Analysis Overview
score
10/10
SHA256
50bb137dc5dc91ece4a31d01787c0db3361853f2e7b559ff731c05d102bec0ca
Threat Level: Known bad
The file 50bb137dc5dc91ece4a31d01787c0db3361853f2e7b559ff731c05d102bec0ca was found to be: Known bad.
Malicious Activity Summary
Process spawned unexpected child process
Bazar Loader
Nloader
Cobaltstrike
Bazar/Team9 Loader payload
Nloader payload
Blocklisted process makes network request
Suspicious Office macro
Executes dropped EXE
Deletes itself
Loads dropped DLL
Adds Run key to start application
Looks up external IP address via web service
Unsigned PE
Program crash
Modifies Internet Explorer settings
Delays execution with timeout.exe
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
Runs ping.exe
NTFS ADS
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Checks processor information in registry
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-27 11:22
Signatures
Suspicious Office macro
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-27 11:22
Reported
2024-06-27 11:25
Platform
win7-20240221-en
Max time kernel
118s
Max time network
119s
Command Line
"C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe"
Signatures
Bazar Loader
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ZCUEC0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ZCUEC0.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\V7KMT82MD = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v HH4OHMRRW7 /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ZCUEC0.exe\\\" NLI7RQB\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ZCUEC0.exe\" NLI7RQB" | C:\Users\Admin\AppData\Local\Temp\ZCUEC0.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe
"C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe"
C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe LGPDB
C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe
C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe LGPDB
C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\ZCUEC0.exe ZY3E
C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
C:\Users\Admin\AppData\Local\Temp\ZCUEC0.exe
C:\Users\Admin\AppData\Local\Temp\ZCUEC0.exe ZY3E
C:\Windows\system32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\ZCUEC0.exe NLI7RQB
C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
C:\Users\Admin\AppData\Local\Temp\ZCUEC0.exe
C:\Users\Admin\AppData\Local\Temp\ZCUEC0.exe NLI7RQB
Network
| Country | Destination | Domain | Proto |
| US | 54.184.119.29:443 | tcp |
Files
memory/2388-0-0x0000000000420000-0x0000000000423000-memory.dmp
memory/2388-1-0x0000000000460000-0x0000000000462000-memory.dmp
memory/2388-2-0x0000000180000000-0x0000000180032000-memory.dmp
\Users\Admin\AppData\Local\Temp\ZCUEC0.exe
| MD5 | efa4b2e7d7016a1f80efff5840de3a18 |
| SHA1 | 04606786daa6313867c7ada1f0c9c925d9b602fb |
| SHA256 | 291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b |
| SHA512 | 11446166922efb329d547ce329fb3ed70a3a99c1c037533beaecefd16d4a67c9dc9201592b0428a06fd956e4bb5caf3f7997a86200792e3e29a041f0963b2ced |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-27 11:22
Reported
2024-06-27 11:25
Platform
win10v2004-20240611-en
Max time kernel
132s
Max time network
128s
Command Line
"C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe"
Signatures
Bazar Loader
Bazar/Team9 Loader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\V2T35B1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\V2T35B1.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\N25LKZ5PURO = "cmd.exe /c reg.exe add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v JV9P0E8X /t REG_SZ /d \"\\\"C:\\Users\\Admin\\AppData\\Local\\Temp\\V2T35B1.exe\\\" RMBCR\" & start \"H\" \"C:\\Users\\Admin\\AppData\\Local\\Temp\\V2T35B1.exe\" RMBCR" | C:\Users\Admin\AppData\Local\Temp\V2T35B1.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe
"C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe PUOIU91
C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe
C:\Users\Admin\AppData\Local\Temp\ProgramData\huqvg\huqvg.exe PUOIU91
C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\V2T35B1.exe VVSHBC
C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
C:\Users\Admin\AppData\Local\Temp\V2T35B1.exe
C:\Users\Admin\AppData\Local\Temp\V2T35B1.exe VVSHBC
C:\Windows\SYSTEM32\cmd.exe
cmd /c ping 8.8.8.8 -n 2 & C:\Users\Admin\AppData\Local\Temp\V2T35B1.exe RMBCR
C:\Windows\system32\PING.EXE
ping 8.8.8.8 -n 2
C:\Users\Admin\AppData\Local\Temp\V2T35B1.exe
C:\Users\Admin\AppData\Local\Temp\V2T35B1.exe RMBCR
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.171:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 54.184.119.29:443 | tcp |
Files
memory/4840-2-0x0000000180000000-0x0000000180032000-memory.dmp
memory/4840-1-0x00000224B0650000-0x00000224B0652000-memory.dmp
memory/4840-0-0x00000224B0640000-0x00000224B0643000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\V2T35B1.exe
| MD5 | efa4b2e7d7016a1f80efff5840de3a18 |
| SHA1 | 04606786daa6313867c7ada1f0c9c925d9b602fb |
| SHA256 | 291c573996c647508544e8e21bd2764e6e4c834d53d6d2c8903a0001c783764b |
| SHA512 | 11446166922efb329d547ce329fb3ed70a3a99c1c037533beaecefd16d4a67c9dc9201592b0428a06fd956e4bb5caf3f7997a86200792e3e29a041f0963b2ced |
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-27 11:22
Reported
2024-06-27 11:25
Platform
win7-20240508-en
Max time kernel
117s
Max time network
122s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Users\Public\4123.dll,#1
Signatures
Nloader
Nloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Users\Public\4123.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Users\Public\4123.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 452
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | veso2.xyz | udp |
Files
memory/1428-3-0x00000000000E0000-0x00000000000E9000-memory.dmp
memory/1428-14-0x00000000000D0000-0x00000000000D6000-memory.dmp
memory/1428-11-0x0000000000200000-0x0000000000205000-memory.dmp
memory/1428-7-0x00000000000F0000-0x00000000000F7000-memory.dmp
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-27 11:22
Reported
2024-06-27 11:25
Platform
win10v2004-20240611-en
Max time kernel
131s
Max time network
105s
Command Line
"C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchorDNS_x64.exe"
Signatures
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchorDNS_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchorDNS_x64.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c timeout 3 && del C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchorDNS_x64.exe
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C PowerShell "Start-Sleep 3; Remove-Item C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchorDNS_x64.exe"
C:\Windows\system32\timeout.exe
timeout 3
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell "Start-Sleep 3; Remove-Item C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchorDNS_x64.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.104:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/1508-0-0x00007FFD9C9B3000-0x00007FFD9C9B5000-memory.dmp
memory/1508-6-0x00000173F68B0000-0x00000173F68D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xgid3aiv.gft.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1508-11-0x00007FFD9C9B0000-0x00007FFD9D471000-memory.dmp
memory/1508-12-0x00007FFD9C9B0000-0x00007FFD9D471000-memory.dmp
memory/1508-15-0x00007FFD9C9B0000-0x00007FFD9D471000-memory.dmp
memory/1508-16-0x00007FFD9C9B0000-0x00007FFD9D471000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-27 11:22
Reported
2024-06-27 11:25
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
155s
Command Line
"C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe"
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.amazonaws.com | N/A | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe: $data | C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe: $file | C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe: data | C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4628,i,1400471177590024469,587385956640537806,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe
C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe -u
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.58:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 58.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 13.107.42.16:443 | tcp | |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 13.107.42.16:443 | tcp | |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkip.amazonaws.com | udp |
| IE | 63.35.170.17:80 | checkip.amazonaws.com | tcp |
| US | 8.8.8.8:53 | xyskencevli.com | udp |
| US | 8.8.8.8:53 | efkezwpdxpsq3lsdvnrudczb2dshbqlki.aohiqmhplaeoeihydf6td5ndgasjggcq.howc3andmjjdr5cf2nltlaqpdadjpgbe3.oqszygndzp3glhsnojiqgdgdddygdddddwkkb.ymuzsulfu339chnlncagpugxlg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | a2s6dptfteyqcmgfzygl.uzgwkpa4ilmfuno6df4jhmrd2eqqmgmjuh.diczruh3dcgbvwgf4dlviu2tdjgzllul.cjhgqh2psqrglcjhyiggq6hz.scjfvjzlydlbcu2odjjmmcjmdddld2gtb.ymuzsulfu339chnlncagpugxlg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ymmhbimjifndh25dxgmq.bfmchgawzf4h6fvjzlti2amw2ymhtmmu.cy4jibydddldufug.ymuzsulfu339chnlncagpugxlg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zog496kddydddddd6o4d.xgzivtp2wo6dcq6otksgf5c2pb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddybsb.94o3votdca6bc22ichab9myrai.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpeyc.qp53ykbdyvn2skuwyxiagxal5b.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyzxx.uhhin9vyhpdgczwgetpxpmguzg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | 17.170.35.63.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlsok.ly4ipxajckrgszhd4zmif3vqbb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpq3j.2ypvd3rhxpyksg2ljtwamgo6ud.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy63q.w2x5y2hxqqccc5e5jn4gb9rwlc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlo9n.agpor3imacgbsrwvvcydcnobji.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpdoq.phlbcfpd2ojfsiehryarlhznyc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpuhg.k2a3gr96rryucuw9byixy4agnh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddweh.s9xlo6apdahushhyayg4w2k6wc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyy5g.3wtvyee5awawsrwir2tng2bp4b.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddldgw.dlu5lwiaerazsk2sru5xbti44j.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddn3f.r5vmsoca2g2wc5utgbqd4bxzab.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlypr.952bqxmer2ebcewppu9g2wdvac.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddygfg.ghkzme93mckcsdjhgaizv2yftc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpu2l.p4uubofhto4jcghqvkdxcv2eub.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpewk.4irjrvv5rbbtconxhuagl9un5k.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpv2f.vbicvgsevkcasdnxekzkzentqd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddloxq.ign22khdfgcqcwegqehnmuwx5c.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp4md.ey9o32ntg5aycvwtmdosfmzd4k.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyzeq.kate4d6nfyaxsyuilf9ztnnmhg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddywti.pkjdafiiqlu4cdj3uz5z4zi2sk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyjol.qrod5guvkxjlssndkxsei62rbg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlkor.6ggxvavuucrlcfntfsvmpqndcb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyxxx.sspj5v5vizbnse2nsomzqmpt4j.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyn5f.xebbelvnqfylco6pw3tlpkbpri.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlhgd.cxsmplsg2myzct2iz9raphhfnb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp29r.s5a3dzo2ug9wcxeonfdts2dzbc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp62h.ckrbig395tgocrhrywqisnyric.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddluwd.jtznya9ghzoksknrciadpkv43c.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlgmq.3jl2lh3sr36cchel4jabi3evqi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl3fq.lh3mywnafycocj6hamx5rcxfzb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyzjk.jfnpsdatkgv6sz2vuefx6se49h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp4rg.gleajtuf6uvks9jlu5t44dimwh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpklf.bjc2fq4dbalfsvnqtydmvzhdpi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlpdb.ssrgwqukdcelsvnosb9q63ovrb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpedr.xxslbbvhhymlsdwfjyhbq33w6g.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyeci.rmpslyob2fd3cgw2y9mau2tk9c.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddypod.ouljdnj3pjsxc5heqka9oojm4g.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddxtr.r92zvaezaop6scw2h3iavlwd3b.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyorg.m3tsbl4ayaotsgu5grzdlpt26j.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyojf.i6l3j9pptocosowdpo2yiqad3h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp5yd.fhvajxzelqtxswj9dikwyzwakc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpssd.nxme5czf3tlasnn2cqhjebe5qi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlwdq.2qlicw593zg2sk2hn3nkwpe3bk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpctc.n5vivtvufdpuslhwitmr9ar4rc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddqxw.v4qxfajzot3ts6jcqebzun2t6g.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddruh.hwlcrun6snqjcqwtch6anjjkzg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlcbn.2en4qyvkqtt3c4uuirhiqpd6ri.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpbif.xxeo3kqtofjtcgnj3c4zduhxcd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | efkezwpdxpsq3lsdvnrudczb2ds.hbqlkiaohiqmhplaeoeihydf6t.d5ndgasjggcqhowc3andmj.jdr5cf2nltlaqpdadjpgbe3oqszygndzp3glh.snojiqif2ebdyddddpdddddd9lhd.qg6pca6qdkjiche9o24apsym2d.xyskencevli.com | udp |
| US | 8.8.8.8:53 | yfontgal2huhgbyqbb4wy3af.y2uqtw5guprc2edctap2h2qq.idnlhvqijglhju5hupgyufqifgqhhzyqzlqc.hpcczmaehylqcdfhhp4ihmmquurhzdgyjl.qixgqq22lq2dddydptdk.qg6pca6qdkjiche9o24apsym2d.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ymmhbimjifndh25dxgmq.bfmchgawzf4h6fvjzlti2amw2ymhtmmucy4j.ibydddldmo6g.qg6pca6qdkjiche9o24apsym2d.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zog496kddydddddd2xag.hscpcuystqsacze9h4y4igxotb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyx3w.4ytcmp5wd2l6sbel4ysbklkdic.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddwgd.ekd2ex4sw4gvsg2lztj3vqimoj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddybyc.evauektitxnmsij53rqmawnmad.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyx9c.riukv9qzye3dc4wiaodbtrvgdi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlfob.ulnjx2hnmoghsmjlhiraoe69bk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy9sh.jmieu9ea42rqsbwqij53atyymj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy5vq.qpws2ne5sgxps6nwbyii2jjz4k.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddy4h.k2l4eqsmjo4gsrefnmszkk5uzh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddmpg.ob3z3292sf4scqhebdjgtbqrpj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy6br.t5vj5vge4jdwcahlbgjycwzdnd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpjin.4ymbt9prw2cisxhecyg4ostvbj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddykni.6ex6p6usg43fc46zs35tut25sh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddxtn.clqcnacsouihsxe2hlre2snopg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddsqk.gjas9h2dr9ybccn4xxalifrpeg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddb2h.rrnzlumkwt5asnjoizgj2ou9qd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyeun.uexarmy3urkssiuz6ghyalmlsd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlulc.rikmahr2l5xmsc6nxbecudvn2j.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddylmh.kmehx6wtke6qcgn3d5hfq5qydg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp2km.uzpady3bew25s22rp35wggcnyk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl55l.nlx3feina5cuslwknjsqovanjg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddmzd.huog4346ejzicyhgwbiiqsm2sj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddyzi.opahp2aosb49s6huau55hup2qh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddd5gj.dr6atgnlih32cfnhokj35mk92g.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp3hb.t54ezprr5iwhskecs3dxpsmlmc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddydpd.wigl3vybeadesmu4yw453bk5bc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyltg.bovhw4zb5gj9cgw5hvue3ymcod.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddd3jw.cbhynfhvhoswclnrcryr4z35kd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddppum.kq3ew6dk6q6dcr6qrs623axo5i.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddnir.ejmjnzz9s9sssieos53e2yol4d.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl6jg.di3rrwcx6bi4c6wbyatlhxfyfj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpbtf.h4oiukoqdl39clwivl9yo4bhcc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp3pf.nql6uqet5c9hsyjm6efmcuo96c.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlfkf.2hh3mtxshgztsh2ajznno2x2dc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddehg.cvlwiywnatwgcseadqm45kdpbh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyjpc.mrreitt5ldgncbulnyzcsl4kkh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddycwn.ctc26mkq6riws56qtf392cmdcc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyicx.jyh9oipwvcrasljcjyrdhny4kg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddliix.nek45gziwehwsij52y4wdbxssk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddygth.2qyzwm6dbvhocsegg2cbg22jlj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlfdh.9c3cxyna2x2ysghrj9r6vneswb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddoah.dzc3ay5thadfcuni3ugv92fq3k.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddphtw.2yfyivymk2ctcljv3fabcbbwyh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpvrl.xagsbwp4magpczugihr4tu5fcj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpxrx.26f3yabeqa9msgjqlkvhx3zoob.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpu6m.b64hje5w9n2tsq6otvkecxzsob.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpvkg.6d2tlxkw94j9c5wtzx5fv2oc3d.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy6kb.ye24jcd2uopdce22ltmufukwlc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddlgf.ielipjsfffbds9utqqctub3mkd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyaic.2f6myb2mpetas6njtyrj52mjug.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlc2c.xjvdqn5j6kubcwjvmqtfnb5eai.xyskencevli.com | udp |
| US | 8.8.8.8:53 | efkezwpdxpsq3lsdvnrudczb2ds.hbqlkiaohiqmhplaeoeihydf6td5ndgasjggc.qhowc3andmjjdr5cf2nltlaqpdadjpgb.e3oqszygndzp3glhsnojiqif2ebdy.ddddpddddddrn9d.egxnzuuc4jaccj6wcv5zkwjhrh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | yfontgal2huhgbyqbb4wy3afy2uqt.w5guprc2edctap2h2qqidnlhvq.ijglhju5hupgyufqifgqhh.zyqzlqchpcczmaehylqcdfhhp4ihmmqu.urhzdgyjlqixgddydd4oc.egxnzuuc4jaccj6wcv5zkwjhrh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | yzmnhzmhymmhbimjifndh25dxgmqbfmchgawzf4.h6fvjzlti2amw2ymhtmmucy4jibydddlddqld.egxnzuuc4jaccj6wcv5zkwjhrh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zog496kddyddddddw4xg.bfbwxmyn3yc9s3ucibziqui66h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddnuh.kozm9xkynanlckeffedgsd4dni.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddq5q.tmlr4tgbmo5asn2malbeiw9vrg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddllfr.ar4mkslei3nqs32pf6u9k6sb2i.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddngk.3co5323imfzwsf2v4nrj5orb9d.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpgpr.3yje65grjt5hcwh5jmdqn25b9h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp9si.ob5zbqgl4ox9c9ea4ifwca95ai.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddmck.jqs9urwttek9caunuyigupwlki.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddbbf.nwkjhbkmuz52ct2grgbqu9agjh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddymjg.wkmpbldl32cjszhou2pvlqvsjg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddczk.fzqc3roec9xkcu6ymyeawejsnd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlwnc.olixfqjv2rn3confmzpxexiiij.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddynmk.2ks5ciozyhkscl66djy4vmp6fj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddligi.us2sco94nj5xcjnwzw2bgudv6j.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpt3d.xi4oz22tm92qck6ima4h9ay3ld.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddd5jl.bvnrpvllykfoc3e4f9lniaevhd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpdkm.xqtyevhxov46swurtel5j2hewi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl9lj.ofjvn6nuvdxssqng24vykb2pfk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddd5hx.6jdmslyyhh3ecqewr5vzgi5fik.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddejq.gjhuxjyochiwc9ncolnqyudisi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddd39b.w6bnxi5zrscac4wzpzeeknxm9j.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyqnq.csgmlh4ukxqgcxnb6cnicw6osd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyftb.fhwtisvy2vmps9us6lz5njwnqb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddpsm.rcekkx5x6p5ksd2pdg95n2zw3b.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddezr.bsl6r2tj2ijkck2mwh5kxglcld.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyrwq.tqth44b9je2sc3namndo6u4k6h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddytxk.vwdcnxv2iim4cmnv6wqn63c55i.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpqnf.3g493pl43qksssunoozwgxqzyg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlevc.pqvzslfis6gzc5efxzll9hb4xc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddppsd.zzcpvfnvly42seu6sfcshvrrxk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpiax.weewqu3rfjovccnyygoeb4c6jk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlz6i.6rezgjqtfysdc2wkah5w5353dk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyfcx.me9l9nx53ozisbejclqaa3yerh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlcjg.dbwwiios5bu2c5jpaymyev4d9k.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyjdj.wudvmedwqawisg2bqnpi24ql6d.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpsal.hdt4lhfu3r35soh629jhxnf3mg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddd3vf.ikpxrotlxe93c2wreopsfgmm3j.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddjpq.xvetj5svtg4hct2iznewffsorj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyl3n.9jtyu4aqebdlcku29ftijivopc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddmur.9reukhkzkhtpcbjclgekt4bqlb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddli2w.9fbfyg3zje6nsqnwmoe6ssnjek.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddprhl.id5ymlghiewfcg23zz6dxf3twg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp4nb.cs364fh2goirs6eyu43pfatwdk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddngr.yesc6459dz3lc4h5jsvptzkksj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp6el.llfzxsxdpsv3st6amocz6hyd3d.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddywxn.5r5wal2oto4gsmuzfpt4rt64wh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyjrg.3bbuau9aqhc4cguxo3ix4akgdc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl4pd.mqgjzsrvbwc6cruv2qbyfn5yyj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpthr.uouovajyf9mkck6iyzipopitdi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddd6pk.hcbaq4phkp5kc9wi3v5sh5p36c.xyskencevli.com | udp |
| US | 8.8.8.8:53 | efkezwpdxpsq3lsdvnrudczb2dshb.qlkiaohiqmhplaeoeihydf6t.d5ndgasjggcqhowc3andmjjdr5cf2nltl.aqpdadjpgbe3oqszygndzp3glhsnojiqif.2ebdkdcddddjdddddlgvh.dqn3msltnznbcphncnnoa2mwyg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | 5ntjcbmnpncqd2rqyvgwjxgne2tetkphozln.bysjbfnl2ztdlgmq3tpcdmppufphk.dewztqiymlch2ihzzld3ycjiff.dhzzdqmld3olcizaeumchcdedztdddldcbnh.dqn3msltnznbcphncnnoa2mwyg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | xgqq22lq2dqn2plm2ma2hyyqkpflhvpn.hzlluf4hoy9eumcnrzqw23cq2lrn2igco.madcdddhlmem.dqn3msltnznbcphncnnoa2mwyg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zog496kddyddddddhb2b.fq6xdkxou9l5s6hz3vgn64awwg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddposq.ri3sc4bkvlw3ct63uprkaz445i.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyeef.i5qgicfftw5acqh6v6x54ygxuj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddptdw.63g99o6bfd3csfn3tzp4papmqj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl2gk.vi4569qeoqyvca2vqpswxrbpvh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp64k.sbhj3x6y4ac3c9uqy3o5wtpfkc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl4ek.xztehvnu4j5yso699kdjjvu6ad.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddbhh.4mjwzvjwvfgxcb64fgh9gebs4i.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy5ni.jjn9n9shaez4clep3jn4etcu5i.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddvjb.sb93wytjy3vcs3nozlztjhxj3c.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddl9x.ycgzsry93fzrc92uprwswdkeqi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpulh.ggsetzihyjqycy6pmmobr3bf3c.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlqxm.o6brmwlfq6d6sih93huv425ttd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpsoj.e5k9ybv43ozys4ufmr9mroergg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpwgk.sjgpq4m55wfmsoeu4mazbcr9wc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlxwg.u2kvkbdbyoqbca2y9bnqz6vdjg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlhmw.q3c3hj4p2zods5uz4f543z4nrh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlubr.ohkw9s9mho9jsentujt42jyyob.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyf2x.usdh5nyjlvklcyh235rw9a3dod.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpzwx.23nbtqu5oqalcrhc5yu25xgy9i.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlrwh.ku2ygjssy6iysmnrusrcelvq3b.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl9vc.rfhgv6yo5iaccnexril4pw2y4c.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddbqj.rmkiszzvjonvskupg6yb266gig.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddktl.5csq46kubm9esdu2u4e5iqljyi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlezg.dqnoushnw2qxcfwwbbvo2ijz9g.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddd4gd.mc2nw4yhe4ccc52ivlsicqafig.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpcix.o4w6nykheupusun5sbvcrsnhyg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddjak.6ahmptlzv3qdc9eict9ih5wluk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddaex.4oa5c6wpbbbjcbuh4o2og54btc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpfvw.njzhjnupxnyxskji4oaopvgk2g.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy33h.r5kmyi329latsd6z3eqeipfswj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy5sk.r4cbuuqsbfj9chnrhxekztougd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddywtx.hd5sds2c9p6lsnhyjpxwqh2ztj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpjtm.zte5rxul9ihycdnvdbtrte9m3g.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddynyn.49d252fz9ep3szhxjp3oiyavzj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpcuh.oohhoomc66jdcg6mj3eajwreoc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddptdk.dyiagm3lrw4tslhxngrnna2kpc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlkfb.b245klet2mipsjuwut9fzdwyei.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlkfx.v6mc3s3kglpzcgwremwoxm24ch.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl2bi.xskw3n5ahg6xsi6lgxhgrhxr4h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlu3g.2qqhuz2e6netcjwu5lc6ybu3wj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyhox.qvu2qwj6i4locpncenybkuijzj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddcuc.t2ptlaw3bnhbsmndus3i4w3ijb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpmhf.crgrxf5x2uc4s66f692oxnd26h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyy2w.39m2dpore5smcw645swrasolld.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyy6n.5o9xfleqfrdfsjeqnssa3uws2h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlcrx.4ggp2kla6momshelf3k64b3ijd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp6bj.as523kmtzsh6czwnsxqwe2acig.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddbjn.tizaglvt9iqnswerv2kh4xtttb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | efkezwpdxpsq3lsdvnrudczb2d.shbqlkiaohiqmhplaeoe.ihydf6td5ndgasjggcqhowc3a.ndmjjdr5cf2nltlaqpdadjpgbe3oq.szygndzp3glhsnojiqifdlddddqddddddhkb.tl2md5cs56tas4264jqekou4uj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | 2ebdowtnb2zciqihjdajjp5.dk3odiran5ebqzvlctgln3ziicapndsycuanqh.ycqqviqzbdropnuhpcchg.ahzplcymlh32tidzplduccyafc22pqrvchg.hdrypn6hppcizpcgpdddldwqmd.tl2md5cs56tas4264jqekou4uj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | imqscasqmgllub4iczrqi.zlccviwzfpxrvchtuljkamhjm.sjia2d2vsqdhdddgdrec.tl2md5cs56tas4264jqekou4uj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zog496kddyddddddenzd.xupnbtypoy69cx6o2pa3s66mli.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl69i.k45wmaf6bolrs2nh2shweog4kh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlyri.vfstu69wlfqysz6pqfe3crvjgc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpepd.dtmwsxajuvonszwym34gvi5aab.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddy3x.qgrphfrvf4wncg2scuaopokwwg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddljuf.o5b4juw929ifcxuccdv4s6j9zb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyd3h.orwa9aeslgkes6eibx2j39t22k.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpylh.93fwcgwy9xkscc2ldx6vlsskid.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpc6x.apsoqkucct56suw5q46swqgxvc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlxki.n6kgxikpwr99sl6awjugd3rolc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp5ni.yzpacmxa4stuck6rwfzh5cfjad.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp6hn.vxu9vkhixxracvwf9gmi5ykdgc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddtql.neqiavxriko3sawwrcolcjo2ik.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy9ax.wcu9sslb5yh5ckjxptootarjvb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpxdh.c5ohmn3qfnlnctuoie62u5ofki.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpnaq.exi69v59xxr6s9naqqzkfgdfih.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlv5m.uhn4jiahjkzxcajgu2q65bocpg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddk9x.umncyru3eu2lcdnsvb2hk9jewh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy29b.g6anrnmdmakdskurw3gvvgcsyk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpzen.ffil9cvekbxkcnexxrkfduwkkg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyppm.rz36al54226icr2wa4vsvknedh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlweh.hseve5ej3zdrcw2cfascnyqwug.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpwtf.eoxnntpslrfjs9ugiyb3lzcpri.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpfsr.ql9tym3ebfylcbn33vrx5hywxb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddnfx.2nlszubnolhyswjywkhdpgvs6d.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddn5w.mvp66bjrdzo2shnjcjqgd4arsi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlprw.l2ii9zeivkh4cvjgnjt9numijb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy5kn.cknu4f9cstf9swebbfyuxedevc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddnsx.iukf3dqs2vwicjez4yyus2ft3g.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyf5g.fnxspld3l5v2cbu2bfovhdxroc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlspi.bb6ofniiggk2ssjrg95mhuwtkg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpg4n.uhmy5ynxqufbc2ngwlg39vocib.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddylkl.65uzva2n45baczeodacskt2cxb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddd5in.a3ms3ena3zcls2wcdlenydix6c.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyl5b.vvjajnihzc4tcon9jdnjbwbmxb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddywik.pxsrowirahbncdn2t6hwxaqjfi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlq9j.pim5bv4xigzsc5hb9nubi5l95h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlgvm.6tq95fffh5wishuhwzsteofjhc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlvun.igyfvkuqxweucsetwihxfxvsug.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp9tw.duuy63ovhxppcdufxl5lrlffcb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp2oc.x2jwrft44u6osa6kfgtfds6o6h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddj4d.llblosi29eu4s5wcd3etxilxyh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpnyg.ueovtleeiktysrwmk2ntcuvcxd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpiqx.rjdfexgqnxelsdhoedag9qdovg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyt3b.3ghlch2d99yfspnhzwncr9wihi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddd2xd.faknobqbbpkiclejj6iuzrzqgj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpeob.gelp45bjpbvqsvuja9on9do92h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyshd.4jmcscjsllmqciuacuzvwdktdk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddenh.qkx9akjezuqrcc6xabwf3c55rh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpacj.r55h2q25pdulc9uhkhlglckmsc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | efkezwpdxpsq3lsdvnrudczb2dshbqlkia.ohiqmhplaeoeihydf6td5ndgasjggc.qhowc3andmjjdr5cf2nltlaqpdadjpgbe3oq.szygndzp3glhsnojiqifdlddddqdddddys99.yf6sb6mi4rbuci2mwjlimkctmj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | 2ebdowtnb2zciqihjdajjp.5dk3odiran5ebqzvlctgln3ziica.pndsycuanqhycqqviqzbdrop.nuhpcchgahzplcymlh32tidzpl.duccyafc22pqrvchghdrypn6hppcizpcgpdd.dldelsb.yf6sb6mi4rbuci2mwjlimkctmj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | imqscasqmgllub4iczrqizlccviwzfp.xrvchtuljkamhjmsjia2d2vsqdhdddglpik.yf6sb6mi4rbuci2mwjlimkctmj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zog496kddyddddddy5jg.tjgtw693oqdtsuhqarp2y2p5ph.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyfvd.cypqbjmynk2nsduuxqadv6b5zc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp4ww.g3kfflzft5zacrnq2nzpyor9vg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyhti.x5k3m29sdqursqjdfjirfa9wbb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpfhd.6yqncpxf5e6usbhxwik6ipmagi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddjmr.pt293z9d5sskspjju5vpmz2dxk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp9md.ltowie6awtq4cu2y5vf3lxl52i.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddytyw.6dkhvzsxo5c6snjzwjwd34cu2h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy6cc.q3ajdml6t54ec4wb9lokfhaapc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp6ih.rgb4lrer3un3cgns2nrffezvxh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddydpf.lx6yzt654ljjcynfry9mv9f5gb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlc2f.vyka9xdwzkalcnnbbz9t6jwf6j.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddnyf.zxz2lsctvjotcwnjc6x6sjhfmg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyqjf.esbneug6iwclcxnw9cnf2bifjh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlwkn.ax6c94wp5iw5cgwleyecygl9fc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddoxg.njtzoo93ppvccwuzyz53zpc6xc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl2mw.afkmfgchlxyuschxktb5p9fnyc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyo6m.ijvbk5n3ofwmshn4t6iubgyfpd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddle9d.rkkvgmiehppmstnal2oznbmnki.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpg9b.rtlqtyzssg3lstj5vdaalgfxib.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddleeh.gxvfis5r6bz2c3wv6ywcniitvc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp4ck.utxp9c4csd56sqjinf4dswo5xk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddd4lc.ihsnrco3dqx3sqhj4zlo6z23hi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddsyk.cdw3ik4vt9b9cs6s2ob5xmazmb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy2xr.akn36ahyy6s5s5u5dwnmoez9wi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddvjd.s4xorjn6kdodsz233saw9s3wdg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddqjn.g95toqomvyascawkysfrp3jewh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpkhn.ocpdzi4ul6cwsaubb4hlhckwsh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl6uq.d5ppzzjpjz4sshwbgcc4vmvxwg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy6rx.mxlkxmxmwtntsxuvkcxobdnhxg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp2vb.tdmr9ibng56qsmuz6y9itxecsk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpqrh.yijyidu6vunlcfwaesmf2a4hph.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddk5x.teyaycevy6hnscjbllmrsn6szd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyked.olaxi5sng6krcpw342klcu2rxi.xyskencevli.com | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe
| MD5 | 86fefa2e8be486a49782d4d04095015e |
| SHA1 | f29d6b5c8777028eeef161729b153b4d6e8ba28a |
| SHA256 | a8a8c66b155fcf9bfdf34ba0aca98991440c3d34b8a597c3fdebc8da251c9634 |
| SHA512 | 272c3bcd54f580a50f1601f7a6e71a02f33be93aaf975c081ea8042d50d548c9baf8b1401c15bc1fcabcc37bbc326c3ce79037a73425cfaeff58b1afd2e6b92c |
C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe: data
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-27 11:22
Reported
2024-06-27 11:25
Platform
win7-20240508-en
Max time kernel
132s
Max time network
144s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Users\wilmer.coughlin\AppData\Local\Temp\C618.tmp.dll,#1
Signatures
Cobaltstrike
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Users\wilmer.coughlin\AppData\Local\Temp\C618.tmp.dll,#1
Network
| Country | Destination | Domain | Proto |
| NL | 217.12.218.46:80 | tcp | |
| NL | 217.12.218.46:80 | tcp | |
| NL | 217.12.218.46:80 | tcp | |
| NL | 217.12.218.46:80 | tcp | |
| NL | 217.12.218.46:80 | tcp | |
| NL | 217.12.218.46:80 | tcp | |
| NL | 217.12.218.46:80 | tcp |
Files
memory/1940-0-0x0000000000120000-0x0000000000121000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-27 11:22
Reported
2024-06-27 11:25
Platform
win10v2004-20240508-en
Max time kernel
94s
Max time network
130s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Users\wilmer.coughlin\AppData\Local\Temp\C618.tmp.dll,#1
Signatures
Cobaltstrike
Blocklisted process makes network request
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Users\wilmer.coughlin\AppData\Local\Temp\C618.tmp.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| NL | 217.12.218.46:80 | 217.12.218.46 | tcp |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| NL | 217.12.218.46:443 | tcp | |
| US | 8.8.8.8:53 | 46.218.12.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/3100-0-0x0000027865DC0000-0x0000027865DC1000-memory.dmp
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-27 11:22
Reported
2024-06-27 11:25
Platform
win7-20240508-en
Max time kernel
121s
Max time network
126s
Command Line
"C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchorAsjuster_x64.exe"
Signatures
N/A
Processes
C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchorAsjuster_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchorAsjuster_x64.exe"
Network
N/A
Files
N/A
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-27 11:22
Reported
2024-06-27 11:25
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
153s
Command Line
"C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchorAsjuster_x64.exe"
Signatures
N/A
Processes
C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchorAsjuster_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchorAsjuster_x64.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.169:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
Files
N/A
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-27 11:22
Reported
2024-06-27 11:25
Platform
win10v2004-20240611-en
Max time kernel
128s
Max time network
99s
Command Line
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Users\Public\4123.dll,#1
Signatures
Nloader
Nloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2564 wrote to memory of 5044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2564 wrote to memory of 5044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2564 wrote to memory of 5044 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Users\Public\4123.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Users\Public\4123.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5044 -ip 5044
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 912
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | veso2.xyz | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
Files
memory/5044-13-0x0000000000490000-0x0000000000496000-memory.dmp
memory/5044-10-0x0000000000BE0000-0x0000000000BE5000-memory.dmp
memory/5044-8-0x0000000000BC0000-0x0000000000BC7000-memory.dmp
memory/5044-3-0x00000000004A0000-0x00000000004A9000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-27 11:22
Reported
2024-06-27 11:25
Platform
win7-20240611-en
Max time kernel
121s
Max time network
122s
Command Line
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Users\Public\4123.xlsb
Signatures
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\htmlfile | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Users\Public\4123.xlsb
Network
N/A
Files
memory/2132-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2132-1-0x000000007208D000-0x0000000072098000-memory.dmp
memory/2132-3-0x000000007208D000-0x0000000072098000-memory.dmp
memory/2132-4-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2132-5-0x000000007208D000-0x0000000072098000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-27 11:22
Reported
2024-06-27 11:25
Platform
win10v2004-20240508-en
Max time kernel
101s
Max time network
154s
Command Line
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Users\Public\4123.xlsb"
Signatures
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Users\Public\4123.xlsb"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| GB | 52.109.28.47:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 47.28.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 52.111.229.43:443 | tcp |
Files
memory/1956-0-0x00007FFABF110000-0x00007FFABF120000-memory.dmp
memory/1956-2-0x00007FFABF110000-0x00007FFABF120000-memory.dmp
memory/1956-3-0x00007FFABF110000-0x00007FFABF120000-memory.dmp
memory/1956-4-0x00007FFAFF12D000-0x00007FFAFF12E000-memory.dmp
memory/1956-5-0x00007FFABF110000-0x00007FFABF120000-memory.dmp
memory/1956-1-0x00007FFABF110000-0x00007FFABF120000-memory.dmp
memory/1956-6-0x00007FFAFF090000-0x00007FFAFF285000-memory.dmp
memory/1956-9-0x00007FFAFF090000-0x00007FFAFF285000-memory.dmp
memory/1956-8-0x00007FFAFF090000-0x00007FFAFF285000-memory.dmp
memory/1956-7-0x00007FFAFF090000-0x00007FFAFF285000-memory.dmp
memory/1956-11-0x00007FFAFF090000-0x00007FFAFF285000-memory.dmp
memory/1956-10-0x00007FFAFF090000-0x00007FFAFF285000-memory.dmp
memory/1956-12-0x00007FFAFF090000-0x00007FFAFF285000-memory.dmp
memory/1956-13-0x00007FFABCC90000-0x00007FFABCCA0000-memory.dmp
memory/1956-14-0x00007FFAFF090000-0x00007FFAFF285000-memory.dmp
memory/1956-17-0x00007FFAFF090000-0x00007FFAFF285000-memory.dmp
memory/1956-16-0x00007FFAFF090000-0x00007FFAFF285000-memory.dmp
memory/1956-15-0x00007FFABCC90000-0x00007FFABCCA0000-memory.dmp
memory/1956-18-0x00007FFAFF090000-0x00007FFAFF285000-memory.dmp
memory/1956-19-0x00007FFAFF090000-0x00007FFAFF285000-memory.dmp
memory/1956-33-0x00007FFAFF090000-0x00007FFAFF285000-memory.dmp
memory/1956-47-0x00007FFABF110000-0x00007FFABF120000-memory.dmp
memory/1956-49-0x00007FFABF110000-0x00007FFABF120000-memory.dmp
memory/1956-50-0x00007FFABF110000-0x00007FFABF120000-memory.dmp
memory/1956-48-0x00007FFABF110000-0x00007FFABF120000-memory.dmp
memory/1956-51-0x00007FFAFF090000-0x00007FFAFF285000-memory.dmp
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-27 11:22
Reported
2024-06-27 11:25
Platform
win7-20240611-en
Max time kernel
150s
Max time network
124s
Command Line
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Users\wilmer.coughlin\Downloads\subscription_1617056233.xlsb
Signatures
Nloader
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
| Parent C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SysWOW64\rundll32.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE |
Nloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\"" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print" | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Users\wilmer.coughlin\Downloads\subscription_1617056233.xlsb
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c certutil -decode %PUBLIC%\4123.xsg %PUBLIC%\4123.do1
C:\Windows\SysWOW64\certutil.exe
certutil -decode C:\Users\Public\4123.xsg C:\Users\Public\4123.do1
C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\Users\Public\4123.do1,DF1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 456
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | veso2.xyz | udp |
Files
memory/2780-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
memory/2780-1-0x00000000725CD000-0x00000000725D8000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | 1efb46d22876efb5343f27c214cc1eb9 |
| SHA1 | 0196f817e04d61dd980c0fe5ad9a9cd92dbd2f02 |
| SHA256 | b3ece35826a7ec732e505b8473774a302a5b7268a620bdb0f3517398098e1a45 |
| SHA512 | 5e2da9734330809c6f4826c4bd61f01520a96be68306f6485141459e82940f7c95c0082bb2b9817de6ece833a75757fd088a40a43894966950ed1c51c0a87143 |
C:\Users\Public\4123.xsg
| MD5 | c87e1dee1275fed1f7ee813b97ccb17b |
| SHA1 | e8313978e3c0dff6355b843cd470949c719032c6 |
| SHA256 | 92bb3324b68e8780d718ed808cb9633dc1ef1f7988d2b85cc0f9f431ed63a63d |
| SHA512 | 2d2177413ed0767651789363c2b952ff8fba26de6ebb84a6390af6bc87927577bedf08b802f5bd6e937e7462bddbd707100108ccf6ef4f39ded65bdcb8b40f35 |
C:\Users\Public\4123.do1
| MD5 | f776deb4df137b37dcae5406c8f3a07a |
| SHA1 | f6a31b594fca39c118927405fa4d14353b8fd49a |
| SHA256 | 93cc5e6a6b671d9b0124ade32ae8b09269de9f03c5c5e66347fbfc7a8c3b305e |
| SHA512 | 4077b4214b4683bb4776d470027e61fcc3cb3e78beb9377674e4a4de9115d52911e39cb29a566ab446c6962a252ce01020ffd616b5854a9d8230414262bfafe2 |
memory/2476-52-0x0000000000180000-0x0000000000187000-memory.dmp
memory/2476-56-0x00000000001B0000-0x00000000001B5000-memory.dmp
memory/2476-48-0x0000000000170000-0x0000000000179000-memory.dmp
memory/2780-59-0x00000000725CD000-0x00000000725D8000-memory.dmp
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-27 11:22
Reported
2024-06-27 11:25
Platform
win10v2004-20240611-en
Max time kernel
150s
Max time network
155s
Command Line
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Users\wilmer.coughlin\Downloads\subscription_1617056233.xlsb"
Signatures
Nloader
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
| Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process | N/A | C:\Windows\SYSTEM32\rundll32.exe | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE |
Nloader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
| N/A | N/A | C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\Users\wilmer.coughlin\Downloads\subscription_1617056233.xlsb"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c certutil -decode %PUBLIC%\4123.xsg %PUBLIC%\4123.do1
C:\Windows\system32\certutil.exe
certutil -decode C:\Users\Public\4123.xsg C:\Users\Public\4123.do1
C:\Windows\SYSTEM32\rundll32.exe
rundll32 C:\Users\Public\4123.do1,DF1
C:\Windows\SysWOW64\rundll32.exe
rundll32 C:\Users\Public\4123.do1,DF1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 420 -ip 420
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 420 -s 916
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.32.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | roaming.officeapps.live.com | udp |
| NL | 52.109.89.19:443 | roaming.officeapps.live.com | tcp |
| US | 8.8.8.8:53 | 19.89.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.169:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | veso2.xyz | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 169.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 52.111.227.11:443 | tcp | |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp |
Files
memory/1052-0-0x00007FFA8BC30000-0x00007FFA8BC40000-memory.dmp
memory/1052-2-0x00007FFA8BC30000-0x00007FFA8BC40000-memory.dmp
memory/1052-1-0x00007FFA8BC30000-0x00007FFA8BC40000-memory.dmp
memory/1052-3-0x00007FFACBC4D000-0x00007FFACBC4E000-memory.dmp
memory/1052-4-0x00007FFA8BC30000-0x00007FFA8BC40000-memory.dmp
memory/1052-7-0x00007FFACBBB0000-0x00007FFACBDA5000-memory.dmp
memory/1052-8-0x00007FFACBBB0000-0x00007FFACBDA5000-memory.dmp
memory/1052-6-0x00007FFACBBB0000-0x00007FFACBDA5000-memory.dmp
memory/1052-5-0x00007FFA8BC30000-0x00007FFA8BC40000-memory.dmp
memory/1052-11-0x00007FFACBBB0000-0x00007FFACBDA5000-memory.dmp
memory/1052-10-0x00007FFACBBB0000-0x00007FFACBDA5000-memory.dmp
memory/1052-9-0x00007FFACBBB0000-0x00007FFACBDA5000-memory.dmp
memory/1052-12-0x00007FFA89490000-0x00007FFA894A0000-memory.dmp
memory/1052-14-0x00007FFACBBB0000-0x00007FFACBDA5000-memory.dmp
memory/1052-16-0x00007FFACBBB0000-0x00007FFACBDA5000-memory.dmp
memory/1052-15-0x00007FFACBBB0000-0x00007FFACBDA5000-memory.dmp
memory/1052-13-0x00007FFACBBB0000-0x00007FFACBDA5000-memory.dmp
memory/1052-17-0x00007FFA89490000-0x00007FFA894A0000-memory.dmp
memory/1052-18-0x00007FFACBBB0000-0x00007FFACBDA5000-memory.dmp
C:\Users\Public\4123.xsg
| MD5 | c87e1dee1275fed1f7ee813b97ccb17b |
| SHA1 | e8313978e3c0dff6355b843cd470949c719032c6 |
| SHA256 | 92bb3324b68e8780d718ed808cb9633dc1ef1f7988d2b85cc0f9f431ed63a63d |
| SHA512 | 2d2177413ed0767651789363c2b952ff8fba26de6ebb84a6390af6bc87927577bedf08b802f5bd6e937e7462bddbd707100108ccf6ef4f39ded65bdcb8b40f35 |
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
| MD5 | a188a499da13fb427e5605c4ae483fbb |
| SHA1 | 0ce006ddb4ff2493bb8f653cdc3cf19a137c9d1d |
| SHA256 | c2d5c1d3cdf35eda18f430cda01344e15ef0d690585dc997d2a2c5112ef91231 |
| SHA512 | d7a0255f1c7a6a0e51f4252a485a8344a1204ba7811b83fc258ed5e2c6aa32e798b61c4a7fddfd11ee27c9a8aa139bb3b8b237071bbc5f40943d86efc9b19dcd |
C:\Users\Public\4123.do1
| MD5 | f776deb4df137b37dcae5406c8f3a07a |
| SHA1 | f6a31b594fca39c118927405fa4d14353b8fd49a |
| SHA256 | 93cc5e6a6b671d9b0124ade32ae8b09269de9f03c5c5e66347fbfc7a8c3b305e |
| SHA512 | 4077b4214b4683bb4776d470027e61fcc3cb3e78beb9377674e4a4de9115d52911e39cb29a566ab446c6962a252ce01020ffd616b5854a9d8230414262bfafe2 |
memory/420-82-0x00000000013A0000-0x00000000013A9000-memory.dmp
memory/420-85-0x0000000001530000-0x0000000001537000-memory.dmp
memory/420-88-0x0000000001550000-0x0000000001555000-memory.dmp
memory/1052-96-0x00007FFACBBB0000-0x00007FFACBDA5000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-27 11:22
Reported
2024-06-27 11:25
Platform
win7-20240419-en
Max time kernel
120s
Max time network
125s
Command Line
"C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchorDNS_x64.exe"
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchorDNS_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchorDNS_x64.exe"
C:\Windows\system32\cmd.exe
cmd.exe /c timeout 3 && del C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchorDNS_x64.exe
C:\Windows\system32\cmd.exe
cmd.exe /C PowerShell "Start-Sleep 3; Remove-Item C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchorDNS_x64.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PowerShell "Start-Sleep 3; Remove-Item C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchorDNS_x64.exe"
C:\Windows\system32\timeout.exe
timeout 3
Network
N/A
Files
memory/1972-4-0x000007FEF5ECE000-0x000007FEF5ECF000-memory.dmp
memory/1972-5-0x000000001B5A0000-0x000000001B882000-memory.dmp
memory/1972-6-0x0000000002730000-0x0000000002738000-memory.dmp
memory/1972-7-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp
memory/1972-8-0x000007FEF5C10000-0x000007FEF65AD000-memory.dmp
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-27 11:22
Reported
2024-06-27 11:25
Platform
win7-20240221-en
Max time kernel
150s
Max time network
151s
Command Line
"C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe"
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskeng.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.amazonaws.com | N/A | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe: $data | C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe: $file | C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe: data | C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskeng.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2800 wrote to memory of 1724 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe |
| PID 2800 wrote to memory of 1724 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe |
| PID 2800 wrote to memory of 1724 | N/A | C:\Windows\system32\taskeng.exe | C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe
"C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {18F9B98C-3F1F-46B2-BD15-05A935E04000} S-1-5-18:NT AUTHORITY\System:Service:
C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe
C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe -u
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | checkip.amazonaws.com | udp |
| IE | 34.251.61.44:80 | checkip.amazonaws.com | tcp |
| US | 8.8.8.8:53 | xyskencevli.com | udp |
| US | 8.8.8.8:53 | efkezwpdxpsq3lsdvhf2yizgrp3n3wlk.iaocifahpdaeoeihydf6td5ndgasjggcqhowc.3andmjjdr5cf2nltlaqpdadjpgbe3oqszygn.dzp3glhs2sdyddddpddddddiujd.zaj2vj5o3risswwz9xa9u2ltsk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | 3hu2imrwzdossgif3hs6yqyrhvvyz25fk2.zntwagdf34caqcymau22lqcpnhhvq.idmmhutghypgyjldinzqdh3lqodqnha4.cuma423yqbpfq2vyiizlhusgddldp4vb.zaj2vj5o3risswwz9xa9u2ltsk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | syicdurhxznwb2pcbbch3.zdjcgqhjd5cgbd42zpjqgoch3zrz.yiwdtihxgfn33dcjfch324jcmrhjltc.g3vdddldozhg.zaj2vj5o3risswwz9xa9u2ltsk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zog496kddyddddddsxwg.nfe4smitck9nsgezixsoomvxyc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlpnr.t3ofs5sdbdsisjhvrkwhplkdng.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddld5g.gbvpda2vi5k3sye4vzd9egduzd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddgbx.rnwm99d2qkkycongiz6mi5s6ed.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp9rc.kslbtuhekmfcsdje22jnjsqzqh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlohr.mvmvvzzkse9hc9hegzsekcn4yh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlocc.vx3w52vkec6ssnjytaahiwcmwd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpp9w.znmr6wviz4vrs2hev9k6hsep4i.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlg5j.gzfs6igabhjhs5hnmvbcm3zjtc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy9sj.q5zcu6mhr9rvslui4ldnwujxxg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyckf.tqa5se33zhthc96wdsv93dxapk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyxbb.sufdbge4i3nas42mnvh4ylks2k.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyp4k.gakmntgydmtzs52fymladrfpsh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpmwk.q9qwi69xi5q3szeqilv6zt4hub.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyemi.r4xds5s3kssrcah5etijdt54nc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlxql.aejwwsqy3xwgspu6wem9pseqkh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddiff.qs6rwr2tigyxszeqnvhk2cvs6h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpgom.xm6qqlkoshh3swwoelwsap3woi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyayd.tkiox4ofxrdqsfwp2wmac2gudb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpewd.icf3j4d5k9nhsmncdls5gpusnh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp2rn.vbmryafkihjrcau349zepasvfi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpwhl.vnpfvu436rrscrnvrxjbgxsapk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpq2j.wqiohptymkklsehatbde4iqo3i.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpncc.3ihflgwmfkl2sv6dkqnlfzbagj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlwcj.nzwwxb2xqsadc66zgy2lthe2ug.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddser.66pe4zsbpawtcb6ms4rglmzj4h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddspb.q9otw2gonh24c6hszlwage5i6k.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpkfl.r6h6bqxv2p2essus63goxsgrbb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddd3qm.pmpzmqsnydbzcknr3sdul339wb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddymfw.xbh3hgath3btseuqxehkikdtgk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddeeq.jmyj9spxei9esbhqgu32eg5r3g.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddsar.muycfflnhcjls4wp4uanymsmzg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddd5zj.9hs3ukxsinctsujuci9psczgik.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddami.i6exx3ysgvyws6ws9kjoz2tobj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpf3x.x6racatubhfbs5jwlo2hnbpohb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyhun.ye64lznfs6erco2e2uzekdcnwg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddd2ji.xrutcnkgshnichwtbi354cxg9h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyqrm.56lo9tdpnrx4spwcc2eq4qwuai.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddymuw.hcdpbis33e6nsr2uxz9w2y2q2d.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl2kg.hlvggqv6vboicxurk4svlmu3jk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlzsh.gmz6x2r444cwcbesqvz54sps2c.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddldih.24mkiwxmi3ius92pgz6dm4t26d.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl9qb.dkwilk4j5dpic5eu36lvyh9kwk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddd4ci.raaw5eh93gq5cqugwzzw94wnpd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddprdi.2d9hw9q6wnwkckhrxjgufnuhxd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddbsh.yevcxyevpmuhcen2r22ieyftab.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddmar.6g3gqbo3zlghcueshxba59giag.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpmff.utbquv29qsypsonu6hvsqva9bb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddparn.gn5bp3d6bx22cmecqbunt9dnsb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddxkh.jthr3r4yde2fsdh24fspuicqig.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddd3ug.69smw2veoljacgh2k4dvjdppah.xyskencevli.com | udp |
| US | 8.8.8.8:53 | efkezwpdxpsq3lsdvhf2yizgrp3n3wlkiaocifa.hpdaeoeihydf6td5ndgasjggcqhowc3andmjjdr.5cf2nltlaqpdadjpgbe3oqszygndz.p3glhs2sjiqifdlddddqdddddyh24.kutmspexehrhssu2lv9aknxkwk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | 2e4hgwmmbnujil5gadvcuogbivow.cbtn52bdujam2ald32riizplytccuand2.2cqfbcdzbdrydnshadcjzpwgps.c2amq32aikgajyopcogfnhzc.qmbiqggyr3pfs2vycjapdddcdeczd.kutmspexehrhssu2lv9aknxkwk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ylqjhpycympds3cqdyfjhvyi42lqj.uihupgsul4iqmrwhypqzlqn2v.yctmpdt2cqwbdddgyq4d.kutmspexehrhssu2lv9aknxkwk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zog496kddyddddddd4lh.fxm4libiuqakclhug4y9jr2fud.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyofn.2wmad3xcmav2shwc62kjbbo4jg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyq4f.njymxssdoau6s4unh5eq6beovc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddssi.g99jlhvisj9acx6kawhsdfkw3h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddplwb.v4ofwx4sqck2c4way5lsxsjxlg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyqcc.4dtkyu565pa5ckubbmv4eumwrh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpovk.ht2zvkjcvc2hc9wqm2z43je63k.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlvhq.3erilirezy2ms9wvgie2w9uulj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlx3h.yke3sllzqhp6cb2u4a5j64zxng.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyxfd.4fcwqflydqgvcgebw2urvjvkji.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddywnl.lartviq3rclbcbn9cy5db9jw2j.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddmor.rbpbbvqglsyxsd642mpehqlk9h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlb6h.hlprka9x62uus9wqzn2ynpkc9k.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddkjg.cokljqkrwqxws3enklfevozemi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyfzh.5jovabhpgemeswjhz3anpzw2gh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl9dh.frkbh3ea3ltrsmez3xe2nikauk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp2mn.ocdilrko6khvsfjiadiiipthhg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddda3q.plcvd4uchbpmsqeximprjtlpcb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpqqx.kigk6kr2renksq6fd3btkw4xzb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddduwl.l5u4ttsarn6es26a23euseelkb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy2eh.wrqfnaeqohsdcnj6sbymszggqh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp6id.3wtfcozxdnsdscuhvwl3duvzyi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpdhd.62unpf4rvevjsvhhg3wcgnltki.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy9km.w6lcdwu6nwnbsohk6otroex3ig.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddpbw.6lbj6qkztjcpcuwsehd5boyyij.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddrij.nf6s9mqaqmllsi2bnao2xn3dyk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddd4aj.4vdbocu9dkyes4nyqfvthzkwag.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddhii.l9jm2btsuyutconbqixvvgffwh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpwzq.r6wqwws3okcssvjzmojxbqn32g.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpigr.zwr2ld36ftjbsh6rgz9fzyfroi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlguw.czqqs9yvsa2lsfnnmuwzer3mad.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddddpm.5amprd3a55jyconbuwyxsyczoh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyvgd.pfb9lavwaamxswnxcbsxrsbqwk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl54h.yjbzmocssc3usdht3xpiuic3wg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddc2i.vsini3yizo2ssq2imd6o66ge6b.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyn6g.jyxofvsiqedcchnt32l26kxomj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpphx.ixbzjjm5dcqtc4wub9zftmuvzk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpvpr.jcnxdh9zwb65c36tqvma5s3hqh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddld3h.jgykjlfvgjrec3n2c3zdb62elj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddptob.q6jhxn3hcx34sb23k3btpzg53d.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyl9m.imap3mguxyzqsqhitnvizlcv2i.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp3ri.qlr5cxkgnsr5c3jvcwgkjpr2qd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddb3l.qg4hgy9hfyqvsyhafleyuxcohg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddptpm.5zevwqnuni6xsled4v9zjj96mi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddydoj.9it5cvo99ztmcd62eeb4ogptpk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlcdk.rnzhbqnehikgshnodfb2zno65k.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddla4n.iy3wjtkdb6rrca6atypnh4wiic.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp42c.kdtpte9jwen4syug3dkcrcg6kg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyf9f.5i44yp5zyclksbn4pipuj5oheg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | efkezwpdxpsq3lsdvhf2.yizgrp3n3wlkiaocifahpdae.oeihydf6td5ndgasjggcqhowc3andmj.jdr5cf2nltlaqpdadjpgbe3o.qszygndzp3glhs2sjiqif2e.4dyddddpdddddd9syg.fpxo25sukqaes9wulbpvno4ewj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | zdossgif3hs6yqyrhvvyz25fk2zntwagd.f34caqcymau22lqcpnhhvqidmmh.utghypgyjldinzqdh3lqodqnha4cuma423yqbp.fq2vyiizlhuszhuydpum4idddhya2c.fpxo25sukqaes9wulbpvno4ewj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | narlh3qqylqjhpycympds3cqdyf.jhvyi42lqjuihupgsul4iqmrwh.ypqzlqn2vyctmpdt2cqwbdddg42vd.fpxo25sukqaes9wulbpvno4ewj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zog496kddyddddddecxb.raeylvhjgdafsb6i92hrcl662b.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddllbl.m4pucekfjj5jcq2osk59lhftei.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlo9g.x3jnbgkbuq6uc9nfcme5btktzh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyvir.l9gf4dqoqaaks9hogwd24fmwfb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl9ec.fu3vqufp4jejchw9gxtllriwbj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddggn.aqu9qwffc9meceudl4rj2b43qb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddydjq.h44z3jxeuch5srnrvrazdmy35h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddytiw.abf4c4pcsp6xs2692orma36zgb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpusw.jc4b9uojk59gs3h56v6tc5dxmi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpaed.gatnm44wrdxxscnbdhxnjjxyoi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl6ah.mfkfxdqkaruocvjtdmfm5oy9tj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyqmn.z3yhkgbv3h3mcuesbxkpak9ytc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyl4n.2c6xmiqaq6ftseeleitkah45mj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddljkk.bk5kznb4gv3nsheoomdj3erf6d.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl5hc.is6jg9x3dnyece2l3q2pzcp2nb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpwun.hpezyv6ehikjcfnwuo9ariynwi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddykbj.pcaysfgoq4efcyesom4mddh29h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp2vl.z6f95f2q6cewstubtf23m2qcxh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddihh.y3yrefglq3uccinsohc53a6udi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddytpl.6n2olymkdw4oca25fevwvmvdjk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlenn.q2hx9nmbk3sls2e9dhk6edrr5g.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyovf.l5lqhlobpqh6cjjxgk2oynst4k.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyulw.hyusmvxlaqbasc6m3fzhetgamc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddcjx.qlty2bege35dcbwe4lh54zqreg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddq2x.h5vzsvdsq5ffcuwzfzull5psyj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddllun.o3wvcamq2on2cpnlae3jwldu2h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlnci.cabeyx52xeg5sbjl93xjxamuvd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpm9q.bx3ioivyjf2wcrn6zzuftpxcoj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy9rf.agltf54nc3mssxnb6qf4zi3rod.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddliyk.xfbaxd2v6p2ccy22ndzzyhf4ti.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyvfx.6nsoig6wzei6caethzgn5qdc2h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddhfn.5olk9nnfngodsajgpvgflkj4ej.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl4tm.vatspkq4tvo2s6wswhd6w4atlg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyusj.n3f3xrqvmmfmct2tmf9wbryo9g.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy6or.9ucwdsfuahocc3wmxyycxsv5lk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyumb.kgzrdvpwrribsn6h9mn9xjaotb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpflg.kfgxkbmuv4m6cp2k9n6qmuv3pc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpp4j.6j4eonaxdpfvssuwkfqupclnji.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlgoi.j2rqofryqx4ncyuse2ocrosqjh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddle4n.trcpbrrzapelcajyhpq4t2kzug.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlgod.mky3upiho4x9s5wq9c25p6wi9c.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddygkh.bsmucj66ymnyc3jdt6iy3ejtkb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpbif.w4pm9vsxnphdclehql6but2t5i.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyupg.jmat9sfoxlfusq2bnitvfweish.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyp3d.mhog99mmnrjjc5nypq9fhv9nkd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddisb.wejvrgx5tcmjson2ooguk4gjck.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpisf.mawblekmpe9gsl2zkitmpxwldh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddzem.pfq2ptpchhlvcq2do5b4o3porb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl9fh.ajoepvbqjsw4ctuwpjnchkjnzh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyfww.3ltvn9h2c3x5slh39fagselv3c.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyhtf.9fshlavhg3u9cluogttyfr226i.xyskencevli.com | udp |
| US | 8.8.8.8:53 | efkezwpdxpsq3lsdvhf2yizgrp3n3wlkia.ocifahpdaeoeihydf6td5ndgasjggcqhow.c3andmjjdr5cf2nltlaqpdadjpgbe3.oqszygndzp3glhs2sjiqifdlddddqdddddyxjo.y92m62vhg5pvs4hlsbyelx9wzk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | 2e4hgwmmbnujil5gadvcuogbi.vowcbtn52bdujam2ald32riizplytccu.and22cqfbcdzbdrydnshadcjzpwgp.sc2amq32aikgajyopcogfnhzcqmbiqggyr.3pfs2vycjgddydqjji.y92m62vhg5pvs4hlsbyelx9wzk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | bbch3zdjcgqhjd5cgbd42zpjqgoch3zrzy.iwdtihxgfn33dcjfch324jc.mrhjltcg3vdddld9sqg.y92m62vhg5pvs4hlsbyelx9wzk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zog496kddydddddd6xib.uznzg5b6zr3bs5uu5ptwfetx2i.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlx4r.rutdgfq6ttlccl69gete4poc3k.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpc2d.h3quua3lcgv4sr2jmcf5ek4zfj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy5rg.h2oqhm2dnxacc9jxf5sqpdvegc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddyjl.ocpubgjwjygecduy2pz4ocfgad.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddds6n.olptypf9owtecy6evrwwbdeqgi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddl5j.tj3ktqnvsj4zscux6ogqbw5twb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddtaq.5mxygyibavods5jqgwr4v2nx9j.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddyxq.3edguw65blshc6ubz6gb5mdvnc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddylb.naqbhoapbumbcduaw2tscr4klg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlsqr.ij3ct3iljfklcouzqod9dyoyib.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpoax.nkxf4dus4mvzsc6e4fwconjkig.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpelb.tk2zargishiesdhsoyez4k4wnd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlbol.ew3cilcm5llgc3eiucte4nagfh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlzrc.efeevmlvxfyyssnouxfotmuklb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlx3i.b9hrp342eppjc42cvvsumw665c.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp66n.f4bap9l3aobssc24e3ak9uyoah.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpwim.a36u96aizkl2ct2rvbcpjasoni.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddps3r.2bnkaohn5m5ksbe5urr6jlyuug.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddd4b.h2imzyimlaows6j4sbt4ub9yri.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyavq.2imgqtoc9ewmcpeinima9rdsvd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyxyl.dw5cb4dvyxg3s62dukig64g2xk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddym3b.lnmyun54nlbhcq2cq4qn6jehzi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddluyr.kjoqbmu29rkvcfjljlwjrqq3zc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddhvj.f9g6bg9nx2p9suh5rrwaqk4ati.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddljpl.we5xtoqu42ersa2fm6hef5uifd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddrdk.klhxlc6lkexdshhzknjl63r5gk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddd2vm.kje2kmswa9jks6wq9tdtitityj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddd3bk.yyr3kxbvqfats4naqbewqpy24g.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddxtr.ivedfnu54svfcand5kbaizyrpj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyxdl.io4psrdxofs6snhrd2bgoisa4g.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpgxf.vuywahdpt34esp2wjqihcrji3c.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl5xf.k4izh4cwgho5cfexf96eqawmrd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddl3br.aoex3wymfxkrsu2t2uj3jgqohi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy4tj.u2wjkzr9pp5ic3u2o2yvvlztpd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddp53i.caofjdptii5ssgj5l3luwqvolh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyebb.dqiwroudfbjgsdhoip9s2ffq9h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpzzf.xbonrydus4b6c569qovxz5wz3c.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpi3m.kv2gkhmc2n5vslnulsowh4e4ud.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlyrb.ngrslizqxrc6sxnagzyqq3qbgh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddarq.gdz5ynlta9wesi6nd35xmyvhbj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy34q.rq3ndpicq3axc36zivrrivxxub.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddycoj.vv53gudbfvz2ctempds5tvtn3h.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpbob.lln3sx9biynbcm6bdpcpeil5th.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddy2q.rwg5lcgynvkmszno9it5bpwuub.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddps3b.piq6djn46j6gs5ufy3u5ec9lyh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyqtr.kte4unyqubljs2ntgbshy4sbfh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpeof.meqys95jtwubswnzcgksp3skzh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddjbw.wmy4cleboky3smuopinfbjumxd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | efkezwpdxpsq3lsdvhf2yi.zgrp3n3wlkiaocifahpdaeo.eihydf6td5ndgasjggcqhowc3andmjj.dr5cf2nltlaqpdadjpgbe3oq.szygndzp3glhs2sdyddddpddddddcvug.xd4teiu3eju4cxutuqxzgtuyxg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | 3hu2imrwzdossgif3hs6yqyrhvv.yz25fk2zntwagdf34caqcym.au22lqcpnhhvqidmmhutghypgy.jldinzqdh3lqodqnha4cuma423yqbpfq2vyi.izldddcdjtld.xd4teiu3eju4cxutuqxzgtuyxg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | gfelgfldqvc6ht4jczmjjlcj.bgqlhpcqdemhjdpibzrphwmcjbvhgf.4dnfc6husjkglqulcjiarl2ecqynmhj.ogddyddpvh.xd4teiu3eju4cxutuqxzgtuyxg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zog496kddyddddddutzb.43zk3chx6llwsuw4ygelsseeab.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddddkj.brraxm2kbuvvcr2isf95mfkvth.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyrvg.b54fearcyfpac6ninuea62nghh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpmqg.clyvopbu39zwsmh2o6ekarpubc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddd2gw.9i9buystqxf3cywrcoyhpe9l4b.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyzqd.yli62t5mrqorcejwyvedrxsdjg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddybrl.62xgch444w29s6hliv6z5brich.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlgvk.ne3pmpkh4pyhcr2cszudcltqgg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlsii.puwgvehv5b2oswuoqmiivfifjk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy4af.tnpqvphmc5spsuhqcjxn4wzt6j.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddls3x.2uz3syo9mnoksyugspbzv4fdmi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlqhj.pfsg3nwv4hg5cynivlq9puncak.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddypbb.uipua5mkf3txsbjjmt222up4rc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyivd.ahmpdqc2yfdvsun5b2djbqlo9k.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddw9w.n4x46zya443fchwl22gvn5z9nd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddsnr.cbotkx2wnh39seweesypdnided.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy9gh.dw9j9igcgbmlsq2he5jl5oifec.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlpqk.tl2w9adiiwzosy6kxtioof3shd.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddnjx.eahhir2u9enns2uu53ekbrlibj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddydjl.y5hprcl9j3u5c424rdojqce5bb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyihb.obhotfbpshzwcrwpmfowftsa6g.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddytag.63awkleq6y4ws3wtpz9nkqipmk.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddy3dj.9l4ro6yubgg9se2ciy6zlikrqg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddatm.fyhw2enlyzq2scnr46be6yy2wj.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddds6x.vtxln5b3f4y9cxhs44x4kfwjeb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpczl.srdwiupvlirqch2eugv6fbjhyh.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyjtj.y425k36ulslccwjeaf5p9hv5li.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddynrm.2dp6sxhezws4cpeynsc55liroc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpr5d.pqdoyowttt6pc4hqlcadfwznyi.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyfmr.erjya6ca3s4wssehqwgibqdhac.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddm3r.r9neunoodzrysh2gdxnfqkzt3j.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddyurw.s55texnh6iyxsbhcdbt33oq5td.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlqof.2osrppri3cipsw6p26kxf9othc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhddddddcxj.y5jljhxbhsx5cf2oim6xqv69ch.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlqkd.oqot4itu9tvbsohyvu5brmwmyb.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddlbkh.lhznq9cmnk3qswuhrux6mwdqjg.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddphjl.y26bghisdtdtcjurcpnc6kslig.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddpg9n.z633jouldmhzcn6nd2mso6zwpc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddldri.cn3plcy4psq9c4w93q2n92okbc.xyskencevli.com | udp |
| US | 8.8.8.8:53 | ao9zogddddddy999dddhdddddd4rg.rufs6hgaga6us3w2necsfltjik.xyskencevli.com | udp |
| US | 8.8.8.8:53 | udp | |
| US | 8.8.8.8:53 | udp |
Files
\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe
| MD5 | 86fefa2e8be486a49782d4d04095015e |
| SHA1 | f29d6b5c8777028eeef161729b153b4d6e8ba28a |
| SHA256 | a8a8c66b155fcf9bfdf34ba0aca98991440c3d34b8a597c3fdebc8da251c9634 |
| SHA512 | 272c3bcd54f580a50f1601f7a6e71a02f33be93aaf975c081ea8042d50d548c9baf8b1401c15bc1fcabcc37bbc326c3ce79037a73425cfaeff58b1afd2e6b92c |
C:\Users\Admin\AppData\Local\Temp\Windows\Temp\adf\anchor_x64.exe: data
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |