Analysis Overview
SHA256
6b84caef4d653cc7277c91260b44c76644aea7ea0b427b10bdcc474a8361b15b
Threat Level: Known bad
The file e60ffa39a93bd2a1a17724fe215d770b_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 23:04
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 23:04
Reported
2024-04-07 23:06
Platform
win7-20240319-en
Max time kernel
150s
Max time network
123s
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\e60ffa39a93bd2a1a17724fe215d770b_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2610426812-2871295383-373749122-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\nmvooh.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\nmvooh.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e60ffa39a93bd2a1a17724fe215d770b_JaffaCakes118.exe | N/A |
Adds Run key to start application
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e60ffa39a93bd2a1a17724fe215d770b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\nmvooh.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2004 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\e60ffa39a93bd2a1a17724fe215d770b_JaffaCakes118.exe | C:\Users\Admin\nmvooh.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e60ffa39a93bd2a1a17724fe215d770b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e60ffa39a93bd2a1a17724fe215d770b_JaffaCakes118.exe"
C:\Users\Admin\nmvooh.exe
"C:\Users\Admin\nmvooh.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ns1.musiczipz.com | udp |
| US | 8.8.8.8:53 | ns1.musicmixa.net | udp |
| US | 8.8.8.8:53 | ns1.musicmixa.org | udp |
| US | 8.8.8.8:53 | ns1.musicmixb.co | udp |
| US | 8.8.8.8:53 | ns1.musicmixc.com | udp |
Files
\Users\Admin\nmvooh.exe
| MD5 | 351f4f1a86ae6b73258791e76fef3cb8 |
| SHA1 | ba8633b9afde02409ac996fdbd8e6c9d279c149d |
| SHA256 | 5c4f6323e00b0924eca867ae33c0d5a2d30fa53071cbfbb0fa5b494269b920a2 |
| SHA512 | 5773d2ea5e8a6068bbe1c3b10849172507462ffac97407920b817916413b27429dc1bc2b6588fbdbc2f68a3b0801a60982c5c3982481b30eeeb0d6a2ae6e90b7 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 23:04
Reported
2024-04-07 23:07
Platform
win10v2004-20240226-en
Max time kernel
157s
Max time network
162s
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\e60ffa39a93bd2a1a17724fe215d770b_JaffaCakes118.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\riouj.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\e60ffa39a93bd2a1a17724fe215d770b_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\riouj.exe | N/A |
Adds Run key to start application
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\e60ffa39a93bd2a1a17724fe215d770b_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\riouj.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1148 wrote to memory of 4476 | N/A | C:\Users\Admin\AppData\Local\Temp\e60ffa39a93bd2a1a17724fe215d770b_JaffaCakes118.exe | C:\Users\Admin\riouj.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\e60ffa39a93bd2a1a17724fe215d770b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e60ffa39a93bd2a1a17724fe215d770b_JaffaCakes118.exe"
C:\Users\Admin\riouj.exe
"C:\Users\Admin\riouj.exe"
Network
Files
C:\Users\Admin\riouj.exe
| MD5 | 15194ced0f6c85ab79c57aad1d3676b2 |
| SHA1 | 25af66fabeee4440e903a3df526a36bbeb1b84e3 |
| SHA256 | c0934d26cc650b4c2f6b3680d6d20bc2c873623a46cfd6635f148b06f93d2518 |
| SHA512 | fa61eda27ac52f4f1520abb2898e4f1832a1c71f82f65c149632acbdae85e1df7d39121981ee92ce88b3b1181f52b050304b23de787ca3915dc4d4aaf2c3e41d |