LeaseWeb hosted Bootkit Trojan | Joachim De Zutter
July 2011

Malware host: 85.17.30.205
The malware could be downloaded at the beginning of July 2011. By the end of July 2011 it could no longer be downloaded: the host responded with 500 Internal Server Error.

http://www.utrace.de/?query=85.17.30.205
LeaseWeb B.V. (The Netherlands)
Filename: FLVDirect.exe
Filesize: 249344
MD5: f807538b94dba6a0085306f577528730
SHA1: db42f193dbd03b5441de7f15e1999654e347cac1
SHA256: cba78c0504537989091714a45e14e36b8601bfc0f5749be7297bb167a02583a7
Kaspersky FAQ: How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)?

The files Documents and Settings\%USERNAME%\Local Settings\Temp\1.tmp and Documents and Settings\%USERNAME%\Local Settings\Temp\2.tmp were created and deleted.

A file was created:
Filename: Documents and Settings\%USERNAME%\Local Settings\Temp\4.tmp
Filesize: 179200
MD5: c6d355d7d917fbf5dce6ed50f298a01a
SHA1: e34e1432fb7e040a4bac6c65db613186e44a4037
SHA256: 545fe5675990d74cbf192501e78ff22decb8db65944fb9793fb34656de78bae8

The file 30158C~1.EXE (identical in content to 4.tmp above, see the checksums) was created, executed and deleted.
Filename: Documents and Settings\%USERNAME%\Local Settings\Temp\IXP000.TMP\30158C~1.EXE
Filesize: 179200
MD5: c6d355d7d917fbf5dce6ed50f298a01a
SHA1: e34e1432fb7e040a4bac6c65db613186e44a4037
SHA256: 545fe5675990d74cbf192501e78ff22decb8db65944fb9793fb34656de78bae8
The Master Boot Record (MBR) was modified.

The sandbox's emulated BIOS then aborted with the following message (INT 13h function 42h is the extended read service; the BIOS refuses a request whose LBA does not fit in 32 bits):

QEMU: FATAL: int13_harddisk: function 42. Can't use 64bits lba
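The page only records that the MBR was modified. The script below is an added example, not code from the original analysis, showing how an analyst can verify such a modification offline: it parses a 512-byte MBR, decodes the partition table and diffs the boot-code, partition-table and signature regions against a known-good copy. The two sectors at the bottom are constructed test data (assumed values, not the bootkit's real MBR); the remark that MBR bootkits leave the partition table intact is a general property of that malware class, not something the page states.

```python
"""Detect modification of a 512-byte Master Boot Record against a baseline.

Added example, not part of the original analysis: the page only records that
the MBR was modified. This script parses an MBR sector, compares it region by
region with a known-good copy and reports which regions changed. The two
sectors at the bottom are constructed test data, not the bootkit's real MBR.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE = slice(0, 446)     # boot code (incl. disk signature area)
PART_TABLE = slice(446, 510)  # four 16-byte partition entries
SIGNATURE = slice(510, 512)   # must be 55 AA


def read_mbr(path):
    """First sector of a disk image or raw device (devices need admin/root)."""
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def parse_partitions(mbr):
    """Decode the four partition entries; unused entries have type 0."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    table = mbr[PART_TABLE]
    entries = []
    for i in range(4):
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, count
        status, ptype, lba_start, sectors = struct.unpack(
            "<B3xB3xII", table[i * 16:(i + 1) * 16])
        entries.append({"index": i, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start,
                        "sectors": sectors})
    return entries


def compare_mbr(baseline, current):
    """Region-by-region diff; boot_code_sha256 can be matched against a
    list of known-good boot sectors."""
    for name, blob in (("baseline", baseline), ("current", current)):
        if len(blob) != MBR_SIZE:
            raise ValueError(f"{name} MBR must be exactly 512 bytes")
    return {
        "boot_code_changed": baseline[BOOT_CODE] != current[BOOT_CODE],
        "partition_table_changed": baseline[PART_TABLE] != current[PART_TABLE],
        "signature_valid": current[SIGNATURE] == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(current[BOOT_CODE]).hexdigest(),
    }


def build_mbr(boot_code, entries):
    """Assemble a 512-byte MBR from boot code and (status, type, lba, count) tuples."""
    code = boot_code.ljust(446, b"\x00")[:446]
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    return code + table.ljust(64, b"\x00")[:64] + b"\x55\xaa"


# Constructed samples (assumed values): a clean MBR with one bootable NTFS
# partition, and an "infected" one in which only the boot code was replaced.
# Keeping the partition table intact is the usual behaviour of an MBR bootkit,
# since the original OS must still boot after the malicious code has run.
CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100,
                      [(0x80, 0x07, 2048, 204800)])
INFECTED_MBR = build_mbr(b"\xeb\x00" + b"\xcc" * 200,
                         [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    for p in parse_partitions(INFECTED_MBR):
        print(p)
    print(compare_mbr(CLEAN_MBR, INFECTED_MBR))
```

Take the sector from an offline disk image rather than from the running system: a rootkit of this family can filter disk reads and hand back the original sector, so a read through the infected OS may show nothing.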

A DNS query was performed for treet-0rthret.com which didn't resolve

A DNS query was performed for analytics-evasion.com which resolved to 195.3.145.251, 195.3.145.252, 38.99.180.98, 194.11.16.142 or 194.11.16.143. When that query did not resolve, a DNS query was performed for serch-iteration.com instead, which resolved to the same IP addresses.

http://www.utrace.de/?query=195.3.145.251
http://www.utrace.de/?query=195.3.145.252
RN Data, SIA (Latvia)

http://www.utrace.de/?query=38.99.180.98
PSINet (Toronto, Canada)

http://www.utrace.de/?query=194.11.16.142
http://www.utrace.de/?query=194.11.16.143
LLC Dentalis (Russia)

An HTTP connection was established with 195.3.145.251

An HTTPS connection with 91.213.29.63 failed (3 SYN packets sent)

http://www.utrace.de/?query=91.213.29.63
Info-Media Ltd (Russia)

A few HTTP connections were established with 38.99.180.98

An HTTP connection was established with Microsoft's Windows Update website

An HTTPS connection was established with 188.95.52.162

http://www.utrace.de/?query=188.95.52.162
Server Boost B.V., Rotterdam - SmartDC datacenter (Rotterdam, The Netherlands)

A DNS query was performed for tr1ck-track.com which didn't resolve

An HTTP GET request for a *.gif file was sent to 50.7.245.170

http://www.utrace.de/?query=50.7.245.170
FDCservers.net (Chicago, United States)

A few HTTP connections were established with 194.11.16.142

An HTTPS connection with 91.213.29.63 failed (3 SYN packets sent)

A few HTTP connections were established with 195.3.145.252

An HTTP connection was established with 194.11.16.144

http://www.utrace.de/?query=194.11.16.144
LLC Dentalis (Russia)

A DNS query was performed for shealake.com which resolved to 208.73.210.29

http://www.utrace.de/?query=208.73.210.29
Oversee.net (United States)

An HTTP connection was established with 208.73.210.29

An HTTP connection was established with 83.133.121.222

http://www.utrace.de/?query=83.133.121.222
Lambdanet Communications Deutschland AG, Greatnet New Media (Germany)

Files named setup.exe were created and executed; their download location and content vary:

DNS queries were performed for leexogroup.in, podpeopleinvasion.in, boundz.in, atgabfest.com, ... which all resolved to 66.96.214.213

An executable was downloaded over an HTTP connection established with 66.96.214.213

http://www.utrace.de/?query=66.96.214.213
Network Operations Center, server1 (Scranton, United States)

An executable was downloaded over an HTTP connection established with 83.133.123.165

http://www.utrace.de/?query=83.133.123.165
Lambdanet Communications Deutschland AG, Greatnet New Media (Germany)

An executable was downloaded over an HTTP connection established with 109.230.220.92

http://www.utrace.de/?query=109.230.220.92
Marcel Edler trading as Optimate-Server, xsserver.eu Dedicated Servers (Germany)

DNS queries were performed for usespot.in, spotrose.in, gigfeeder.in, ... which all resolved to 64.20.35.165

An executable was downloaded over an HTTP connection established with 64.20.35.165

http://www.utrace.de/?query=64.20.35.165
Interserver, Root Services (Secaucus, United States)

A DNS query was performed for www.irida.nl which resolved to 109.72.85.37

An executable was downloaded over an HTTP connection established with 109.72.85.37

http://www.utrace.de/?query=109.72.85.37
Provider: PCextreme B.V. (The Netherlands)

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 112640
MD5: 2a8f6da352eb2bcafbc32773725df945
SHA1: cf2390ae035a55dc4563d77a2c85078a07eafd20
SHA256: 315a7cacba18f706a0e185590f9afe499538f0fee7b782bc61b38e893d63ae0a

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 200704
MD5: 89f8b130ad72285672de651091c85256
SHA1: a887ce03ef1575333e32e688ecac4c08368a8b7d
SHA256: 888e2512ddec1debf3a4c067cff5f28d12b319004fc23f03f82cb78c79ae0f24

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 39424
MD5: b4b4d56f85a1c1f7db6a13b13def0484
SHA1: 5387f33d8847017878363d434b9f7887e1af9a55
SHA256: fb49d0fb6bb8b41225716351a996cb2e0bc59e52064a114710b8b3a25193804c

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 109568
MD5: e1f1f480bed8599fa6dbc8aac6f66bc0
SHA1: e4281e5fab1f6fa87b855b21e52eda2ee0abeb58
SHA256: cc8a9159a34153b647df3194d39ec8402c42e7449ecd8b1e7e8f8a8147013611

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 197632
MD5: a327b900d36b6cb0874f3c56638cc5bd
SHA1: a0bc3c29ed172435c6e062e7fbd12fa40021eace
SHA256: 9930c088d0901efee986fae923636faae54feb2924494205d6085857a7a735e6

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 197632
MD5: 62be69ba52db5afc1b4c4ca6ef4024b7
SHA1: 808a05df788de8d55c70f8e74ad4700e3fbdc5f2
SHA256: 75de935ddcb3d2275541079802d2d24c490d4149c8c5d866aec8ec2ba293c37d

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 41472
MD5: d0996a5a499a6c5fe59a1219604c9800
SHA1: 53d406d4358024ee3167f222a030bfc1f9aa77d3
SHA256: e098c62d8c7c26eef2c0e53a9ea2e1fece2f37805040badaf73c8e1ffe759a5b  

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 262999
MD5: 050933035eebdc8d95422e949f8e8a8e
SHA1: 0abfa80de9394ec5c87a4dc71d06e7a18c8bb960
SHA256: 69e825cb8f6eb16c668df7971165e03b02626e5987ab83a743538f4e7f3e5ce2

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 15872
MD5: 017a04db64a110c56e906506b0cea52e
SHA1: 4c94c147f6b2d28c98c655260578408f3896f724
SHA256: 5882104f9e5c6863fdc6c5667caae00421b94e1871ed61de15666f613bef180e

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 210944
MD5: 666fd113369dadafeefbad3189940d9d
SHA1: 2c781dcae6f9392ebf8f205389a83a565f1601f6
SHA256: 8bdfdbbbf1c689ed1dd96fe347ab467d119ee7aa508c04c6b0a591637894448c

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 116736
MD5: 24765ccd5a13716c8b98670ae7a7d7e3
SHA1: dc47cc36b166c0d3f028b8ef78be25150217466f
SHA256: c2d6d06824ac45ac9b17efb1b432586e8491b65b869ed82ba48d646ec8956842

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 116736
MD5: d55fcabfbc1983795bbf2ffd60802c55
SHA1: b6e9864ddcdee73ccbcfb9b51e1a6321481f7220
SHA256: 44d58c2d1e2032701f4ebcaceb7f846c03fdbe6d849decc913a0d4f520968f4a

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 218112
MD5: 03f55e2afa1d1ed1861c81ca877b8d21
SHA1: d61b1508127047698debd064f93454523b2fe0c1
SHA256: edfd302c21cf0988f245feef4dd6ed92e447ecc8e916d690dba3a7bfb6e50d35

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 119296
MD5: cd49c321367b97de7fbb3a0c820b157d
SHA1: 34009557f53408be5889330a6d669dc3b3d079f3
SHA256: 2c25336e5472598eb45a699abab28d6ade0902a69bb5ab35de83cd3d028da1a3

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 249344
MD5: 92e0608d2d0c24519ef6d49cf4d6a949
SHA1: 478f9a49b2f1eb08b6aeae4561287b1206a6def0
SHA256: 98c656ae21190e03ed3b4c1b8bca78a0793f67b3f8be8aedbdbc45c2544a53fb

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 39424
MD5: 8720e0cc8596093aac10d0ecff36b4ca
SHA1: 038fc70d1e81953efee2ef4f71c53149ebf17869
SHA256: a94f10cb93f5c6b153563a9c51b881fa25b77a25fac5353758ea9eeef7ee2332

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 38912
MD5: d73c81540a155ac8534eae88067557f5
SHA1: f8c5f7896e8956d47fd49f2fedc0403ea80f0006
SHA256: f9d8b0759cbfc62b40d5fd1846927b0ddb11ea95e17c8289bca7cae99de69618

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 249344
MD5: 2c0758a60b718f8bcd3a7e99d8485fd0
SHA1: 7c60f37728910132b291e428556a1099bd73c75a
SHA256: ad77bd3f50caeb6a6fa22f9747889f55a9394139d8e3792a824e9dcb9a39f28e

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 229376
MD5: 34a521c54878a394c3ec9c84d557fae1
SHA1: be34325cf22e9f5e0044894f2578623be4db51b9
SHA256: b4e09b9dd5b6534b44bd452bf71d6c2169472f571fafe2dccc8a0f357bc80de7

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 1041408
MD5: 94f2cb6111a98f21dccfba9686710726
SHA1: 8c4087a9eeae7d79d36149e5893ff556d4b08d42
SHA256: 724c8f6b3695f783dc52b6c477ac09d6ab3a4ea4f4824319a8cc50da56938939

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 1067008
MD5: f9f4994998c8df53de1677765bbdba2d
SHA1: b81fc1a7b43851aea7d6aea7220c60bfa4cc030e
SHA256: 27226e9cd589870096cb105c346ed0b14768b83e18cb1eb3ae5bebaf3fb3e9ad

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 41984
MD5: a03e154b8c65162fc2fa46586b7c8856
SHA1: 81a4bb0a43e01e18587e5e071696d06fd4c1c3b0
SHA256: 9ea14d38daa4885916e5c41df9336d5541686b58dbea4735053be7a516392ebc

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 42496
MD5: e91f300b294be5ba3f30ae021ca2f9d1
SHA1: a7a410dfaba4ef5315cd485d6585fd963d9d9643
SHA256: 0fe84c82b1967739195b76279eec43c604a299bf59ed20592358b0b6e20aa6e3

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 39936
MD5: 8efc9d3e2d1c7eadabe9a41ecf813825
SHA1: 9df6f6f83c3ec4979d6055d483b0f295575b2b32
SHA256: 1bb2f14db3f3bb0c2ea781561cad325e7f66753cf52c8051c01540c5a046e14b

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 126464
MD5: b41930c9dd2c13eb7e30440dfa622aa6
SHA1: 8b7671be52bd6fe7f6ae6ce71afde5283d20e2b8
SHA256: 60a749609a97eb47e4024d9970e4fbb2935d057086f285d3f56a6a79a8fed34a

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 266752
MD5: 28abba2401c54a3b893d72ccbd15bbaf
SHA1: fa2e1e87a3bad2cd9770d4716596aceb45b2f344
SHA256: c23fb6e373fdad9ac43fc869fdbc71a5db026c9d3000971b52dd851c6349d744

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 128512
MD5: c4496b828268a1a481af0e6aa4cb9c89
SHA1: 405570267edb12d225e0077fb4720417ef67bbaf
SHA256: 994555c2b47f87623b8fa7e7b7d173b9cf9c4f9a962a0fecada69db0d1809c1c

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 336384
MD5: 2b80b02550a41712f4e98223fca86908
SHA1: bacd69834e1db2af7a765389d6317afaf619ba76
SHA256: 31d9b3d5a3849e37332459f47330fc13b1b818337040ad1743f26b116dcb4ffe

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 59904
MD5: 8381d77777a389d5130bd7fcda056803
SHA1: c47cec8f908b6d2378a96053cba8fe6760e5d5e7
SHA256: 76cc7000ddf77efea223adc6d5ed5993f41bf05ada1bef283f6ed21e5171f9f6

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 126464
MD5: f04459b5403a1ccc073b79edb90e5eb0
SHA1: 75d5138d1db5a939ff6feb0eedde620083ad6040
SHA256: 4fc8925fa7c3b6b8caf670c7731989039c6dd5298cfb2da7f579ad0c719a380a

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 15872
MD5: 45834894993c261517144659c44b771f
SHA1: c6a97d40fefcae97c366fd9e6058430712090dca
SHA256: 06fc7306938cf08d9e0583f94fc0b7b2831afc79c5af71f0bdbd19506e400266

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 188928
MD5: f907e349ad02df10e179d6eaf3766610
SHA1: 2f84a93ef57c28ab0007cf3e8c89df4487c20420
SHA256: 80438e141d2924550ccc8c4e48aa5a9b2404dc66399744ce42dac352e6d9ecba

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 200192
MD5: be327579186179a1240e249098b96829
SHA1: 3e2793f988a4598d2793faab035979adb2772cf4
SHA256: 5f2a8b7e51ed8fb5b4172665353c0de21020eec8de0c334625ddb6eeb8249de6

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 187392
MD5: db4d67de5127e180c06c53af94a2b864
SHA1: 251cc071ada3561b74615fd419e49e8a33132a2f
SHA256: 694b508a462eef98dcf942b3b67ccb7f89dea44ceacbb340ff97552e653d784c

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 123392
MD5: 0c1daceed8fb98d3ea01443d29a10a8e
SHA1: 7de3cab943aeede74386d09baa0fe19a971c304c
SHA256: d85b5d06113906918c5f344c9908734dfd3f71e5c9218fe70973c2e344d9a658

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 192000
MD5: 6c7bc60861b09a91c5d6f943ef7e8d23
SHA1: cabb05989f8d47f4e07fca14eaa8985502c551a8
SHA256: 076d8afd28931b843819442f0df49694985f5a93deaa4544e98c2be8511eb9c3

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 39424
MD5: c7cf68483d39c18b93ad35ee93c70f47
SHA1: 22fed92bc1f252fba898d6a01c47300c6a9a07d0
SHA256: edfe97182fabdee69c027cb7d092365649c91ed286fed19435ecaa79a8720846

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 52736
MD5: eb79a5afc1c2115eb4a4084360fbcc5e
SHA1: b28f00be799e8a18c3c030c392cdd6b3edfa3ade
SHA256: 228f87cf946d112ef2f2c2e6c6cb040a7bbc4a696799c322a37d7f2ce7b3cf2c

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 167936
MD5: dc8e771b3ff260dc72384d86c38c1529
SHA1: b65f8e1bb26ca4d6aa56d299b3a0afec640d1735
SHA256: 15cf9a70b73e8a073abf9838227f04cb007cc186fec200f03f83d84b2c76f1f6

Filename: %WINDIR%\TEMP\[6 random alphabetic characters]\setup.exe
Filesize: 149504
MD5: 6e9059a31802f7b4fa7ec9ffaf45c727
SHA1: fe2b0f4c2ffe9aa478b0676bf84a3a8f24b3ffb5
SHA256: c7e16b13216cb3cb00fc9331c38b873e3c7d87febb2c9028f6c48c8d4616f990

...
At some point in time, a *.bin file with the following checksums was downloaded:
Filesize: 342635
MD5: 3c522479cf81a8ceab71a6ce238b3134
SHA1: a381ffc68b2f2f5d60001c9b06befd6eac062231
SHA256: 82783ec486bfd71c1940892bbc15251a177b553ae440215a9cc0376e3ee45a2c

The following error message was witnessed:


A6Macro setup ix has encountered a problem and needs to close

A SYN packet was sent to TCP port 80 on 95.143.193.138
http://www.utrace.de/?query=95.143.193.138
ServerConnect Sweden AB (Sweden)

A DNS query was performed for wiki-0rganizer.com which didn't resolve

Attempts were made to reach TDSS/TDL4 command and control servers over SSL:

A DNS query was performed for mo0nviser.com which didn't resolve

A DNS query was performed for lo4undreyk.com which resolved to 68.168.212.18 or 93.114.40.221

http://www.utrace.de/?query=68.168.212.18
Interserver, HONELIVE (Secaucus, United States)

http://www.utrace.de/?query=93.114.40.221
Jump Management SRL, SC VOXILITY SRL (Bucharest, Romania)

An HTTPS connection with 68.168.212.18 failed (3 SYN packets sent)

A DNS query was performed for sh01cilewk.com which didn't resolve

A DNS query was performed for cap01tchaa.com which didn't resolve

A DNS query was performed for kur1k0nona.com which resolved to 68.168.212.21

http://www.utrace.de/?query=68.168.212.21
Interserver, HONELIVE (Secaucus, United States)

An HTTPS connection with 68.168.212.21 failed (3 SYN packets sent)

A DNS query was performed for u101mnay2k.com which didn't resolve

setup.exe with MD5: 8efc9d3e2d1c7eadabe9a41ecf813825

The following files were found:
Filename: %WINDIR%\TEMP\hki4900.exe
Filesize: 112640
MD5: cd6c7873300503975c68fbab352af265
SHA1: d4d5505c43e1bf150db341bf62dc8d61cd8cca47
SHA256: b2a1b1dc8b9ea4f2f83a108857b8887f6ccbbbf42ffd550337378d6a9f9bef51

Filename: %WINDIR%\TEMP\I6nJ7m4s.dat
Filesize: 120602
MD5: 4b9d99907f69a336f364f3cd94cb0f7d
SHA1: 2cc921e45433dd1b82d267b300a8f08a0bddfa4e
SHA256: 838353f32ae3d17a2da56893a901ca023bdbcba5dd6fdd3ae016a2c4b3c76cf5
Or:
Filename: %WINDIR%\TEMP\hki4821.exe
Filesize: 109568
MD5: 98f65e3a48d3f46b24601260aef84103
SHA1: 9080742a1141c32d5a9357ed8cce6ce19d184c76
SHA256: ea1097d89959ef42006a7ac7a12dc6fb2c45fa171738e989d31a18beca0e4189

Filename: %WINDIR%\TEMP\I6nJ7m4s.dat
Filesize: 85516
MD5: 13c932ed3d4faff6096ac7e60a2a32e8
SHA1: b546e86b06c4e49333ab8d5d4596e2ff3bd015e7
SHA256: c6158dbe97f7e45cd1636f121c160ea0199823a604ed808c92836e505d750e35
Or:
Filename: %WINDIR%\TEMP\hki4236.exe
Filesize: 113152
MD5: 49d46a149be457f0fa60445b198b4be0
SHA1: 44fa236286a9e477298977aa926fd277ff1e4df7
SHA256: ad6153a4daa10a2b9d205f3d33cf0e46deb2f764552b4a8cc6a7581fb55dbbd6

Filename: %WINDIR%\TEMP\I6nJ7m4s.dat
Filesize: 122352
MD5: 6c161e86b4c1714c07c016187c7bceaa
SHA1: a5561181f4286e8076071a42d54d68bddfcc1cad
SHA256: 043ffb9c1b629a3e17ca65e352f6246eb7c8cd1f31a6e533a1c16a7fab00a0c4

...

The following error message was witnessed:


RUNDLL
Error in InetCpl.cpl
Missing entry:ClearMyTracksByProcess

setup.exe with MD5: d0996a5a499a6c5fe59a1219604c9800

HTTP POST /CallBack/SomeScripts/mgsNewPeer.php
HTTP POST /CallBack/SomeScripts/update25.php
HTTP POST /CallBack/SomeScripts/mgsGetMGList.php
...
requests were sent to 194.242.2.60

http://www.utrace.de/?query=194.242.2.60
Stilcom Ltd (Russia)

A connection was established on TCP port 3000 with 194.242.2.60
A connection was established on TCP port 3000 with 89.149.209.156
A connection was established on TCP port 3000 with 89.248.165.137
...

setup.exe with MD5: c7cf68483d39c18b93ad35ee93c70f47

Performs similar actions to setup.exe with MD5: d0996a5a499a6c5fe59a1219604c9800.

setup.exe with MD5: 017a04db64a110c56e906506b0cea52e

A DNS query was performed for nsm9.smile4angelw.co.uk which resolved to 42.240.106.203

http://www.utrace.de/?query=42.240.106.203
KNET (BeiJing, China)

setup.exe with MD5: 45834894993c261517144659c44b771f

A DNS query was performed for nsm3.smile4angelw.co.uk which resolved to 44.100.79.245

http://www.utrace.de/?query=44.100.79.245
Amateur Radio Digital Communications (United States)

A TCP connection was made with 85.17.95.230 on port 53.

http://www.utrace.de/?query=85.17.95.230
LeaseWeb B.V., LeaseWeb, (Amsterdam, The Netherlands)

A DNS query was performed for nsm1.smile4angelw.co.uk which resolved to 44.100.181.206

http://www.utrace.de/?query=44.100.181.206
Amateur Radio Digital Communications (United States)

A TCP connection was made with 85.17.165.221 on port 53.

http://www.utrace.de/?query=85.17.165.221
LeaseWeb B.V., LeaseWeb, (Amsterdam, The Netherlands)

setup.exe with MD5: db4d67de5127e180c06c53af94a2b864

A DNS query was performed for myriffster.in which resolved to 96.9.179.72

An HTTP POST request was sent to 96.9.179.72

http://www.utrace.de/?query=96.9.179.72
Network Operations Center, Arab Servers Admins c/o Network Operations Center (Scranton, United States)

A DNS query was performed for fivetagdesigns.in which resolved to 64.20.55.244

http://www.utrace.de/?query=64.20.55.244
Interserver, ZarEthernet (Secaucus, United States)

A DNS query was performed for youbeatbox.in which resolved to 98.143.147.237

An HTTP connection was established with 98.143.147.237

http://www.utrace.de/?query=98.143.147.237
OC3 Networks & Web Solutions, LLC (Los Angeles, United States)

A DNS query was performed for myyoubean.in which resolved to 69.64.58.224

An HTTP connection was established with 69.64.58.224

http://www.utrace.de/?query=69.64.58.224
Hosting Solutions International (Saint Louis, United States)

An HTTP POST request was sent to 64.20.55.244

A DNS query was performed for myaitz.com which resolved to 74.91.28.195

An HTTP connection was established with 74.91.28.195

http://www.utrace.de/?query=74.91.28.195
DataShack (United States)

Files named Qkj.exe, Qkk.exe, Qkl.exe and Qkm.exe were created and executed; they consume all idle CPU cycles, driving CPU usage to 100%. Their content varies from download to download only in a 16-byte block at a fixed offset:
Filename: %WINDIR%\TEMP\Qkj.exe
Filesize: 356864
MD5: c2f33a699708682f20d37b5e79ebf478
SHA1: ce1dc559b17ce28b12f3dc66ffa64e873fef68c8
SHA256: f66f4271683a42e0c2355da50d60eaf1cadd0f16789d280adbb65455744f4f9b
The 16 bytes at 0x52b34 start with 41 fa a9 6f ...
When the 16 bytes at 0x52b34 are set to 00 the checksums of the file are:
MD5: fb2de356e1fd3882bd60423c33354a3a
SHA1: d332d87b696e7c0ea0d69be041de688e3f7d063c
SHA256: 46bd9500614f10da5fecf8d17eadc124e5e272c39d9b840cd035b3726bf84666

Filename: %WINDIR%\TEMP\Qkk.exe
Filesize: 253952
MD5: 3a9b76acf9ce8918d98bea01b09c7af7
SHA1: f18237c3d0681a6271672e74876ee3cd3614615a
SHA256: 3df92773b2af23f1a1cf5f3ce0a59997c345da5760c95a5efc20b6b941b07b38
The 16 bytes at 0x39a27 start with 41 fa a9 6f ...
When the 16 bytes at 0x39a27 are set to 00 the checksums of the file are:
MD5: 5d125307501d2e6f7087ef0d74311a8f
SHA1: 9c321b6ce62469ce7e2fda7f5dca93e4be125e30
SHA256: 4e0401eaa2c2b259ec9a76e3ab831295a9c940cdd79fda4bf2316e0708c9993c

Filename: %WINDIR%\TEMP\Qkl.exe
Filesize: 266240
MD5: bb5538c0ca53adde50e0f21b0ff2bf8d
SHA1: 67e21ae515ac35fce524f414007d6f36832f6b87
SHA256: fd097eb8f5f8c1f4341b341f846356c7b81087f5bbc5fa962b0506433f295a63
The 16 bytes at 0x3cd3b start with 41 fa a9 6f ...
When the 16 bytes at 0x3cd3b are set to 00 the checksums of the file are:
MD5: 3cc2a0d8d6451ee21a34d83e4d52fc08
SHA1: 6456ddf8e42ef6d2075eb37fa25498b11e5337c2
SHA256: cb20d8e4cb6474ce12264cfa293b74df998335d1fbb7eed43d97c9a63161b3ac

Filename: %WINDIR%\TEMP\Qkm.exe
Filesize: 248832
MD5: 465d06eb63c3d028cc9ebe24ab274331
SHA1: f5d457973b420b083d93aee97ebb1f611e413ee4
SHA256: 491e68087f95c1b3c5086c0d057f6db7e25053c9a22d4084e93bb12589e7a304
The 16 bytes at 0x38a40 start with 41 fa a9 6f ...
When the 16 bytes at 0x38a40 are set to 00 the checksums of the file are:
MD5: 370060570a289a82cb3ed633fb3c0e46
SHA1: f50010e5735b087402a7c153eda516e51cb8207c
SHA256: ebac3e0c5506ea1ed81edcf4eee5ac342158136b5c744825b0c1eab46b12e748

Or:

Filename: %WINDIR%\TEMP\Qkj.exe
Filesize: 356864
MD5: 25f514c66f68f8c2aeb1b3ae41987827
SHA1: 2ac05c3e2873ec21f14bead3e0ec9de9497c7382
SHA256: e13c40904e17431f5cd1084926d3c6e3d7c79b3b47e2ece41c0609bced5342b4
The 16 bytes at 0x52b34 start with 10 5d f7 a1 ...
When the 16 bytes at 0x52b34 are set to 00 the checksums of the file are:
MD5: fb2de356e1fd3882bd60423c33354a3a
SHA1: d332d87b696e7c0ea0d69be041de688e3f7d063c
SHA256: 46bd9500614f10da5fecf8d17eadc124e5e272c39d9b840cd035b3726bf84666

Filename: %WINDIR%\TEMP\Qkk.exe
Filesize: 253952
MD5: 32a1fb815591220aafb76af6e67384b5
SHA1: 42604ec7cedb744c062b2dc7a3062ef6696f2037
SHA256: d5b7c4ef091255a3de1a5ce9c967bda39fbc8fb1268d0e4657d74788ff1e0387
The 16 bytes at 0x39a27 start with 10 5d f7 a1 ...
When the 16 bytes at 0x39a27 are set to 00 the checksums of the file are:
MD5: 5d125307501d2e6f7087ef0d74311a8f
SHA1: 9c321b6ce62469ce7e2fda7f5dca93e4be125e30
SHA256: 4e0401eaa2c2b259ec9a76e3ab831295a9c940cdd79fda4bf2316e0708c9993c

Filename: %WINDIR%\TEMP\Qkl.exe
Filesize: 266240
MD5: 8f5b8a34f35f7f1bf79ac079dabf3b66
SHA1: 889f68ddd7312a3d9c7a21937b57fbda37366c86
SHA256: 2267b36a9c62ca4f1720edf188768b562a7c0df6edee00ddb0925129f5d7f473
The 16 bytes at 0x3cd3b start with 10 5d f7 a1 ...
When the 16 bytes at 0x3cd3b are set to 00 the checksums of the file are:
MD5: 3cc2a0d8d6451ee21a34d83e4d52fc08
SHA1: 6456ddf8e42ef6d2075eb37fa25498b11e5337c2
SHA256: cb20d8e4cb6474ce12264cfa293b74df998335d1fbb7eed43d97c9a63161b3ac

Filename: %WINDIR%\TEMP\Qkm.exe
Filesize: 248832
MD5: 07d56a0e6f70d567d0e20cb1a48f8c09
SHA1: 9610434b0ae81f988b19ca485cfcc51f77108bad
SHA256: 0865ce43b957967a7c52650f356351234e11dea0170b6abe8a7e7da610c3c2d4
The 16 bytes at 0x38a40 start with 10 5d f7 a1 ...
When the 16 bytes at 0x38a40 are set to 00 the checksums of the file are:
MD5: 370060570a289a82cb3ed633fb3c0e46
SHA1: f50010e5735b087402a7c153eda516e51cb8207c
SHA256: ebac3e0c5506ea1ed81edcf4eee5ac342158136b5c744825b0c1eab46b12e748

Or:

Filename: %WINDIR%\TEMP\Qkj.exe
Filesize: 356864
MD5: f7d2baf0556fcc0dfdaa028397edbe1a
SHA1: 8e130181b67c176e4ef661c63558113906428c79
SHA256: 1abd79a23c9d6efa127a3cf191d37d90d5b86fd43eaa5bad764d90755cf53b26
The 16 bytes at 0x52b34 start with d8 5b db 03 ...
When the 16 bytes at 0x52b34 are set to 00 the checksums of the file are:
MD5: fb2de356e1fd3882bd60423c33354a3a
SHA1: d332d87b696e7c0ea0d69be041de688e3f7d063c
SHA256: 46bd9500614f10da5fecf8d17eadc124e5e272c39d9b840cd035b3726bf84666

Filename: %WINDIR%\TEMP\Qkk.exe
Filesize: 253952
MD5: 506a3c4f92fb1eea4c99f10941e4f4fb
SHA1: 421d0f7e60d0618e5c40e144dfd62a0ea7fe9a0a
SHA256: 51951b9634d2a10d150bb10abfad6339d8d7894d89245632fa53affe2029ec84
The 16 bytes at 0x39a27 start with d8 5b db 03 ...
When the 16 bytes at 0x39a27 are set to 00 the checksums of the file are:
MD5: 5d125307501d2e6f7087ef0d74311a8f
SHA1: 9c321b6ce62469ce7e2fda7f5dca93e4be125e30
SHA256: 4e0401eaa2c2b259ec9a76e3ab831295a9c940cdd79fda4bf2316e0708c9993c

Filename: %WINDIR%\TEMP\Qkl.exe
Filesize: 266240
MD5: 9d642ea4e6723c1b0e5202d40e011061
SHA1: 4e83fb60a908fe246acf2f7e72f7a9fa8bbc1dc6
SHA256: 02185a0bdc9127e228c79311ef7c8d6a1a3549ba66ddc3b5b3cb80f2d8226a43
The 16 bytes at 0x3cd3b start with d8 5b db 03 ...
When the 16 bytes at 0x3cd3b are set to 00 the checksums of the file are:
MD5: 3cc2a0d8d6451ee21a34d83e4d52fc08
SHA1: 6456ddf8e42ef6d2075eb37fa25498b11e5337c2
SHA256: cb20d8e4cb6474ce12264cfa293b74df998335d1fbb7eed43d97c9a63161b3ac

Filename: %WINDIR%\TEMP\Qkm.exe
Filesize: 248832
MD5: 18c94bad2ae83a37387415bf1bc1665a
SHA1: 9a83603beef7235a12a4ab3568d305f2961517d3
SHA256: be507b7d205eb7d422000c4dbf65eb055c3a3ed96691385c4eebdb4e5e730191
The 16 bytes at 0x38a40 start with d8 5b db 03 ...
When the 16 bytes at 0x38a40 are set to 00 the checksums of the file are:
MD5: 370060570a289a82cb3ed633fb3c0e46
SHA1: f50010e5735b087402a7c153eda516e51cb8207c
SHA256: ebac3e0c5506ea1ed81edcf4eee5ac342158136b5c744825b0c1eab46b12e748

Or:

...
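The observations above show that each download of Qkj.exe, Qkk.exe, Qkl.exe and Qkm.exe differs only in a 16-byte block at a fixed offset, and that zeroing that block yields one stable checksum per file, so plain hash-based blocklisting fails while a normalised hash still identifies the family. The script below is an added example, not code from the original page: it carries the (filename, size) to offset table recorded above, zeroes the block, computes raw and normalised MD5/SHA-1/SHA-256 and groups samples by normalised SHA-256. The sample "files" at the bottom are constructed byte strings with made-up blob values, not the real executables.

```python
"""Cluster per-download polymorphic samples by a normalised hash.

Added example, not code from the original analysis. The page records that
every download of Qkj.exe, Qkk.exe, Qkl.exe and Qkm.exe differs only in a
16-byte block at a fixed offset, and that zeroing that block gives one stable
checksum per file. This script generalises that observation. The sample
"files" at the bottom are constructed byte strings, not the real executables.
"""
import hashlib

BLOB_LEN = 16

# Offsets recorded on the page; the same filename appeared in two builds with
# different sizes and different offsets, so the lookup is keyed by size too.
KNOWN_OFFSETS = {
    "Qkj.exe": {356864: 0x52B34},
    "Qkk.exe": {253952: 0x39A27, 181248: 0x2B228},
    "Qkl.exe": {266240: 0x3CD3B, 186368: 0x2C44C},
    "Qkm.exe": {248832: 0x38A40, 176640: 0x2A038},
}


def digests(data):
    """MD5, SHA-1 and SHA-256 of a byte string, hex encoded."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def lookup_offset(filename, size):
    """Offset of the per-download block for this build, or None if unknown."""
    return KNOWN_OFFSETS.get(filename, {}).get(size)


def normalize(data, offset, length=BLOB_LEN):
    """Return a copy of data with `length` bytes at `offset` set to 0x00."""
    if offset < 0 or offset + length > len(data):
        raise ValueError("blob region lies outside the file")
    return data[:offset] + b"\x00" * length + data[offset + length:]


def analyse(filename, data):
    """Raw digests, plus normalised digests when the offset for this build is known."""
    offset = lookup_offset(filename, len(data))
    result = {"file": filename, "size": len(data), "offset": offset,
              "raw": digests(data), "blob": None, "normalized": None}
    if offset is not None:
        result["blob"] = data[offset:offset + BLOB_LEN].hex()
        result["normalized"] = digests(normalize(data, offset))
    return result


def cluster(samples):
    """Group (label, filename, data) triples by normalised SHA-256.

    Samples whose offset is unknown fall back to their raw SHA-256, so they
    still appear in the output but will not merge with anything else.
    """
    groups = {}
    for label, filename, data in samples:
        r = analyse(filename, data)
        key = (r["normalized"] or r["raw"])["sha256"]
        groups.setdefault(key, []).append(label)
    return groups


def _make_variant(size, offset, blob):
    """Constructed stand-in for a downloaded sample: fixed filler plus blob."""
    body = bytearray((bytes(range(256)) * (size // 256 + 1))[:size])
    body[offset:offset + BLOB_LEN] = blob
    return bytes(body)


# Two constructed downloads of "Qkj.exe": identical except for the 16 bytes
# at 0x52b34 (the blob values here are made up, not the ones on the page).
SAMPLE_A = _make_variant(356864, 0x52B34, bytes(range(0x41, 0x51)))
SAMPLE_B = _make_variant(356864, 0x52B34, bytes(range(0x10, 0x20)))

if __name__ == "__main__":
    for label, data in (("download 1", SAMPLE_A), ("download 2", SAMPLE_B)):
        r = analyse("Qkj.exe", data)
        print(label, "blob", r["blob"], "raw md5", r["raw"]["md5"],
              "normalised md5", r["normalized"]["md5"])
    print(cluster([("download 1", "Qkj.exe", SAMPLE_A),
                   ("download 2", "Qkj.exe", SAMPLE_B)]))
```

For real samples, feed `analyse()` the file name and its bytes; when the normalised digests of two downloads agree, the remaining difference is exactly the per-download block, which is what the hash pairs on this page demonstrate. A build whose size is not in the table gets no normalised hash rather than a guessed offset, so a new offset has to be established by diffing two downloads before it is added.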
setup.exe with MD5: 0c1daceed8fb98d3ea01443d29a10a8e

...

Files named Qkj.exe, Qkk.exe, Qkl.exe and Qkm.exe were created and executed; they consume all idle CPU cycles, driving CPU usage to 100%. Their content varies from download to download only in a 16-byte block at a fixed offset:
Filename: %WINDIR%\TEMP\Qkj.exe
Filesize: 356864
MD5: 6a5353474b8436ac0e9cca6897dd55c9
SHA1: fa48fb8f1e1de82e0fa03c9d99307dae5641f49d
SHA256: 429d0f33135a0072864bb99dce7bfe885e9751fdeea7ec361a84de97699c530c
The 16 bytes at 0x52b34 start with 3e fe 7a 36 ...
When the 16 bytes at 0x52b34 are set to 00 the checksums of the file are:
MD5: fb2de356e1fd3882bd60423c33354a3a
SHA1: d332d87b696e7c0ea0d69be041de688e3f7d063c
SHA256: 46bd9500614f10da5fecf8d17eadc124e5e272c39d9b840cd035b3726bf84666

Filename: %WINDIR%\TEMP\Qkk.exe
Filesize: 181248
MD5: f1fcaa166a346bc0f02a55eeee181f3a
SHA1: 2a75c493a427fba1ec164fa835a8d5547a9df4c3
SHA256: ff41fd0e572e08e86a67a1b9ed265cabd0ac6f23b6d0ff507ca117f37465717e
The 16 bytes at 0x2b228 start with 3e fe 7a 36 ...
When the 16 bytes at 0x2b228 are set to 00 the checksums of the file are:
MD5: 73b250df1e572df08873d9691d1008e1
SHA1: 8593709f2d3723c74e33fd1292ceb16d1cfaec7f
SHA256: fedf5a0321f78fd0744cb158dafc0ea5563296b3fae9aa597fd18bf57151f8b3

Filename: %WINDIR%\TEMP\Qkl.exe
Filesize: 186368
MD5: 669c308dbed6205648337265ec0f614e
SHA1: 08fd6625491da10fa436acdb5c9f483577bdd987
SHA256: 77dbdc05776350dff383654579e14d76ae23f7a30b3fc9f86557ebc738ef105f
The 16 bytes at 0x2c44c start with 3e fe 7a 36 ...
When the 16 bytes at 0x2c44c are set to 00 the checksums of the file are:
MD5: ed5be81f8ab54f6bc79614ffb50993dc
SHA1: 2e2274e441d315ec47e538babb96dcf51d143d06
SHA256: 081b4aa515290f66c840fce713f2b419bb5501a095c6ae2c0c9853ef6f1a4f56

Filename: %WINDIR%\TEMP\Qkm.exe
Filesize: 176640
MD5: 8e44771cd6c3f31a7a6c41de8ec7a382
SHA1: 50f3c699ccb25a2e84c7755972e67b035d45de8c
SHA256: 85914a8cae4431f3a030fdaa310d63a7fb8321526f993535f55144bec0d3bde5
The 16 bytes at 0x2a038 start with 3e fe 7a 36 ...
When the 16 bytes at 0x2a038 are set to 00 the checksums of the file are:
MD5: def6f20de17622081237c18bc6a6482f
SHA1: 09f1a3cb8356ed8c48d4dd31e11ac9dcd7502143
SHA256: c220a9861c9a478255fce02b60f943743997a7d932e91a79a57e1c7c12cde845

Or:

Filename: %WINDIR%\TEMP\Qkj.exe
Filesize: 356864
MD5: 208e0591229998e22929db92d2362ff2
SHA1: 921027dff3bee5db572261ff9ad541f13bfe6ef7
SHA256: 0c3bfb6f009c955b93ff0345c34e8ded92e0406691c9ee741fb7af317da2838b
The 16 bytes at 0x52b34 start with 8f e6 fc 84 ...
When the 16 bytes at 0x52b34 are set to 00 the checksums of the file are:
MD5: fb2de356e1fd3882bd60423c33354a3a
SHA1: d332d87b696e7c0ea0d69be041de688e3f7d063c
SHA256: 46bd9500614f10da5fecf8d17eadc124e5e272c39d9b840cd035b3726bf84666

Filename: %WINDIR%\TEMP\Qkk.exe
Filesize: 181248
MD5: b78eee8019f4e768e461c01f54a824b0
SHA1: 15f706be9d3653f7418839a89379af56ab556bbf
SHA256: 5f969612baaea5253b4a6ca7c01e21566f1b9375f28320a51c9642a9bf6450a6
The 16 bytes at 0x2b228 start with 8f e6 fc 84 ...
When the 16 bytes at 0x2b228 are set to 00 the checksums of the file are:
MD5: 73b250df1e572df08873d9691d1008e1
SHA1: 8593709f2d3723c74e33fd1292ceb16d1cfaec7f
SHA256: fedf5a0321f78fd0744cb158dafc0ea5563296b3fae9aa597fd18bf57151f8b3

Filename: %WINDIR%\TEMP\Qkl.exe
Filesize: 186368
MD5: f6caa1e7884edced694587648b0554da
SHA1: e7f397ed385a11f9d5479bf5a96cf188a076663b
SHA256: c7b6024a024b2b43cdeaba314609db0be8907719b041d3d6af8d492ba32a777b
The 16 bytes at 0x2c44c start with 8f e6 fc 84 ...
When the 16 bytes at 0x2c44c are set to 00 the checksums of the file are:
MD5: ed5be81f8ab54f6bc79614ffb50993dc
SHA1: 2e2274e441d315ec47e538babb96dcf51d143d06
SHA256: 081b4aa515290f66c840fce713f2b419bb5501a095c6ae2c0c9853ef6f1a4f56

Filename: %WINDIR%\TEMP\Qkm.exe
Filesize: 248832
MD5: 5347d339526aa726eca5a0fc0d1dfa99
SHA1: 749b4a44e027c022f4d1dc87d74b02bffa480ffd
SHA256: dfee374f17c4fbe62ad9a8a17aae23b768e8cee694e5cd201df7ec917b5ed948
The 16 bytes at 0x38a40 start with 8f e6 fc 84 ...
When the 16 bytes at 0x38a40 are set to 00 the checksums of the file are:
MD5: 370060570a289a82cb3ed633fb3c0e46
SHA1: f50010e5735b087402a7c153eda516e51cb8207c
SHA256: ebac3e0c5506ea1ed81edcf4eee5ac342158136b5c744825b0c1eab46b12e748

Or:

Filename: %WINDIR%\TEMP\Qkj.exe
Filesize: 356864
MD5: 53f0e4f9a0bc1bac91093e4699232e97
SHA1: 5b4d61cf42922ed725fc9a1f6106a79cbcc56d0e
SHA256: 87a1f996491cede00bf96ee80a35548e13640eeeed1f4db4b3595ccc6d341ca1
The 16 bytes at 0x52b34 start with 6c a0 46 94 ...
When the 16 bytes at 0x52b34 are set to 00 the checksums of the file are:
MD5: fb2de356e1fd3882bd60423c33354a3a
SHA1: d332d87b696e7c0ea0d69be041de688e3f7d063c
SHA256: 46bd9500614f10da5fecf8d17eadc124e5e272c39d9b840cd035b3726bf84666

Filename: %WINDIR%\TEMP\Qkk.exe
Filesize: 181248
MD5: 1bd98301f82264295f45fce667a8bb18
SHA1: 7ebc7e9edc0370b2b7ff3831e30e697c78731c93
SHA256: c7bb59d597aa99a1c5f5b48bf51fb3a12a36511880107c58bed676443ff95b15
The 16 bytes at 0x2b228 start with 6c a0 46 94 ...
When the 16 bytes at 0x2b228 are set to 00 the checksums of the file are:
MD5: 73b250df1e572df08873d9691d1008e1
SHA1: 8593709f2d3723c74e33fd1292ceb16d1cfaec7f
SHA256: fedf5a0321f78fd0744cb158dafc0ea5563296b3fae9aa597fd18bf57151f8b3

Filename: %WINDIR%\TEMP\Qkl.exe
Filesize: 186368
MD5: ecb574ec507198866f7868d2273fc905
SHA1: 1fe6a21922b3dc79909b0687719cfa9f61fca677
SHA256: 9edc86d10f96949d7c37ec94b7b633e92e2da7699f1c1389efb9226e239b80d9
The 16 bytes at 0x2c44c start with 6c a0 46 94 ...
When the 16 bytes at 0x2c44c are set to 00 the checksums of the file are:
MD5: ed5be81f8ab54f6bc79614ffb50993dc
SHA1: 2e2274e441d315ec47e538babb96dcf51d143d06
SHA256: 081b4aa515290f66c840fce713f2b419bb5501a095c6ae2c0c9853ef6f1a4f56

Filename: %WINDIR%\TEMP\Qkm.exe
Filesize: 176640
MD5: 065abe1972659d38fd3fd38cbff25127
SHA1: 003629f7dda17121dc66cfbf26bbce58ed16c5cf
SHA256: d03bfb22576e507111dd6e46cb57ef05fa3e629f5ce4fb49ce233d2c074c7ae8
The 16 bytes at 0x2a038 start with 6c a0 46 94 ...
When the 16 bytes at 0x2a038 are set to 00 the checksums of the file are:
MD5: def6f20de17622081237c18bc6a6482f
SHA1: 09f1a3cb8356ed8c48d4dd31e11ac9dcd7502143
SHA256: c220a9861c9a478255fce02b60f943743997a7d932e91a79a57e1c7c12cde845

...
setup with MD5: 6c7bc60861b09a91c5d6f943ef7e8d23

...

Files named Qkj.exe, Qkk.exe, Qkl.exe and Qkm.exe were created and executed; they consume all idle CPU cycles, so CPU usage rises to 100%. Their content varies:
Filename: %WINDIR%\TEMP\Qkj.exe
Filesize: 356864
MD5: 4f6df608b7aa006c2572847d35ce8814
SHA1: 3e20f7e8741f3c03bc068bea5f21fa6c5cb90261
SHA256: ea33fa2938975f0c98552bf84705b32ef0cf364c5cc669d5d445b7ec918cfad1
The 16 bytes at 0x52b34 start with 91 e2 d4 06 ...
When the 16 bytes at 0x52b34 are set to 00 the checksums of the file are:
MD5: fb2de356e1fd3882bd60423c33354a3a
SHA1: d332d87b696e7c0ea0d69be041de688e3f7d063c
SHA256: 46bd9500614f10da5fecf8d17eadc124e5e272c39d9b840cd035b3726bf84666

Filename: %WINDIR%\TEMP\Qkk.exe
Filesize: 181248
MD5: 0f5f04be299b7d4ef3c158985892bc78
SHA1: 00e7094675b58463069cd4389995d755a82b57c3
SHA256: 64e0c210c1d10af330e1d00a221a58e79eb2d6527d501c5920cd84860bfbd2e3
The 16 bytes at 0x2b228 start with 91 e2 d4 06 ...
When the 16 bytes at 0x2b228 are set to 00 the checksums of the file are:
MD5: 73b250df1e572df08873d9691d1008e1
SHA1: 8593709f2d3723c74e33fd1292ceb16d1cfaec7f
SHA256: fedf5a0321f78fd0744cb158dafc0ea5563296b3fae9aa597fd18bf57151f8b3

Filename: %WINDIR%\TEMP\Qkl.exe
Filesize: 186368
MD5: 0d4decf98d760a8d0505d63f1f02ba03
SHA1: ee5d1abd9a887d624f419fc54264c68f0a56fffc
SHA256: d255cf92cbe368f8456ef9c8c1b14ca03fc57812786c68058f70954dd74eb938
The 16 bytes at 0x2c44c start with 91 e2 d4 06 ...
When the 16 bytes at 0x2c44c are set to 00 the checksums of the file are:
MD5: ed5be81f8ab54f6bc79614ffb50993dc
SHA1: 2e2274e441d315ec47e538babb96dcf51d143d06
SHA256: 081b4aa515290f66c840fce713f2b419bb5501a095c6ae2c0c9853ef6f1a4f56

Filename: %WINDIR%\TEMP\Qkm.exe
Filesize: 248832
MD5: 74767343f8ea85a5ca02cbd228b6801c
SHA1: 6b95cf7903693baaaa480e6a7e6dc504ac1b7f78
SHA256: 5523b7265d8c74b54aafc0c6d85df5e19fed701e860cf01141a4e286a6b6182f
The 16 bytes at 0x38a40 start with 91 e2 d4 06 ...
When the 16 bytes at 0x38a40 are set to 00 the checksums of the file are:
MD5: 370060570a289a82cb3ed633fb3c0e46
SHA1: f50010e5735b087402a7c153eda516e51cb8207c
SHA256: ebac3e0c5506ea1ed81edcf4eee5ac342158136b5c744825b0c1eab46b12e748

Or:

Filename: %WINDIR%\TEMP\Qkj.exe
Filesize: 356864
MD5: 64c7488023d4f3611734aad8b431b265
SHA1: 9327b74618b212ec697dda076154f68a08824694
SHA256: cf8a3d9c11f9502e93410425ed6eb0d369944b272761dd6337f49f99edf85daf
The 16 bytes at 0x52b34 start with 3f e8 39 f8 ...
When the 16 bytes at 0x52b34 are set to 00 the checksums of the file are:
MD5: fb2de356e1fd3882bd60423c33354a3a
SHA1: d332d87b696e7c0ea0d69be041de688e3f7d063c
SHA256: 46bd9500614f10da5fecf8d17eadc124e5e272c39d9b840cd035b3726bf84666

Filename: %WINDIR%\TEMP\Qkk.exe
Filesize: 181248
MD5: 27fa0b45886db89e2a718a8e54323b2d
SHA1: 06d4e0aeb6c7990b35c9433ac3243f3dec3da976
SHA256: 08d07e05e5133e15ab0a439491f23028eaa63077c1a8b443f9a098330fbda386
The 16 bytes at 0x2b228 start with 3f e8 39 f8 ...
When the 16 bytes at 0x2b228 are set to 00 the checksums of the file are:
MD5: 73b250df1e572df08873d9691d1008e1
SHA1: 8593709f2d3723c74e33fd1292ceb16d1cfaec7f
SHA256: fedf5a0321f78fd0744cb158dafc0ea5563296b3fae9aa597fd18bf57151f8b3

Filename: %WINDIR%\TEMP\Qkm.exe
Filesize: 176640
MD5: d4355eb64a491cbaecc552f65e2d33ab
SHA1: 029521f3969ae031505ea50f0c4bd3e652e12b60
SHA256: fdb82df8d19e661a95c1adc4661e8c6e9e9d6cd60304ee11b1bf99c971c9c40f
The 16 bytes at 0x2a038 start with 3f e8 39 f8 ...
When the 16 bytes at 0x2a038 are set to 00 the checksums of the file are:
MD5: def6f20de17622081237c18bc6a6482f
SHA1: 09f1a3cb8356ed8c48d4dd31e11ac9dcd7502143
SHA256: c220a9861c9a478255fce02b60f943743997a7d932e91a79a57e1c7c12cde845

Or:

Filename: %WINDIR%\TEMP\Qkj.exe
Filesize: 356864
MD5: 4b4af7f5be5bd1be2ec43651e32cba39
SHA1: 60f0043ad4cdd3a5d90bf89029f7565e8a99e07f
SHA256: 4f4061515c104123c99bf90a923c3745658c095424b9c91ec6e3703dd71113c8
The 16 bytes at 0x52b34 start with d2 4b c7 e6 ...
When the 16 bytes at 0x52b34 are set to 00 the checksums of the file are:
MD5: fb2de356e1fd3882bd60423c33354a3a
SHA1: d332d87b696e7c0ea0d69be041de688e3f7d063c
SHA256: 46bd9500614f10da5fecf8d17eadc124e5e272c39d9b840cd035b3726bf84666

Filename: %WINDIR%\TEMP\Qkk.exe
Filesize: 181248
MD5: a18f029c4f5aa1fe5e671bbc7dd33c2b
SHA1: b528a04142cf7797b20d8d538ef4e4e7a48f5aa8
SHA256: cac8500e9be635774153ab329d1ba82c3317e1f6a6214f6c259cffaf586e32ac
The 16 bytes at 0x2b228 start with d2 4b c7 e6 ...
When the 16 bytes at 0x2b228 are set to 00 the checksums of the file are:
MD5: 73b250df1e572df08873d9691d1008e1
SHA1: 8593709f2d3723c74e33fd1292ceb16d1cfaec7f
SHA256: fedf5a0321f78fd0744cb158dafc0ea5563296b3fae9aa597fd18bf57151f8b3

Filename: %WINDIR%\TEMP\Qkl.exe
Filesize: 186368
MD5: e12732c688c3901c81e42f8ff2f59fb8
SHA1: d64dccdc7a32790330ed8b0ac037700bc43896ac
SHA256: 73188a9503eb9ab29622d2fd29df11670dd5b28d2c225660fc5557d62143a768
The 16 bytes at 0x2c44c start with d2 4b c7 e6 ...
When the 16 bytes at 0x2c44c are set to 00 the checksums of the file are:
MD5: ed5be81f8ab54f6bc79614ffb50993dc
SHA1: 2e2274e441d315ec47e538babb96dcf51d143d06
SHA256: 081b4aa515290f66c840fce713f2b419bb5501a095c6ae2c0c9853ef6f1a4f56

Or:

Filename: %WINDIR%\TEMP\Qkj.exe
Filesize: 356864
MD5: 52526375497539b7eede399ec22e9d7e
SHA1: 41ae9c21f4b2e25d4356cf7c7c14d6b6bdcbe90c
SHA256: 489d3abf5b58f1a4ebc7d9d5f33d9bf045f92f7bcdae64403e40fbd4c7ec445a
The 16 bytes at 0x52b34 start with 1b 93 2f fc ...
When the 16 bytes at 0x52b34 are set to 00 the checksums of the file are:
MD5: fb2de356e1fd3882bd60423c33354a3a
SHA1: d332d87b696e7c0ea0d69be041de688e3f7d063c
SHA256: 46bd9500614f10da5fecf8d17eadc124e5e272c39d9b840cd035b3726bf84666

Filename: %WINDIR%\TEMP\Qkk.exe
Filesize: 181248
MD5: e5bb260ddb8784ff949bbde865f7238b
SHA1: a59a6275b12d55c810bb9b8c825a43da44a87ea0
SHA256: b8e463d0e42bcbf40860db7781557feae5d7dad262966b2b2beb2d9e49ca7214
The 16 bytes at 0x2b228 start with 1b 93 2f fc ...
When the 16 bytes at 0x2b228 are set to 00 the checksums of the file are:
MD5: 73b250df1e572df08873d9691d1008e1
SHA1: 8593709f2d3723c74e33fd1292ceb16d1cfaec7f
SHA256: fedf5a0321f78fd0744cb158dafc0ea5563296b3fae9aa597fd18bf57151f8b3

Filename: %WINDIR%\TEMP\Qkl.exe
Filesize: 186368
MD5: 53d01b87d3d87ce651e28a0e77873f45
SHA1: 982325a5f30dce983e49793c044e8f38f230e9b9
SHA256: a3a3651da208b164a961aa29095049a30d71dd39b1c0ae2d43200191f7438cdc
The 16 bytes at 0x2c44c start with f1 70 d9 3e ...
When the 16 bytes at 0x2c44c are set to 00 the checksums of the file are:
MD5: ed5be81f8ab54f6bc79614ffb50993dc
SHA1: 2e2274e441d315ec47e538babb96dcf51d143d06
SHA256: 081b4aa515290f66c840fce713f2b419bb5501a095c6ae2c0c9853ef6f1a4f56

Filename: %WINDIR%\TEMP\Qkm.exe
Filesize: 248832
MD5: d11caf17537a1c580d7aff71966f3ce3
SHA1: 8f340865db2b9c1d8d1b06c1c4dba2a84a1c8ed0
SHA256: 0e7ac4735ea3724dbe0392ec7b3fcfc986022a3a50541cceaa6a494082c04af4
The 16 bytes at 0x38a40 start with 1b 93 2f fc ...
When the 16 bytes at 0x38a40 are set to 00 the checksums of the file are:
MD5: 370060570a289a82cb3ed633fb3c0e46
SHA1: f50010e5735b087402a7c153eda516e51cb8207c
SHA256: ebac3e0c5506ea1ed81edcf4eee5ac342158136b5c744825b0c1eab46b12e748

...
setup.exe with MD5: ...

A DNS query was performed for digiregion.in which resolved to 78.46.99.57

An HTTP connection was established with 78.46.99.57

http://www.utrace.de/?query=78.46.99.57
Hetzner Online AG (Berlin, Germany)

A DNS query was performed for eastmoney.com which resolved to 69.64.58.224

An HTTP connection was established with 69.64.58.224

A DNS query was performed for jetifyshop.in which resolved to 64.20.55.244

An HTTP connection was established with 64.20.55.244

A DNS query was performed for jetifyonline.in which resolved to 98.143.147.237

An HTTP connection was established with 98.143.147.237

A DNS query was performed for myaitz.com which resolved to 74.91.28.195

An HTTP connection was established with 74.91.28.195

Files named Qkj.exe, Qkk.exe, Qkl.exe and Qkm.exe were created and executed under %WINDIR%\Temp\; they consume all idle CPU cycles, so CPU usage rises to 100%. Their content varies.

Qkj.exe / Qkk.exe / Qkl.exe / Qkm.exe variations
Filename: %WINDIR%\TEMP\Qkj.exe
Filesize: 400896
MD5: f8ada7f0ee064b0959a4bd8d0d3ff182
SHA1: 2c97d26f81e308a1528a0026378e3527d8a70395
SHA256: e2a55ed516d1013282206825c7bcc3bda47ea7f5593cb207e8d728773da5be90

Filename: %WINDIR%\TEMP\Qkj.exe
Filesize: 183296
MD5: b76635716b7121778ff635171e4b1df5
SHA1: d08dc2f048177e940240972a74802b9ec9302c55
SHA256: 779faab143c774501707c91d0bc3d64feea7cc99efc505d12f7d37a6c93ad4cd

Filename: %WINDIR%\TEMP\Qkj.exe
Filesize: 344576
MD5: cc8528b263b287ef6c71c169db868d5a
SHA1: dd0e8090bdfcff72e540161fb2f9960399e893a7
SHA256: fe4ff5da76c0565dc489943d831b45db520bef22daea83cc8fde00411749217d
The 16 bytes at 0x50756 start with c0 48 1f 71 ...
When the 16 bytes at 0x50756 are set to 00 the checksums of the file are:
MD5: 60783f936710d4e468b302ced0f6827f
SHA1: 674058a23d2b7fdb565155db3553b4237b8300ff
SHA256: ec1c96784487c0f02a849c40084efd71f71b174b27639f994dce19fadf98bf38

Filename: %WINDIR%\TEMP\Qkj.exe
Filesize: 344576
MD5: 03460f295eb481e55f746f9be10808d4
SHA1: ff3d64b1937f388730260419da7189cfe12ff549
SHA256: cc56337d8f337da901deb4036555e1f36f151a7030ee83c9de6dac196de4ee96
The 16 bytes at 0x50756 start with 9e 5c c6 5f ...
When the 16 bytes at 0x50756 are set to 00 the checksums of the file are:
MD5: 60783f936710d4e468b302ced0f6827f
SHA1: 674058a23d2b7fdb565155db3553b4237b8300ff
SHA256: ec1c96784487c0f02a849c40084efd71f71b174b27639f994dce19fadf98bf38

Filename: %WINDIR%\TEMP\Qkj.exe
Filesize: 350208
MD5: fe704e769af00857b5619b4d9af99478
SHA1: 0185fd336b341f117d8ac11dc29a4dfc00f69814
SHA256: 8cbca28894a354efe7fe43cc5db5cc7aa3c4074ddc775d9e4da9fb0ae68d46f9

Filename: %WINDIR%\TEMP\Qkj.exe
Filesize: 357376
MD5: 33889688b3b4aee42092f35db203395b
SHA1: 2f5fcdfb854e385d96a5ace270117385f227f207
SHA256: cffa8422a83c071284d507f4925332716bb3f8eb729db98258169c70bbb3f593

Filename: %WINDIR%\TEMP\Qkj.exe
Filesize: 357376
MD5: a98deef0f341ea9a535671f11245f269
SHA1: 83fa4018042b7c8fbc2a3d438a964d8ff6c94ab0
SHA256: 0c7219a5f0f83eb475532dcbbbecdf59a93715e4c127f2e3a7980460c7732579

Filename: %WINDIR%\TEMP\Qkj.exe
Filesize: 374784
MD5: 14a3d5a7507c36733547b9283b4d4c56
SHA1: 1f8e574d724d7714d2b39b893ba898bca5950958
SHA256: b9446c0d0f0febd5071e88626f907a0ea2ff34e506893dd6632022017027f0ac

Filename: %WINDIR%\TEMP\Qkj.exe
Filesize: 374784
MD5: 552b8e3d516dbeafe2829b3a164bc73e
SHA1: c2221de568b02275cbb6774ba5d928d46b81582d
SHA256: 9bce53373aa34f84357f5f191ef3dc7e0a6543407d3ae782c199d290e0327c08

Filename: %WINDIR%\TEMP\Qkk.exe
Filesize: 173568
MD5: 60ee7e137646ebc42fedeeee5bf992ec
SHA1: 250b888d705b6d3ab212425b24b9d6aec3a937d3
SHA256: 3c7cdcb848f331cc5968b9e4403833edb292914b1644ee70b56b7b53ad85790a

Filename: %WINDIR%\TEMP\Qkk.exe
Filesize: 183296
MD5: b76635716b7121778ff635171e4b1df5
SHA1: d08dc2f048177e940240972a74802b9ec9302c55
SHA256: 779faab143c774501707c91d0bc3d64feea7cc99efc505d12f7d37a6c93ad4cd
The 16 bytes at 0x2b900 start with b1 d4 52 36 ...
When the 16 bytes at 0x2b900 are set to 00 the checksums of the file are:
MD5: c773fdabd814305449ce42a074cffefd
SHA1: 88056a2d3ce64188cee3905e8164329c0d087f49
SHA256: 08b6484dacce8f0665da1f36970adb3b357c6b8df0a7c41276d354581f58bbda

Filename: %WINDIR%\TEMP\Qkk.exe
Filesize: 183296
MD5: f8345acce5fb55b7991552664ef3e852
SHA1: 6ce4ae692ea3a31bff4af7a95dda0b9dda99572f
SHA256: 601e572c617b8e7d18928b6b1b40428c5c8c276446dc59ced94b8fde253b8e43
The 16 bytes at 0x2b900 start with c0 48 1f 71 ...
When the 16 bytes at 0x2b900 are set to 00 the checksums of the file are:
MD5: c773fdabd814305449ce42a074cffefd
SHA1: 88056a2d3ce64188cee3905e8164329c0d087f49
SHA256: 08b6484dacce8f0665da1f36970adb3b357c6b8df0a7c41276d354581f58bbda

Filename: %WINDIR%\TEMP\Qkk.exe
Filesize: 183296
MD5: eb674ed876110ca3ab7363daf06fa9cf
SHA1: 4cbf40845c65d119f81edfc2ce84476deb778a5a
SHA256: 3d16434b0a7a38e29a3e1ab38fe879fa0bd27b3ea032dbf62af93e0b121bc826
The 16 bytes at 0x2b900 start with 9e 5c c6 5f ...
When the 16 bytes at 0x2b900 are set to 00 the checksums of the file are:
MD5: c773fdabd814305449ce42a074cffefd
SHA1: 88056a2d3ce64188cee3905e8164329c0d087f49
SHA256: 08b6484dacce8f0665da1f36970adb3b357c6b8df0a7c41276d354581f58bbda

Filename: %WINDIR%\TEMP\Qkk.exe
Filesize: 187392
MD5: b6ba2aea711d0424a8508449bbdb3ea7
SHA1: 763d670ed83dfd84caae4f8e6e328b64fbded827
SHA256: 19bc5db9a81fd0291f3d37551b942577af261433f862a51816cee859ead6efa8

Filename: %WINDIR%\TEMP\Qkk.exe
Filesize: 185344
MD5: 3726b183e1865708ceaa8e9ee07329e0
SHA1: c23470775c4238af8c7b14a46ed7973bdd21751a
SHA256: 4a277520d2ee3bf9633f767d2f2c72524f2725d7b9de257c7c0323fdef73d261

Filename: %WINDIR%\TEMP\Qkk.exe
Filesize: 185344
MD5: a8e17b23c1314fe7efb2a530e497ee92
SHA1: 8cf597c6ec6c589635e607fea9a9876bc84e4b0e
SHA256: aaa7425f89e411973e8f33bf678b1c926652f70f0c54e68ecbc02ec5645aeb36

Filename: %WINDIR%\TEMP\Qkk.exe
Filesize: 230912
MD5: 8c823bd378fb831ea44ebbe1b80cd946
SHA1: 46319f9c5d1e9f2cdf89385daa436d9b16ac85b7
SHA256: d2136bdc317a78b188c5882f5e4b50c06c80b4722d9c11782e4ebdb84d96d2b0
The 16 bytes at 0x34cf7 start with 0c 1e 83 4d ...
When the 16 bytes at 0x34cf7 are set to 00 the checksums of the file are:
MD5: 4007c31b38b9cd5ca4cd1b21a7f466d9
SHA1: 673b855883329f82d1894ae762ef2483d098a8d5
SHA256: aae126f47221b766c29d9fa4e5c9d910d3a1b8c5f77845e0719e11f93556270c

Filename: %WINDIR%\TEMP\Qkk.exe
Filesize: 230912
MD5: 2d8c46cff3d76e2f17f65baf5df359d8
SHA1: eec7f415b18180560afcedb2840c80d879a69125
SHA256: 37cfe58ce34d24599250aa2eb4b2297974e07fb346a2ab27f70b04a65a4109b2
The 16 bytes at 0x34cf7 start with e6 dd 00 6e ...
When the 16 bytes at 0x34cf7 are set to 00 the checksums of the file are:
MD5: 4007c31b38b9cd5ca4cd1b21a7f466d9
SHA1: 673b855883329f82d1894ae762ef2483d098a8d5
SHA256: aae126f47221b766c29d9fa4e5c9d910d3a1b8c5f77845e0719e11f93556270c

Filename: %WINDIR%\TEMP\Qkl.exe
Filesize: 181248
MD5: 5309be9fea38d16c4b9a7804ccb9208d
SHA1: 45444885d6522340a35dc0983eaef9f2a2829955
SHA256: 89efb7b5e1016adaf384706c72b475ffa78b60af7fa1fc78afa895734f8f6168

Filename: %WINDIR%\TEMP\Qkl.exe
Filesize: 189952
MD5: 59ea0c44e0389bed9b0eabfc3f327c5b
SHA1: e4c3016bf096c366f0c4950e9b0b91a9655d2146
SHA256: 8fe1f1079d4b8c76fd064d14cae586061c156c78367203ad0f44739a3173c600
The 16 bytes at 0x2d32c start with b1 d4 52 36 ...
When the 16 bytes at 0x2d32c are set to 00 the checksums of the file are:
MD5: 8a9bbbab20a4fa40e235ec7112805a95
SHA1: 07577da9acf979e8cf73713a4d7eb21bc18e89b4
SHA256: 937fb11d5715c06e961cc52d6c9ef283df711e526f7ab2837a9e0db349052a4f

Filename: %WINDIR%\TEMP\Qkl.exe
Filesize: 189952
MD5: 495f6ed1d6b5d4bcebb07aabf98dd51a
SHA1: f0a55ee61fbdd63b63c2aff90c0aa94485b0ef42
SHA256: dcf6e19334a28c7e3349daf0d14d1223c548c12ea3c072decfcfaed1e17081b4
The 16 bytes at 0x2d32c start with c0 48 1f 71 ...
When the 16 bytes at 0x2d32c are set to 00 the checksums of the file are:
MD5: 8a9bbbab20a4fa40e235ec7112805a95
SHA1: 07577da9acf979e8cf73713a4d7eb21bc18e89b4
SHA256: 937fb11d5715c06e961cc52d6c9ef283df711e526f7ab2837a9e0db349052a4f

Filename: %WINDIR%\TEMP\Qkl.exe
Filesize: 189952
MD5: 33e5170e4490fed9a7d4df32a086d55c
SHA1: 800e6dfc71c17b8e5a4b1f1e2c5df2b1214801f1
SHA256: b6c9104949dc20d2147d2e7ca2ba35c0c371fc9dc30707f5638169c06722fd50
The 16 bytes at 0x2d32c start with 9e 5c c6 5f ...
When the 16 bytes at 0x2d32c are set to 00 the checksums of the file are:
MD5: 8a9bbbab20a4fa40e235ec7112805a95
SHA1: 07577da9acf979e8cf73713a4d7eb21bc18e89b4
SHA256: 937fb11d5715c06e961cc52d6c9ef283df711e526f7ab2837a9e0db349052a4f

Filename: %WINDIR%\TEMP\Qkl.exe
Filesize: 39940
MD5: 838fde4526ecb5fef299ac71be49b295
SHA1: c46ad7f0d66b3da311865d48fcf9590c2a4eb1dc
SHA256: fd408adf8d699051e179d8670250ef38a8e6c09f145bde13c4f6b0306a6625c1

Filename: %WINDIR%\TEMP\Qkl.exe
Filesize: 189952
MD5: 64555de36e4c4203efb4bb976e3639ef
SHA1: 02eb68515da1b5ed0e686ab1fb0e15de130456e0
SHA256: d1b104d4f65b62854dc1dbd2d0d4ef39f0c32d3d8487ccd46415ae95af67276b

Filename: %WINDIR%\TEMP\Qkl.exe
Filesize: 39944
MD5: 817d2b437297f283a73859fd9db413a3
SHA1: 014669c9856a69cd622dd670bdf55c83af526adb
SHA256: fec3746f01f5cce429bd503d144dd7b1dfb8873155a9cc8d394a84b3c66e4fb0

Filename: %WINDIR%\TEMP\Qkl.exe
Filesize: 254464
MD5: 98fc8a1f608b632087fa6846e011edb9
SHA1: 4f86485cd8cdcc4607c0990b70b8eafeef029fd0
SHA256: a05149ba612a976e7935ff293ac6d5f0b30f7f72dde92e15bdd61d5814b7ca33
The 16 bytes at 0x3a5b6 start with 41 30 78 29 ...
When the 16 bytes at 0x3a5b6 are set to 00 the checksums of the file are:
MD5: 2cca3cbd3cbb712487d18dedc9c7dc6a
SHA1: 35c9b8152abba3f1348defd5cf8ee61e15147dfc
SHA256: 7c73f3799a05f99e8bf3689244786f53f4dc454611e2b7983821953371d84c14

Filename: %WINDIR%\TEMP\Qkl.exe
Filesize: 254464
MD5: 8f6c3066b1260faab111e9da2df3f3d7
SHA1: 39c67a6ff49920a1d46b5ce43efc7bd58d125110
SHA256: 6c81e6778398f9925159839dec6a4792c3306a9a6d188e86f8caf0046fedea00
The 16 bytes at 0x3a5b6 start with e6 dd 00 6e ...
When the 16 bytes at 0x3a5b6 are set to 00 the checksums of the file are:
MD5: 2cca3cbd3cbb712487d18dedc9c7dc6a
SHA1: 35c9b8152abba3f1348defd5cf8ee61e15147dfc
SHA256: 7c73f3799a05f99e8bf3689244786f53f4dc454611e2b7983821953371d84c14

Filename: %WINDIR%\TEMP\Qkl.exe
Filesize: 189952
MD5: ecadd975ebc6c7f0dbf1eb71e635c2b3
SHA1: 012069ad67d64af765af06d6d9ac99fa0d738b35
SHA256: 5017bfc732f52feb9900503c4f7fce9f9ce21ab5684f86d6db33d4f4dbd7da01

Filename: %WINDIR%\TEMP\Qkm.exe
Filesize: 172032
MD5: 4cc78d04e3151338fc064311e4f70f46
SHA1: 60193a222b51dae9fc68e97b4b39cf280f0ac455
SHA256: 8bc80ff237ba27b0bdc8b1694780141ce24c3e0dd10f812956a409f8ffb25b73

Filename: %WINDIR%\TEMP\Qkm.exe
Filesize: 179712
MD5: 4294604e147745954348956e75edc873
SHA1: 94b322d9b32de0def26a6ca2a4c1592ed311bc0b
SHA256: f4aa207fcb53abb82aa0dd6352ef6ba7f988184f6585b94a0aadfae0b3fbafbf
The 16 bytes at 0x2ac3c start with b1 d4 52 36 ...
When the 16 bytes at 0x2ac3c are set to 00 the checksums of the file are:
MD5: 8923babc6a425658f6e84c74327bdbe4
SHA1: 819c45b85629b101d1e7eee68f3ab56de4133f75
SHA256: 1039d0e6e1e7d7bdbec740b3a01eec63bbfe5c2463f22169f3fc5eaa87207d0e

Filename: %WINDIR%\TEMP\Qkm.exe
Filesize: 179712
MD5: fa8970bc30eba953cacd2cc14cfd7346
SHA1: cc0cf075d5e8eb3459fa152c82fbe429999a758e
SHA256: 88f9ebe57525dc38cf21ba2b5c0015f64db9430e3bc7410dc4324197d4a1dc77
The 16 bytes at 0x2ac3c start with c0 48 1f 71 ...
When the 16 bytes at 0x2ac3c are set to 00 the checksums of the file are:
MD5: 8923babc6a425658f6e84c74327bdbe4
SHA1: 819c45b85629b101d1e7eee68f3ab56de4133f75
SHA256: 1039d0e6e1e7d7bdbec740b3a01eec63bbfe5c2463f22169f3fc5eaa87207d0e

Filename: %WINDIR%\TEMP\Qkm.exe
Filesize: 179712
MD5: a550b758f1063a7670f07d186242f8ec
SHA1: 8f2f7620dc002736d4061181451287d84a3b3edd
SHA256: 7335cdb6d8d0ab31b679f8be7050a45a88f00895bbbf67d12d9dbe431f43635f
The 16 bytes at 0x2ac3c start with 9e 5c c6 5f ...
When the 16 bytes at 0x2ac3c are set to 00 the checksums of the file are:
MD5: 8923babc6a425658f6e84c74327bdbe4
SHA1: 819c45b85629b101d1e7eee68f3ab56de4133f75
SHA256: 1039d0e6e1e7d7bdbec740b3a01eec63bbfe5c2463f22169f3fc5eaa87207d0e

Filename: %WINDIR%\TEMP\Qkm.exe
Filesize: 182272
MD5: a8167c5f6580f2230095bfd0da75e42b
SHA1: 59a41a31c10fe0425573b8d50c9ed123166c0d0d
SHA256: 7d399a0b73759918ad5736075990171eeb9553dacdbf2ecf6e1e13cecb2a5121

Filename: %WINDIR%\TEMP\Qkm.exe
Filesize: 180224
MD5: 2b7630b5fadc6a20fd466dc19f7ebb4b
SHA1: 44ea8d8597624c993794026c592760e1ca47992b
SHA256: 1b422146b62bd5bd6f2107d67f4d23ce2818202e05869687ff7ac8087f26c44c

Filename: %WINDIR%\TEMP\Qkm.exe
Filesize: 180224
MD5: c55164fecf3dffd03d96abd45e920784
SHA1: ef634efdfc864bcf572e6e4049c6222e9e18be1c
SHA256: dba5c61bcfa4fd4f168be8ceadae4899c9675ed90da75a55ac733c9a741b0956

Filename: %WINDIR%\TEMP\Qkm.exe
Filesize: 236544
MD5: 4954b9e591c2841eca8be17b27e35b1c
SHA1: 490bf54c52008234e6858f1ae205ce35248bdc25
SHA256: 23ddb0aa083d11fc388b31ce898d3b892faeb17fd6fc3564cf503776991043f4
The 16 bytes at 0x36630 start with 0c 1e 83 4d ...
When the 16 bytes at 0x36630 are set to 00 the checksums of the file are:
MD5: 001aaad6f9a1bb01705d0fe78c7952c0
SHA1: 1ed6a4a5c675ba61f9fd9c7d95029126ce4d56cc
SHA256: 7914190b26ee1d9000978d2565615c8e70894b8eb3d544ca7f325196c7fd0dd4

Filename: %WINDIR%\TEMP\Qkm.exe
Filesize: 236544
MD5: 635ab7494e7a62057f7cd9a202e100b3
SHA1: 24767ca633931f4a1b41a6a3dd4a234ff40bc88d
SHA256: 73bf2055f4fa7020d34bc0d4ee63be9214e12e08c9b54e6665b2e66061a878d4
The 16 bytes at 0x36630 start with e6 dd 00 6e ...
When the 16 bytes at 0x36630 are set to 00 the checksums of the file are:
MD5: 001aaad6f9a1bb01705d0fe78c7952c0
SHA1: 1ed6a4a5c675ba61f9fd9c7d95029126ce4d56cc
SHA256: 7914190b26ee1d9000978d2565615c8e70894b8eb3d544ca7f325196c7fd0dd4

...

During a period of 4 hours and 15 minutes, 237 unique Qk?.exe files were witnessed by running one setup.exe in an execution loop, so it is estimated that, for that particular setup.exe, a new set of Qkj.exe, Qkk.exe, Qkl.exe and Qkm.exe binaries was hosted on average every 4 minutes.
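The records above all follow one pattern: two downloads of the same name and size differ only in a 16-byte region, and zeroing that region yields identical checksums. As an added example (not code from the original analysis), the Python below automates that triage step: it finds the small differing region between same-size samples, zeroes it, and groups the samples under one normalised checksum so per-download polymorphic copies collapse to a single indicator. The sample bytes are constructed stand-ins, not the malware's contents; only the four-byte prefixes reuse values reported above.

```python
# Added example: normalise per-download polymorphic variants by zeroing the
# small region in which they differ, as the analysis above does by hand.
import hashlib

REGION_LEN = 16  # size of the varying blob observed in the Qk?.exe variants


def diff_span(a: bytes, b: bytes):
    """Smallest [start, end) span covering every differing byte, or None if identical.
    Files of different size are separate builds, not patched twins, so that is an error."""
    if len(a) != len(b):
        raise ValueError("size mismatch: %d vs %d" % (len(a), len(b)))
    first = last = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if first is None:
                first = i
            last = i
    return None if first is None else (first, last + 1)


def zero_region(data: bytes, start: int, length: int = REGION_LEN) -> bytes:
    """Return a copy of data with `length` bytes at `start` overwritten by 0x00."""
    if start < 0 or start + length > len(data):
        raise ValueError("region out of bounds")
    return data[:start] + b"\x00" * length + data[start + length:]


def digests(data: bytes) -> dict:
    """MD5/SHA1/SHA256 in the same form the report lists them."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def describe_region(data: bytes, start: int, length: int = REGION_LEN) -> str:
    """Wording used in the report: the first four bytes of the varying region."""
    head = " ".join("%02x" % byte for byte in data[start:start + 4])
    return "The %d bytes at 0x%x start with %s ..." % (length, start, head)


def cluster_variants(samples: dict, region_len: int = REGION_LEN) -> list:
    """Group same-size samples ({name: bytes}) that differ only inside one region of at
    most `region_len` bytes. Every member is compared against the group's first member,
    so any two members differ only within the union span tracked for that group.
    Returns [{"members", "offset", "normalized"}]; a sample with no twin gets offset None
    and its plain digests."""
    groups = []
    for name in sorted(samples):
        data = samples[name]
        for g in groups:
            ref = samples[g["members"][0]]
            if len(ref) != len(data):
                continue
            span = diff_span(ref, data)
            if span is None:  # byte-identical duplicate
                g["members"].append(name)
                break
            start = span[0] if g["start"] is None else min(g["start"], span[0])
            end = span[1] if g["end"] is None else max(g["end"], span[1])
            if end - start <= region_len:
                g.update(start=start, end=end)
                g["members"].append(name)
                break
        else:
            groups.append({"members": [name], "start": None, "end": None})

    result = []
    for g in groups:
        ref = samples[g["members"][0]]
        if g["start"] is None:
            result.append({"members": g["members"], "offset": None, "normalized": digests(ref)})
        else:
            length = min(region_len, len(ref) - g["start"])
            result.append({"members": g["members"], "offset": g["start"],
                           "normalized": digests(zero_region(ref, g["start"], length))})
    return result


def make_samples() -> dict:
    """Constructed stand-ins (not real malware bytes): one 4096-byte body, three copies
    each patched with a different 16-byte blob at 0x800, and one file of another size
    that must not be merged with them."""
    body = bytes(range(256)) * 16
    blobs = [b"\x8f\xe6\xfc\x84" + b"\x11" * 12,
             b"\x6c\xa0\x46\x94" + b"\x22" * 12,
             b"\x91\xe2\xd4\x06" + b"\x33" * 12]
    samples = {}
    for suffix, blob in zip("abc", blobs):
        samples["Qkj_%s.exe" % suffix] = body[:0x800] + blob + body[0x810:]
    samples["other.exe"] = body + b"\x00" * 64
    return samples


SAMPLES = make_samples()

if __name__ == "__main__":
    for group in cluster_variants(SAMPLES):
        print(group["members"], group["offset"], group["normalized"]["sha256"])
        if group["offset"] is not None:
            print(describe_region(SAMPLES[group["members"][0]], group["offset"]))
```

Run against a directory of captured Qk?.exe downloads, the normalised SHA256 is the value worth sharing as an indicator, since the raw hashes change with every download.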

setup.exe with MD5: d55fcabfbc1983795bbf2ffd60802c55

A DNS query was performed for digiregion.in which resolved to 78.46.99.57

An HTTP connection was established with 78.46.99.57, followed by an HTTP POST

A DNS query was performed for rooftopjam.in which resolved to 87.255.51.229

An HTTP connection was established with 87.255.51.229, followed by an HTTP POST

A DNS query was performed for jumppack.in which resolved to 87.255.51.229

An HTTP connection was established with 87.255.51.229, followed by an HTTP POST

http://www.utrace.de/?query=87.255.51.229
FiberRing B.V. (Germany)

setup.exe with MD5: 03f55e2afa1d1ed1861c81ca877b8d21

A DNS query was performed for momverse.in which resolved to 78.46.99.57

An HTTP connection was established with 78.46.99.57, followed by an HTTP POST

A DNS query was performed for rooftopjam.in which resolved to 87.255.51.229

An HTTP connection was established with 87.255.51.229, followed by an HTTP POST

A DNS query was performed for jumppack.in which resolved to 87.255.51.229

An HTTP connection was established with 87.255.51.229, followed by an HTTP POST

setup.exe with MD5: cd49c321367b97de7fbb3a0c820b157d

A DNS query was performed for momverse.in which resolved to 78.46.99.57

An HTTP connection was established with 78.46.99.57, followed by an HTTP POST

A DNS query was performed for rooftopjam.in which resolved to 87.255.51.229

An HTTP connection was established with 87.255.51.229, followed by an HTTP POST

A DNS query was performed for jumppack.in which resolved to 87.255.51.229

An HTTP connection was established with 87.255.51.229, followed by an HTTP POST

setup with MD5: 92e0608d2d0c24519ef6d49cf4d6a949

A DNS query was performed for catchmeeye.in which resolved to 78.46.99.57

An HTTP connection was established with 78.46.99.57, followed by an HTTP POST

A DNS query was performed for rooftopjam.in which resolved to 87.255.51.229

An HTTP connection was established with 87.255.51.229, followed by an HTTP POST

A DNS query was performed for jumppack.in which resolved to 87.255.51.229

An HTTP connection was established with 87.255.51.229, followed by an HTTP POST

setup with MD5: 8720e0cc8596093aac10d0ecff36b4ca

A DNS query was performed for trayrun.com which resolved to 89.248.165.137

HTTP POST requests were made to 89.248.165.137, among them:
HTTP POST /CallBack/SomeScripts/mgsNewPeer.php
HTTP POST /CallBack/SomeScripts/mgsGetMGList.php
HTTP POST /CallBack/SomeScripts/update25.php
...

setup with MD5: 34a521c54878a394c3ec9c84d557fae1

A DNS query was performed for pelicanstate.in which resolved to 78.46.99.57

An HTTP connection was established with 78.46.99.57, followed by an HTTP POST

A DNS query was performed for rooftopjam.in which resolved to 66.228.54.181

A DNS query was performed for 88293388.com which resolved to 212.36.9.58

An HTTP connection was established with 212.36.9.58, followed by a few HTTP GET requests

http://www.utrace.de/?query=212.36.9.58
Spectrum NET, OTEL.NET Network (Sofia, Bulgaria)

setup.exe MD5: 94f2cb6111a98f21dccfba9686710726

The file copies itself to %WINDIR%\Temp\31.tmp, ...

The original setup.exe file is deleted

The program tries to connect to various SMTP servers

setup.exe MD5: f9f4994998c8df53de1677765bbdba2d

The file copies itself to e.g. %WINDIR%\Temp\31.tmp, %WINDIR%\Temp\2D.tmp, %WINDIR%\Temp\2E.tmp, %WINDIR%\Temp\20.tmp, %WINDIR%\Temp\1F.tmp, ...

The original setup.exe file is deleted

A command window appeared:

C:\WINDOWS\TEMP\31.tmp

Sometimes an error message appears:

C:\WINDOWS\TEMP\2D.tmp
System error 1060 has occurred.
The specified service does not exist as an installed service.
The service is not responding to the control function.
More help is available by typing NET HELPMSG 2186

Fake AV: XP Home Security 2010

Fake AV malware named "XP Home Security 2012" was installed; the windows shown carried these titles:

XP Home Security 2012 - Unregistred Version
XP Home Security 2012 ALERT

The following sequence of DNS queries was witnessed:
43954+ A? tibumuqel.com. (31)
62143 1/0/0 A 109.236.80.208
49340 1/0/0 A 85.17.173.38
8636 1/0/0 A 31.207.2.12
21683+ A? xipifexegybozi.com. (36)
62908 1/0/0 A 85.17.173.36
18877 1/0/0 A 85.17.173.35
43954 1/0/0 A 79.143.178.101
15186+ A? putijucyvazym.com. (35)
15186 1/0/0 A 109.236.80.207
55120+ A? gikekypowaqa.com. (34)
30036+ A? fopuvuwupode.com. (34)
48211+ A? qotasifelaw.com. (33)
16314 1/0/0 A 66.197.162.168
11600+ A? porozybaru.com. (32)
30036 1/0/0 A 64.191.111.86
87+ A? hemusyheduf.com. (33)
11600 1/0/0 A 31.207.2.11
48211 1/0/0 A 79.143.178.100
50618 1/0/0 A 206.217.134.44
56511 1/0/0 A 66.197.162.165
36793 1/0/0 A 66.197.162.166
55120 1/0/0 A 31.207.2.10
87 1/0/0 A 50.2.7.243
35248+ A? xipifexegybozi.com. (36)
2993+ A? pafozykavygaj.com. (35)
22967+ A? waciroqohuli.com. (34)
47540+ A? civivicuqekexo.com. (36)
11189+ A? waciroqohuli.com. (34)
9397+ A? zarapetahuryp.com. (35)
10165+ A? pejozehywe.com. (32)
54954+ A? hemusyheduf.com. (33)
35754+ A? levulehup.com. (31)
16296+ A? ledimajezociw.com. (35)
54954 1/0/0 A 50.2.7.243
11189 1/0/0 A 64.56.65.213
47540 1/0/0 A 93.104.208.84
22967 1/0/0 A 64.56.65.213
9397 1/0/0 A 50.2.7.241
10165 1/0/0 A 50.2.7.242
52648+ A? gikekypowaqa.com. (34)
60840+ A? porozybaru.com. (32)
1193+ A? putijucyvazym.com. (35)
52648 1/0/0 A 31.207.2.10
60840 1/0/0 A 31.207.2.11
1193 1/0/0 A 109.236.80.207
14941+ A? tibumuqel.com. (31)
41055+ A? qotasifelaw.com. (33)
14941 1/0/0 A 79.143.178.101
51038+ A? cinuherijugeg.com. (35)
41055 1/0/0 A 79.143.178.100
3161+ A? fopuvuwupode.com. (34)
51038 1/0/0 A 64.191.111.88
600+ A? rabuqibareme.com. (34)
3161 1/0/0 A 64.191.111.86
2993+ A? pafozykavygaj.com. (35)
35754+ A? levulehup.com. (31)
16296+ A? ledimajezociw.com. (35)
600+ A? rabuqibareme.com. (34)
2993+ A? pafozykavygaj.com. (35)
16296+ A? ledimajezociw.com. (35)
35754+ A? levulehup.com. (31)
600+ A? rabuqibareme.com. (34)
16296+ A? ledimajezociw.com. (35)
35754+ A? levulehup.com. (31)
600+ A? rabuqibareme.com. (34)
17838+ A? xipifexegybozi.com. (36)
7598+ A? ledimajezociw.com. (35)
50606+ A? pafozykavygaj.com. (35)
17324+ A? rabuqibareme.com. (34)
35754+ A? levulehup.com. (31)
7598+ A? ledimajezociw.com. (35)
17324+ A? rabuqibareme.com. (34)
50606+ A? pafozykavygaj.com. (35)
7598+ A? ledimajezociw.com. (35)
17324+ A? rabuqibareme.com. (34)
50606+ A? pafozykavygaj.com. (35)
7598+ A? ledimajezociw.com. (35)
17324+ A? rabuqibareme.com. (34)
50606+ A? pafozykavygaj.com. (35)
33708+ A? levulehup.com. (31)
33708+ A? levulehup.com. (31)
7598+ A? ledimajezociw.com. (35)

http://www.utrace.de/?query=109.236.80.207
http://www.utrace.de/?query=109.236.80.208
WorldStream (The Netherlands)

http://www.utrace.de/?query=206.217.134.43
http://www.utrace.de/?query=206.217.134.44
http://www.utrace.de/?query=206.217.134.45
ColoCrossing (Buffalo, United States)

http://www.utrace.de/?query=50.2.7.241
http://www.utrace.de/?query=50.2.7.242
http://www.utrace.de/?query=50.2.7.243
Eonix Corporation, GotHOST, (Stuart, United States)

http://www.utrace.de/?query=64.120.165.88
Network Operations Center, MangoXchange Limited c/o Network Operations Center (United States)

http://www.utrace.de/?query=64.191.111.86
http://www.utrace.de/?query=64.191.111.88
Network Operations Center, II Hosting Media c/o Network Operations Center, In (Scranton, United States)

http://www.utrace.de/?query=64.56.65.213
vrtservers.net, The AV Den (Los Angeles, United States)

http://www.utrace.de/?query=66.197.162.165
http://www.utrace.de/?query=66.197.162.166
http://www.utrace.de/?query=66.197.162.167
http://www.utrace.de/?query=66.197.162.168
Network Operations Center, WooServers c/o Network Operations Center, Inc. (Scranton, United States)

http://www.utrace.de/?query=79.143.178.100
http://www.utrace.de/?query=79.143.178.101
Giga-Hosting GmbH (Germany)

http://www.utrace.de/?query=85.17.173.35
http://www.utrace.de/?query=85.17.173.36
http://www.utrace.de/?query=85.17.173.38
LeaseWeb B.V. (The Netherlands)
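
The query/answer lines above are raw tcpdump output, so the useful facts (which of the algorithmically looking names actually resolved, which addresses they share, and which names never got an answer) have to be recovered by pairing each answer with the pending query that carries the same transaction ID. The following is an added example, not code from the original post: it parses a constructed subset of the excerpt above (same tcpdump format, timestamps and endpoints already stripped as in the page), correlates queries with answers, groups the resolved names by /24 so that the hosting blocks listed above fall out of the data, and reports the names that were only ever queried. It assumes every line is either an A query or an A answer in exactly the form shown.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample, copied from lines of the capture excerpt above. It
# keeps one retransmitted query (ID 21641, never answered) and two names
# that resolve into the same provider block, to exercise both cases.
SAMPLE_LOG = """\
2619+ A? waciroqohuli.com. (34)
14395+ A? civivicuqekexo.com. (36)
35109+ A? waciroqohuli.com. (34)
49959+ A? pejozehywe.com. (32)
2619 1/0/0 A 64.56.65.213
49959 1/0/0 A 50.2.7.242
35109 1/0/0 A 64.56.65.213
14395 1/0/0 A 93.104.208.84
44322+ A? zyzanewodojyx.com. (35)
44322 1/0/0 A 85.17.173.36
21641+ A? levulehup.com. (31)
21641+ A? levulehup.com. (31)
42655+ A? zyzanewodojyx.com. (35)
39581+ A? hehyvixiru.com. (32)
42655 1/0/0 A 85.17.173.36
39581 1/0/0 A 85.17.173.35
28198+ A? hemusyheduf.com. (33)
28198 1/0/0 A 50.2.7.243
"""

# "<txid>+ A? <name>. (<len>)"  and  "<txid> <an>/<ns>/<ar> A <ipv4>"
QUERY_RE = re.compile(r"^(\d+)\+ A\? (\S+?)\.? \(\d+\)$")
ANSWER_RE = re.compile(r"^(\d+) (\d+)/(\d+)/(\d+) A (\d+\.\d+\.\d+\.\d+)$")


def parse_dns_log(text):
    """Pair tcpdump DNS answers with their queries by transaction ID.

    Returns (resolved, unresolved): resolved maps name -> set of A records,
    unresolved is the set of names whose queries never got an answer.
    Transaction IDs are 16-bit and get reused, so an answer is matched to
    the most recent pending query carrying that ID; a retransmitted query
    (same ID, same name) simply overwrites the pending entry.
    """
    pending = {}                 # txid -> name awaiting an answer
    resolved = defaultdict(set)
    asked = set()
    for line in text.splitlines():
        line = line.strip()
        m = QUERY_RE.match(line)
        if m:
            txid, name = int(m.group(1)), m.group(2).lower()
            asked.add(name)
            pending[txid] = name
            continue
        m = ANSWER_RE.match(line)
        if m:
            name = pending.pop(int(m.group(1)), None)
            if name is not None and int(m.group(2)) > 0:
                resolved[name].add(m.group(5))
    return dict(resolved), asked - set(resolved)


def cluster_by_prefix(resolved, prefixlen=24):
    """Group resolved names by the /prefixlen of their A records.

    Names that land in the same small block are sharing hosting, which is
    what the provider lookups above show for 85.17.173.x, 50.2.7.x, etc.
    """
    clusters = defaultdict(set)
    for name, addrs in resolved.items():
        for addr in addrs:
            net = ip_network(f"{addr}/{prefixlen}", strict=False)
            clusters[str(net)].add(name)
    return dict(clusters)


if __name__ == "__main__":
    resolved, unresolved = parse_dns_log(SAMPLE_LOG)
    for net, names in sorted(cluster_by_prefix(resolved).items()):
        print(net, sorted(names))
    print("queried but never answered:", sorted(unresolved))
```

Run against the full excerpt, the never-answered set (levulehup.com, rabuqibareme.com, pafozykavygaj.com, ledimajezociw.com, xipifexegybozi.com) is worth keeping as a watch list: the bot keeps retrying them, so they are the names to expect in later captures. The /24 grouping is a heuristic; the utrace lookups above are what confirm which operator actually owns each block.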

DNS queries for *.twothousands.cm were sent to 178.162.181.106

http://www.utrace.de/?query=178.162.181.106
NetDirect, Leaseweb Germany GmbH (previously netdirekt e. K.) (Germany)

An HTTP GET was performed against 210.211.108.215

http://www.utrace.de/?query=210.211.108.215
Provider: Viettel-CHT Company Ltd