Malware Analysis Report

2024-12-07 16:34

Sample ID 241114-abc3kasajr
Target 7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe
SHA256 7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0
Tags defense_evasion discovery evasion persistence privilege_escalation trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0

Threat Level: Known bad

The file 7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery evasion persistence privilege_escalation trojan

Modifies WinLogon for persistence

UAC bypass

Disables RegEdit via registry modification

Adds policy Run key to start application

Checks computer location settings

Impair Defenses: Safe Mode Boot

Loads dropped DLL

Executes dropped EXE

Hijack Execution Flow: Executable Installer File Permissions Weakness

Looks up external IP address via web service

Adds Run key to start application

Checks whether UAC is enabled

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

System policy modification

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 00:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 00:01

Reported

2024-11-14 00:04

Platform

win7-20240903-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "ymyqnbkbyjgsgatb.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfaardxxllarokvued.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "zqfaardxxllarokvued.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "bulikdrnpfhyrqobcopiz.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "zqfaardxxllarokvued.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bulikdrnpfhyrqobcopiz.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfaardxxllarokvued.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bulikdrnpfhyrqobcopiz.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "fuhaynxpnzxkzuoxu.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "meuqrjwrshiyqolxxiia.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymyqnbkbyjgsgatb.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "oesmlbmferqeuqlvtc.exe" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "oesmlbmferqeuqlvtc.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oesmlbmferqeuqlvtc.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oesmlbmferqeuqlvtc.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fuhaynxpnzxkzuoxu.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfaardxxllarokvued.exe" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "fuhaynxpnzxkzuoxu.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meuqrjwrshiyqolxxiia.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "ymyqnbkbyjgsgatb.exe" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "meuqrjwrshiyqolxxiia.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ouyixden = "bulikdrnpfhyrqobcopiz.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymyqnbkbyjgsgatb.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\befmy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meuqrjwrshiyqolxxiia.exe" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meuqrjwrshiyqolxxiia.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fuhaynxpnzxkzuoxu.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bulikdrnpfhyrqobcopiz.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "fuhaynxpnzxkzuoxu.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oesmlbmferqeuqlvtc.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqsanr = "meuqrjwrshiyqolxxiia.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfaardxxllarokvued.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqsanr = "oesmlbmferqeuqlvtc.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqsanr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfaardxxllarokvued.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqsanr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meuqrjwrshiyqolxxiia.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygmypxalch = "meuqrjwrshiyqolxxiia.exe ." C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qaiwpzerkrks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meuqrjwrshiyqolxxiia.exe" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqsanr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfaardxxllarokvued.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qaiwpzerkrks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bulikdrnpfhyrqobcopiz.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmrcszblb = "zqfaardxxllarokvued.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "zqfaardxxllarokvued.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqsanr = "ymyqnbkbyjgsgatb.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygmypxalch = "ymyqnbkbyjgsgatb.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qaiwpzerkrks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fuhaynxpnzxkzuoxu.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oesmlbmferqeuqlvtc.exe ." C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmrcszblb = "meuqrjwrshiyqolxxiia.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqsanr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fuhaynxpnzxkzuoxu.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmrcszblb = "zqfaardxxllarokvued.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qaiwpzerkrks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meuqrjwrshiyqolxxiia.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqsanr = "zqfaardxxllarokvued.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmrcszblb = "meuqrjwrshiyqolxxiia.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqsanr = "ymyqnbkbyjgsgatb.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmrcszblb = "bulikdrnpfhyrqobcopiz.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygmypxalch = "bulikdrnpfhyrqobcopiz.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygmypxalch = "zqfaardxxllarokvued.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meuqrjwrshiyqolxxiia.exe ." C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygmypxalch = "ymyqnbkbyjgsgatb.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygmypxalch = "meuqrjwrshiyqolxxiia.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygmypxalch = "bulikdrnpfhyrqobcopiz.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqsanr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fuhaynxpnzxkzuoxu.exe" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcjwoxbnfld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfaardxxllarokvued.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmrcszblb = "fuhaynxpnzxkzuoxu.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqsanr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meuqrjwrshiyqolxxiia.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ygmypxalch = "zqfaardxxllarokvued.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcjwoxbnfld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bulikdrnpfhyrqobcopiz.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fuhaynxpnzxkzuoxu.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqsanr = "fuhaynxpnzxkzuoxu.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqsanr = "bulikdrnpfhyrqobcopiz.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcjwoxbnfld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymyqnbkbyjgsgatb.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqsanr = "zqfaardxxllarokvued.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "bulikdrnpfhyrqobcopiz.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qaiwpzerkrks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfaardxxllarokvued.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\mqsanr = "fuhaynxpnzxkzuoxu.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcjwoxbnfld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meuqrjwrshiyqolxxiia.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcjwoxbnfld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meuqrjwrshiyqolxxiia.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bulikdrnpfhyrqobcopiz.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "zqfaardxxllarokvued.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qaiwpzerkrks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfaardxxllarokvued.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqsanr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bulikdrnpfhyrqobcopiz.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\qaiwpzerkrks = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ymyqnbkbyjgsgatb.exe" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmrcszblb = "ymyqnbkbyjgsgatb.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmrcszblb = "ymyqnbkbyjgsgatb.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zehqejj = "ymyqnbkbyjgsgatb.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmrcszblb = "oesmlbmferqeuqlvtc.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcjwoxbnfld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zqfaardxxllarokvued.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqsanr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\meuqrjwrshiyqolxxiia.exe" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\mqsanr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\fuhaynxpnzxkzuoxu.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tcjwoxbnfld = "C:\\Users\\Admin\\AppData\\Local\\Temp\\oesmlbmferqeuqlvtc.exe ." C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\fmrcszblb = "bulikdrnpfhyrqobcopiz.exe" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A whatismyip.everdot.org N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\befmybzfrrdehqyvgcnqryknlrd.pqt C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
File created C:\Windows\SysWOW64\befmybzfrrdehqyvgcnqryknlrd.pqt C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
File opened for modification C:\Windows\SysWOW64\ymyqnbkbyjgsgatbxeaoaspdmdaliuicvdzgcq.urf C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
File created C:\Windows\SysWOW64\ymyqnbkbyjgsgatbxeaoaspdmdaliuicvdzgcq.urf C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\befmybzfrrdehqyvgcnqryknlrd.pqt C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
File created C:\Program Files (x86)\befmybzfrrdehqyvgcnqryknlrd.pqt C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
File opened for modification C:\Program Files (x86)\ymyqnbkbyjgsgatbxeaoaspdmdaliuicvdzgcq.urf C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
File created C:\Program Files (x86)\ymyqnbkbyjgsgatbxeaoaspdmdaliuicvdzgcq.urf C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\befmybzfrrdehqyvgcnqryknlrd.pqt C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
File opened for modification C:\Windows\ymyqnbkbyjgsgatbxeaoaspdmdaliuicvdzgcq.urf C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
File created C:\Windows\ymyqnbkbyjgsgatbxeaoaspdmdaliuicvdzgcq.urf C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
File opened for modification C:\Windows\befmybzfrrdehqyvgcnqryknlrd.pqt C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2172 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe C:\Users\Admin\AppData\Local\Temp\mqsanr.exe
PID 2172 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe C:\Users\Admin\AppData\Local\Temp\mqsanr.exe
PID 2172 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe C:\Users\Admin\AppData\Local\Temp\mqsanr.exe
PID 2172 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe C:\Users\Admin\AppData\Local\Temp\mqsanr.exe
PID 2172 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe C:\Users\Admin\AppData\Local\Temp\mqsanr.exe
PID 2172 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe C:\Users\Admin\AppData\Local\Temp\mqsanr.exe
PID 2172 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe C:\Users\Admin\AppData\Local\Temp\mqsanr.exe
PID 2172 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe C:\Users\Admin\AppData\Local\Temp\mqsanr.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\mqsanr.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe

"C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe"

C:\Users\Admin\AppData\Local\Temp\mqsanr.exe

"C:\Users\Admin\AppData\Local\Temp\mqsanr.exe" "-"

C:\Users\Admin\AppData\Local\Temp\mqsanr.exe

"C:\Users\Admin\AppData\Local\Temp\mqsanr.exe" "-"

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.whatismyip.com udp
US 104.27.206.92:80 www.whatismyip.com tcp
US 8.8.8.8:53 www.showmyipaddress.com udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 www.whatismyip.ca udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 whatismyipaddress.com udp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 8.8.8.8:53 whatismyip.everdot.org udp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 104.21.74.56:80 www.showmyipaddress.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 104.27.206.92:80 www.whatismyip.com tcp
US 104.19.222.79:80 whatismyipaddress.com tcp
US 8.8.8.8:53 www.imdb.com udp
FR 52.222.159.143:80 www.imdb.com tcp
US 8.8.8.8:53 hklgkqwuttn.com udp
IE 34.246.200.160:80 hklgkqwuttn.com tcp
US 8.8.8.8:53 hajjemfwf.info udp
US 8.8.8.8:53 xzvzarhjkjzv.info udp
US 8.8.8.8:53 wljsua.net udp
US 8.8.8.8:53 kczqzttce.net udp
US 8.8.8.8:53 oavyfozyb.net udp
US 8.8.8.8:53 aizbhirrwyz.net udp
US 8.8.8.8:53 tcxqpovybip.org udp
US 8.8.8.8:53 xuvaxmc.info udp
US 8.8.8.8:53 yeqsceua.org udp
US 8.8.8.8:53 mwkmmqcokium.com udp
US 8.8.8.8:53 bnrgiul.net udp
US 8.8.8.8:53 ulbbftlmpz.info udp
US 8.8.8.8:53 sizvwaazrbbg.info udp
US 8.8.8.8:53 ratirtqyspss.net udp
US 8.8.8.8:53 jqbevqhsy.info udp
US 8.8.8.8:53 mgjwzsl.net udp
US 8.8.8.8:53 rgnyiunkepv.com udp
US 8.8.8.8:53 lcsgfob.org udp
US 8.8.8.8:53 zbfepsl.info udp
US 8.8.8.8:53 iigccu.org udp
US 8.8.8.8:53 ihtktczvf.net udp
US 8.8.8.8:53 hnadhnfdya.info udp
US 8.8.8.8:53 ginqeibkv.info udp
US 8.8.8.8:53 efvwnivya.net udp
US 8.8.8.8:53 kuxajxugfkr.net udp
US 8.8.8.8:53 vpkakg.info udp
US 8.8.8.8:53 axlqnmjvlxy.info udp
US 8.8.8.8:53 yckhfg.info udp
US 8.8.8.8:53 omgmayoa.com udp
US 8.8.8.8:53 wkwkeicewo.org udp
US 8.8.8.8:53 dfldpgpdiy.info udp
US 8.8.8.8:53 cqiuai.org udp
US 8.8.8.8:53 duguyowmbk.net udp
US 8.8.8.8:53 vppoxrsumlwq.net udp
US 8.8.8.8:53 azrakrbzpk.net udp
US 8.8.8.8:53 seqawswo.org udp
US 8.8.8.8:53 aiwyskuecmsk.org udp
US 8.8.8.8:53 vjmyxpra.net udp
US 8.8.8.8:53 qgdbnxdjhg.net udp
US 8.8.8.8:53 nxnwpxhqyg.net udp
US 8.8.8.8:53 mwvpbsdyrao.net udp
US 8.8.8.8:53 rrelgkdkbl.net udp
US 8.8.8.8:53 hrqqxhtqc.net udp
US 8.8.8.8:53 oqlztme.net udp
US 8.8.8.8:53 zxfznjjo.net udp
US 8.8.8.8:53 wwqqcekq.org udp
US 8.8.8.8:53 wgwgqi.org udp

Files

C:\Users\Admin\AppData\Local\Temp\mqsanr.exe

MD5 e5475619dbbb7d62db81033f1e84cdcf
SHA1 12b545f4101388444a43207ffb0856de370fc642
SHA256 424c85a6921d9643f62c17b3089e15ec2a4612241c37487b5d61626ae9525b5e
SHA512 1ee7fc097b4cb27b1b470ac67b280f246a8b1dd6253fad2fc513feef1f234929cfd3e4795243357029a57d28bec0675a9635dafa6de63f524e3c63747d22bbaa

C:\Users\Admin\AppData\Local\befmybzfrrdehqyvgcnqryknlrd.pqt

MD5 e6c7bb944143d5a82585281db287c531
SHA1 2fdc5f6fd029e00d928b285f061f2106e30d1ef1
SHA256 9d06bc97fe2c548326656b240cefc030a2b47e8a2b78ef67a89cb6907021ca92
SHA512 ae9329b3f351bd08d3fd20e0151692c33b6576cabb2748b0999c36b6c8e4bf5ac35c7595d45bbbd10172fcf2cefab1b111251f2caa86e3092f82406cedc7c155

C:\Users\Admin\AppData\Local\ymyqnbkbyjgsgatbxeaoaspdmdaliuicvdzgcq.urf

MD5 32c3744f771353e2c849ff89cf71b565
SHA1 a968eb386a265b22ee6741f4f897c9a9a6be3663
SHA256 006931f0fd378c9682bfd152102ca8834ac03d09dbbc4c99417a8c9892070e09
SHA512 5812ded5499909a6d56d65e4d5662719094555c160bbcf4a563e47ec793b056d45cc0d959e2d8368c5e44a53f91b91f3ff8ee0cbb70e90a26a7771838b322c5c

C:\Program Files (x86)\befmybzfrrdehqyvgcnqryknlrd.pqt

MD5 e346f966e4ed242169e17923f888a244
SHA1 1f1c12a0af888f11b3c7819ac3d92c1895999a66
SHA256 5000990c9839f5559da4d239b9d65eab206e282a5bd012bef45c423b11a42572
SHA512 25065c54e5006ebcd696c25b7ff21e0cc3bb0d08771205ff06609c0adaafcbe9a51aff33e3caca0bae3bcafc712121b93f1bcee0379705a0590f6294a1ec9380

C:\Program Files (x86)\befmybzfrrdehqyvgcnqryknlrd.pqt

MD5 d2341f5ccbd40c8d794af480f9549b8e
SHA1 026f9c346635a5d5e9026cb2eaa723eb8a72e14f
SHA256 f96c6b811d7a9fd0fa00ff713ccf89494bcde6b99eebcd128bd5051f7ffd0637
SHA512 a77d909f5ceb0e490c34b52e6cc09c451e86b498e8e313d4f2d9746a6bc67fe56b315a7898d342bf6db107dd6cd47a24442bebcf8b566ae1727276321231b3fa

C:\Program Files (x86)\befmybzfrrdehqyvgcnqryknlrd.pqt

MD5 e49b7e4c56b0de01a296401f319b5919
SHA1 7035901aea5a3151201d2032587eeab549006555
SHA256 29ed8ab39b374fbc1ba0b989a508990c2e48277332bb86dcc66b166bdf7fe26c
SHA512 1ee6f424f7ba92c5fa98cdcea30ea50489b048653b781f037091d2ac209b51a799bd0ec81dc0064cedcc5c572958fb39ab6c64cc6d25751d5b664426b2bf1e7d

C:\Program Files (x86)\befmybzfrrdehqyvgcnqryknlrd.pqt

MD5 ea458758c2eed7b919eda087de5af52c
SHA1 35c4241a693f47018780304a49a346dfaa3c57fb
SHA256 41c2283109adfb2d1df5eec49e6cc716d53198c263d42a4dafb50fc1a127f31b
SHA512 653250e5548f4cd6dd406c0f49d531b80d92358a05afcdf1d0eebaaff5e0255b7b18fbdf1272db53f610a3a89f0c4bffe6a426dd6c97e7c744ba826eefc8d001

C:\Program Files (x86)\befmybzfrrdehqyvgcnqryknlrd.pqt

MD5 6e452148ed325ef7823bfad7f3105dbf
SHA1 a77acf9746d6d1f6f1d6f77ac5a60cfa6664dec1
SHA256 957e1836c06ebe8fd0f36e36fc6ac80b5782054b385af308190bce73016d2e38
SHA512 3704a083267ac2f5917cbf0bcb9f942e95b07700da0855c791f21867f1754e87eb045655046e0ab79513a14133e8f9439e64c901947d11bb7c0dbd6f33cfdcf9

C:\Program Files (x86)\befmybzfrrdehqyvgcnqryknlrd.pqt

MD5 925046c3b104e6bc0094821339ce7134
SHA1 a46178d373341a1eb59cd68e2cbf5081037270d9
SHA256 e82aa94462b0a84faef3d6c01136362ec1b3214dce2c1cdc4316784732d0aa34
SHA512 03291448d9a1c274efd2791fb20be4be41f32fc8bf9b53351159ea459b449b0859931f47854c7970c090760abc7e9dc5069dc05d5e73391a1ac24925680783e0

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-14 00:01

Reported

2024-11-14 00:04

Platform

win10v2004-20241007-en

Max time kernel

120s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A

Adds policy Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phtrhcslwpeuykcbus.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahivakp = "phtrhcslwpeuykcbus.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxmngexthdvovkfhdeqla.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahivakp = "atgfwsjdpjzqvibbvue.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhvvnkcxkfwouicdyyjd.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahivakp = "zpzvjcqhqhuikukh.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxifuodvfxladofdv.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahivakp = "nhvvnkcxkfwouicdyyjd.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxmngexthdvovkfhdeqla.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpzvjcqhqhuikukh.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phtrhcslwpeuykcbus.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahivakp = "phtrhcslwpeuykcbus.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhvvnkcxkfwouicdyyjd.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahivakp = "cxmngexthdvovkfhdeqla.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahivakp = "gxifuodvfxladofdv.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahivakp = "nhvvnkcxkfwouicdyyjd.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atgfwsjdpjzqvibbvue.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahivakp = "zpzvjcqhqhuikukh.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ahivakp = "gxifuodvfxladofdv.exe" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\txvf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atgfwsjdpjzqvibbvue.exe" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A

Impair Defenses: Safe Mode Boot

defense_evasion
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Key deleted \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "gxifuodvfxladofdv.exe ." C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pxzntekt = "gxifuodvfxladofdv.exe" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxifuodvfxladofdv.exe ." C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxifuodvfxladofdv.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "zpzvjcqhqhuikukh.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ufkbkyhtxjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atgfwsjdpjzqvibbvue.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zjndlygruf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atgfwsjdpjzqvibbvue.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zjndlygruf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxifuodvfxladofdv.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpzvjcqhqhuikukh.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pxzntekt = "cxmngexthdvovkfhdeqla.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ufkbkyhtxjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpzvjcqhqhuikukh.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "gxifuodvfxladofdv.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ufkbkyhtxjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxifuodvfxladofdv.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxifuodvfxladofdv.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pxzntekt = "nhvvnkcxkfwouicdyyjd.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gpshoahrt = "cxmngexthdvovkfhdeqla.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pxzntekt = "zpzvjcqhqhuikukh.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zjndlygruf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpzvjcqhqhuikukh.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zjndlygruf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpzvjcqhqhuikukh.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ufkbkyhtxjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxmngexthdvovkfhdeqla.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chgru = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atgfwsjdpjzqvibbvue.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "nhvvnkcxkfwouicdyyjd.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gpshoahrt = "gxifuodvfxladofdv.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "atgfwsjdpjzqvibbvue.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pxzntekt = "atgfwsjdpjzqvibbvue.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chgru = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atgfwsjdpjzqvibbvue.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gpshoahrt = "nhvvnkcxkfwouicdyyjd.exe ." C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chgru = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpzvjcqhqhuikukh.exe" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "zpzvjcqhqhuikukh.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chgru = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhvvnkcxkfwouicdyyjd.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ufkbkyhtxjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxifuodvfxladofdv.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gpshoahrt = "gxifuodvfxladofdv.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zjndlygruf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\gxifuodvfxladofdv.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pxzntekt = "phtrhcslwpeuykcbus.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "cxmngexthdvovkfhdeqla.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxmngexthdvovkfhdeqla.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\chgru = "gxifuodvfxladofdv.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pxzntekt = "phtrhcslwpeuykcbus.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gpshoahrt = "cxmngexthdvovkfhdeqla.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pxzntekt = "gxifuodvfxladofdv.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gpshoahrt = "zpzvjcqhqhuikukh.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "cxmngexthdvovkfhdeqla.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chgru = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxmngexthdvovkfhdeqla.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chgru = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phtrhcslwpeuykcbus.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chgru = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhvvnkcxkfwouicdyyjd.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\atgfwsjdpjzqvibbvue.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ufkbkyhtxjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhvvnkcxkfwouicdyyjd.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phtrhcslwpeuykcbus.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "phtrhcslwpeuykcbus.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ufkbkyhtxjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpzvjcqhqhuikukh.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ufkbkyhtxjr = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpzvjcqhqhuikukh.exe" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zjndlygruf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\phtrhcslwpeuykcbus.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\chgru = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zpzvjcqhqhuikukh.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pxzntekt = "gxifuodvfxladofdv.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gpshoahrt = "zpzvjcqhqhuikukh.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pxzntekt = "atgfwsjdpjzqvibbvue.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\nttfjs = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cxmngexthdvovkfhdeqla.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\zjndlygruf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nhvvnkcxkfwouicdyyjd.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\chgru = "zpzvjcqhqhuikukh.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\chgru = "atgfwsjdpjzqvibbvue.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pxzntekt = "cxmngexthdvovkfhdeqla.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\chgru = "phtrhcslwpeuykcbus.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\gpshoahrt = "phtrhcslwpeuykcbus.exe ." C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\chgru = "nhvvnkcxkfwouicdyyjd.exe" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A

Hijack Execution Flow: Executable Installer File Permissions Weakness

defense_evasion persistence privilege_escalation
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A www.showmyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyip.everdot.org N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A www.whatismyip.ca N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\chgrucfljprulkpbhsotsdgorxv.dgx C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
File created C:\Windows\SysWOW64\chgrucfljprulkpbhsotsdgorxv.dgx C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
File opened for modification C:\Windows\SysWOW64\zpzvjcqhqhuikukhyubrbxlesjsjwkmwmjawdt.zng C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
File created C:\Windows\SysWOW64\zpzvjcqhqhuikukhyubrbxlesjsjwkmwmjawdt.zng C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\zpzvjcqhqhuikukhyubrbxlesjsjwkmwmjawdt.zng C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
File created C:\Program Files (x86)\zpzvjcqhqhuikukhyubrbxlesjsjwkmwmjawdt.zng C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
File opened for modification C:\Program Files (x86)\chgrucfljprulkpbhsotsdgorxv.dgx C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
File created C:\Program Files (x86)\chgrucfljprulkpbhsotsdgorxv.dgx C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\zpzvjcqhqhuikukhyubrbxlesjsjwkmwmjawdt.zng C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
File opened for modification C:\Windows\chgrucfljprulkpbhsotsdgorxv.dgx C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
File created C:\Windows\chgrucfljprulkpbhsotsdgorxv.dgx C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
File opened for modification C:\Windows\zpzvjcqhqhuikukhyubrbxlesjsjwkmwmjawdt.zng C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" C:\Users\Admin\AppData\Local\Temp\chgru.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe

"C:\Users\Admin\AppData\Local\Temp\7bf69188ae195642b23a8903128726200413395d607643f85fd8921ada3919e0.exe"

C:\Users\Admin\AppData\Local\Temp\chgru.exe

"C:\Users\Admin\AppData\Local\Temp\chgru.exe" "-"

C:\Users\Admin\AppData\Local\Temp\chgru.exe

"C:\Users\Admin\AppData\Local\Temp\chgru.exe" "-"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

US 8.8.8.8:53 depfbed.net udp
US 8.8.8.8:53 vwnutke.info udp
US 8.8.8.8:53 dbxybwh.info udp
US 8.8.8.8:53 syymgscwoaik.com udp
US 8.8.8.8:53 hhdcno.info udp
US 8.8.8.8:53 iorttyujlrgy.net udp
US 8.8.8.8:53 dqxqalekuybu.net udp
US 8.8.8.8:53 izqscpyklqw.info udp
US 8.8.8.8:53 oisfxztxhv.info udp
US 8.8.8.8:53 ihixdqijzuyq.info udp
US 8.8.8.8:53 obejsdvu.info udp
US 8.8.8.8:53 igvefob.net udp
US 8.8.8.8:53 dshwhdlvmmsa.net udp
US 8.8.8.8:53 aygoag.com udp
US 8.8.8.8:53 swoqicqwgq.org udp
US 8.8.8.8:53 mgoemc.org udp
US 8.8.8.8:53 oulbhzumtkp.info udp
US 8.8.8.8:53 pwfgnxivigd.net udp
US 8.8.8.8:53 rqgezhvw.net udp
US 8.8.8.8:53 kquwbktvxki.net udp
US 8.8.8.8:53 ouhsbnb.info udp
US 8.8.8.8:53 zllype.net udp
US 8.8.8.8:53 nobhtytkt.com udp
US 8.8.8.8:53 mqjgwhr.net udp
US 8.8.8.8:53 tfbqbob.org udp
US 8.8.8.8:53 acbxcmcdn.info udp
US 8.8.8.8:53 qhxmjsrlyk.net udp
US 8.8.8.8:53 peeywjoj.net udp
US 8.8.8.8:53 nxhphj.net udp
US 8.8.8.8:53 vqcwbgyetrd.org udp
US 8.8.8.8:53 uknwduhu.info udp
US 8.8.8.8:53 waahpog.info udp
US 8.8.8.8:53 cobggmnqnkd.info udp
US 8.8.8.8:53 bbtbbofqujwe.net udp
US 8.8.8.8:53 iercjfhgs.net udp
US 8.8.8.8:53 xmczdhxnho.info udp
US 8.8.8.8:53 eamiwqog.com udp
US 8.8.8.8:53 dbvnelsbuy.info udp
US 8.8.8.8:53 ygyqaqaeou.org udp
US 8.8.8.8:53 wmecnijunwt.net udp
US 8.8.8.8:53 zoematzt.net udp
US 8.8.8.8:53 ystvtsnyrkg.info udp
US 8.8.8.8:53 tzwflmeio.net udp
US 8.8.8.8:53 omjrtwkaas.net udp
US 8.8.8.8:53 ftavfa.info udp
US 8.8.8.8:53 zqxavaf.net udp
US 8.8.8.8:53 xfibkr.net udp
US 8.8.8.8:53 fydwhccelch.info udp
US 8.8.8.8:53 jybrxza.org udp
US 8.8.8.8:53 awyesqryzsq.net udp
US 8.8.8.8:53 dbpshjzans.info udp
US 8.8.8.8:53 vrvwbieg.info udp
US 8.8.8.8:53 yscqwikgai.com udp
US 8.8.8.8:53 tvkvmwhx.info udp
US 8.8.8.8:53 oieairbih.net udp
US 8.8.8.8:53 jgtqto.info udp
US 8.8.8.8:53 xcfbbdl.com udp
US 8.8.8.8:53 skisyowswsco.org udp
US 8.8.8.8:53 rgpfadam.info udp
US 8.8.8.8:53 fnohkp.info udp
US 8.8.8.8:53 mmagmseo.org udp
US 8.8.8.8:53 rahnqeiicef.com udp
US 8.8.8.8:53 wswosiyaag.com udp
US 8.8.8.8:53 pmastcjpinw.net udp
US 8.8.8.8:53 jysyad.info udp
US 8.8.8.8:53 qmkeskgcaysg.com udp
US 8.8.8.8:53 joeuxmrqpq.net udp
US 8.8.8.8:53 fkpasureh.info udp
US 8.8.8.8:53 swuynjfkbnv.net udp
US 8.8.8.8:53 emngyyqxsv.net udp
US 8.8.8.8:53 xthnja.net udp
US 8.8.8.8:53 vvcnkqbports.info udp
US 8.8.8.8:53 gjyfxnqk.net udp
US 8.8.8.8:53 icktgabq.net udp
US 8.8.8.8:53 dpfzndlsug.net udp
US 8.8.8.8:53 jgufibeybs.info udp
US 8.8.8.8:53 ekerwq.info udp
US 8.8.8.8:53 gmvlab.info udp
US 8.8.8.8:53 sizgksrav.net udp
US 8.8.8.8:53 oxobnynz.net udp
US 8.8.8.8:53 jcrinil.net udp
US 8.8.8.8:53 cxtzzv.info udp
US 8.8.8.8:53 yveovmlrlid.info udp
US 8.8.8.8:53 dixdkchlne.net udp
US 8.8.8.8:53 fkdkuts.com udp
US 8.8.8.8:53 svncmmpy.net udp
US 8.8.8.8:53 ffqttbibxd.info udp
US 8.8.8.8:53 lwjfqrju.info udp
US 8.8.8.8:53 thioiadp.net udp
US 8.8.8.8:53 lqjhjwfx.info udp
US 8.8.8.8:53 fpvilghmn.org udp
US 8.8.8.8:53 eukcyqag.org udp
US 8.8.8.8:53 ukbqmodyf.info udp
US 8.8.8.8:53 vxrdnllomy.net udp
US 8.8.8.8:53 dymincoifib.info udp
US 8.8.8.8:53 eicuiu.com udp
US 8.8.8.8:53 knzoyw.info udp
US 8.8.8.8:53 bqrcbp.net udp
US 8.8.8.8:53 pzgcwdjubpze.net udp
US 8.8.8.8:53 bmuqenhwc.org udp
US 8.8.8.8:53 aetgtwp.net udp
US 8.8.8.8:53 ajdzrk.net udp
US 8.8.8.8:53 rwohemoxhl.info udp
US 8.8.8.8:53 dbtqls.info udp
US 8.8.8.8:53 zsrsrkvtcyt.net udp
US 8.8.8.8:53 sovgagdst.net udp
US 8.8.8.8:53 zypcqkhhoy.net udp
US 8.8.8.8:53 ycapczlmrz.info udp
US 8.8.8.8:53 ydtztxjd.net udp
US 8.8.8.8:53 ludirajox.net udp
US 8.8.8.8:53 wqrvrtugx.net udp
US 8.8.8.8:53 zaklnd.net udp
US 8.8.8.8:53 jothjkhthqaz.net udp
US 8.8.8.8:53 gvfonumqvxho.net udp
US 8.8.8.8:53 gmkcquwmko.org udp
US 8.8.8.8:53 brxcjcdgdjb.net udp
US 8.8.8.8:53 tzcqgbhr.net udp
US 8.8.8.8:53 lglnfwii.net udp
US 8.8.8.8:53 eegxpqopfkd.net udp
US 8.8.8.8:53 jwdistjflg.info udp
US 8.8.8.8:53 rerzrcguwo.net udp
US 8.8.8.8:53 iiltfqwpja.info udp
US 8.8.8.8:53 ooseig.org udp
US 8.8.8.8:53 utnrrwvpidd.info udp
US 8.8.8.8:53 feyjrv.net udp
US 8.8.8.8:53 wgbfpflialuz.info udp
US 8.8.8.8:53 ijjvanxlxd.net udp
US 8.8.8.8:53 zzircs.info udp
US 8.8.8.8:53 rmzrhow.org udp
US 8.8.8.8:53 mgovgqio.info udp
US 8.8.8.8:53 tkmbjm.info udp
US 8.8.8.8:53 qhgiyy.net udp
US 8.8.8.8:53 wkmqykes.org udp
US 8.8.8.8:53 fotunwugxup.net udp
US 8.8.8.8:53 fgjwdazyr.net udp
US 8.8.8.8:53 zwvqmiw.com udp
US 8.8.8.8:53 pzixeoiqfbam.info udp
US 8.8.8.8:53 wokyyoqk.com udp
US 8.8.8.8:53 jadvey.info udp
US 8.8.8.8:53 qcwowr.info udp
US 8.8.8.8:53 dmkssar.net udp
US 8.8.8.8:53 dcpanarel.org udp
US 8.8.8.8:53 renmuav.net udp
US 8.8.8.8:53 zjmcbwq.net udp
US 8.8.8.8:53 dqssaohpd.net udp
US 8.8.8.8:53 gcpesqo.net udp
US 8.8.8.8:53 ujvyxcf.info udp
US 8.8.8.8:53 aksrgnlgvpde.net udp
US 8.8.8.8:53 qawwucp.net udp
US 8.8.8.8:53 vddvru.net udp
US 8.8.8.8:53 hjquhafia.com udp
US 8.8.8.8:53 viaqdjrt.net udp
US 8.8.8.8:53 aaxmpkban.net udp
US 8.8.8.8:53 tquewjph.net udp
US 8.8.8.8:53 tbqaksinhc.info udp
US 8.8.8.8:53 hghifclbjmx.net udp
US 8.8.8.8:53 nvsafdjr.net udp
US 8.8.8.8:53 bypozmlklit.com udp
US 8.8.8.8:53 vwuqrirf.net udp
US 8.8.8.8:53 kioeebngfib.info udp
US 8.8.8.8:53 ndvvtcfrjkdj.info udp
US 8.8.8.8:53 itefzcr.net udp
US 8.8.8.8:53 rlzwrxb.org udp
US 8.8.8.8:53 dfvudx.net udp
US 8.8.8.8:53 zbnlqhefhuvz.net udp
US 8.8.8.8:53 bxelba.info udp
US 8.8.8.8:53 rqcjorbuzh.info udp
US 8.8.8.8:53 ubjqwppgrsr.info udp
US 8.8.8.8:53 bbzepixgs.info udp
US 8.8.8.8:53 cojijwxmw.net udp
US 8.8.8.8:53 lyvmryh.org udp
US 8.8.8.8:53 imaoqyceykmk.org udp
US 8.8.8.8:53 palqeskwltlu.info udp
US 8.8.8.8:53 rafbfgfcjqx.net udp
US 8.8.8.8:53 agucqaug.com udp
US 8.8.8.8:53 xeawzopltwei.info udp
US 8.8.8.8:53 inbqbkvmd.info udp
US 8.8.8.8:53 qaacgwgo.org udp
US 8.8.8.8:53 ccvkhtqkt.info udp
US 8.8.8.8:53 ksucxphdaan.net udp
US 8.8.8.8:53 hdblbf.net udp
US 8.8.8.8:53 nikljx.info udp
US 8.8.8.8:53 fkzrfmbqx.info udp
US 8.8.8.8:53 emgweaaeokqk.com udp
US 8.8.8.8:53 ypburcjkw.info udp
US 8.8.8.8:53 xkncznbot.net udp
US 8.8.8.8:53 jnazjkog.info udp
US 8.8.8.8:53 hfxblv.net udp
US 8.8.8.8:53 xfajrxldsoda.info udp
US 8.8.8.8:53 abkezcyzbibj.info udp
US 8.8.8.8:53 oqeszcx.net udp
US 8.8.8.8:53 ygtsfgqipcz.info udp
US 8.8.8.8:53 zxlglmh.net udp
US 8.8.8.8:53 iuyoacwmsy.com udp
US 8.8.8.8:53 viaqdonjh.info udp
US 8.8.8.8:53 qfsnxulbwy.net udp
US 8.8.8.8:53 qmisgs.org udp
US 8.8.8.8:53 rbxsjhvnsvyb.info udp
US 8.8.8.8:53 aqcsuuqa.com udp
US 8.8.8.8:53 iokcgugu.org udp
US 8.8.8.8:53 zgpphxpy.net udp
US 8.8.8.8:53 gwuyiogw.org udp
US 8.8.8.8:53 jwpcniulign.net udp
US 8.8.8.8:53 rkrelcj.org udp
US 8.8.8.8:53 ruuypodq.info udp
US 8.8.8.8:53 ehhqpo.net udp
US 8.8.8.8:53 mprghmlzshb.net udp
US 8.8.8.8:53 iuswqkcw.org udp
US 8.8.8.8:53 donwgyxi.net udp
US 8.8.8.8:53 cxvrnpxdtq.net udp
US 8.8.8.8:53 ampknsksi.net udp
US 8.8.8.8:53 oelqhkx.info udp
US 8.8.8.8:53 gtkuzq.net udp
US 8.8.8.8:53 ggbgzgqoxga.info udp
US 8.8.8.8:53 pvlozf.info udp
US 8.8.8.8:53 oipsxoj.net udp
US 8.8.8.8:53 ysmqmq.com udp
US 8.8.8.8:53 nmhwhmqqn.net udp
US 8.8.8.8:53 uopagkzc.net udp
US 8.8.8.8:53 nfxyloh.info udp
US 8.8.8.8:53 aerdilpadro.info udp
US 8.8.8.8:53 eygsaggkssus.org udp
US 8.8.8.8:53 qsuswiv.info udp
US 8.8.8.8:53 jeddpyceavfk.info udp
US 8.8.8.8:53 ldxvqk.info udp
US 8.8.8.8:53 hnjxytbzve.info udp
US 8.8.8.8:53 mitebvn.info udp
US 8.8.8.8:53 olrmzxsqnlex.net udp
US 8.8.8.8:53 damjfutozebh.info udp
US 8.8.8.8:53 vkhmvbr.net udp
US 8.8.8.8:53 rjclmpza.info udp
US 8.8.8.8:53 mtlqhvf.info udp
US 8.8.8.8:53 mduslasjpiva.info udp
US 8.8.8.8:53 xjzrnhr.net udp
US 8.8.8.8:53 mwmmywoc.com udp
US 8.8.8.8:53 pjipgaug.info udp
US 8.8.8.8:53 vknseclqsiw.info udp
US 8.8.8.8:53 ekuwooceimik.org udp
US 8.8.8.8:53 ppxwvzcqyq.info udp
US 8.8.8.8:53 vzerzd.info udp
US 8.8.8.8:53 isvmhwzmiop.info udp
US 8.8.8.8:53 cnfqglgbkg.info udp
US 8.8.8.8:53 pubnzek.info udp
US 8.8.8.8:53 kezydezmnqh.net udp
US 8.8.8.8:53 eaggequqscyu.com udp
US 8.8.8.8:53 idpxkegp.net udp
US 8.8.8.8:53 yoscdg.net udp
US 8.8.8.8:53 cbufao.info udp
US 8.8.8.8:53 mmpiruvxhwv.net udp
US 8.8.8.8:53 nrhzrcvzivtd.info udp
US 8.8.8.8:53 yensgeomr.net udp
US 8.8.8.8:53 weiywgnyeuj.info udp
US 8.8.8.8:53 ttyrcm.info udp
US 8.8.8.8:53 yswsygqygo.org udp
US 8.8.8.8:53 rcahzg.info udp
US 8.8.8.8:53 iihlhllwdizz.info udp
US 8.8.8.8:53 gjjixay.net udp
US 8.8.8.8:53 ecyiyscwgc.org udp
US 8.8.8.8:53 wlvyrwp.net udp
US 8.8.8.8:53 xsrjbcv.org udp
US 8.8.8.8:53 imlrdztkks.info udp
US 8.8.8.8:53 msmcdkdoc.info udp
US 8.8.8.8:53 ekbxjfao.info udp
US 8.8.8.8:53 rmqajzjcxef.org udp
US 8.8.8.8:53 ljtjmxwljx.net udp
US 8.8.8.8:53 efwialhc.net udp
US 8.8.8.8:53 chbnlozpxf.net udp
US 8.8.8.8:53 zsvvxclvju.net udp
US 8.8.8.8:53 hahmtynehqj.com udp
US 8.8.8.8:53 lenccfnakol.net udp
US 8.8.8.8:53 djlyygiv.net udp
US 8.8.8.8:53 lcsajubomur.net udp
US 8.8.8.8:53 fifrik.net udp
US 8.8.8.8:53 kzvesjfobmm.net udp
US 8.8.8.8:53 kcijqx.net udp
US 8.8.8.8:53 hiafiifvbcl.net udp
US 8.8.8.8:53 aodctjrovpk.net udp
US 8.8.8.8:53 qgrykfb.net udp
US 8.8.8.8:53 lxhdsfnygn.net udp
US 8.8.8.8:53 wuzghmr.info udp
US 8.8.8.8:53 lrpafdozxh.net udp
US 8.8.8.8:53 daqnlf.info udp
US 8.8.8.8:53 xpfshz.info udp
US 8.8.8.8:53 gnzfjcag.net udp
US 8.8.8.8:53 qqnktkhemqhw.info udp
US 8.8.8.8:53 osnujcbzugf.info udp
US 8.8.8.8:53 mkohwsko.net udp
US 8.8.8.8:53 dbetfa.net udp
US 8.8.8.8:53 njhywrdypev.info udp
US 8.8.8.8:53 fqjkdtn.com udp
US 8.8.8.8:53 pnaooq.info udp
US 8.8.8.8:53 ogphlyh.info udp
US 8.8.8.8:53 jgnwdrpgqz.info udp
US 8.8.8.8:53 vpfmkms.info udp
US 8.8.8.8:53 gmmyasyo.com udp
US 8.8.8.8:53 ueiljubqilx.net udp
US 8.8.8.8:53 beeudebw.info udp
US 8.8.8.8:53 qkmgeyiyay.com udp
US 8.8.8.8:53 zmhhke.net udp
US 8.8.8.8:53 xkpgfvxulgv.info udp
US 8.8.8.8:53 wyoyam.org udp
US 8.8.8.8:53 qaiioo.org udp
US 8.8.8.8:53 kwzibqn.info udp
US 8.8.8.8:53 paymtvnc.net udp
US 8.8.8.8:53 rsbkfoh.org udp
US 8.8.8.8:53 pvugutzdligu.net udp
US 8.8.8.8:53 jcqifobiuq.net udp
US 8.8.8.8:53 nszesxhhmf.net udp
US 8.8.8.8:53 ndcgswir.info udp
US 8.8.8.8:53 uazaigroc.net udp
US 8.8.8.8:53 xoasrra.org udp
US 8.8.8.8:53 frmjvb.net udp
US 8.8.8.8:53 vkoslcf.com udp
US 8.8.8.8:53 cqygmo.org udp
US 8.8.8.8:53 osrgcgseu.net udp
US 8.8.8.8:53 mkyckiwqwo.com udp
US 8.8.8.8:53 hdfckbeo.net udp
US 8.8.8.8:53 uitzjcwlzij.net udp
US 8.8.8.8:53 sbtcqpoj.net udp
US 8.8.8.8:53 vqdipea.info udp
US 8.8.8.8:53 hoqadyl.info udp
US 8.8.8.8:53 ckkmokqy.org udp
US 8.8.8.8:53 fuorrcvgrjhw.info udp
US 8.8.8.8:53 wstedal.net udp
US 8.8.8.8:53 psqipiv.net udp
US 8.8.8.8:53 lxbxupvn.net udp
US 8.8.8.8:53 eokiwugiqi.org udp
US 8.8.8.8:53 jufwsggat.net udp
US 8.8.8.8:53 lctqvit.org udp
US 8.8.8.8:53 dchspxphwk.net udp
US 8.8.8.8:53 seqezmfwjlxm.net udp
US 8.8.8.8:53 yhjhmkiew.info udp
US 8.8.8.8:53 waokasia.com udp
US 8.8.8.8:53 euykcoei.com udp
US 8.8.8.8:53 rexbaqmap.org udp
US 8.8.8.8:53 vqfepxnk.info udp
US 8.8.8.8:53 clbydivkzbf.net udp
US 8.8.8.8:53 vvlohl.net udp
US 8.8.8.8:53 jifixuufm.net udp
US 8.8.8.8:53 ikqkysf.net udp
US 8.8.8.8:53 tubxlgzv.info udp
US 8.8.8.8:53 abcygqv.info udp
US 8.8.8.8:53 hnlmpqzdvup.net udp
US 8.8.8.8:53 yojqfdnobcer.info udp
US 8.8.8.8:53 szfunpdr.info udp
US 8.8.8.8:53 jelzhlivcg.net udp
US 8.8.8.8:53 zflyvlzn.net udp
US 8.8.8.8:53 berkurgnr.info udp
US 8.8.8.8:53 xelelqhlcgr.net udp
US 8.8.8.8:53 xtmlvvuw.info udp
US 8.8.8.8:53 tsicgl.net udp
US 8.8.8.8:53 xeytjvfmmih.net udp
US 8.8.8.8:53 rmehpm.net udp
US 8.8.8.8:53 rgomjyp.com udp
US 8.8.8.8:53 guhxvqcon.info udp
US 8.8.8.8:53 qndvgpis.info udp
US 8.8.8.8:53 mowqqsik.org udp
US 8.8.8.8:53 xavwmyceinx.net udp
US 8.8.8.8:53 zeckasheckv.com udp
US 8.8.8.8:53 fwrkrwl.info udp
US 8.8.8.8:53 wkiccc.com udp
US 8.8.8.8:53 bcfcdma.net udp
US 8.8.8.8:53 dssewtvxlota.info udp
US 8.8.8.8:53 xiquoai.net udp
US 8.8.8.8:53 xsvifqmwf.net udp
US 8.8.8.8:53 txxnpo.net udp
US 8.8.8.8:53 znxcicehho.info udp
US 8.8.8.8:53 huttlcrgpa.info udp
US 8.8.8.8:53 hldbybhapyoh.net udp
US 8.8.8.8:53 cmqwow.org udp
US 8.8.8.8:53 qbtrms.net udp
US 8.8.8.8:53 jmqdmind.net udp
US 8.8.8.8:53 eiedvh.info udp
US 8.8.8.8:53 cenilkraziv.info udp
US 8.8.8.8:53 yiciassipcp.net udp
US 8.8.8.8:53 yutxrojgzxj.info udp
US 8.8.8.8:53 ickicwos.com udp
US 8.8.8.8:53 xuphzdrihjlf.net udp
US 8.8.8.8:53 pyztbwm.com udp
US 8.8.8.8:53 zwxepkxwbm.net udp
US 8.8.8.8:53 twddgmsywp.net udp
US 8.8.8.8:53 eggogaem.com udp
US 8.8.8.8:53 auicoagggqqc.com udp
US 8.8.8.8:53 fktcluc.org udp
US 8.8.8.8:53 timwfizizqh.net udp
US 8.8.8.8:53 hmhegotmcij.net udp
US 8.8.8.8:53 prehpevjjo.net udp
US 8.8.8.8:53 hvapjj.net udp
US 8.8.8.8:53 vtvvtzvu.info udp
US 8.8.8.8:53 bhxjdwbbjk.info udp
US 8.8.8.8:53 nouhfv.info udp
US 8.8.8.8:53 rsvvzwzix.org udp
US 8.8.8.8:53 trtrgzzk.net udp
US 8.8.8.8:53 eilehgywovm.net udp
US 8.8.8.8:53 wksqzxiwjom.net udp
US 8.8.8.8:53 tgryjwehtmy.net udp
US 8.8.8.8:53 oylwrhv.info udp
US 8.8.8.8:53 cwjsrwkyv.info udp
US 8.8.8.8:53 tzqiefax.info udp
US 8.8.8.8:53 qajnlqz.net udp
US 8.8.8.8:53 epkmnkca.net udp
US 8.8.8.8:53 oibkiixz.info udp
US 8.8.8.8:53 vlsqrasay.info udp
US 8.8.8.8:53 fhcploegczuq.net udp
US 8.8.8.8:53 sceommucuy.org udp
US 8.8.8.8:53 nuhnmc.info udp
US 8.8.8.8:53 uzwaigl.net udp
US 8.8.8.8:53 jclrzdvjqpfb.net udp
US 8.8.8.8:53 pkjalzxk.info udp
US 8.8.8.8:53 wqowcass.org udp
US 8.8.8.8:53 hkevkbdrfqjn.info udp
US 8.8.8.8:53 qmxcszgtph.info udp
US 8.8.8.8:53 lgrnhqzhtoz.org udp
US 8.8.8.8:53 chguvydftfh.info udp
US 8.8.8.8:53 sckkqscssk.org udp
US 8.8.8.8:53 jpifceju.info udp
US 8.8.8.8:53 evxyhwkytkj.net udp
US 8.8.8.8:53 eayacokbim.info udp
US 8.8.8.8:53 euzcilyms.info udp
US 8.8.8.8:53 ptdgdmn.com udp
US 8.8.8.8:53 rzmhigdnhljb.info udp
US 8.8.8.8:53 kvkmnyayn.info udp
US 8.8.8.8:53 eoymekquce.com udp
US 8.8.8.8:53 mqmupbf.net udp
US 8.8.8.8:53 juaiaulfe.info udp
US 8.8.8.8:53 cegdsgfnfihu.info udp
US 8.8.8.8:53 omokos.com udp
US 8.8.8.8:53 ywxnfih.net udp
US 8.8.8.8:53 jkbttyi.org udp
US 8.8.8.8:53 kufqvwt.net udp
US 8.8.8.8:53 mdoarqnlsqw.net udp
US 8.8.8.8:53 ijsubw.net udp
US 8.8.8.8:53 kcawsmcyqq.com udp
US 8.8.8.8:53 diqbzipbhwf.com udp
US 8.8.8.8:53 lotvfcpofeb.net udp
US 8.8.8.8:53 rfphhbt.net udp
US 8.8.8.8:53 pnnoffl.net udp
US 8.8.8.8:53 antgbdzwfh.net udp
US 8.8.8.8:53 pqysnkfmt.net udp
US 8.8.8.8:53 conzuujph.info udp
US 8.8.8.8:53 pswagoquh.org udp
US 8.8.8.8:53 ptvcdlxcdlb.info udp
US 8.8.8.8:53 uedkvcebz.net udp
US 8.8.8.8:53 gytkywwfz.net udp
US 8.8.8.8:53 qrmercfrpyp.info udp
US 8.8.8.8:53 xaufgfms.info udp
US 8.8.8.8:53 ctalks.net udp
US 162.144.12.218:80 ctalks.net tcp
US 8.8.8.8:53 sekeaewejld.net udp
US 8.8.8.8:53 umbvqqsxvs.info udp
US 8.8.8.8:53 osdiqfls.net udp
US 8.8.8.8:53 jazejwtkz.info udp
US 8.8.8.8:53 givqjolnj.net udp
US 8.8.8.8:53 eizclbcitq.info udp
US 8.8.8.8:53 ertoyeh.info udp
US 8.8.8.8:53 alrupcmupvqr.info udp
US 8.8.8.8:53 kwdnko.info udp
US 8.8.8.8:53 ukeojzfjdjh.net udp
US 8.8.8.8:53 uiwqqgcasa.org udp
US 8.8.8.8:53 tboctboyey.net udp
US 8.8.8.8:53 lrxsrg.info udp
US 8.8.8.8:53 ngdgocj.net udp
US 8.8.8.8:53 sjixfknpj.net udp
US 8.8.8.8:53 ucxrry.net udp
US 8.8.8.8:53 borvdw.info udp
US 8.8.8.8:53 rduffihs.net udp
US 8.8.8.8:53 cgyuqcuk.com udp
US 8.8.8.8:53 kmxknajhv.info udp
US 8.8.8.8:53 218.12.144.162.in-addr.arpa udp
US 8.8.8.8:53 eatvxfvkb.info udp
US 8.8.8.8:53 haeimo.net udp
US 8.8.8.8:53 xivvfgn.com udp
US 8.8.8.8:53 yizvlsrylmh.net udp
US 8.8.8.8:53 bmgxquzf.info udp
US 8.8.8.8:53 xekcooqbee.info udp
US 8.8.8.8:53 fgvgjqqh.info udp
US 8.8.8.8:53 kgklgudeaihe.net udp
US 8.8.8.8:53 ucdsfupi.net udp
US 8.8.8.8:53 bhxshjwwicyz.info udp
US 8.8.8.8:53 jencnuj.com udp
US 8.8.8.8:53 qmegakikie.com udp
US 8.8.8.8:53 ndmipqjjrif.info udp
US 8.8.8.8:53 pvbrvmvday.info udp
US 8.8.8.8:53 kwcyekie.com udp
US 8.8.8.8:53 igcueecskauq.org udp
US 8.8.8.8:53 wzvalg.net udp
US 8.8.8.8:53 domoyx.info udp
US 8.8.8.8:53 rupizwzuouh.com udp
US 8.8.8.8:53 msxmscvwu.info udp
US 8.8.8.8:53 cmkqiuioieuq.com udp
US 8.8.8.8:53 auexdebb.info udp
US 8.8.8.8:53 oueoyumiis.com udp
US 8.8.8.8:53 mmeqeeky.org udp
US 8.8.8.8:53 zajmjnrzfac.org udp
US 8.8.8.8:53 lgxwlyhtlmc.com udp
US 8.8.8.8:53 giniqulibtr.net udp
US 8.8.8.8:53 vqzkbtjhtf.net udp
US 8.8.8.8:53 smwsoykssegu.com udp
US 8.8.8.8:53 xkvyjabit.net udp
US 8.8.8.8:53 ssygemq.net udp
US 8.8.8.8:53 qpdnpbhcnyjz.info udp
US 8.8.8.8:53 pspblt.net udp
US 8.8.8.8:53 tetofxiyjvl.org udp
US 8.8.8.8:53 rhvewl.net udp
US 8.8.8.8:53 rllywrnuhc.info udp
US 8.8.8.8:53 wqfhmkhoa.info udp
US 8.8.8.8:53 bbgqtwbcw.info udp
US 8.8.8.8:53 ycigbq.net udp
US 8.8.8.8:53 pavfzkrx.net udp
US 8.8.8.8:53 qqhnrxvznz.net udp
US 8.8.8.8:53 xyntiulr.info udp
US 8.8.8.8:53 cwimyw.org udp
US 8.8.8.8:53 sopcrq.net udp
US 8.8.8.8:53 mcwqkmoyka.com udp
US 8.8.8.8:53 gmkoquoqiu.org udp
US 8.8.8.8:53 lvjcjm.net udp
US 8.8.8.8:53 rdwtne.net udp
US 8.8.8.8:53 mkkiqgwe.com udp
US 8.8.8.8:53 tkkuharszvj.info udp
US 8.8.8.8:53 kwoymyaysuko.com udp
US 8.8.8.8:53 eiitzlwdid.net udp
US 8.8.8.8:53 naosmklpd.info udp
US 8.8.8.8:53 pktfja.info udp
US 8.8.8.8:53 rbtnmhsolvdg.info udp
US 8.8.8.8:53 xgahfx.net udp
US 8.8.8.8:53 juyctgmks.info udp
US 8.8.8.8:53 pziaxyhojmu.org udp
US 8.8.8.8:53 khouwklyt.net udp
US 8.8.8.8:53 vzvhptjernro.info udp
US 8.8.8.8:53 ysuccmooewwk.com udp
US 8.8.8.8:53 ubpxnf.net udp
US 8.8.8.8:53 miuszsddzqv.net udp
US 8.8.8.8:53 muquom.org udp
US 8.8.8.8:53 usyswygoac.com udp
US 8.8.8.8:53 vghczgzgjkz.com udp
US 8.8.8.8:53 dxsejffkklv.info udp
US 8.8.8.8:53 egvuygnqxwj.net udp
US 8.8.8.8:53 ioocteulq.net udp
US 8.8.8.8:53 zibuzcw.net udp
US 8.8.8.8:53 qaomyuokiumi.com udp
US 8.8.8.8:53 sqzbbcvky.info udp
US 8.8.8.8:53 ksuioiskkcww.com udp
US 8.8.8.8:53 cvettwvszcy.net udp
US 8.8.8.8:53 skagmwoc.org udp
US 8.8.8.8:53 lwneymseicb.com udp
US 8.8.8.8:53 xlbsnff.net udp
US 8.8.8.8:53 cgaemuii.com udp
US 8.8.8.8:53 ssoukaikmu.com udp
US 8.8.8.8:53 lzkuzesjzq.info udp
US 8.8.8.8:53 utqahssebfh.info udp
US 8.8.8.8:53 aawqmcqeyuqs.org udp
US 8.8.8.8:53 uzjmfwzzhoh.info udp
US 8.8.8.8:53 suzarv.info udp
US 8.8.8.8:53 ayaqwe.org udp
US 8.8.8.8:53 zthkqotyf.com udp
US 8.8.8.8:53 yzbmjgckwdyq.net udp
US 8.8.8.8:53 ezennlxpdz.net udp
US 8.8.8.8:53 kqzqdu.net udp
US 8.8.8.8:53 bazbjsosg.info udp
US 8.8.8.8:53 hsnarcfbr.net udp
US 8.8.8.8:53 uqouomasemak.org udp
US 8.8.8.8:53 fqtkvqd.com udp
US 8.8.8.8:53 jzkgjrpq.net udp
US 8.8.8.8:53 lwsmrwymlcr.com udp
US 8.8.8.8:53 viswpalcj.info udp
US 8.8.8.8:53 llywywfwt.info udp
US 8.8.8.8:53 rxbejeoyfi.info udp
US 8.8.8.8:53 nurwlqpkfya.info udp
US 8.8.8.8:53 fargnupbr.info udp
US 8.8.8.8:53 xeakzjhkqps.net udp
US 8.8.8.8:53 rixwxexy.info udp
US 8.8.8.8:53 vcethqpkncvu.net udp
US 8.8.8.8:53 umfizqkfrxxy.net udp
US 8.8.8.8:53 yszwduzrmxh.net udp
US 8.8.8.8:53 amitfiuqake.info udp
US 8.8.8.8:53 jwjczwogezz.com udp
US 8.8.8.8:53 fopklqpga.net udp
US 8.8.8.8:53 eclerbpld.net udp
US 8.8.8.8:53 lvhllyoznd.net udp
US 8.8.8.8:53 snhqhjfhxnbj.net udp
US 8.8.8.8:53 swcabyqqewvt.net udp
US 8.8.8.8:53 ldrdjarwjgbu.net udp
US 8.8.8.8:53 issnsbtr.info udp
US 8.8.8.8:53 hhxriekh.net udp
US 8.8.8.8:53 ekeuifzmj.net udp
US 8.8.8.8:53 vxzwcznp.net udp
US 8.8.8.8:53 pokvfubl.net udp
US 8.8.8.8:53 gbajqeibxafr.net udp
US 8.8.8.8:53 iesowswoiq.com udp
US 8.8.8.8:53 zvxcrfvmteb.net udp
US 8.8.8.8:53 fmbspft.net udp
US 8.8.8.8:53 svjbjrvhxn.info udp
US 8.8.8.8:53 uipycariz.info udp
US 8.8.8.8:53 ugyesgam.com udp
US 8.8.8.8:53 dxspew.net udp
US 8.8.8.8:53 rnvmaytah.net udp
US 8.8.8.8:53 cogujyouf.net udp
US 8.8.8.8:53 qdvygczim.net udp
US 8.8.8.8:53 hwawbsx.org udp
US 8.8.8.8:53 kqtgbwneuk.info udp
US 8.8.8.8:53 geaowcyk.org udp
US 8.8.8.8:53 nyeirtbon.org udp
US 8.8.8.8:53 iqronap.net udp
US 8.8.8.8:53 geyicyaeiiwq.com udp
US 8.8.8.8:53 rzvalmk.com udp
US 8.8.8.8:53 itjiqratgaqb.info udp
US 8.8.8.8:53 aiuaeueagu.com udp
US 8.8.8.8:53 bwzdbqmwl.com udp
US 8.8.8.8:53 fqsyxh.net udp
US 8.8.8.8:53 iuqyizrqjlng.net udp
US 8.8.8.8:53 iizupqpcm.info udp
US 8.8.8.8:53 ayawbzhst.net udp
US 8.8.8.8:53 ajvdqvwi.net udp
US 8.8.8.8:53 ufagpvrur.net udp
US 8.8.8.8:53 yqgeyq.org udp
US 8.8.8.8:53 rcmqvx.info udp
US 8.8.8.8:53 ocrhgmvcg.info udp
US 8.8.8.8:53 cdsfjo.info udp
US 8.8.8.8:53 gyzavvyk.net udp
US 8.8.8.8:53 lmcwdsx.info udp
US 8.8.8.8:53 rqsqxlgdid.net udp
US 8.8.8.8:53 bkncrel.net udp
US 8.8.8.8:53 oqfowei.info udp
US 8.8.8.8:53 ftggwuqb.info udp
US 8.8.8.8:53 ngrcviizr.info udp
US 8.8.8.8:53 utxeeho.info udp
US 8.8.8.8:53 psvaltsupo.net udp
US 8.8.8.8:53 zodiqotx.net udp
US 8.8.8.8:53 oetclszet.info udp
US 8.8.8.8:53 vivopfj.com udp
US 8.8.8.8:53 bkryimrmvih.org udp
US 8.8.8.8:53 ewkynv.net udp
US 8.8.8.8:53 yedkxgkqe.info udp
US 8.8.8.8:53 rmoupkxracb.com udp
US 8.8.8.8:53 kbdefe.info udp
US 8.8.8.8:53 ycwwayuewkqe.org udp
US 8.8.8.8:53 xyyureh.info udp
US 8.8.8.8:53 gulolyt.info udp
US 8.8.8.8:53 xjlskyblm.com udp
US 8.8.8.8:53 luzsjmb.com udp
US 8.8.8.8:53 mcasckyawics.com udp
US 8.8.8.8:53 lmwurudwmuy.org udp
US 8.8.8.8:53 ytfydantwi.net udp
US 8.8.8.8:53 qkwcqqgwes.org udp
US 8.8.8.8:53 yhmuqtfepao.net udp
US 8.8.8.8:53 aklxvjyiob.info udp
US 8.8.8.8:53 ncryjwx.org udp
US 8.8.8.8:53 zkhuxmkrh.net udp
US 8.8.8.8:53 obfmfq.info udp
US 8.8.8.8:53 mtecxwjgf.info udp
US 8.8.8.8:53 apoorsdt.info udp
US 8.8.8.8:53 fqzrdk.info udp
US 8.8.8.8:53 ohrxngbxfz.info udp
US 8.8.8.8:53 bkxonzbir.info udp
US 8.8.8.8:53 cwokeaowmqwg.org udp
US 8.8.8.8:53 zxyaowdealgh.info udp
US 8.8.8.8:53 tsvtvqnm.net udp
US 8.8.8.8:53 ekzdpbvh.net udp
US 8.8.8.8:53 dozkzqoqi.info udp
US 8.8.8.8:53 iieydqmnsdwa.net udp
US 8.8.8.8:53 pgssyxpfdmo.net udp
US 8.8.8.8:53 jpbtsj.net udp
US 8.8.8.8:53 jzrywxqkygs.com udp
US 8.8.8.8:53 wuinseudmt.info udp
US 8.8.8.8:53 xdbdxm.net udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 wswgsuqkamyw.com udp
US 8.8.8.8:53 gppivj.info udp
US 8.8.8.8:53 buzfccaaw.org udp
US 8.8.8.8:53 yqvpfdjibqdh.net udp
US 8.8.8.8:53 mkqsiy.org udp
US 8.8.8.8:53 myasmq.org udp
US 8.8.8.8:53 ikkqgycw.org udp
US 8.8.8.8:53 yqmuwawimk.com udp
US 8.8.8.8:53 fejrfck.net udp
US 8.8.8.8:53 jjxrjr.info udp
US 8.8.8.8:53 ekujfjlo.net udp
US 8.8.8.8:53 vwardmkoyi.net udp
US 8.8.8.8:53 qkbkrqbhjxy.net udp
US 8.8.8.8:53 qwmaqeyy.org udp
US 8.8.8.8:53 oucgxmm.info udp
US 8.8.8.8:53 pkkpkb.info udp
US 8.8.8.8:53 jdzrkiwirggl.info udp
US 8.8.8.8:53 ywpcxcy.info udp
US 8.8.8.8:53 kqmskmmmyqea.com udp
US 8.8.8.8:53 kulcviiqcqx.net udp
US 8.8.8.8:53 eyefvgvmadsi.info udp
US 8.8.8.8:53 ykdtut.net udp
US 8.8.8.8:53 yugcamuk.com udp
US 8.8.8.8:53 ogimkk.com udp
US 8.8.8.8:53 sjljxgcdnqtr.info udp
US 8.8.8.8:53 azrqvs.info udp
US 8.8.8.8:53 ikmagway.org udp
US 8.8.8.8:53 ssjqlzsql.net udp
US 8.8.8.8:53 gemxqbiv.info udp
US 8.8.8.8:53 fpybjumwcjri.net udp
US 8.8.8.8:53 zwnkmqz.net udp
US 8.8.8.8:53 hgjscui.net udp
US 8.8.8.8:53 bpkesraugpzd.net udp
US 8.8.8.8:53 ishaqypjxn.net udp
US 8.8.8.8:53 hgokcyd.com udp
US 8.8.8.8:53 wqsawmym.org udp
US 8.8.8.8:53 htbdfwjodwp.com udp
US 8.8.8.8:53 jmlelfxyjbzp.net udp
US 8.8.8.8:53 fekavwpl.net udp
US 8.8.8.8:53 abtvzsiqbpp.net udp
US 8.8.8.8:53 smjyrqcod.info udp
US 8.8.8.8:53 jwnadtd.info udp
N/A 192.168.28.2:445 tcp
IE 34.246.200.160:80 hklgkqwuttn.com tcp
US 8.8.8.8:53 smoazswfywhy.net udp
US 8.8.8.8:53 jvjaqdnci.info udp
US 8.8.8.8:53 wljsua.net udp
US 8.8.8.8:53 waqmsgog.com udp
US 8.8.8.8:53 tcxqpovybip.org udp
US 8.8.8.8:53 yeqsceua.org udp
US 8.8.8.8:53 lihbcw.net udp
US 8.8.8.8:53 wyonrvsa.net udp
US 8.8.8.8:53 ratirtqyspss.net udp
US 8.8.8.8:53 msaowaqq.com udp
US 8.8.8.8:53 yxgcuupvjthn.net udp
US 8.8.8.8:53 aalxlabhmx.info udp
US 8.8.8.8:53 oyaoeguumcuo.org udp
US 8.8.8.8:53 oeewyouyig.com udp
US 8.8.8.8:53 lcsgfob.org udp
US 8.8.8.8:53 smfubyruvzk.net udp
US 8.8.8.8:53 twbntv.net udp
US 8.8.8.8:53 hocczyz.com udp
N/A 192.168.28.2:139 tcp
US 8.8.8.8:53 kuxajxugfkr.net udp
US 8.8.8.8:53 fmhkrqdorcz.com udp
US 8.8.8.8:53 xxsnaynocj.net udp
US 8.8.8.8:53 dtnzneqxdond.info udp
US 8.8.8.8:53 iomcwq.com udp
US 8.8.8.8:53 bspgtyu.net udp
US 8.8.8.8:53 cqiuai.org udp
US 8.8.8.8:53 ddsihmjhyhuf.net udp
US 8.8.8.8:53 dfxklguz.info udp
US 8.8.8.8:53 rmollojj.net udp
US 8.8.8.8:53 vozsvfalv.org udp
US 8.8.8.8:53 auyaeauacy.com udp
US 8.8.8.8:53 quckkgyccyim.org udp
US 8.8.8.8:53 azrakrbzpk.net udp
US 8.8.8.8:53 dcfwvvbpbkyj.net udp
US 8.8.8.8:53 acmqoeqa.org udp
US 8.8.8.8:53 xhxmlogdbaw.org udp
US 8.8.8.8:53 gulgnzuelyj.net udp
US 8.8.8.8:53 vjmyxpra.net udp
US 8.8.8.8:53 qkbqzsfcpgh.net udp
US 8.8.8.8:53 hgjqxkcinmr.net udp
US 8.8.8.8:53 lcpecaria.com udp
US 8.8.8.8:53 odeqhqkldv.info udp
US 8.8.8.8:53 jebtiavwphlk.info udp
US 8.8.8.8:53 pftmlj.info udp
US 8.8.8.8:53 kaqciyqa.com udp
US 8.8.8.8:53 fqpafav.info udp
US 8.8.8.8:53 zxfznjjo.net udp
US 8.8.8.8:53 susaak.com udp
US 8.8.8.8:53 spvfdtipky.net udp
US 8.8.8.8:53 eykkomme.org udp
US 8.8.8.8:53 tnaoyfpj.info udp
US 8.8.8.8:53 jwzmbv.info udp
DE 85.214.228.140:80 xwfmlmbmtaz.info tcp
US 8.8.8.8:53 tkrcfwxlihn.info udp
US 8.8.8.8:53 yschbuzlfa.info udp
US 8.8.8.8:53 xxazro.net udp
US 8.8.8.8:53 nafodwrwdqd.com udp
US 8.8.8.8:53 kafyzhvlwt.net udp
US 8.8.8.8:53 ksqqpw.info udp
US 8.8.8.8:53 kipshgzba.info udp
US 8.8.8.8:53 pghnlzfc.net udp
US 8.8.8.8:53 jkkjvq.net udp
US 8.8.8.8:53 huhzhgf.info udp
US 8.8.8.8:53 pepbcrv.com udp
US 8.8.8.8:53 ysewrhzoxwvs.net udp
US 208.100.26.245:80 ydqlnw.info tcp
US 8.8.8.8:53 xgfqjudcr.net udp
US 8.8.8.8:53 lffdtowuzuga.net udp
US 8.8.8.8:53 uncaephtnirx.info udp
US 8.8.8.8:53 nkydzeyb.info udp
US 8.8.8.8:53 vungtmxgtcj.org udp
US 8.8.8.8:53 xmlfqezqyyfp.net udp
US 8.8.8.8:53 reycjyv.com udp
US 8.8.8.8:53 fybufer.org udp
US 8.8.8.8:53 tnxivajml.com udp
US 8.8.8.8:53 tkhgyfas.net udp
US 8.8.8.8:53 ydhhvkoxgz.net udp
US 8.8.8.8:53 ioitubtfdzdr.info udp
US 8.8.8.8:53 nafxot.net udp
US 8.8.8.8:53 vecjqcmv.info udp
US 8.8.8.8:53 lbdiwkzzbe.net udp
US 8.8.8.8:53 rqzblutm.net udp
US 8.8.8.8:53 ywquuu.org udp
US 8.8.8.8:53 wqrdvrhir.net udp
US 8.8.8.8:53 ggsgbtfqnm.info udp
US 8.8.8.8:53 stvqbetkw.info udp
US 8.8.8.8:53 rkfljexepd.info udp
US 8.8.8.8:53 ewwquu.org udp
US 8.8.8.8:53 cosuqgggsw.org udp
US 8.8.8.8:53 aoikblgop.net udp
US 8.8.8.8:53 nzkibs.info udp
US 8.8.8.8:53 oyymaiiqq.info udp
US 8.8.8.8:53 qpjzsurz.net udp
US 8.8.8.8:53 qoguqaseca.org udp
US 8.8.8.8:53 vefbssdmhox.net udp
US 8.8.8.8:53 zdjrdwjrvznf.net udp
US 8.8.8.8:53 lgswzqbvc.org udp
US 8.8.8.8:53 ylrcomte.net udp
US 8.8.8.8:53 hnxhjwubwxfh.info udp
US 8.8.8.8:53 qycyqysm.org udp
US 8.8.8.8:53 cikefqvitjps.net udp
US 8.8.8.8:53 buxzfavglgf.com udp
US 8.8.8.8:53 nbqgflv.net udp
US 8.8.8.8:53 zwrsnqkgg.info udp
US 8.8.8.8:53 zmfxqnjlzl.net udp
US 8.8.8.8:53 xofyhmwvlzb.net udp
US 8.8.8.8:53 hvmcabtuvfvp.info udp
US 8.8.8.8:53 ujuyag.info udp
US 8.8.8.8:53 ilqfaj.net udp
US 8.8.8.8:53 aelxvivwnsg.info udp
US 8.8.8.8:53 tonlvtvbgvga.info udp
US 8.8.8.8:53 csqcsqymuqko.org udp
US 8.8.8.8:53 okrjdjb.info udp
US 8.8.8.8:53 amqkukx.net udp
US 8.8.8.8:53 iojowt.info udp
US 8.8.8.8:53 dzvrjx.info udp
US 8.8.8.8:53 rosgahry.info udp
US 8.8.8.8:53 blbhdyhlvekd.net udp
US 8.8.8.8:53 neyizica.net udp
US 8.8.8.8:53 vwgohuq.com udp
US 8.8.8.8:53 toewbixnerdd.info udp
US 8.8.8.8:53 aqmccyyiyq.com udp
US 8.8.8.8:53 lcsurlv.info udp
US 8.8.8.8:53 kajlsxb.info udp
US 8.8.8.8:53 dwvpyeaajc.net udp
US 8.8.8.8:53 oqchuplq.info udp
US 8.8.8.8:53 dxjoyvefaf.info udp
US 8.8.8.8:53 uvzigfdvbr.info udp
US 8.8.8.8:53 cykcmoewwuwi.com udp
US 8.8.8.8:53 qmngrsn.net udp
US 8.8.8.8:53 tdwjko.info udp
US 8.8.8.8:53 uuwegxeadesb.net udp
US 8.8.8.8:53 hjvovv.net udp
US 8.8.8.8:53 svxijer.net udp
US 8.8.8.8:53 ekuffx.net udp
US 8.8.8.8:53 hviizu.net udp
US 8.8.8.8:53 iqqbjc.net udp
US 8.8.8.8:53 aelubcv.info udp
US 8.8.8.8:53 jmmfpocllj.net udp
US 8.8.8.8:53 dgxnlxhbapkp.net udp
US 8.8.8.8:53 uquaqimaqs.com udp
US 8.8.8.8:53 mjuife.net udp
US 8.8.8.8:53 grjgraoeefhx.info udp
US 8.8.8.8:53 mgageqycao.com udp
US 8.8.8.8:53 pqfctqo.org udp
US 8.8.8.8:53 rlbmlkhfbzmy.info udp
US 8.8.8.8:53 pzryostgtub.org udp
US 8.8.8.8:53 nodpyubvnv.info udp
US 8.8.8.8:53 fkeumt.net udp
US 8.8.8.8:53 fidjxg.net udp
US 8.8.8.8:53 jwcqoekw.net udp
US 8.8.8.8:53 dilmcmz.net udp
US 8.8.8.8:53 yqdqladadbyk.net udp
US 8.8.8.8:53 qdxxhcpsz.info udp
US 8.8.8.8:53 ngbhfibwamh.net udp
US 8.8.8.8:53 oybgrad.info udp
US 8.8.8.8:53 txascvsgth.net udp
US 8.8.8.8:53 sddygjjqxc.info udp
US 8.8.8.8:53 lotjeouktwh.com udp
US 8.8.8.8:53 tepnzlwrbfpl.net udp
US 8.8.8.8:53 hiadzu.info udp
US 8.8.8.8:53 hozrnz.info udp
US 8.8.8.8:53 pyaammoltdup.info udp
US 8.8.8.8:53 vmylheoy.info udp
US 8.8.8.8:53 hnxdxrpmb.net udp
US 8.8.8.8:53 tuzrfsnorblf.info udp
US 8.8.8.8:53 wmphnaffu.net udp
US 8.8.8.8:53 cmsisw.org udp
US 8.8.8.8:53 cgsamoekwu.org udp
US 8.8.8.8:53 wyydxnlupdju.info udp
US 8.8.8.8:53 fpifnwraky.info udp
US 8.8.8.8:53 stxapuuba.info udp
US 8.8.8.8:53 ggmqkyayqu.org udp
US 8.8.8.8:53 uppqxezqtqo.net udp
US 8.8.8.8:53 jwjzuw.net udp
US 8.8.8.8:53 tlnebh.net udp
US 8.8.8.8:53 jjnaohrfdo.net udp
US 8.8.8.8:53 bcbsnzis.info udp
US 8.8.8.8:53 yavekefqtco.net udp
US 8.8.8.8:53 xdbcjgnxd.com udp
US 8.8.8.8:53 ouuqaskmsq.org udp
US 8.8.8.8:53 bilksvh.net udp
US 8.8.8.8:53 cdoszrlg.net udp
US 8.8.8.8:53 nizqlctofwr.com udp
US 8.8.8.8:53 ekdvzksara.net udp
US 8.8.8.8:53 uuimwaon.net udp
US 8.8.8.8:53 oopolyb.info udp
US 8.8.8.8:53 cwqoie.org udp
US 8.8.8.8:53 tabawol.com udp
US 8.8.8.8:53 yzdihejhfog.net udp
US 8.8.8.8:53 yavypjskb.info udp
US 8.8.8.8:53 uyeyfyjmv.net udp
US 8.8.8.8:53 kpyvvmntqn.net udp
US 8.8.8.8:53 cekoqi.com udp
US 8.8.8.8:53 kwvzjuxmjii.net udp
US 8.8.8.8:53 tzpnzahhdfoo.net udp
US 8.8.8.8:53 pedwrstnp.org udp
US 8.8.8.8:53 nudslgskvez.com udp
US 8.8.8.8:53 nzxciotfwndx.net udp
US 8.8.8.8:53 uturlqeydnly.net udp
US 8.8.8.8:53 fmhknnhx.info udp
US 8.8.8.8:53 kaiesmkmuiuc.org udp
US 8.8.8.8:53 eiszzaydggg.net udp
US 8.8.8.8:53 dhvnhgghkgg.net udp
US 8.8.8.8:53 ikytvhboo.net udp
US 8.8.8.8:53 ecgbtozjw.net udp
US 8.8.8.8:53 misikiea.org udp
US 8.8.8.8:53 khgdildazmzl.net udp
US 8.8.8.8:53 yaukcyu.net udp
US 8.8.8.8:53 nkjqjkfaau.info udp
US 8.8.8.8:53 jgtosyjaxxy.net udp
US 8.8.8.8:53 rixkdktie.com udp
US 8.8.8.8:53 nsupzwjecmg.org udp
US 8.8.8.8:53 zdqkgh.net udp
US 8.8.8.8:53 btpypfipmac.info udp
US 8.8.8.8:53 dqijbfn.net udp
US 8.8.8.8:53 tyvdrldqdq.info udp
US 8.8.8.8:53 jiruwsbne.net udp
US 8.8.8.8:53 sjzbdvpd.net udp
US 8.8.8.8:53 bmrjvsxr.info udp
US 8.8.8.8:53 lkyzcddn.info udp
US 8.8.8.8:53 hymqlmpof.com udp
US 8.8.8.8:53 kqqcdiurz.info udp
US 8.8.8.8:53 svtipkvrp.info udp
US 8.8.8.8:53 rjavdq.net udp
US 8.8.8.8:53 toypvn.net udp
US 8.8.8.8:53 hvbgxfzaicye.net udp
US 8.8.8.8:53 pikyhpboz.org udp
US 8.8.8.8:53 xulzcioegk.net udp
US 8.8.8.8:53 brkzng.net udp
US 8.8.8.8:53 qccsuwsqweea.org udp
US 8.8.8.8:53 hilanmhel.org udp
US 8.8.8.8:53 okkmwcccmuqc.com udp
US 8.8.8.8:53 tkrvuzr.info udp
US 8.8.8.8:53 jofojst.com udp
US 8.8.8.8:53 vuccsbpkz.org udp
US 8.8.8.8:53 kwjtvpguzk.net udp
US 8.8.8.8:53 sjfgnzvkawh.net udp
US 8.8.8.8:53 fmvmehf.net udp
US 8.8.8.8:53 qmbwxclgd.info udp
US 8.8.8.8:53 xpniwzopgz.info udp
US 8.8.8.8:53 tcwybaf.com udp
US 8.8.8.8:53 depfbed.net udp
US 8.8.8.8:53 xaenzp.net udp
US 8.8.8.8:53 hemydztqpef.net udp
US 8.8.8.8:53 zycyyehsf.com udp
US 8.8.8.8:53 leqnrvracx.info udp
US 8.8.8.8:53 yuwqea.org udp
US 8.8.8.8:53 hhdcno.info udp
US 8.8.8.8:53 lsrkvytrqkp.com udp
US 8.8.8.8:53 hevccubupgb.com udp
US 8.8.8.8:53 iorttyujlrgy.net udp
US 8.8.8.8:53 kuywyoag.com udp
US 8.8.8.8:53 oisfxztxhv.info udp
US 8.8.8.8:53 neetlr.net udp
US 8.8.8.8:53 qkdehkkbxxn.info udp
US 8.8.8.8:53 beqkfmm.net udp
US 8.8.8.8:53 ekdnyevst.info udp
US 8.8.8.8:53 pyaqhevoqyp.info udp
US 8.8.8.8:53 tfzudcdph.net udp
US 8.8.8.8:53 mgoemc.org udp
US 8.8.8.8:53 rjhinmroj.info udp
US 8.8.8.8:53 swwqouoowwqs.com udp
US 8.8.8.8:53 rqgezhvw.net udp
US 8.8.8.8:53 aqbciqsn.info udp
US 8.8.8.8:53 bfodrkjz.net udp
US 8.8.8.8:53 mqjgwhr.net udp
US 8.8.8.8:53 ylxorvzolo.info udp
US 8.8.8.8:53 hnywad.net udp
US 8.8.8.8:53 kkjuqebxhsh.net udp
US 8.8.8.8:53 fkfshbncp.net udp
US 8.8.8.8:53 acbxcmcdn.info udp
US 8.8.8.8:53 oooaaaoeyoqa.org udp
US 8.8.8.8:53 nclmxk.net udp
US 8.8.8.8:53 hkwinirsbx.net udp
US 8.8.8.8:53 muytnc.info udp
US 8.8.8.8:53 qhxmjsrlyk.net udp
US 8.8.8.8:53 aotgxtgj.net udp
US 8.8.8.8:53 peeywjoj.net udp
US 8.8.8.8:53 kkvkvwsaoef.net udp
US 8.8.8.8:53 bbtbbofqujwe.net udp
US 8.8.8.8:53 ltmtwr.net udp
US 8.8.8.8:53 perguob.info udp
US 8.8.8.8:53 ffukxsp.org udp
US 8.8.8.8:53 xmczdhxnho.info udp
US 8.8.8.8:53 wqjuwirevof.net udp
US 8.8.8.8:53 eamiwqog.com udp
US 8.8.8.8:53 fnwogpkg.net udp
US 8.8.8.8:53 bvjvhigwqw.info udp
US 8.8.8.8:53 qysqee.com udp
US 8.8.8.8:53 xvzgwfts.net udp
US 8.8.8.8:53 tzwflmeio.net udp
US 8.8.8.8:53 hfakpyjtrenq.info udp
US 8.8.8.8:53 zqxavaf.net udp
US 8.8.8.8:53 plltpewkteq.net udp
US 8.8.8.8:53 xhxlmbbl.info udp
US 8.8.8.8:53 fydwhccelch.info udp
US 8.8.8.8:53 oboqvwocbzg.net udp
US 8.8.8.8:53 vsachs.net udp
US 8.8.8.8:53 vwxhbng.com udp
US 8.8.8.8:53 uvwzpvisxn.info udp
US 8.8.8.8:53 tvkvmwhx.info udp
US 8.8.8.8:53 myocxzhsjj.net udp
US 8.8.8.8:53 rahnqeiicef.com udp
US 8.8.8.8:53 neyenyqmv.net udp
US 8.8.8.8:53 qmkeskgcaysg.com udp
US 8.8.8.8:53 zpidxm.net udp
US 8.8.8.8:53 bbbsgxyqhp.info udp
US 8.8.8.8:53 swuynjfkbnv.net udp
US 8.8.8.8:53 gkqidyeboznx.net udp
US 8.8.8.8:53 miudiglx.info udp
US 8.8.8.8:53 obflzk.info udp
US 8.8.8.8:53 xmqtbmimevp.net udp
US 8.8.8.8:53 smenbgz.info udp
US 8.8.8.8:53 vdpmdujklazl.net udp
US 8.8.8.8:53 crhobevyx.net udp
US 8.8.8.8:53 swmewyxf.info udp
US 8.8.8.8:53 jgufibeybs.info udp
US 8.8.8.8:53 ctsudbcsth.info udp
US 8.8.8.8:53 aknkguaywd.net udp
US 8.8.8.8:53 nzdqpkbsq.org udp
US 8.8.8.8:53 gmvlab.info udp
US 8.8.8.8:53 oxobnynz.net udp
US 8.8.8.8:53 tjmyylzywqis.net udp
US 8.8.8.8:53 yveovmlrlid.info udp
US 8.8.8.8:53 dnhbrvrualyf.net udp
US 8.8.8.8:53 lccnlwqcnel.org udp
US 8.8.8.8:53 xsfctvikykh.info udp
US 8.8.8.8:53 nezhmvamlup.net udp
US 8.8.8.8:53 xcxxvvmr.info udp
US 8.8.8.8:53 zsrozefczwmf.net udp
US 8.8.8.8:53 dymincoifib.info udp
US 8.8.8.8:53 lffqvzzo.info udp
US 8.8.8.8:53 xkvrzkxuy.net udp
US 8.8.8.8:53 hblddmicrx.net udp
US 8.8.8.8:53 tidudv.info udp
US 8.8.8.8:53 zsrsrkvtcyt.net udp
US 8.8.8.8:53 sovgagdst.net udp
US 8.8.8.8:53 wtyxxu.info udp
US 8.8.8.8:53 nuoclqrug.info udp
US 8.8.8.8:53 ddlkjxgwufl.info udp
US 8.8.8.8:53 pdhxrk.info udp
US 8.8.8.8:53 wqrvrtugx.net udp
US 8.8.8.8:53 ysmeiu.org udp
US 8.8.8.8:53 cgbpjcifav.info udp
US 8.8.8.8:53 caaupirismk.net udp
US 8.8.8.8:53 tmdikd.info udp
US 8.8.8.8:53 mikgomiq.com udp
US 8.8.8.8:53 xbfyyqyzbieb.info udp
US 8.8.8.8:53 eegxpqopfkd.net udp
US 8.8.8.8:53 hzkbrj.net udp
US 8.8.8.8:53 tujyhkx.com udp
US 8.8.8.8:53 yqikoyuc.org udp
US 8.8.8.8:53 feyjrv.net udp
US 8.8.8.8:53 ixvuqnviip.net udp
US 8.8.8.8:53 aufedslzv.net udp
US 8.8.8.8:53 zzircs.info udp
US 8.8.8.8:53 pyuwnmuyj.info udp
US 8.8.8.8:53 hucndqvhwh.net udp
US 8.8.8.8:53 htwgjqts.info udp
US 8.8.8.8:53 zevxlgfdhbin.net udp
US 8.8.8.8:53 zdpxqkcoetaz.info udp
US 8.8.8.8:53 fgjwdazyr.net udp
US 8.8.8.8:53 latisuz.info udp
US 8.8.8.8:53 nypcbqrgymx.net udp
US 8.8.8.8:53 vvznhp.info udp
US 8.8.8.8:53 uslvzzpcj.info udp
US 8.8.8.8:53 wokyyoqk.com udp
US 8.8.8.8:53 vibcboq.org udp
US 8.8.8.8:53 kmqkao.org udp
US 8.8.8.8:53 pyckslpsusgv.net udp
US 8.8.8.8:53 renmuav.net udp
US 8.8.8.8:53 wlbdndduxrjv.info udp
US 8.8.8.8:53 fkxaqiekg.net udp
US 8.8.8.8:53 aksrgnlgvpde.net udp
US 8.8.8.8:53 qtboxuxqgsj.info udp
US 8.8.8.8:53 wbdovmlrlid.info udp
US 8.8.8.8:53 aeckkm.com udp
US 8.8.8.8:53 mcmqugss.org udp
US 8.8.8.8:53 wgdnlif.net udp
US 8.8.8.8:53 ohskbojex.net udp
US 8.8.8.8:53 sjiazk.info udp
US 8.8.8.8:53 ztuktjb.net udp
US 8.8.8.8:53 hghifclbjmx.net udp
US 8.8.8.8:53 sjhyvdhixx.info udp
US 8.8.8.8:53 vyvgpqxan.org udp
US 8.8.8.8:53 rnbljgbalfwo.net udp
US 8.8.8.8:53 qteshnclrm.info udp
US 8.8.8.8:53 iragjo.net udp
US 8.8.8.8:53 vwuqrirf.net udp
US 8.8.8.8:53 kioeebngfib.info udp
US 8.8.8.8:53 xjzaetxo.info udp
US 8.8.8.8:53 dfvudx.net udp
US 8.8.8.8:53 xrfssjij.net udp
US 8.8.8.8:53 gkcycuukqqak.com udp
US 8.8.8.8:53 wwuomu.com udp
US 8.8.8.8:53 rqcjorbuzh.info udp
US 8.8.8.8:53 kuvukue.net udp
US 8.8.8.8:53 msqgam.com udp
US 8.8.8.8:53 tohohczeb.com udp
US 8.8.8.8:53 aqsukeum.com udp
US 8.8.8.8:53 jcrlagexjabz.net udp
US 8.8.8.8:53 rafbfgfcjqx.net udp
US 8.8.8.8:53 dzjrpzgcwkat.info udp
US 8.8.8.8:53 bwsbuonc.info udp
US 8.8.8.8:53 yfawhy.info udp
US 8.8.8.8:53 dudqnb.info udp
US 8.8.8.8:53 alpizop.info udp
US 8.8.8.8:53 qmwkkmwguuqm.org udp
US 8.8.8.8:53 soyyceki.com udp
US 8.8.8.8:53 rkzhgrty.info udp
US 8.8.8.8:53 ckxyrue.info udp
US 8.8.8.8:53 xkncznbot.net udp
US 8.8.8.8:53 qsnolq.info udp
US 8.8.8.8:53 dilylny.com udp
US 8.8.8.8:53 nshdbdtumtn.com udp
US 8.8.8.8:53 zxlglmh.net udp
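The query rows above all go to one resolver (8.8.8.8:53 over UDP) and each name is a different pseudo-random label under .com/.net/.org/.info, the shape a domain generation algorithm produces. The triage script below is an added example written for this page; it is not part of the sandbox report or of the sample's code. It parses rows in the `<country> <resolver>:<port> <domain> <proto>` layout used by this table, computes a few per-label features (vowel ratio, longest consonant run, Shannon entropy of the second-level label) and then gives a session-level verdict based on how many distinct names were flagged. The sample input is constructed: five rows copied from the table plus two benign lookups (www.microsoft.com, ctldl.windowsupdate.com) added for contrast. The thresholds and the single-label public-suffix assumption are mine.

```python
# Added example: heuristic DGA triage over sandbox DNS rows. Not from the
# original report; thresholds and sample rows are the editor's own.
import math
import re
from collections import Counter

# Constructed sample: five rows from the table above plus two benign lookups.
SAMPLE_ROWS = """\
US 8.8.8.8:53 sddygjjqxc.info udp
US 8.8.8.8:53 lotjeouktwh.com udp
US 8.8.8.8:53 tepnzlwrbfpl.net udp
US 8.8.8.8:53 cmsisw.org udp
US 8.8.8.8:53 zxlglmh.net udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 ctldl.windowsupdate.com udp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?P<domain>[\w.-]+)\s+(?P<proto>\w+)$"
)
VOWELS = set("aeiou")


def parse_rows(text):
    """Parse the sandbox network table; lines that do not match are skipped."""
    return [m.groupdict() for m in (ROW_RE.match(l.strip()) for l in text.splitlines()) if m]


def shannon_entropy(s):
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def second_level_label(domain):
    # Assumption: one-label public suffix, as in this table (.com/.net/.org/.info).
    # Suffixes like co.uk would need a public-suffix list instead.
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def longest_consonant_run(label):
    run = best = 0
    for ch in label:
        run = run + 1 if (ch.isalpha() and ch not in VOWELS) else 0
        best = max(best, run)
    return best


def domain_features(domain):
    sld = second_level_label(domain)
    letters = [c for c in sld if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return {
        "domain": domain,
        "sld": sld,
        "length": len(sld),
        "entropy": round(shannon_entropy(sld), 3),
        "vowel_ratio": round(vowel_ratio, 3),
        "consonant_run": longest_consonant_run(sld),
    }


def looks_generated(feat):
    """Per-label heuristic. Each condition is rare in dictionary-based names
    and common in character-level DGAs. Expect false positives on acronyms
    and words such as 'strengths': this is for triage, not blocking."""
    return (
        feat["consonant_run"] >= 4
        or feat["vowel_ratio"] < 0.25
        or (feat["entropy"] >= 3.0 and feat["vowel_ratio"] < 0.35)
    )


def triage_session(text, min_unique=5, min_flagged_share=0.6):
    """Session verdict: many distinct names with a high flagged share is the
    pattern to escalate; a single odd-looking name on its own is not."""
    rows = parse_rows(text)
    feats = {}
    for r in rows:
        feats.setdefault(r["domain"], domain_features(r["domain"]))
    flagged = sorted(d for d, f in feats.items() if looks_generated(f))
    share = len(flagged) / len(feats) if feats else 0.0
    return {
        "rows": len(rows),
        "unique_domains": len(feats),
        "flagged": flagged,
        "flagged_share": round(share, 3),
        "tlds": dict(Counter(d.rsplit(".", 1)[-1] for d in feats)),
        "resolvers": dict(Counter(r["ip"] for r in rows)),
        "dga_like": len(feats) >= min_unique and share >= min_flagged_share,
    }


if __name__ == "__main__":
    verdict = triage_session(SAMPLE_ROWS)
    for d in verdict["flagged"]:
        print("flagged:", d)
    print("dga_like =", verdict["dga_like"], verdict["tlds"], verdict["resolvers"])
```

Run against the full table rather than the seven sample rows, the session-level counters are what matter: around 260 distinct names, none queried twice, all to one resolver. The per-label features are deliberately crude (entropy of a ten-character string is a weak discriminator, and `windowsupdate` scores higher than several of the generated names), so they are used only to estimate the flagged share. The confirming signal a DGA hunt normally relies on, the NXDOMAIN response ratio, is not captured in this table; if the sandbox PCAP is available, joining responses to these queries is the next step before escalating.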

Files

C:\Users\Admin\AppData\Local\Temp\chgru.exe

MD5 2ba04f16c330ef19c5f5dbabda3f43f6
SHA1 d8b92263abc609722f38f14cb993c52da6c7b096
SHA256 cd83123c94b45409b84d82f6fc5264be7d95676d558669f3da9d130c99214a41
SHA512 d86dbc05e703068618aa2e555778bd59add660b3ef5b4c079fd18fb55a6ae87f15cc83cbfd1226f4d5dedd2348f020b62348035265ce873ab3dbaadc89d0bf42

C:\Users\Admin\AppData\Local\chgrucfljprulkpbhsotsdgorxv.dgx

MD5 e095bfbaa7123984eacd6343ef62341a
SHA1 cdb76ac68678f2e583b15e8e5e58a0e8700cf4d0
SHA256 32e8124bb5e486da9f66b2921339891747e6f1cd56583d42887a818900345b95
SHA512 085f662796160f9b9700f5c378225a26d6911143af0126c8fd4749cfd3fae2c339af5cb29cce2a2e8ec62604ceb87b777bab5879ebd7ef2622e699de2b1afb33

C:\Users\Admin\AppData\Local\zpzvjcqhqhuikukhyubrbxlesjsjwkmwmjawdt.zng

MD5 fd0c7763635aacac1cf5e4ecfb4fc01d
SHA1 d998ec4ed316d29ea72c6a5543e54570642beed1
SHA256 6411d5ef118e2cf6a332cf884e5c645eefec783cd73e4ad7ddc7193907fd0477
SHA512 a4a6709d7a6dae29ee3ec62aae2cc9aac0b56b815142a7b37e9b963a41f83b4048fbbd52a5db5b19f1e05f17df650d815513c07120bbdc7c3e2f82b2121e9753

C:\Program Files (x86)\chgrucfljprulkpbhsotsdgorxv.dgx

MD5 bab34a6fedd7f85d16815d64b7bb3612
SHA1 83b850bb60ff13b7a0550a8c5d1ac75bc3c181d8
SHA256 986e2aa5c888275ad7785f6d9c1de87a05e8ebbd2add563dbdc3c38e3dce321b
SHA512 2a12b04de34661394f0b8bd1434c5347d46267464a02723a2bfd2b66fbc6a4a671a649553cc915ac80985bd1246e4edab2161a82ccebeb776430f23f918fda71

C:\Program Files (x86)\chgrucfljprulkpbhsotsdgorxv.dgx

MD5 99b5258b1ac0ddabe562f99294723b49
SHA1 729531a431d0d4fa4394b77097357fdb0dcd15fb
SHA256 c17d35a63e7a012af473c304b9f6f9291f66a7e59eaf883b37ad414d23683180
SHA512 1a392cf6c532ea627721801810e2cda4fcb3a73d457fdd02983062ab4d847d21f65c34167898ce294ba97e9a4f565d0cd006cac158640a50ed1e534fb5a6a6ca

C:\Program Files (x86)\chgrucfljprulkpbhsotsdgorxv.dgx

MD5 0cbf8b7745b2198ee5831b64c45a9e5e
SHA1 6d6eaa4566334f4a4d9a7fd82df90c1b941690d7
SHA256 eed99bb98fce31271fd8cddd65e441d3fe3721d4493ad80a069d556c1ae35c48
SHA512 2e446b9a99e5c1f217007bdac063ab6b39b117f1bb90a7b437c632ad8f95863dd6cb3b0eaa7ee795f466df12adec412e0942d1ed63cb942f07796a5d0a53326e

C:\Program Files (x86)\chgrucfljprulkpbhsotsdgorxv.dgx

MD5 4f85af66c2f97e982caf49712bb21fa9
SHA1 894a2ed4ad8aa7c90ebd49ddc140654b768348cc
SHA256 00609e81039dee1922a83cf922446d342940690fab5f5c88ccc0b360fc221c1b
SHA512 5e412a4864c3da0d32079eacd2c8587f575a810a1bd9121117add0070617b206170508a8af4d956d7028a6f2b06ab404034cd97fdc55ab34127bc12ede489ae3

C:\Program Files (x86)\chgrucfljprulkpbhsotsdgorxv.dgx

MD5 0c0bda58522cdcf438101500bc98cb77
SHA1 796b49ba688ecb2fa46a194015ab9d539a2b19b4
SHA256 bcdb10661e9eef6614aa26d9a26aec739edfe18fd23f657e795793cc599d3712
SHA512 24d398edff7b0cdf6444efb94dc5476b1820ce2cabe735858e67be99b8bca27a7ae63c97a1b38ad33b792dae3c183479416c57ee43262c4315026dd14a963f14

C:\Program Files (x86)\chgrucfljprulkpbhsotsdgorxv.dgx

MD5 55bd07524142ff2d00b5b460ebb413db
SHA1 1084b8c89aef9515200b110e72d8582dfcdad36e
SHA256 8b4ff85a2a515ecefe847aebcb55edef01b1eef8187c2ac407bf0e3cca75e353
SHA512 12f138e541d307a8c625d81ea4c0c9aa98c8b8c37081f86912d48a1ac3327ac20901d3bf0a25b3d5fb03cc0e6a890ce3b503f9eaa730496d5d59c2146e9b0cbf