao.com | udp |
| US | 8.8.8.8:53 | pqfctqo.org | udp |
| US | 8.8.8.8:53 | rlbmlkhfbzmy.info | udp |
| US | 8.8.8.8:53 | pzryostgtub.org | udp |
| US | 8.8.8.8:53 | nodpyubvnv.info | udp |
| US | 8.8.8.8:53 | fkeumt.net | udp |
| US | 8.8.8.8:53 | fidjxg.net | udp |
| US | 8.8.8.8:53 | jwcqoekw.net | udp |
| US | 8.8.8.8:53 | dilmcmz.net | udp |
| US | 8.8.8.8:53 | yqdqladadbyk.net | udp |
| US | 8.8.8.8:53 | qdxxhcpsz.info | udp |
| US | 8.8.8.8:53 | ngbhfibwamh.net | udp |
| US | 8.8.8.8:53 | oybgrad.info | udp |
| US | 8.8.8.8:53 | txascvsgth.net | udp |
| US | 8.8.8.8:53 | sddygjjqxc.info | udp |
| US | 8.8.8.8:53 | lotjeouktwh.com | udp |
| US | 8.8.8.8:53 | tepnzlwrbfpl.net | udp |
| US | 8.8.8.8:53 | hiadzu.info | udp |
| US | 8.8.8.8:53 | hozrnz.info | udp |
| US | 8.8.8.8:53 | pyaammoltdup.info | udp |
| US | 8.8.8.8:53 | vmylheoy.info | udp |
| US | 8.8.8.8:53 | hnxdxrpmb.net | udp |
| US | 8.8.8.8:53 | tuzrfsnorblf.info | udp |
| US | 8.8.8.8:53 | wmphnaffu.net | udp |
| US | 8.8.8.8:53 | cmsisw.org | udp |
| US | 8.8.8.8:53 | cgsamoekwu.org | udp |
| US | 8.8.8.8:53 | wyydxnlupdju.info | udp |
| US | 8.8.8.8:53 | fpifnwraky.info | udp |
| US | 8.8.8.8:53 | stxapuuba.info | udp |
| US | 8.8.8.8:53 | ggmqkyayqu.org | udp |
| US | 8.8.8.8:53 | uppqxezqtqo.net | udp |
| US | 8.8.8.8:53 | jwjzuw.net | udp |
| US | 8.8.8.8:53 | tlnebh.net | udp |
| US | 8.8.8.8:53 | jjnaohrfdo.net | udp |
| US | 8.8.8.8:53 | bcbsnzis.info | udp |
| US | 8.8.8.8:53 | yavekefqtco.net | udp |
| US | 8.8.8.8:53 | xdbcjgnxd.com | udp |
| US | 8.8.8.8:53 | ouuqaskmsq.org | udp |
| US | 8.8.8.8:53 | bilksvh.net | udp |
| US | 8.8.8.8:53 | cdoszrlg.net | udp |
| US | 8.8.8.8:53 | nizqlctofwr.com | udp |
| US | 8.8.8.8:53 | ekdvzksara.net | udp |
| US | 8.8.8.8:53 | uuimwaon.net | udp |
| US | 8.8.8.8:53 | oopolyb.info | udp |
| US | 8.8.8.8:53 | cwqoie.org | udp |
| US | 8.8.8.8:53 | tabawol.com | udp |
| US | 8.8.8.8:53 | yzdihejhfog.net | udp |
| US | 8.8.8.8:53 | yavypjskb.info | udp |
| US | 8.8.8.8:53 | uyeyfyjmv.net | udp |
| US | 8.8.8.8:53 | kpyvvmntqn.net | udp |
| US | 8.8.8.8:53 | cekoqi.com | udp |
| US | 8.8.8.8:53 | kwvzjuxmjii.net | udp |
| US | 8.8.8.8:53 | tzpnzahhdfoo.net | udp |
| US | 8.8.8.8:53 | pedwrstnp.org | udp |
| US | 8.8.8.8:53 | nudslgskvez.com | udp |
| US | 8.8.8.8:53 | nzxciotfwndx.net | udp |
| US | 8.8.8.8:53 | uturlqeydnly.net | udp |
| US | 8.8.8.8:53 | fmhknnhx.info | udp |
| US | 8.8.8.8:53 | kaiesmkmuiuc.org | udp |
| US | 8.8.8.8:53 | eiszzaydggg.net | udp |
| US | 8.8.8.8:53 | dhvnhgghkgg.net | udp |
| US | 8.8.8.8:53 | ikytvhboo.net | udp |
| US | 8.8.8.8:53 | ecgbtozjw.net | udp |
| US | 8.8.8.8:53 | misikiea.org | udp |
| US | 8.8.8.8:53 | khgdildazmzl.net | udp |
| US | 8.8.8.8:53 | yaukcyu.net | udp |
| US | 8.8.8.8:53 | nkjqjkfaau.info | udp |
| US | 8.8.8.8:53 | jgtosyjaxxy.net | udp |
| US | 8.8.8.8:53 | rixkdktie.com | udp |
| US | 8.8.8.8:53 | nsupzwjecmg.org | udp |
| US | 8.8.8.8:53 | zdqkgh.net | udp |
| US | 8.8.8.8:53 | btpypfipmac.info | udp |
| US | 8.8.8.8:53 | dqijbfn.net | udp |
| US | 8.8.8.8:53 | tyvdrldqdq.info | udp |
| US | 8.8.8.8:53 | jiruwsbne.net | udp |
| US | 8.8.8.8:53 | sjzbdvpd.net | udp |
| US | 8.8.8.8:53 | bmrjvsxr.info | udp |
| US | 8.8.8.8:53 | lkyzcddn.info | udp |
| US | 8.8.8.8:53 | hymqlmpof.com | udp |
| US | 8.8.8.8:53 | kqqcdiurz.info | udp |
| US | 8.8.8.8:53 | svtipkvrp.info | udp |
| US | 8.8.8.8:53 | rjavdq.net | udp |
| US | 8.8.8.8:53 | toypvn.net | udp |
| US | 8.8.8.8:53 | hvbgxfzaicye.net | udp |
| US | 8.8.8.8:53 | pikyhpboz.org | udp |
| US | 8.8.8.8:53 | xulzcioegk.net | udp |
| US | 8.8.8.8:53 | brkzng.net | udp |
| US | 8.8.8.8:53 | qccsuwsqweea.org | udp |
| US | 8.8.8.8:53 | hilanmhel.org | udp |
| US | 8.8.8.8:53 | okkmwcccmuqc.com | udp |
| US | 8.8.8.8:53 | tkrvuzr.info | udp |
| US | 8.8.8.8:53 | jofojst.com | udp |
| US | 8.8.8.8:53 | vuccsbpkz.org | udp |
| US | 8.8.8.8:53 | kwjtvpguzk.net | udp |
| US | 8.8.8.8:53 | sjfgnzvkawh.net | udp |
| US | 8.8.8.8:53 | fmvmehf.net | udp |
| US | 8.8.8.8:53 | qmbwxclgd.info | udp |
| US | 8.8.8.8:53 | xpniwzopgz.info | udp |
| US | 8.8.8.8:53 | tcwybaf.com | udp |
| US | 8.8.8.8:53 | depfbed.net | udp |
| US | 8.8.8.8:53 | xaenzp.net | udp |
| US | 8.8.8.8:53 | hemydztqpef.net | udp |
| US | 8.8.8.8:53 | zycyyehsf.com | udp |
| US | 8.8.8.8:53 | leqnrvracx.info | udp |
| US | 8.8.8.8:53 | yuwqea.org | udp |
| US | 8.8.8.8:53 | hhdcno.info | udp |
| US | 8.8.8.8:53 | lsrkvytrqkp.com | udp |
| US | 8.8.8.8:53 | hevccubupgb.com | udp |
| US | 8.8.8.8:53 | iorttyujlrgy.net | udp |
| US | 8.8.8.8:53 | kuywyoag.com | udp |
| US | 8.8.8.8:53 | oisfxztxhv.info | udp |
| US | 8.8.8.8:53 | neetlr.net | udp |
| US | 8.8.8.8:53 | qkdehkkbxxn.info | udp |
| US | 8.8.8.8:53 | beqkfmm.net | udp |
| US | 8.8.8.8:53 | ekdnyevst.info | udp |
| US | 8.8.8.8:53 | pyaqhevoqyp.info | udp |
| US | 8.8.8.8:53 | tfzudcdph.net | udp |
| US | 8.8.8.8:53 | mgoemc.org | udp |
| US | 8.8.8.8:53 | rjhinmroj.info | udp |
| US | 8.8.8.8:53 | swwqouoowwqs.com | udp |
| US | 8.8.8.8:53 | rqgezhvw.net | udp |
| US | 8.8.8.8:53 | aqbciqsn.info | udp |
| US | 8.8.8.8:53 | bfodrkjz.net | udp |
| US | 8.8.8.8:53 | mqjgwhr.net | udp |
| US | 8.8.8.8:53 | ylxorvzolo.info | udp |
| US | 8.8.8.8:53 | hnywad.net | udp |
| US | 8.8.8.8:53 | kkjuqebxhsh.net | udp |
| US | 8.8.8.8:53 | fkfshbncp.net | udp |
| US | 8.8.8.8:53 | acbxcmcdn.info | udp |
| US | 8.8.8.8:53 | oooaaaoeyoqa.org | udp |
| US | 8.8.8.8:53 | nclmxk.net | udp |
| US | 8.8.8.8:53 | hkwinirsbx.net | udp |
| US | 8.8.8.8:53 | muytnc.info | udp |
| US | 8.8.8.8:53 | qhxmjsrlyk.net | udp |
| US | 8.8.8.8:53 | aotgxtgj.net | udp |
| US | 8.8.8.8:53 | peeywjoj.net | udp |
| US | 8.8.8.8:53 | kkvkvwsaoef.net | udp |
| US | 8.8.8.8:53 | bbtbbofqujwe.net | udp |
| US | 8.8.8.8:53 | ltmtwr.net | udp |
| US | 8.8.8.8:53 | perguob.info | udp |
| US | 8.8.8.8:53 | ffukxsp.org | udp |
| US | 8.8.8.8:53 | xmczdhxnho.info | udp |
| US | 8.8.8.8:53 | wqjuwirevof.net | udp |
| US | 8.8.8.8:53 | eamiwqog.com | udp |
| US | 8.8.8.8:53 | fnwogpkg.net | udp |
| US | 8.8.8.8:53 | bvjvhigwqw.info | udp |
| US | 8.8.8.8:53 | qysqee.com | udp |
| US | 8.8.8.8:53 | xvzgwfts.net | udp |
| US | 8.8.8.8:53 | tzwflmeio.net | udp |
| US | 8.8.8.8:53 | hfakpyjtrenq.info | udp |
| US | 8.8.8.8:53 | zqxavaf.net | udp |
| US | 8.8.8.8:53 | plltpewkteq.net | udp |
| US | 8.8.8.8:53 | xhxlmbbl.info | udp |
| US | 8.8.8.8:53 | fydwhccelch.info | udp |
| US | 8.8.8.8:53 | oboqvwocbzg.net | udp |
| US | 8.8.8.8:53 | vsachs.net | udp |
| US | 8.8.8.8:53 | vwxhbng.com | udp |
| US | 8.8.8.8:53 | uvwzpvisxn.info | udp |
| US | 8.8.8.8:53 | tvkvmwhx.info | udp |
| US | 8.8.8.8:53 | myocxzhsjj.net | udp |
| US | 8.8.8.8:53 | rahnqeiicef.com | udp |
| US | 8.8.8.8:53 | neyenyqmv.net | udp |
| US | 8.8.8.8:53 | qmkeskgcaysg.com | udp |
| US | 8.8.8.8:53 | zpidxm.net | udp |
| US | 8.8.8.8:53 | bbbsgxyqhp.info | udp |
| US | 8.8.8.8:53 | swuynjfkbnv.net | udp |
| US | 8.8.8.8:53 | gkqidyeboznx.net | udp |
| US | 8.8.8.8:53 | miudiglx.info | udp |
| US | 8.8.8.8:53 | obflzk.info | udp |
| US | 8.8.8.8:53 | xmqtbmimevp.net | udp |
| US | 8.8.8.8:53 | smenbgz.info | udp |
| US | 8.8.8.8:53 | vdpmdujklazl.net | udp |
| US | 8.8.8.8:53 | crhobevyx.net | udp |
| US | 8.8.8.8:53 | swmewyxf.info | udp |
| US | 8.8.8.8:53 | jgufibeybs.info | udp |
| US | 8.8.8.8:53 | ctsudbcsth.info | udp |
| US | 8.8.8.8:53 | aknkguaywd.net | udp |
| US | 8.8.8.8:53 | nzdqpkbsq.org | udp |
| US | 8.8.8.8:53 | gmvlab.info | udp |
| US | 8.8.8.8:53 | oxobnynz.net | udp |
| US | 8.8.8.8:53 | tjmyylzywqis.net | udp |
| US | 8.8.8.8:53 | yveovmlrlid.info | udp |
| US | 8.8.8.8:53 | dnhbrvrualyf.net | udp |
| US | 8.8.8.8:53 | lccnlwqcnel.org | udp |
| US | 8.8.8.8:53 | xsfctvikykh.info | udp |
| US | 8.8.8.8:53 | nezhmvamlup.net | udp |
| US | 8.8.8.8:53 | xcxxvvmr.info | udp |
| US | 8.8.8.8:53 | zsrozefczwmf.net | udp |
| US | 8.8.8.8:53 | dymincoifib.info | udp |
| US | 8.8.8.8:53 | lffqvzzo.info | udp |
| US | 8.8.8.8:53 | xkvrzkxuy.net | udp |
| US | 8.8.8.8:53 | hblddmicrx.net | udp |
| US | 8.8.8.8:53 | tidudv.info | udp |
| US | 8.8.8.8:53 | zsrsrkvtcyt.net | udp |
| US | 8.8.8.8:53 | sovgagdst.net | udp |
| US | 8.8.8.8:53 | wtyxxu.info | udp |
| US | 8.8.8.8:53 | nuoclqrug.info | udp |
| US | 8.8.8.8:53 | ddlkjxgwufl.info | udp |
| US | 8.8.8.8:53 | pdhxrk.info | udp |
| US | 8.8.8.8:53 | wqrvrtugx.net | udp |
| US | 8.8.8.8:53 | ysmeiu.org | udp |
| US | 8.8.8.8:53 | cgbpjcifav.info | udp |
| US | 8.8.8.8:53 | caaupirismk.net | udp |
| US | 8.8.8.8:53 | tmdikd.info | udp |
| US | 8.8.8.8:53 | mikgomiq.com | udp |
| US | 8.8.8.8:53 | xbfyyqyzbieb.info | udp |
| US | 8.8.8.8:53 | eegxpqopfkd.net | udp |
| US | 8.8.8.8:53 | hzkbrj.net | udp |
| US | 8.8.8.8:53 | tujyhkx.com | udp |
| US | 8.8.8.8:53 | yqikoyuc.org | udp |
| US | 8.8.8.8:53 | feyjrv.net | udp |
| US | 8.8.8.8:53 | ixvuqnviip.net | udp |
| US | 8.8.8.8:53 | aufedslzv.net | udp |
| US | 8.8.8.8:53 | zzircs.info | udp |
| US | 8.8.8.8:53 | pyuwnmuyj.info | udp |
| US | 8.8.8.8:53 | hucndqvhwh.net | udp |
| US | 8.8.8.8:53 | htwgjqts.info | udp |
| US | 8.8.8.8:53 | zevxlgfdhbin.net | udp |
| US | 8.8.8.8:53 | zdpxqkcoetaz.info | udp |
| US | 8.8.8.8:53 | fgjwdazyr.net | udp |
| US | 8.8.8.8:53 | latisuz.info | udp |
| US | 8.8.8.8:53 | nypcbqrgymx.net | udp |
| US | 8.8.8.8:53 | vvznhp.info | udp |
| US | 8.8.8.8:53 | uslvzzpcj.info | udp |
| US | 8.8.8.8:53 | wokyyoqk.com | udp |
| US | 8.8.8.8:53 | vibcboq.org | udp |
| US | 8.8.8.8:53 | kmqkao.org | udp |
| US | 8.8.8.8:53 | pyckslpsusgv.net | udp |
| US | 8.8.8.8:53 | renmuav.net | udp |
| US | 8.8.8.8:53 | wlbdndduxrjv.info | udp |
| US | 8.8.8.8:53 | fkxaqiekg.net | udp |
| US | 8.8.8.8:53 | aksrgnlgvpde.net | udp |
| US | 8.8.8.8:53 | qtboxuxqgsj.info | udp |
| US | 8.8.8.8:53 | wbdovmlrlid.info | udp |
| US | 8.8.8.8:53 | aeckkm.com | udp |
| US | 8.8.8.8:53 | mcmqugss.org | udp |
| US | 8.8.8.8:53 | wgdnlif.net | udp |
| US | 8.8.8.8:53 | ohskbojex.net | udp |
| US | 8.8.8.8:53 | sjiazk.info | udp |
| US | 8.8.8.8:53 | ztuktjb.net | udp |
| US | 8.8.8.8:53 | hghifclbjmx.net | udp |
| US | 8.8.8.8:53 | sjhyvdhixx.info | udp |
| US | 8.8.8.8:53 | vyvgpqxan.org | udp |
| US | 8.8.8.8:53 | rnbljgbalfwo.net | udp |
| US | 8.8.8.8:53 | qteshnclrm.info | udp |
| US | 8.8.8.8:53 | iragjo.net | udp |
| US | 8.8.8.8:53 | vwuqrirf.net | udp |
| US | 8.8.8.8:53 | kioeebngfib.info | udp |
| US | 8.8.8.8:53 | xjzaetxo.info | udp |
| US | 8.8.8.8:53 | dfvudx.net | udp |
| US | 8.8.8.8:53 | xrfssjij.net | udp |
| US | 8.8.8.8:53 | gkcycuukqqak.com | udp |
| US | 8.8.8.8:53 | wwuomu.com | udp |
| US | 8.8.8.8:53 | rqcjorbuzh.info | udp |
| US | 8.8.8.8:53 | kuvukue.net | udp |
| US | 8.8.8.8:53 | msqgam.com | udp |
| US | 8.8.8.8:53 | tohohczeb.com | udp |
| US | 8.8.8.8:53 | aqsukeum.com | udp |
| US | 8.8.8.8:53 | jcrlagexjabz.net | udp |
| US | 8.8.8.8:53 | rafbfgfcjqx.net | udp |
| US | 8.8.8.8:53 | dzjrpzgcwkat.info | udp |
| US | 8.8.8.8:53 | bwsbuonc.info | udp |
| US | 8.8.8.8:53 | yfawhy.info | udp |
| US | 8.8.8.8:53 | dudqnb.info | udp |
| US | 8.8.8.8:53 | alpizop.info | udp |
| US | 8.8.8.8:53 | qmwkkmwguuqm.org | udp |
| US | 8.8.8.8:53 | soyyceki.com | udp |
| US | 8.8.8.8:53 | rkzhgrty.info | udp |
| US | 8.8.8.8:53 | ckxyrue.info | udp |
| US | 8.8.8.8:53 | xkncznbot.net | udp |
| US | 8.8.8.8:53 | qsnolq.info | udp |
| US | 8.8.8.8:53 | dilylny.com | udp |
| US | 8.8.8.8:53 | nshdbdtumtn.com | udp |
| US | 8.8.8.8:53 | zxlglmh.net | udp |
Files
C:\Users\Admin\AppData\Local\Temp\chgru.exe
C:\Users\Admin\AppData\Local\chgrucfljprulkpbhsotsdgorxv.dgx
C:\Users\Admin\AppData\Local\zpzvjcqhqhuikukhyubrbxlesjsjwkmwmjawdt.zng
C:\Program Files (x86)\chgrucfljprulkpbhsotsdgorxv.dgx