Malware Analysis Report

2024-11-13 16:14

Sample ID: 240413-v4rrmsab8v
Target: kayflock-beta.rar
SHA256: 9ecbf28720a944bdd3f3c20cdb3f4da7f40da903b651be520348e01a8efa2504
Tags: persistence agilenet agenttesla
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files: behavioral10, behavioral15, behavioral1, behavioral4, behavioral8, behavioral11, behavioral12, behavioral16, behavioral2, behavioral3, behavioral7, behavioral18, behavioral19, behavioral5, behavioral6, behavioral9, behavioral13, behavioral14, behavioral17

Analysis Overview

Score: 10/10

SHA256: 9ecbf28720a944bdd3f3c20cdb3f4da7f40da903b651be520348e01a8efa2504

Threat Level: Known bad

The file kayflock-beta.rar was found to be: Known bad. The AgentTesla and Agile.Net matches come from the static analysis of the archive contents (static1); none of the behavioral detonations listed on this page triggered an AgentTesla signature, and the only persistence indicator, a service ImagePath write, comes from behavioral12 (fullstack-magic.exe).

Malicious Activity Summary

persistence agilenet agenttesla

AgentTesla payload

Agenttesla family

Sets service image path in registry

Obfuscated with Agile.Net obfuscator

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: LoadsDriver

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-13 17:33

Signatures

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Agenttesla family

agenttesla

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
(11 rows, all cells N/A)

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-13 17:32

Reported

2024-04-13 17:36

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\bfsvc.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\bfsvc.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\bfsvc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 98.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-04-13 17:32

Reported

2024-04-13 17:36

Platform

win10v2004-20240412-en

Max time kernel

140s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\notepad.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\notepad.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\notepad.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-13 17:32

Reported

2024-04-13 17:36

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\System.Management.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\System.Management.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-13 17:32

Reported

2024-04-13 17:36

Platform

win10v2004-20240412-en

Max time kernel

146s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\byfron.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\byfron.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\byfron.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

memory/908-0-0x000001EAE03F0000-0x000001EAE130E000-memory.dmp

memory/908-1-0x00007FFDE75F0000-0x00007FFDE80B1000-memory.dmp

memory/908-2-0x00007FFDE75F0000-0x00007FFDE80B1000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-13 17:32

Reported

2024-04-13 17:36

Platform

win10v2004-20240412-en

Max time kernel

91s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\nexus.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\nexus.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-04-13 17:32

Reported

2024-04-13 17:36

Platform

win10v2004-20240226-en

Max time kernel

140s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\explorer.exe"

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\explorer.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\explorer.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1324 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 10.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-04-13 17:32

Reported

2024-04-13 17:36

Platform

win7-20240221-en

Max time kernel

120s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe"

Signatures

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv" C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2492 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe C:\Windows\system32\cmd.exe
PID 2492 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe C:\Windows\system32\cmd.exe
PID 2492 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe C:\Windows\system32\cmd.exe
PID 2596 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2596 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2596 wrote to memory of 2844 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2596 wrote to memory of 3036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2596 wrote to memory of 3036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2596 wrote to memory of 3036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2596 wrote to memory of 3016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2596 wrote to memory of 3016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2596 wrote to memory of 3016 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2492 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe C:\Windows\system32\WerFault.exe
PID 2492 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe C:\Windows\system32\WerFault.exe
PID 2492 wrote to memory of 2652 N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2492 -s 648
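
The signatures and process tree above are the page's only persistence and driver-loading evidence, and they belong together: fullstack-magic.exe writes a service ImagePath under HKLM\SYSTEM\ControlSet001\services that points at an extensionless file in the user's Temp directory, in the \??\ NT object-path form, while holding SeLoadDriverPrivilege and tripping the LoadsDriver signature. That is what loading a driver straight from a user-writable location looks like (a services key plus that privilege is what NtLoadDriver needs), and WerFault attaching to PID 2492 afterwards shows the process then crashed on this win7 image. The certutil pipeline is a self-hash: the two find /i /v filters drop certutil's header and footer lines so only the MD5 of the process's own executable remains, a self-integrity check. The script below is an added example, not part of the report or of the sample, that turns the first observation into a reusable check: it parses registry indicator lines in the report's own layout and flags ImagePath values that point outside system directories, correlating them with SeLoadDriverPrivilege rows from the same process. The first two sample lines are the report's indicators verbatim; the stock-service lines are constructed contrasts, and the directory and extension lists are the editor's assumptions.

```python
r"""Flag service ImagePath writes that point outside system directories.

Added example, not part of the sandbox report. It parses registry indicator
lines in the report's own layout:

    Set value (<type>) <registry key>\ImagePath = "<value>" <process> <target>
    Token: <privilege> N/A <process> <target>
"""
import re
from dataclasses import dataclass

SAMPLE_LINES = [
    # Verbatim from the report (behavioral12, "Sets service image path in registry").
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv" C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe N/A',
    # Verbatim from the report (behavioral12, "Suspicious use of AdjustPrivilegeToken").
    r'Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe N/A',
    # Constructed contrasts: stock Windows service paths that must not be flagged.
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\disk\ImagePath = "\\SystemRoot\\System32\\drivers\\disk.sys" C:\Windows\system32\services.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\CurrentControlSet\services\Spooler\ImagePath = "C:\\Windows\\System32\\spoolsv.exe" C:\Windows\system32\services.exe N/A',
    r'Key created \REGISTRY\USER\S-1-5-21-0-0-0-1000_Classes\Local Settings C:\Windows\explorer.exe N/A',
]

IMAGEPATH_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) '
    r'\\REGISTRY\\MACHINE\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)\\services\\'
    r'(?P<service>[^\\]+)\\ImagePath = "(?P<value>[^"]*)"(?P<rest>.*)$',
    re.IGNORECASE,
)
PRIV_RE = re.compile(r'^Token: (?P<priv>Se\w+Privilege) N/A (?P<process>.*?) N/A$')

# Editor's assumptions: path fragments no service image should live under,
# and the NT object-manager prefixes used when a path is handed to the kernel.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
NT_PREFIXES = ("\\??\\", "\\\\?\\")


@dataclass(frozen=True)
class Finding:
    service: str
    image_path: str
    process: str
    reasons: tuple


def normalize(raw):
    """Collapse the report's doubled backslashes and strip any NT object-path prefix."""
    path = raw.replace("\\\\", "\\")
    nt_form = path.startswith(NT_PREFIXES)
    for prefix in NT_PREFIXES:
        if path.startswith(prefix):
            path = path[len(prefix):]
            break
    return path, nt_form


def assess(service, raw_value, process, privileges):
    path, nt_form = normalize(raw_value)
    low = path.lower()
    reasons = []
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("image under a user-writable directory")
    if nt_form:
        reasons.append("NT object path (\\??\\) form, as passed to NtLoadDriver-style loads")
    if not low.endswith((".sys", ".exe", ".dll")):
        reasons.append("image has no executable or driver extension")
    # Only enrich an already suspicious path: services.exe legitimately holds this privilege.
    if reasons and "seloaddriverprivilege" in privileges.get(process.lower(), set()):
        reasons.append("same process enabled SeLoadDriverPrivilege")
    return Finding(service, path, process, tuple(reasons))


def triage(lines):
    """Return a Finding for every ImagePath write that does not look like a system image."""
    privileges = {}
    for line in lines:
        m = PRIV_RE.match(line.strip())
        if m:
            privileges.setdefault(m["process"].lower(), set()).add(m["priv"].lower())
    findings = []
    for line in lines:
        m = IMAGEPATH_RE.match(line.strip())
        if not m:
            continue
        process = m["rest"].strip()
        if process.endswith(" N/A"):  # drop the empty Target column
            process = process[:-4]
        finding = assess(m["service"], m["value"], process, privileges)
        if finding.reasons:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(f"{finding.service}: {finding.image_path} (set by {finding.process})")
        for reason in finding.reasons:
            print("  -", reason)
```

On a live host the same check is run against HKLM\SYSTEM\CurrentControlSet\Services directly (for example with PowerShell's Get-ItemProperty over each service key); the parser here exists so the sandbox report itself can be triaged without re-detonating.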

Network

Country Destination Domain Proto
US 8.8.8.8:53 keyauth.win udp
US 104.26.0.5:443 keyauth.win tcp
US 8.8.8.8:53 apps.identrust.com udp
BE 23.14.90.73:80 apps.identrust.com tcp
N/A 127.0.0.1:49202 tcp
N/A 127.0.0.1:49204 tcp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
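
Most rows in this and the other Network tables on the page are not the sample's own traffic: the in-addr.arpa rows are reverse (PTR) lookups the host issues for addresses it is already talking to, the bing.com and microsoft.com rows are OS and browser background activity, and apps.identrust.com and x2.c.lencr.org are Let's Encrypt/IdenTrust certificate-distribution hosts that Windows contacts while building a certificate chain. What remains in this table is keyauth.win over TLS at 104.26.0.5:443. The script below is an added example, not part of the report, that applies that filtering to the report's own row layout (some rows have no Domain column). The rows are copied from the behavioral12 table plus single rows from the behavioral8, behavioral10 and behavioral18 tables; the suffix lists are the editor's assumptions, not a vendor feed.

```python
"""Separate sandbox background traffic from connections worth analyst review.

Added example, not part of the report. Rows are copied from the report's
Network tables in its "Country Destination Domain Proto" layout; the Domain
column is absent on some rows, which the parser has to tolerate.
"""
from collections import Counter

NETWORK_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 keyauth.win udp
US 104.26.0.5:443 keyauth.win tcp
US 8.8.8.8:53 apps.identrust.com udp
BE 23.14.90.73:80 apps.identrust.com tcp
N/A 127.0.0.1:49202 tcp
N/A 127.0.0.1:49204 tcp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 20.231.121.79:80 tcp
N/A 224.0.0.251:5353 udp
"""

# Analyst-maintained suffix lists (an assumption of this example, not a vendor feed).
BACKGROUND_SUFFIXES = (
    "bing.com", "bing.net", "microsoft.com", "microsoftonline.com", "s-microsoft.com",
    "msftauth.net", "msauth.net", "azureedge.net", "azure.com", "nelreports.net",
    "office.net", "gfx.ms",
)
# Let's Encrypt / IdenTrust hosts Windows fetches from while building a certificate chain.
CERT_CHAIN_SUFFIXES = ("apps.identrust.com", "c.lencr.org")


def _under(domain, suffixes):
    return any(domain == s or domain.endswith("." + s) for s in suffixes)


def parse_rows(text):
    """Parse the report's table; rows with three fields carry no Domain."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain.lower(), "proto": proto})
    return rows


def classify(row):
    host, domain = row["host"], row["domain"]
    if host.startswith("127."):
        return "loopback"
    if host.startswith(("224.", "239.")):       # mDNS / SSDP discovery
        return "multicast"
    if domain.endswith(".in-addr.arpa"):        # reverse lookups by the host itself
        return "ptr-lookup"
    if _under(domain, CERT_CHAIN_SUFFIXES):
        return "cert-chain"
    if _under(domain, BACKGROUND_SUFFIXES):
        return "background"
    return "review"


def summarize(rows):
    return Counter(classify(r) for r in rows)


def review_candidates(rows):
    """Distinct endpoints left once background traffic is removed (domain, else host:port)."""
    out = set()
    for r in rows:
        if classify(r) == "review":
            out.add(r["domain"] or f'{r["host"]}:{r["port"]}')
    return sorted(out)


if __name__ == "__main__":
    rows = parse_rows(NETWORK_ROWS)
    print(dict(summarize(rows)))
    print("review:", review_candidates(rows))
```

A row with no Domain column (here 20.231.121.79:80 from behavioral8) cannot be matched against any list, so it is deliberately kept in the review set rather than silently dropped.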

Files

memory/2492-1-0x0000000140000000-0x00000001405E8000-memory.dmp

Analysis: behavioral16

Detonation Overview

Submitted

2024-04-13 17:32

Reported

2024-04-13 17:36

Platform

win10v2004-20240412-en

Max time kernel

146s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\splwow64.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\splwow64.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\splwow64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-13 17:32

Reported

2024-04-13 17:36

Platform

win10v2004-20240412-en

Max time kernel

145s

Max time network

157s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\System.Management.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\System.Management.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 147.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 23.53.113.159:80 tcp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 200.201.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-13 17:32

Reported

2024-04-13 17:36

Platform

win7-20240221-en

Max time kernel

122s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\byfron.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\byfron.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\byfron.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2188 -s 504

Network

N/A

Files

memory/2188-1-0x0000000000FF0000-0x0000000001F0E000-memory.dmp

memory/2188-0-0x000007FEF6270000-0x000007FEF6C5C000-memory.dmp

memory/2188-2-0x000007FEF6270000-0x000007FEF6C5C000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-13 17:32

Reported

2024-04-13 17:36

Platform

win7-20231129-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\nexus.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\nexus.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-04-13 17:32

Reported

2024-04-13 17:36

Platform

win10v2004-20240412-en

Max time kernel

130s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\winhlp32.exe"

Signatures

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\helppane.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\helppane.exe N/A
N/A N/A C:\Windows\helppane.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5020 wrote to memory of 4372 N/A C:\Windows\helppane.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 5020 wrote to memory of 4372 N/A C:\Windows\helppane.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\winhlp32.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\winhlp32.exe"

C:\Windows\helppane.exe

C:\Windows\helppane.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=3860,i,7447082786332118630,10839110169592584063,262144 --variations-seed-version --mojo-platform-channel-handle=4252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5608,i,7447082786332118630,10839110169592584063,262144 --variations-seed-version --mojo-platform-channel-handle=5832 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=4080,i,7447082786332118630,10839110169592584063,262144 --variations-seed-version --mojo-platform-channel-handle=5428 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --field-trial-handle=3564,i,7447082786332118630,10839110169592584063,262144 --variations-seed-version --mojo-platform-channel-handle=5812 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5444,i,7447082786332118630,10839110169592584063,262144 --variations-seed-version --mojo-platform-channel-handle=5840 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=5960,i,7447082786332118630,10839110169592584063,262144 --variations-seed-version --mojo-platform-channel-handle=5780 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=4520,i,7447082786332118630,10839110169592584063,262144 --variations-seed-version --mojo-platform-channel-handle=4692 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
NL 104.109.143.24:443 bzib.nelreports.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
US 8.8.8.8:53 nav-edge.smartscreen.microsoft.com udp
GB 13.87.96.169:443 nav-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 24.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 support.microsoft.com udp
US 8.8.8.8:53 support.microsoft.com udp
US 8.8.8.8:53 support.microsoft.com udp
NL 72.246.172.127:443 support.microsoft.com tcp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 20.189.173.17:443 browser.events.data.microsoft.com tcp
US 23.53.113.225:443 c.s-microsoft.com tcp
US 8.8.8.8:53 mem.gfx.ms udp
US 8.8.8.8:53 mem.gfx.ms udp
US 13.107.246.64:443 mem.gfx.ms tcp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 login.microsoftonline.com udp
US 13.107.246.64:443 mem.gfx.ms tcp
NL 40.126.32.134:443 login.microsoftonline.com tcp
US 8.8.8.8:53 169.96.87.13.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 127.172.246.72.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
NL 72.246.173.187:443 www.microsoft.com tcp
NL 72.246.173.187:443 www.microsoft.com tcp
US 8.8.8.8:53 225.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
NL 72.246.173.187:443 www.microsoft.com tcp
US 8.8.8.8:53 support.microsoft.com udp
US 8.8.8.8:53 support.microsoft.com udp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 login.microsoftonline.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
NL 40.126.32.68:443 login.microsoftonline.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
NL 23.62.61.152:443 www.bing.com tcp
US 8.8.8.8:53 aadcdn.msftauth.net udp
US 8.8.8.8:53 aadcdn.msftauth.net udp
US 8.8.8.8:53 aadcdn.msauth.net udp
US 8.8.8.8:53 aadcdn.msauth.net udp
US 152.199.23.37:443 aadcdn.msftauth.net tcp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 187.173.246.72.in-addr.arpa udp
US 8.8.8.8:53 234.14.97.104.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 152.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 37.23.199.152.in-addr.arpa udp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 support.microsoft.com udp
US 8.8.8.8:53 support.microsoft.com udp
US 8.8.8.8:53 login.microsoftonline.com udp
US 8.8.8.8:53 login.microsoftonline.com udp
US 20.189.173.17:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 logincdn.msftauth.net udp
US 8.8.8.8:53 logincdn.msftauth.net udp
US 8.8.8.8:53 acctcdn.msauth.net udp
US 8.8.8.8:53 acctcdn.msauth.net udp
US 8.8.8.8:53 acctcdn.msftauth.net udp
US 8.8.8.8:53 acctcdn.msftauth.net udp
US 192.229.221.185:443 logincdn.msftauth.net tcp
US 8.8.8.8:53 lgincdnmsftuswe2.azureedge.net udp
US 8.8.8.8:53 lgincdnmsftuswe2.azureedge.net udp
US 13.107.246.64:443 acctcdn.msauth.net tcp
US 8.8.8.8:53 lgincdnvzeuno.azureedge.net udp
US 8.8.8.8:53 lgincdnvzeuno.azureedge.net udp
US 152.199.21.175:443 acctcdn.msftauth.net tcp
US 8.8.8.8:53 acctcdnvzeuno.azureedge.net udp
US 8.8.8.8:53 acctcdnvzeuno.azureedge.net udp
US 8.8.8.8:53 acctcdnmsftuswe2.azureedge.net udp
US 8.8.8.8:53 acctcdnmsftuswe2.azureedge.net udp
US 192.229.221.185:443 lgincdnvzeuno.azureedge.net tcp
US 8.8.8.8:53 mem.gfx.ms udp
US 8.8.8.8:53 mem.gfx.ms udp
US 8.8.8.8:53 mem.gfx.ms udp
US 8.8.8.8:53 support.microsoft.com udp
US 13.107.246.64:443 mem.gfx.ms tcp
US 8.8.8.8:53 175.21.199.152.in-addr.arpa udp
US 8.8.8.8:53 185.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 support.content.office.net udp
US 8.8.8.8:53 support.content.office.net udp
NL 23.38.21.64:443 support.content.office.net tcp
NL 23.38.21.64:443 support.content.office.net tcp
US 8.8.8.8:53 lgincdnmsftuswe2.azureedge.net udp
US 8.8.8.8:53 acctcdnvzeuno.azureedge.net udp
US 8.8.8.8:53 acctcdnmsftuswe2.azureedge.net udp
US 8.8.8.8:53 64.21.38.23.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
NL 23.62.61.152:443 www.bing.com udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 10.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 93.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-04-13 17:32

Reported

2024-04-13 17:36

Platform

win10v2004-20240412-en

Max time kernel

100s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\write.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\write.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\write.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\write.exe"

C:\Program Files\Windows NT\Accessories\wordpad.exe

"C:\Program Files\Windows NT\Accessories\wordpad.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 35.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-13 17:32

Reported

2024-04-13 17:36

Platform

win7-20240221-en

Max time kernel

119s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b000000000200000000001066000000010000200000000d29f8c39f338025af0c373d429bbaf1242a54b8b1e14cfb063eab44b63b069c000000000e8000000002000020000000378a7071b0a63eff4dc4f291623f1dbf2b81fe23c7b79d38e816c6d2f3625eda20000000deb3f69eb5056bb34ad1070691334ca278371adb364e054674e82176473fbac840000000805f348822c08033db468d2d299b990324bbeeff3199410477488b83a471e1b0f5d6ed1234988041df4bee5b8d11933f463f0318ee12c8107fb6e9851feea705 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{0758CCA1-F9BC-11EE-8859-DE62917EBCA6} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = ... C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419191516" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4092a2dfc88dda01 C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win7-x64&apphost_version=6.0.28&gui=true

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2828 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 aka.ms udp
IE 2.18.238.120:443 aka.ms tcp
IE 2.18.238.120:443 aka.ms tcp
IE 2.18.238.120:443 aka.ms tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabBC6C.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\TarBEE5.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-13 17:32

Reported

2024-04-13 17:36

Platform

win10v2004-20240412-en

Max time kernel

106s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2288054676-1871194608-3559553667-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 i.pinimg.com udp
NL 23.62.61.184:443 i.pinimg.com tcp
US 8.8.8.8:53 184.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
NL 23.62.61.72:443 www.bing.com tcp
US 8.8.8.8:53 72.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp

Files

memory/3412-0-0x00007FFE2B2E0000-0x00007FFE2B7DE000-memory.dmp

memory/3412-1-0x00007FFE2B2E0000-0x00007FFE2B7DE000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-13 17:32

Reported

2024-04-13 17:36

Platform

win10v2004-20240412-en

Max time kernel

138s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\HelpPane.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\HelpPane.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\HelpPane.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-04-13 17:32

Reported

2024-04-13 17:36

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe"

Signatures

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv" C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

Network

Country Destination Domain Proto
US 8.8.8.8:53 keyauth.win udp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 5.1.26.104.in-addr.arpa udp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
N/A 127.0.0.1:61236 tcp
N/A 127.0.0.1:61238 tcp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-04-13 17:32

Reported

2024-04-13 17:36

Platform

win10v2004-20240412-en

Max time kernel

148s

Max time network

158s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\hh.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\hh.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\hh.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 147.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 174.117.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-04-13 17:32

Reported

2024-04-13 17:36

Platform

win10v2004-20240412-en

Max time kernel

147s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\twain_32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 808 wrote to memory of 232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 808 wrote to memory of 232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 808 wrote to memory of 232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\twain_32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\twain_32.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

N/A