Analysis Overview
SHA256
0434bd170395b848da4c6acd9e0a93c32e578bf76357d6e32603f3237a53f4fc
Threat Level: Known bad
The file DkAiW.vbs was found to be: Known bad.
Malicious Activity Summary
WSHRAT
WSHRAT Payload
Wshrat family
Blocklisted process makes network request
Adds Run key to start application
Looks up external IP address via web service
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2021-10-04 13:22
Signatures
WSHRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Wshrat family
Analysis: behavioral1
Detonation Overview
Submitted
2021-10-04 13:22
Reported
2021-10-04 13:52
Platform
win7-en-20210920
Max time kernel
1798s
Max time network
1793s
Command Line
Signatures
WSHRAT
WSHRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DkAiW = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\DkAiW.vbs\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\DkAiW = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\DkAiW.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DkAiW = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\DkAiW.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\DkAiW = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\DkAiW.vbs\"" | C:\Windows\System32\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1740 wrote to memory of 2004 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DkAiW.vbs"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DkAiW.vbs"
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x458
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | kaplan-30301.portmap.io | udp |
Files
memory/1740-53-0x000007FEFC461000-0x000007FEFC463000-memory.dmp
memory/2004-54-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\DkAiW.vbs
| MD5 | 4d8f225d32a420d577abb43f11109a4d |
| SHA1 | f7d8c8bf04aee5d32ea7a935a79a5f87a2913216 |
| SHA256 | 0434bd170395b848da4c6acd9e0a93c32e578bf76357d6e32603f3237a53f4fc |
| SHA512 | 831fe1f5519b48556c5311f269275a8f6ffa2134807d0cff19b3c728f922f069b883abebcb9a1af5bde8ba4927cdc57474d174876e67ec1b6c99ee227eb525c8 |
Analysis: behavioral2
Detonation Overview
Submitted
2021-10-04 13:22
Reported
2021-10-04 13:52
Platform
win10v20210408
Max time kernel
1796s
Max time network
1798s
Command Line
Signatures
WSHRAT
WSHRAT Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DkAiW = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\DkAiW.vbs\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\DkAiW = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\DkAiW.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DkAiW = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\DkAiW.vbs\"" | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Windows\CurrentVersion\Run\DkAiW = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\DkAiW.vbs\"" | C:\Windows\System32\wscript.exe | N/A |
| Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | C:\Windows\System32\wscript.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 636 wrote to memory of 1004 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\wscript.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\DkAiW.vbs"
C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\DkAiW.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | kaplan-30301.portmap.io | udp |
Files
memory/1004-114-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\DkAiW.vbs
| MD5 | 4d8f225d32a420d577abb43f11109a4d |
| SHA1 | f7d8c8bf04aee5d32ea7a935a79a5f87a2913216 |
| SHA256 | 0434bd170395b848da4c6acd9e0a93c32e578bf76357d6e32603f3237a53f4fc |
| SHA512 | 831fe1f5519b48556c5311f269275a8f6ffa2134807d0cff19b3c728f922f069b883abebcb9a1af5bde8ba4927cdc57474d174876e67ec1b6c99ee227eb525c8 |