Malware Analysis Report

2024-11-13 14:05

Sample ID 240225-fse65scb88
Target 98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe
SHA256 98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee
Tags
smokeloader backdoor persistence trojan upx glupteba lumma stealc pub1 discovery dropper evasion loader stealer
score
10/10

Analysis Overview

score
10/10

SHA256

98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee

Threat Level: Known bad

The file 98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe was found to be: Known bad.

Malicious Activity Summary

smokeloader backdoor persistence trojan upx glupteba lumma stealc pub1 discovery dropper evasion loader stealer

Stealc

Glupteba

Lumma Stealer

Glupteba payload

SmokeLoader

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)

Detects executables containing artifacts associated with disabling Windows Defender

Detects executables packed with VMProtect.

Detects executables containing URLs to raw contents of a Github gist

Detect binaries embedding considerable number of MFA browser extension IDs.

Detects executables referencing many varying, potentially fake Windows User-Agents

Detects executables Discord URL observed in first stage droppers

UPX dump on OEP (original entry point)

Detects Windows executables referencing non-Windows User-Agents

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.

Downloads MZ/PE file

Stops running service(s)

Modifies Windows Firewall

Creates new service(s)

Contacts a large (511) amount of remote hosts

Loads dropped DLL

Deletes itself

Checks computer location settings

Executes dropped EXE

UPX packed file

Legitimate hosting services abused for malware hosting/C2

Adds Run key to start application

Suspicious use of SetThreadContext

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-25 05:07

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-02-25 05:07

Reported

2024-02-25 05:10

Platform

win7-20240221-en

Max time kernel

30s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe"

Signatures

SmokeLoader

trojan backdoor smokeloader

Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)


UPX dump on OEP (original entry point)


Downloads MZ/PE file

Deletes itself


Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\692F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\692F.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\81B0.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\692F.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

UPX packed file

upx

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS = "\"C:\\ProgramData\\Drivers\\csrss.exe\"" C:\Users\Admin\AppData\Local\Temp\692F.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2560 set thread context of 2724 N/A C:\Users\Admin\AppData\Local\Temp\692F.exe C:\Users\Admin\AppData\Local\Temp\692F.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\81B0.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1204 wrote to memory of 2560 N/A N/A C:\Users\Admin\AppData\Local\Temp\692F.exe
PID 2560 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\692F.exe C:\Users\Admin\AppData\Local\Temp\692F.exe
PID 1204 wrote to memory of 2472 N/A N/A C:\Windows\system32\regsvr32.exe
PID 2472 wrote to memory of 2352 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1204 wrote to memory of 2448 N/A N/A C:\Users\Admin\AppData\Local\Temp\81B0.exe
PID 2448 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\81B0.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe

"C:\Users\Admin\AppData\Local\Temp\98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe"

C:\Users\Admin\AppData\Local\Temp\692F.exe

C:\Users\Admin\AppData\Local\Temp\692F.exe

C:\Users\Admin\AppData\Local\Temp\692F.exe

C:\Users\Admin\AppData\Local\Temp\692F.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\6F76.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\6F76.dll

C:\Users\Admin\AppData\Local\Temp\81B0.exe

C:\Users\Admin\AppData\Local\Temp\81B0.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2448 -s 124

C:\Users\Admin\AppData\Local\Temp\898D.exe

C:\Users\Admin\AppData\Local\Temp\898D.exe

Network


Files


Analysis: behavioral2

Detonation Overview

Submitted

2024-02-25 05:07

Reported

2024-02-25 05:10

Platform

win10v2004-20240221-en

Max time kernel

38s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe"

Signatures

Glupteba

loader dropper glupteba

Glupteba payload


Lumma Stealer

stealer lumma

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Detect binaries embedding considerable number of MFA browser extension IDs.


Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.


Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)


Detects Windows executables referencing non-Windows User-Agents


Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.


Detects executables Discord URL observed in first stage droppers


Detects executables containing URLs to raw contents of a Github gist

Detects executables containing artifacts associated with disabling Widnows Defender

Detects executables packed with VMProtect.

Detects executables referencing many varying, potentially fake Windows User-Agents

UPX dump on OEP (original entry point)

Contacts a large (511) amount of remote hosts

discovery

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1414748551-1520717498-2956787782-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\E2C3.exe N/A

Deletes itself

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\B98C.exe N/A

UPX packed file

upx

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A pastebin.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3116 set thread context of 396 N/A C:\Users\Admin\AppData\Local\Temp\B98C.exe C:\Users\Admin\AppData\Local\Temp\B98C.exe

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\EF66.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\EF66.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\AppData\Local\Temp\EF66.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3440 wrote to memory of 3116 N/A N/A C:\Users\Admin\AppData\Local\Temp\B98C.exe
PID 3116 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\B98C.exe C:\Users\Admin\AppData\Local\Temp\B98C.exe
PID 3440 wrote to memory of 4748 N/A N/A C:\Windows\system32\regsvr32.exe
PID 4748 wrote to memory of 2644 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3440 wrote to memory of 2732 N/A N/A C:\Users\Admin\AppData\Local\Temp\CC5A.exe
PID 3440 wrote to memory of 1728 N/A N/A C:\Users\Admin\AppData\Local\Temp\D0C0.exe
PID 3440 wrote to memory of 3604 N/A N/A C:\Users\Admin\AppData\Local\Temp\E2C3.exe
PID 3440 wrote to memory of 408 N/A N/A C:\Users\Admin\AppData\Local\Temp\EF66.exe
PID 3604 wrote to memory of 4592 N/A C:\Users\Admin\AppData\Local\Temp\E2C3.exe C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
PID 3604 wrote to memory of 3628 N/A C:\Users\Admin\AppData\Local\Temp\E2C3.exe C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
PID 3604 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Local\Temp\E2C3.exe C:\Users\Admin\AppData\Local\Temp\FourthX.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe

"C:\Users\Admin\AppData\Local\Temp\98c3d93eeb1c3139c530df4aa6270bb3df7c24148e71f195c929486136872eee.exe"

C:\Users\Admin\AppData\Local\Temp\B98C.exe

C:\Users\Admin\AppData\Local\Temp\B98C.exe

C:\Users\Admin\AppData\Local\Temp\B98C.exe

C:\Users\Admin\AppData\Local\Temp\B98C.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\BEAD.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\BEAD.dll

C:\Users\Admin\AppData\Local\Temp\CC5A.exe

C:\Users\Admin\AppData\Local\Temp\CC5A.exe

C:\Users\Admin\AppData\Local\Temp\D0C0.exe

C:\Users\Admin\AppData\Local\Temp\D0C0.exe

C:\Users\Admin\AppData\Local\Temp\E2C3.exe

C:\Users\Admin\AppData\Local\Temp\E2C3.exe

C:\Users\Admin\AppData\Local\Temp\EF66.exe

C:\Users\Admin\AppData\Local\Temp\EF66.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\F860.exe

C:\Users\Admin\AppData\Local\Temp\F860.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\is-GNFNH.tmp\F860.tmp

"C:\Users\Admin\AppData\Local\Temp\is-GNFNH.tmp\F860.tmp" /SL5="$100052,4185251,54272,C:\Users\Admin\AppData\Local\Temp\F860.exe"

C:\Users\Admin\AppData\Local\Temp\FE2D.exe

C:\Users\Admin\AppData\Local\Temp\FE2D.exe

C:\Users\Admin\AppData\Local\DVD Slow\dvdslow.exe

"C:\Users\Admin\AppData\Local\DVD Slow\dvdslow.exe" -i

C:\Users\Admin\AppData\Local\DVD Slow\dvdslow.exe

"C:\Users\Admin\AppData\Local\DVD Slow\dvdslow.exe" -s

C:\Users\Admin\AppData\Local\Temp\nsxC51.tmp

C:\Users\Admin\AppData\Local\Temp\nsxC51.tmp

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2420 -ip 2420

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2420 -s 540

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 2264 -ip 2264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 2400

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "UTIXDCVF"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "UTIXDCVF" binpath= "C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "UTIXDCVF"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Roaming\ggbtwia

C:\Users\Admin\AppData\Roaming\ggbtwia

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

Network

FR 109.234.162.14:443 www.anset.fr tcp
US 8.8.8.8:53 ufabet789.app udp
AT 91.220.179.9:443 taxter.at tcp
FI 95.217.145.143:443 arxan.app tcp
US 63.250.43.3:80 trumpsecrets.live tcp
US 8.8.8.8:53 vocabella.app udp
US 8.8.8.8:53 cashprank.app udp
US 8.8.8.8:53 ufaauto888.app udp
IN 62.72.28.164:443 customersolution.live tcp
IT 89.46.107.229:443 www.realia.app tcp
FI 95.217.5.229:443 recaptcha.cloud tcp
US 104.21.65.135:443 1bet2u.app tcp
US 172.67.161.28:443 wing888.app tcp
US 8.8.8.8:53 71.7.21.104.in-addr.arpa udp
US 8.8.8.8:53 8.78.21.104.in-addr.arpa udp
US 8.8.8.8:53 40.6.21.104.in-addr.arpa udp
US 8.8.8.8:53 129.8.21.104.in-addr.arpa udp
US 8.8.8.8:53 108.64.160.193.in-addr.arpa udp
US 8.8.8.8:53 117.7.21.104.in-addr.arpa udp
US 8.8.8.8:53 18.202.38.86.in-addr.arpa udp
US 8.8.8.8:53 52.147.248.104.in-addr.arpa udp
US 8.8.8.8:53 146.234.21.104.in-addr.arpa udp
US 8.8.8.8:53 47.176.67.172.in-addr.arpa udp
US 8.8.8.8:53 tindergratis.app udp
SG 156.67.222.70:443 sky-deck.app tcp
US 63.250.43.11:443 cashprank.app tcp
US 104.21.23.114:443 roman888.app tcp
NL 185.224.138.27:443 vocabella.app tcp
US 172.67.205.50:443 ufaauto888.app tcp
SG 23.106.53.137:443 dimzsky.app tcp
US 8.8.8.8:53 www.tennisanalyzer.app udp
US 8.8.8.8:53 shadowfightmodapk.app udp
US 104.21.89.120:443 pgslot5g.app tcp
US 8.8.8.8:53 madart.club udp
US 8.8.8.8:53 threadsvideodownload.app udp
US 50.31.177.136:443 tindergratis.app tcp
US 8.8.8.8:53 77ball.club udp
US 8.8.8.8:53 97.112.217.95.in-addr.arpa udp
US 8.8.8.8:53 217.139.117.89.in-addr.arpa udp
US 8.8.8.8:53 177.189.67.172.in-addr.arpa udp
US 8.8.8.8:53 174.101.210.162.in-addr.arpa udp
US 172.67.160.27:443 shadowfightmodapk.app tcp
US 8.8.8.8:53 145.232.145.192.in-addr.arpa udp
US 8.8.8.8:53 104.200.188.199.in-addr.arpa udp
US 172.67.132.6:443 ufabet789.app tcp
US 8.8.8.8:53 14.162.234.109.in-addr.arpa udp
US 8.8.8.8:53 9.179.220.91.in-addr.arpa udp
US 8.8.8.8:53 193.142.180.82.in-addr.arpa udp
US 8.8.8.8:53 143.145.217.95.in-addr.arpa udp
US 8.8.8.8:53 135.65.21.104.in-addr.arpa udp
US 8.8.8.8:53 229.107.46.89.in-addr.arpa udp
US 8.8.8.8:53 28.161.67.172.in-addr.arpa udp
US 8.8.8.8:53 229.5.217.95.in-addr.arpa udp
US 8.8.8.8:53 54.215.0.162.in-addr.arpa udp
US 8.8.8.8:53 59.42.81.170.in-addr.arpa udp
US 8.8.8.8:53 3.43.250.63.in-addr.arpa udp
US 8.8.8.8:53 164.28.72.62.in-addr.arpa udp
US 173.236.222.98:443 www.tennisanalyzer.app tcp
US 8.8.8.8:53 www.yeschad.club udp
US 8.8.8.8:53 2qlive.club udp
US 8.8.8.8:53 newpoint.club udp
US 8.8.8.8:53 wellways.ch udp
US 8.8.8.8:53 vercalhit.club udp
US 8.8.8.8:53 www.wycieczki.club udp
US 8.8.8.8:53 planseeds.club udp
US 160.153.0.111:443 madart.club tcp
US 172.67.128.82:443 threadsvideodownload.app tcp
SG 172.96.191.158:443 77ball.club tcp
US 8.8.8.8:53 sbobet168z.club udp
US 8.8.8.8:53 ufa888club.club udp
US 8.8.8.8:53 moda-verano.club udp
US 8.8.8.8:53 waitamoment.club udp
US 8.8.8.8:53 27.138.224.185.in-addr.arpa udp
US 8.8.8.8:53 50.205.67.172.in-addr.arpa udp
US 8.8.8.8:53 11.43.250.63.in-addr.arpa udp
US 8.8.8.8:53 120.89.21.104.in-addr.arpa udp
US 8.8.8.8:53 70.222.67.156.in-addr.arpa udp
US 8.8.8.8:53 137.53.106.23.in-addr.arpa udp
US 8.8.8.8:53 27.160.67.172.in-addr.arpa udp
US 8.8.8.8:53 6.132.67.172.in-addr.arpa udp
US 8.8.8.8:53 136.177.31.50.in-addr.arpa udp
US 8.8.8.8:53 98.222.236.173.in-addr.arpa udp
US 8.8.8.8:53 111.0.153.160.in-addr.arpa udp
US 172.67.182.65:443 xxxpornhub.club tcp
FR 87.98.236.253:443 www.wycieczki.club tcp
US 104.21.35.138:443 ufa888club.club tcp
FR 109.234.160.161:443 www.yeschad.club tcp
FR 155.133.132.8:443 wellways.ch tcp
GB 154.49.138.194:443 newpoint.club tcp
US 172.67.200.223:443 2qlive.club tcp
US 104.21.59.177:443 vercalhit.club tcp
US 104.21.90.86:80 planseeds.club tcp
US 8.8.8.8:53 82.128.67.172.in-addr.arpa udp
US 8.8.8.8:53 xcolegialas.club udp
US 8.8.8.8:53 woyaojianfei.club udp
US 8.8.8.8:53 paddockracing.club udp
US 8.8.8.8:53 kingkong89vip.club udp
US 8.8.8.8:53 notgood.co udp
US 8.8.8.8:53 tekno.cfd udp
US 8.8.8.8:53 roxcasino-odin10.club udp
US 8.8.8.8:53 syairsgp.life udp
US 8.8.8.8:53 syairsdy.life udp
US 8.8.8.8:53 uneminute.life udp
US 8.8.8.8:53 158.191.96.172.in-addr.arpa udp
US 8.8.8.8:53 65.182.67.172.in-addr.arpa udp
US 8.8.8.8:53 253.236.98.87.in-addr.arpa udp
US 8.8.8.8:53 138.35.21.104.in-addr.arpa udp
US 8.8.8.8:53 161.160.234.109.in-addr.arpa udp
US 8.8.8.8:53 223.200.67.172.in-addr.arpa udp
US 8.8.8.8:53 177.59.21.104.in-addr.arpa udp
US 8.8.8.8:53 86.90.21.104.in-addr.arpa udp
US 104.21.53.102:443 paddockracing.club tcp
US 8.8.8.8:53 8.132.133.155.in-addr.arpa udp
US 8.8.8.8:53 194.138.49.154.in-addr.arpa udp
US 104.21.58.111:443 waitamoment.club tcp
US 172.67.202.239:443 kingkong89vip.club tcp
US 172.67.181.143:443 moda-verano.club tcp
US 8.8.8.8:53 healtheland.life udp
US 8.8.8.8:53 7thheavenclub.life udp
US 8.8.8.8:53 lucidideastream.life udp
US 8.8.8.8:53 rahasiaberuntung.life udp
NL 45.139.122.160:443 xcolegialas.club tcp
US 104.21.90.86:443 planseeds.club tcp
US 8.8.8.8:53 casino-daddy.life udp
US 8.8.8.8:53 flooringmaestro.com udp
US 8.8.8.8:53 florespelomundo.com udp
US 216.239.38.21:443 syairsdy.life tcp
SG 45.130.231.97:443 tekno.cfd tcp
US 216.239.36.21:443 syairsdy.life tcp
US 172.67.174.53:443 roxcasino-odin10.club tcp
US 8.8.8.8:53 fluencyinfrench.com udp
US 8.8.8.8:53 fractionalboost.com udp
US 8.8.8.8:53 www.vercalhit.club udp
US 8.8.8.8:53 furin-interiors.com udp
US 8.8.8.8:53 goodvibesdesign.com udp
US 8.8.8.8:53 goldcleancarpet.com udp
US 63.250.38.139:443 uneminute.life tcp
US 160.153.0.153:443 notgood.co tcp
US 8.8.8.8:53 greenandglowing.com udp
ID 103.189.235.224:80 rahasiaberuntung.life tcp
IN 68.178.145.171:443 7thheavenclub.life tcp
US 172.67.182.67:443 casino-daddy.life tcp
US 172.67.177.250:443 lucidideastream.life tcp
US 50.87.173.197:80 fluencyinfrench.com tcp
US 107.180.14.67:80 fractionalboost.com tcp
US 162.241.224.62:443 flooringmaestro.com tcp
US 8.8.8.8:53 www.syairsgp.life udp
US 8.8.8.8:53 www.syairsdy.life udp
US 104.21.29.168:443 healtheland.life tcp
US 162.241.24.59:443 goodvibesdesign.com tcp
US 192.185.223.167:443 goldcleancarpet.com tcp
US 162.214.80.49:443 furin-interiors.com tcp
US 104.21.59.177:443 www.vercalhit.club tcp
US 192.185.213.244:443 florespelomundo.com tcp
US 8.8.8.8:53 hailreliefgroup.com udp
US 8.8.8.8:53 1830daytoniaroad.com udp
US 8.8.8.8:53 hierofaniastore.com udp
US 8.8.8.8:53 102.53.21.104.in-addr.arpa udp
US 8.8.8.8:53 111.58.21.104.in-addr.arpa udp
US 8.8.8.8:53 239.202.67.172.in-addr.arpa udp
US 8.8.8.8:53 143.181.67.172.in-addr.arpa udp
US 8.8.8.8:53 160.122.139.45.in-addr.arpa udp
US 8.8.8.8:53 21.38.239.216.in-addr.arpa udp
US 8.8.8.8:53 21.36.239.216.in-addr.arpa udp
US 8.8.8.8:53 53.174.67.172.in-addr.arpa udp
US 8.8.8.8:53 97.231.130.45.in-addr.arpa udp
US 8.8.8.8:53 153.0.153.160.in-addr.arpa udp
US 8.8.8.8:53 www.waitamoment.club udp
US 8.8.8.8:53 ballpythonforsale.com udp
US 8.8.8.8:53 adicakobauschool.com udp
US 8.8.8.8:53 adviseweightloss.com udp
US 162.241.225.171:443 greenandglowing.com tcp
US 172.67.176.47:443 imunify-alert.com tcp
US 8.8.8.8:53 www.moda-verano.club udp
NL 45.139.122.160:80 xcolegialas.club tcp
US 8.8.8.8:53 analistademarcas.com udp
GB 142.250.200.19:443 www.syairsdy.life tcp
US 8.8.8.8:53 apphackerdotigre.com udp
US 162.241.252.44:443 adicakobauschool.com tcp
US 162.241.252.110:443 adviseweightloss.com tcp
US 8.8.8.8:53 attaquranacademy.com udp
US 172.67.203.149:443 www.waitamoment.club tcp
US 8.8.8.8:53 augmenteddefence.com udp
US 8.8.8.8:53 bkflooring-nl.com udp
US 8.8.8.8:53 139.38.250.63.in-addr.arpa udp
US 8.8.8.8:53 67.182.67.172.in-addr.arpa udp
US 8.8.8.8:53 250.177.67.172.in-addr.arpa udp
US 8.8.8.8:53 197.173.87.50.in-addr.arpa udp
US 8.8.8.8:53 62.224.241.162.in-addr.arpa udp
US 8.8.8.8:53 168.29.21.104.in-addr.arpa udp
US 8.8.8.8:53 167.223.185.192.in-addr.arpa udp
US 8.8.8.8:53 244.213.185.192.in-addr.arpa udp
US 8.8.8.8:53 59.24.241.162.in-addr.arpa udp
US 8.8.8.8:53 49.80.214.162.in-addr.arpa udp
US 162.241.218.88:80 1830daytoniaroad.com tcp
US 8.8.8.8:53 blazedvaperstore.com udp
US 8.8.8.8:53 bloggary2success.com udp
US 8.8.8.8:53 bomboragroupindo.com udp
US 8.8.8.8:53 www.bookprizearchive.com udp
US 129.121.17.226:80 hailreliefgroup.com tcp
US 108.167.183.71:443 ballpythonforsale.com tcp
GB 142.250.200.19:443 www.syairsdy.life tcp
US 108.179.193.4:443 hierofaniastore.com tcp
US 104.21.18.98:443 www.moda-verano.club tcp
US 8.8.8.8:53 brownmarketing23.com udp
US 8.8.8.8:53 bugbustersmyrtle.com udp
US 8.8.8.8:53 burialcremations.com udp
US 8.8.8.8:53 ftworthdetailing.com udp
US 8.8.8.8:53 ganharcomchatgpt.com udp
US 8.8.8.8:53 getperfectquotes.com udp
US 8.8.8.8:53 gocebeseyirciler.com udp
BR 177.154.191.198:443 apphackerdotigre.com tcp
US 192.185.129.61:443 bkflooring-nl.com tcp
US 8.8.8.8:53 hareshpadmanaban.com udp
US 8.8.8.8:53 hassinakhanglass.com udp
US 8.8.8.8:53 19.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 149.203.67.172.in-addr.arpa udp
US 8.8.8.8:53 44.252.241.162.in-addr.arpa udp
US 8.8.8.8:53 110.252.241.162.in-addr.arpa udp
US 8.8.8.8:53 health-gratitude.com udp
US 8.8.8.8:53 homefinityafrica.com udp
US 8.8.8.8:53 innovatemomentum.com udp
US 8.8.8.8:53 171.225.241.162.in-addr.arpa udp
US 143.95.228.27:443 attaquranacademy.com tcp
US 162.241.253.126:443 augmenteddefence.com tcp
US 8.8.8.8:53 jangidmehandiart.com udp
US 8.8.8.8:53 hulkorthorpedics.com udp
US 8.8.8.8:53 kettlehauscoffee.com udp
US 173.254.30.127:443 www.bookprizearchive.com tcp
US 8.8.8.8:53 kingdom-blessing.com udp
US 50.6.138.155:443 blazedvaperstore.com tcp
US 162.241.224.182:443 bloggary2success.com tcp
GB 45.77.57.25:443 bomboragroupindo.com tcp
US 198.57.151.25:443 ftworthdetailing.com tcp
US 8.8.8.8:53 tlcservicesclean.com udp
US 8.8.8.8:53 vidacomabundancia.com udp
US 8.8.8.8:53 vidaemequiolibrio.com udp
US 108.179.234.88:443 getperfectquotes.com tcp
US 8.8.8.8:53 wallaronfreelance.com udp
US 8.8.8.8:53 88.218.241.162.in-addr.arpa udp
US 8.8.8.8:53 71.183.167.108.in-addr.arpa udp
US 8.8.8.8:53 98.18.21.104.in-addr.arpa udp
US 8.8.8.8:53 226.17.121.129.in-addr.arpa udp
US 8.8.8.8:53 4.193.179.108.in-addr.arpa udp
US 8.8.8.8:53 weekofsuperoffers.com udp
US 8.8.8.8:53 jwbicyclerepairs.com udp
US 8.8.8.8:53 wicamartartesanos.com udp
US 192.232.220.138:443 burialcremations.com tcp
US 162.241.226.40:80 brownmarketing23.com tcp
US 8.8.8.8:53 1mblueprintmethod.com udp
US 192.185.48.190:443 hassinakhanglass.com tcp
US 162.241.216.74:443 gocebeseyirciler.com tcp
US 8.8.8.8:53 48hourcashmachine.com udp
US 162.241.123.133:443 hareshpadmanaban.com tcp
US 108.167.157.134:443 innovatemomentum.com tcp
US 8.8.8.8:53 aakraticonsultant.com udp
US 106.0.62.69:443 homefinityafrica.com tcp
US 162.214.80.91:443 jangidmehandiart.com tcp
US 50.87.253.32:443 bugbustersmyrtle.com tcp
US 106.0.62.81:443 health-gratitude.com tcp
US 8.8.8.8:53 anticipatingmagic.com udp
US 66.235.200.147:443 kettlehauscoffee.com tcp
US 8.8.8.8:53 198.191.154.177.in-addr.arpa udp
US 8.8.8.8:53 27.228.95.143.in-addr.arpa udp
US 8.8.8.8:53 126.253.241.162.in-addr.arpa udp
US 8.8.8.8:53 25.57.77.45.in-addr.arpa udp
US 8.8.8.8:53 127.30.254.173.in-addr.arpa udp
US 8.8.8.8:53 155.138.6.50.in-addr.arpa udp
US 8.8.8.8:53 182.224.241.162.in-addr.arpa udp
DE 81.169.145.92:80 kingdom-blessing.com tcp
US 198.54.115.46:443 tlcservicesclean.com tcp
US 70.32.23.113:443 jwbicyclerepairs.com tcp
US 8.8.8.8:53 ascending-therapy.com udp
US 162.241.217.204:80 1mblueprintmethod.com tcp
US 162.222.225.246:443 hulkorthorpedics.com tcp
US 8.8.8.8:53 assistprostaffing.com udp
US 162.241.2.61:443 weekofsuperoffers.com tcp
US 108.167.149.240:443 wicamartartesanos.com tcp
US 162.241.62.211:443 vidacomabundancia.com tcp
US 104.26.2.65:443 48hourcashmachine.com tcp
US 8.8.8.8:53 www.backbenchersmedia.com udp
US 8.8.8.8:53 bandha-supermarkt.com udp
US 8.8.8.8:53 bestsaleonlytoday.com udp
US 8.8.8.8:53 anxietybotstudios.com udp
US 162.241.224.245:80 wallaronfreelance.com tcp
US 8.8.8.8:53 bibliotecadomundo.com udp
US 8.8.8.8:53 beyondsightstudio.com udp
US 8.8.8.8:53 blackdiamondherps.com udp
US 8.8.8.8:53 bosiadventuretour.com udp
US 8.8.8.8:53 brostableandchair.com udp
IN 119.18.49.69:443 aakraticonsultant.com tcp
US 8.8.8.8:53 88.234.179.108.in-addr.arpa udp
US 8.8.8.8:53 138.220.232.192.in-addr.arpa udp
US 8.8.8.8:53 40.226.241.162.in-addr.arpa udp
US 8.8.8.8:53 190.48.185.192.in-addr.arpa udp
US 8.8.8.8:53 74.216.241.162.in-addr.arpa udp
US 8.8.8.8:53 134.157.167.108.in-addr.arpa udp
US 8.8.8.8:53 133.123.241.162.in-addr.arpa udp
US 8.8.8.8:53 69.62.0.106.in-addr.arpa udp
US 8.8.8.8:53 32.253.87.50.in-addr.arpa udp
US 8.8.8.8:53 91.80.214.162.in-addr.arpa udp
US 8.8.8.8:53 81.62.0.106.in-addr.arpa udp
US 8.8.8.8:53 bumblinforbourbon.com udp
US 8.8.8.8:53 bunnydestinations.com udp
US 8.8.8.8:53 business-fortress.com udp
US 8.8.8.8:53 caesarimportacoes.com udp
US 8.8.8.8:53 caicosenterprises.com udp
US 8.8.8.8:53 canberrasolarguru.com udp
US 8.8.8.8:53 caracterdomestico.com udp
US 8.8.8.8:53 cardxwestpartners.com udp
US 8.8.8.8:53 careathomenursing.com udp
US 162.241.218.136:80 anticipatingmagic.com tcp
US 108.179.235.107:443 ascending-therapy.com tcp
US 8.8.8.8:53 careerpathway-llc.com udp
US 8.8.8.8:53 www.cartowingkirkland.com udp
US 8.8.8.8:53 carolinebattilani.com udp
US 8.8.8.8:53 caseairpodsminion.com udp
US 8.8.8.8:53 cchealthcaregroup.com udp
US 8.8.8.8:53 celikinsaatiskele.com udp
US 8.8.8.8:53 centroestudiosetl.com udp
US 50.116.87.224:443 bestsaleonlytoday.com tcp
US 162.241.226.16:443 anxietybotstudios.com tcp
US 162.241.244.16:443 assistprostaffing.com tcp
US 8.8.8.8:53 147.200.235.66.in-addr.arpa udp
US 8.8.8.8:53 92.145.169.81.in-addr.arpa udp
US 8.8.8.8:53 113.23.32.70.in-addr.arpa udp
US 8.8.8.8:53 240.149.167.108.in-addr.arpa udp
US 8.8.8.8:53 61.2.241.162.in-addr.arpa udp
US 8.8.8.8:53 204.217.241.162.in-addr.arpa udp
US 8.8.8.8:53 246.225.222.162.in-addr.arpa udp
US 8.8.8.8:53 65.2.26.104.in-addr.arpa udp
US 8.8.8.8:53 245.224.241.162.in-addr.arpa udp
US 8.8.8.8:53 ceritachiisycheek.com udp
US 8.8.8.8:53 www.chloeanddavid2024.com udp
US 8.8.8.8:53 ceylangayrimenkul.com udp
US 8.8.8.8:53 chocolateelpalmar.com udp
US 8.8.8.8:53 www.chothuexemayhanoi.com udp
US 162.240.81.18:443 bibliotecadomundo.com tcp
US 192.185.141.13:443 blackdiamondherps.com tcp
TR 94.199.206.94:443 brostableandchair.com tcp
IT 86.107.32.169:443 bosiadventuretour.com tcp
IN 68.178.159.92:443 www.backbenchersmedia.com tcp
US 8.8.8.8:53 cmentarze-wojenne.com udp
PL 94.152.207.10:443 bunnydestinations.com tcp
US 8.8.8.8:53 clockworkcontacts.com udp
DE 81.169.145.160:443 bandha-supermarkt.com tcp
US 132.148.237.122:80 beyondsightstudio.com tcp
US 8.8.8.8:53 coinpreconfinados.com udp
US 160.153.0.6:443 canberrasolarguru.com tcp
FR 195.35.49.204:443 caracterdomestico.com tcp
US 8.8.8.8:53 collabresidential.com udp
US 3.33.130.190:443 careathomenursing.com tcp
US 104.21.59.127:443 cardxwestpartners.com tcp
US 66.81.203.198:443 caicosenterprises.com tcp
IN 68.178.149.21:80 business-fortress.com tcp
US 8.8.8.8:53 69.49.18.119.in-addr.arpa udp
US 204.44.192.78:443 bumblinforbourbon.com tcp
US 89.117.8.121:443 chocolateelpalmar.com tcp
IE 78.153.210.32:80 www.chloeanddavid2024.com tcp
US 8.8.8.8:53 www.comfymovementgear.com udp
US 8.8.8.8:53 comunidadessalnes.com udp
VN 103.74.116.147:80 caseairpodsminion.com tcp
FR 89.116.147.3:443 ceylangayrimenkul.com tcp
VN 103.74.116.126:443 www.chothuexemayhanoi.com tcp
SG 151.106.119.247:443 ceritachiisycheek.com tcp
FR 54.36.145.173:80 centroestudiosetl.com tcp
TR 104.247.165.146:443 celikinsaatiskele.com tcp
GB 188.166.150.35:80 cchealthcaregroup.com tcp
FR 92.204.218.255:443 careerpathway-llc.com tcp
US 8.8.8.8:53 conversationtopia.com udp
FR 213.32.10.111:80 cmentarze-wojenne.com tcp
US 198.12.218.67:443 www.cartowingkirkland.com tcp
BR 149.100.155.174:443 coinpreconfinados.com tcp
US 8.8.8.8:53 copenhagenshiatsu.com udp
US 8.8.8.8:53 107.235.179.108.in-addr.arpa udp
US 8.8.8.8:53 136.218.241.162.in-addr.arpa udp
US 8.8.8.8:53 224.87.116.50.in-addr.arpa udp
US 8.8.8.8:53 169.32.107.86.in-addr.arpa udp
US 8.8.8.8:53 16.226.241.162.in-addr.arpa udp
US 8.8.8.8:53 16.244.241.162.in-addr.arpa udp
US 8.8.8.8:53 13.141.185.192.in-addr.arpa udp
US 8.8.8.8:53 10.207.152.94.in-addr.arpa udp
US 8.8.8.8:53 160.145.169.81.in-addr.arpa udp
US 8.8.8.8:53 6.0.153.160.in-addr.arpa udp
US 8.8.8.8:53 204.49.35.195.in-addr.arpa udp
US 8.8.8.8:53 127.59.21.104.in-addr.arpa udp
US 8.8.8.8:53 190.130.33.3.in-addr.arpa udp
US 8.8.8.8:53 corporacionlarson.com udp
US 104.21.7.25:443 carolinebattilani.com tcp
US 8.8.8.8:53 courseandproducts.com udp
US 151.101.130.159:443 collabresidential.com tcp
US 8.8.8.8:53 creativelycassidy.com udp
US 8.8.8.8:53 cubicletoilettase.com udp
US 8.8.8.8:53 cuocsongvietdalat.com udp
US 8.8.8.8:53 www.dailybdcrimetimes.com udp
US 8.8.8.8:53 dailyinfojunction.com udp
US 8.8.8.8:53 daveedaaccounting.com udp
US 191.101.79.249:443 conversationtopia.com tcp
US 8.8.8.8:53 deportesgenerales.com udp
US 8.8.8.8:53 deadamapeluqueria.com udp
US 107.150.82.83:443 www.comfymovementgear.com tcp
MX 216.238.66.129:443 corporacionlarson.com tcp
DK 81.7.161.163:80 copenhagenshiatsu.com tcp
BR 185.239.210.134:443 courseandproducts.com tcp
US 8.8.8.8:53 wow99live.com udp
US 8.8.8.8:53 78.192.44.204.in-addr.arpa udp
US 8.8.8.8:53 3.147.116.89.in-addr.arpa udp
US 8.8.8.8:53 173.145.36.54.in-addr.arpa udp
US 8.8.8.8:53 32.210.153.78.in-addr.arpa udp
US 8.8.8.8:53 111.10.32.213.in-addr.arpa udp
US 8.8.8.8:53 35.150.166.188.in-addr.arpa udp
US 8.8.8.8:53 146.165.247.104.in-addr.arpa udp
US 8.8.8.8:53 121.8.117.89.in-addr.arpa udp
US 8.8.8.8:53 147.116.74.103.in-addr.arpa udp
US 8.8.8.8:53 247.119.106.151.in-addr.arpa udp
US 8.8.8.8:53 25.7.21.104.in-addr.arpa udp
US 8.8.8.8:53 174.155.100.149.in-addr.arpa udp
US 8.8.8.8:53 xr4online.com udp
US 104.21.83.28:443 cubicletoilettase.com tcp
ES 31.47.78.180:443 comunidadessalnes.com tcp
US 149.100.151.34:443 creativelycassidy.com tcp
US 8.8.8.8:53 xtuevents.com udp
FR 89.117.116.190:443 deadamapeluqueria.com tcp
US 204.93.224.55:80 deportesgenerales.com tcp
US 8.8.8.8:53 yerkinuly.com udp
US 8.8.8.8:53 yincilang.com udp
FI 65.109.39.121:443 www.dailybdcrimetimes.com tcp
US 172.67.209.193:443 wow99live.com tcp
CA 149.56.133.72:443 dailyinfojunction.com tcp
US 8.8.8.8:53 yoscher-s.com udp
US 8.8.8.8:53 yrruchome.com udp
VN 103.57.222.17:443 cuocsongvietdalat.com tcp
US 8.8.8.8:53 ys-events.com udp
FR 54.36.145.173:443 centroestudiosetl.com tcp
GB 149.255.58.57:443 yerkinuly.com tcp
US 8.8.8.8:53 83.82.150.107.in-addr.arpa udp
US 8.8.8.8:53 163.161.7.81.in-addr.arpa udp
US 8.8.8.8:53 249.79.101.191.in-addr.arpa udp
US 8.8.8.8:53 129.66.238.216.in-addr.arpa udp
US 8.8.8.8:53 134.210.239.185.in-addr.arpa udp
US 8.8.8.8:53 28.83.21.104.in-addr.arpa udp
US 8.8.8.8:53 180.78.47.31.in-addr.arpa udp
US 8.8.8.8:53 34.151.100.149.in-addr.arpa udp
US 8.8.8.8:53 ytbuddies.com udp
US 8.8.8.8:53 zaemchiki.com udp
US 8.8.8.8:53 zbet88bet.com udp
US 8.8.8.8:53 zecklance.com udp
US 8.8.8.8:53 zuluposts.com udp
ES 134.0.10.50:80 xtuevents.com tcp
US 8.8.8.8:53 1newsmedia.com udp
US 8.8.8.8:53 1xbetaktif.com udp
ID 103.247.8.35:443 ys-events.com tcp
US 8.8.8.8:53 2bedtelbkk.com udp
US 8.8.8.8:53 2elurunsat.com udp
US 8.8.8.8:53 4markitect.com udp
US 8.8.8.8:53 a1000month.com udp
US 149.100.151.235:443 yrruchome.com tcp
US 104.21.68.166:443 zaemchiki.com tcp
FI 65.108.198.252:443 zuluposts.com tcp
US 104.21.70.156:443 zbet88bet.com tcp
US 8.8.8.8:53 2033east70.com udp
US 31.220.48.75:443 zecklance.com tcp
US 8.8.8.8:53 190.116.117.89.in-addr.arpa udp
US 8.8.8.8:53 55.224.93.204.in-addr.arpa udp
US 8.8.8.8:53 193.209.67.172.in-addr.arpa udp
US 8.8.8.8:53 121.39.109.65.in-addr.arpa udp
US 8.8.8.8:53 72.133.56.149.in-addr.arpa udp
US 8.8.8.8:53 57.58.255.149.in-addr.arpa udp
US 8.8.8.8:53 17.222.57.103.in-addr.arpa udp
US 8.8.8.8:53 aamchealth.com udp
JP 153.127.141.167:443 yoscher-s.com tcp
US 8.8.8.8:53 aarmubarok.com udp
US 8.8.8.8:53 www.abelolotto.com udp
US 8.8.8.8:53 acecourten.com udp
US 8.8.8.8:53 www.bunnydestinations.com udp
US 199.188.206.68:443 1newsmedia.com tcp
IN 154.41.233.95:443 ytbuddies.com tcp
US 173.236.152.242:443 www.abelolotto.com tcp
US 172.67.128.112:443 1xbetaktif.com tcp
US 208.113.147.1:443 2033east70.com tcp
US 8.8.8.8:53 abwraleigh.com udp
DE 2.58.82.72:443 4markitect.com tcp
US 8.8.8.8:53 adoretours.com udp
US 8.8.8.8:53 aecsworlds.com udp
US 8.8.8.8:53 air-sealog.com udp
SG 178.128.118.97:443 aarmubarok.com tcp
SG 68.183.226.120:443 a1000month.com tcp
US 104.21.18.3:443 aamchealth.com tcp
US 8.8.8.8:53 agenciaylt.com udp
US 8.8.8.8:53 www.xtuevents.com udp
US 8.8.8.8:53 166.68.21.104.in-addr.arpa udp
SG 156.67.222.25:443 2bedtelbkk.com tcp
US 8.8.8.8:53 156.70.21.104.in-addr.arpa udp
US 8.8.8.8:53 252.198.108.65.in-addr.arpa udp
US 8.8.8.8:53 235.151.100.149.in-addr.arpa udp
TR 45.84.189.3:443 2elurunsat.com tcp
US 8.8.8.8:53 35.8.247.103.in-addr.arpa udp
US 8.8.8.8:53 75.48.220.31.in-addr.arpa udp
US 8.8.8.8:53 aisparklab.com udp
US 8.8.8.8:53 www.alabeeregy.com udp
US 8.8.8.8:53 alanfoushi.com udp
US 104.21.36.160:443 acecourten.com tcp
PL 94.152.207.10:443 www.bunnydestinations.com tcp
US 8.8.8.8:53 albapagani.com udp
US 212.1.208.186:443 air-sealog.com tcp
US 8.8.8.8:53 alihuseman.com udp
SG 118.139.160.92:443 aecsworlds.com tcp
US 8.8.8.8:53 www.bosiadventuretour.com udp
GB 109.70.148.62:443 adoretours.com tcp
US 50.6.138.179:443 agenciaylt.com tcp
US 8.8.8.8:53 www.4markitect.com udp
US 74.220.199.6:443 www.alabeeregy.com tcp
US 149.100.151.233:443 aisparklab.com tcp
ES 134.0.10.50:80 www.xtuevents.com tcp
US 8.8.8.8:53 167.141.127.153.in-addr.arpa udp
US 8.8.8.8:53 95.233.41.154.in-addr.arpa udp
US 8.8.8.8:53 68.206.188.199.in-addr.arpa udp
US 8.8.8.8:53 242.152.236.173.in-addr.arpa udp
US 8.8.8.8:53 112.128.67.172.in-addr.arpa udp
US 8.8.8.8:53 72.82.58.2.in-addr.arpa udp
US 8.8.8.8:53 1.147.113.208.in-addr.arpa udp
US 8.8.8.8:53 3.189.84.45.in-addr.arpa udp
US 8.8.8.8:53 120.226.183.68.in-addr.arpa udp
US 8.8.8.8:53 160.36.21.104.in-addr.arpa udp
US 8.8.8.8:53 97.118.128.178.in-addr.arpa udp
NL 89.116.53.102:443 alanfoushi.com tcp
US 173.236.137.134:443 alihuseman.com tcp
FR 212.129.9.181:443 albapagani.com tcp
US 209.145.49.186:443 abwraleigh.com tcp
CN 139.9.5.28:443 aitoooools.com tcp
US 8.8.8.8:53 alladinapp.com udp
US 8.8.8.8:53 sashimi-sp.com udp
US 8.8.8.8:53 alqofashop.com udp
IT 86.107.32.169:443 www.bosiadventuretour.com tcp
US 8.8.8.8:53 www.altitud200.com udp
US 8.8.8.8:53 amirmansha.com udp
US 8.8.8.8:53 ampbozeman.com udp
US 8.8.8.8:53 amstarpack.com udp
US 8.8.8.8:53 annapakvis.com udp
US 8.8.8.8:53 www.2033east70.com udp
US 8.8.8.8:53 billlionair.app udp
DE 2.58.82.72:443 www.4markitect.com tcp
US 8.8.8.8:53 25.222.67.156.in-addr.arpa udp
US 8.8.8.8:53 186.208.1.212.in-addr.arpa udp
US 8.8.8.8:53 62.148.70.109.in-addr.arpa udp
US 8.8.8.8:53 179.138.6.50.in-addr.arpa udp
US 8.8.8.8:53 233.151.100.149.in-addr.arpa udp
US 8.8.8.8:53 102.53.116.89.in-addr.arpa udp
US 8.8.8.8:53 181.9.129.212.in-addr.arpa udp
US 162.241.218.106:443 alqofashop.com tcp
US 195.35.15.107:443 amirmansha.com tcp
US 72.167.105.216:443 www.altitud200.com tcp
US 162.241.24.41:443 annapakvis.com tcp
US 172.67.191.105:443 sashimi-sp.com tcp
US 8.8.8.8:53 annkristen.com udp
US 8.8.8.8:53 enaknyo.com udp
US 8.8.8.8:53 antalyavix.com udp
US 8.8.8.8:53 www.comunidadessalnes.com udp
US 8.8.8.8:53 apenas1gol.com udp
GB 192.250.239.58:443 alladinapp.com tcp
US 8.8.8.8:53 ar-gravity.com udp
SG 149.28.139.72:443 ampbozeman.com tcp
US 8.8.8.8:53 arrvcursos.com udp
US 8.8.8.8:53 artpadzone.com udp
US 8.8.8.8:53 artsurania.com udp
TH 202.9.90.144:80 amstarpack.com tcp
US 198.54.117.242:443 billlionair.app tcp
US 8.8.8.8:53 arufenacht.com udp
US 8.8.8.8:53 asoulofart.com udp
US 208.113.147.1:443 www.2033east70.com tcp
US 8.8.8.8:53 134.137.236.173.in-addr.arpa udp
US 8.8.8.8:53 186.49.145.209.in-addr.arpa udp
US 8.8.8.8:53 ashiura-rv.com udp
US 63.250.43.10:443 ar-gravity.com tcp
US 8.8.8.8:53 astridlisa.com udp
US 108.179.252.47:443 apenas1gol.com tcp
US 8.8.8.8:53 avianbliss.com udp
US 8.8.8.8:53 ayitibooks.com udp
US 8.8.8.8:53 badasv9010.com udp
US 8.8.8.8:53 bacsihabmt.com udp
US 104.21.95.31:80 antalyavix.com tcp
US 62.106.90.75:443 artpadzone.com tcp
ES 31.47.78.180:443 www.comunidadessalnes.com tcp
GB 81.19.215.12:443 arufenacht.com tcp
US 104.21.8.182:443 asoulofart.com tcp
US 104.21.39.163:443 annkristen.com tcp
BR 154.49.247.75:443 arrvcursos.com tcp
SG 178.128.118.97:443 enaknyo.com tcp
US 8.8.8.8:53 badbunnyuk.com udp
US 162.241.225.102:80 artsurania.com tcp
US 8.8.8.8:53 bafaototal.com udp
US 8.8.8.8:53 www.bagslegion.com udp
US 8.8.8.8:53 105.191.67.172.in-addr.arpa udp
US 8.8.8.8:53 106.218.241.162.in-addr.arpa udp
US 8.8.8.8:53 58.239.250.192.in-addr.arpa udp
US 8.8.8.8:53 107.15.35.195.in-addr.arpa udp
US 8.8.8.8:53 242.117.54.198.in-addr.arpa udp
US 8.8.8.8:53 72.139.28.149.in-addr.arpa udp
US 8.8.8.8:53 144.90.9.202.in-addr.arpa udp
US 8.8.8.8:53 bahadinler.com udp
US 104.21.6.38:443 badasv9010.com tcp
US 8.8.8.8:53 bakingchat.com udp
US 104.21.33.60:443 astridlisa.com tcp
US 8.8.8.8:53 balispa543.com udp
US 8.8.8.8:53 ballhuddle.com udp
US 89.117.139.53:443 badbunnyuk.com tcp
US 172.67.196.73:443 avianbliss.com tcp
US 45.32.165.132:443 ayitibooks.com tcp
US 8.8.8.8:53 bamiglobal.com udp
US 8.8.8.8:53 bananaquad.com udp
US 8.8.8.8:53 antalyazoxs.com udp
MY 103.191.76.170:443 www.bagslegion.com tcp
VN 112.213.88.148:443 bacsihabmt.com tcp
BR 154.49.247.232:443 bafaototal.com tcp
TR 5.2.85.161:80 bahadinler.com tcp
US 8.8.8.8:53 baylievike.com udp
TH 202.9.90.144:443 amstarpack.com tcp
US 8.8.8.8:53 31.95.21.104.in-addr.arpa udp
US 8.8.8.8:53 12.215.19.81.in-addr.arpa udp
US 8.8.8.8:53 163.39.21.104.in-addr.arpa udp
US 8.8.8.8:53 182.8.21.104.in-addr.arpa udp
US 8.8.8.8:53 10.43.250.63.in-addr.arpa udp
US 8.8.8.8:53 47.252.179.108.in-addr.arpa udp
US 8.8.8.8:53 75.90.106.62.in-addr.arpa udp
US 8.8.8.8:53 75.247.49.154.in-addr.arpa udp
US 8.8.8.8:53 102.225.241.162.in-addr.arpa udp
US 8.8.8.8:53 bazarmovel.com udp
TW 103.153.177.35:443 balispa543.com tcp
US 172.67.178.80:443 ballhuddle.com tcp
US 8.8.8.8:53 baramee365.com udp
US 8.8.8.8:53 bcomhealth.com udp
US 8.8.8.8:53 bellinnovo.com udp
KR 158.247.192.70:443 bakingchat.com tcp
US 162.241.194.166:80 bananaquad.com tcp
DE 88.198.22.18:443 bamiglobal.com tcp
US 162.241.216.182:443 baylievike.com tcp
US 50.6.138.101:443 bazarmovel.com tcp
US 8.8.8.8:53 bengalsnyc.com udp
TH 119.59.97.28:443 baramee365.com tcp
US 162.241.244.49:443 bellinnovo.com tcp
US 162.241.226.175:80 bcomhealth.com tcp
US 172.67.209.194:80 antalyazoxs.com tcp
US 8.8.8.8:53 38.6.21.104.in-addr.arpa udp
US 8.8.8.8:53 73.196.67.172.in-addr.arpa udp
US 8.8.8.8:53 60.33.21.104.in-addr.arpa udp
US 8.8.8.8:53 132.165.32.45.in-addr.arpa udp
US 8.8.8.8:53 53.139.117.89.in-addr.arpa udp
US 8.8.8.8:53 161.85.2.5.in-addr.arpa udp
US 8.8.8.8:53 80.178.67.172.in-addr.arpa udp
US 8.8.8.8:53 232.247.49.154.in-addr.arpa udp
US 8.8.8.8:53 170.76.191.103.in-addr.arpa udp
US 8.8.8.8:53 148.88.213.112.in-addr.arpa udp
US 8.8.8.8:53 35.177.153.103.in-addr.arpa udp
US 8.8.8.8:53 betterrepo.com udp
US 8.8.8.8:53 bevcraftla.com udp
US 8.8.8.8:53 bhalnonesh.com udp
US 8.8.8.8:53 www.annkristen.com udp
US 8.8.8.8:53 birthdayle.com udp
PL 77.87.193.69:443 bengalsnyc.com tcp
DE 185.30.32.165:443 bensnotion.com tcp
US 8.8.8.8:53 bendarumah.com udp
US 8.8.8.8:53 biznectify.com udp
US 8.8.8.8:53 blackycats.com udp
US 8.8.8.8:53 blissjetva.com udp
US 8.8.8.8:53 www.asoulofart.com udp
KR 183.111.183.76:443 betterrepo.com tcp
US 8.8.8.8:53 bloomleaks.com udp
US 8.8.8.8:53 bobolife77.com udp
US 8.8.8.8:53 boombet789.com udp
US 8.8.8.8:53 70.192.247.158.in-addr.arpa udp
US 160.153.0.60:443 bevcraftla.com tcp
US 8.8.8.8:53 18.22.198.88.in-addr.arpa udp
US 8.8.8.8:53 182.216.241.162.in-addr.arpa udp
US 8.8.8.8:53 166.194.241.162.in-addr.arpa udp
US 8.8.8.8:53 101.138.6.50.in-addr.arpa udp

Files

memory/4468-1-0x0000000002DD0000-0x0000000002ED0000-memory.dmp

memory/4468-2-0x0000000004A80000-0x0000000004A8B000-memory.dmp

memory/4468-3-0x0000000000400000-0x0000000002D3E000-memory.dmp

memory/3440-4-0x0000000001E40000-0x0000000001E56000-memory.dmp

memory/4468-5-0x0000000000400000-0x0000000002D3E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B98C.exe

MD5 f429714dc196a1ae2130f1996b4e2eaa
SHA1 2566af9b0eb1c3dc5d027de8491b124c230417ce
SHA256 684ec7eada428e6471fce207cbf42dade6cb9766e239c3fdbfb2a50d3332d3b0
SHA512 21c87428593f3111f82610ea17a4755687e69c035ad14fc0b5e7da8d0d6c4fb8d59a71e28f70e66a7b93a38c937a9fbf9ecc68b985c41847b3fe9e33a7e27efc

C:\Users\Admin\AppData\Local\Temp\B98C.exe

MD5 48f0af43491eed7f840310fb65553692
SHA1 99cba5c46a82516babb15dd53c9d8758ff9f3565
SHA256 c15a9e548052d6b547c165e8aae85580100c146c64398294aa8505ced9aec3bc
SHA512 b81343c6e14cc8380150562714a31cb836da9896dcef00d08ec2111a90b8bbd95f68cb3402d5ea6a63698bec472edb0b3d4b4d9f1ac8d73b31ed72dbfd40ec97

memory/3116-16-0x0000000004CA0000-0x0000000004E61000-memory.dmp

memory/3116-17-0x0000000004E70000-0x0000000005027000-memory.dmp

memory/396-18-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\B98C.exe

MD5 147f5f5bbc80b2ad753993e15f3f32c2
SHA1 16d73b4abeef12cf76414338901eb7bbef46775f
SHA256 40dc1ae099f2278650c0aa599ba00f659a87996208133d6a64b0cc5cbb5fe990
SHA512 9c43aaa68161ef04c60e3f64c3fd54426dfd387f0013f009f3da94d45f19e514cd41de7b95865c47f55e5800222fd74736659138bb96406aa37f9cdc8e5799b6

memory/396-20-0x0000000000400000-0x0000000000848000-memory.dmp

memory/396-21-0x0000000000400000-0x0000000000848000-memory.dmp

memory/396-22-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BEAD.dll

MD5 b66379323022a073f1f7cdefed747401
SHA1 14cfd615676b85960154df8273ca841f4a0e268b
SHA256 19a75f92a288042be52f1d38976909a22f81e92d22b69b6ab2f1f4d5856448db
SHA512 94b8dbe483f2f624723b831186bfcabc52eb74b8293f7acc4e3152ccdaef86885e2fb89453b91a78493795c99edc96e47dbbd489f92aec4cb30c21c064eb052b

memory/396-25-0x0000000000400000-0x0000000000848000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BEAD.dll

MD5 26549a8766dbb7ec1e64503f0d80daeb
SHA1 45d6c219fdf7bd49f2fdd717bd2fe107272bd077
SHA256 7d3760341cdf5dde2275cd545536336ea238028685aa368e859cda731d40984b
SHA512 0408bd1a3ceff935d063ad2d95c42d04822547f9e01e2a738108c8dc570173e7e59ce9c5a30c483cf812f82ebeaa4829a3fa55ccb4522e0d171aeb63db3fb3fc

memory/2644-27-0x0000000000E40000-0x0000000000E46000-memory.dmp

memory/396-29-0x0000000000400000-0x0000000000848000-memory.dmp

memory/2644-28-0x0000000010000000-0x000000001020C000-memory.dmp

memory/396-33-0x0000000000AE0000-0x0000000000AE6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CC5A.exe

MD5 f024b5c63f0be482106d561d9b0fcbf4
SHA1 0273c450a41bf8df49eaae756fefc23d86c73d6d
SHA256 e3345c4b6ffad6e8a7ad15b664d80bcda9c26cba46e1c30312eb6ee748464c8a
SHA512 4610e2a371cc39cf48835723a3320fe61bcc9ffa62973f3c22291cc9555cc531372a074c249b28ad933b60e8e638cdb19bf6ac44d8e578d9ee4f8e3400c680d0

C:\Users\Admin\AppData\Local\Temp\CC5A.exe

MD5 c2e793eade61c168412f8f2427721fe2
SHA1 4473667cf6f5d77c9af242202b09774273951b7b
SHA256 9694672695c4168ad97cc476ec7e44fd75d8e4d0546c6f970945e342efe5eea0
SHA512 1ce6b3d299f67def8e302226cbcba12183c2d7c3b46686d0c8cd45414de2fe71bde8457be12067fa7301495e0f318ed5a0f8ced9666e7e270d56296fc6f7af46

memory/2732-44-0x00000000015F0000-0x00000000015F1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\D0C0.exe

MD5 e6dd149f484e5dd78f545b026f4a1691
SHA1 3ea5d0fb2de5bfad3dc6dc1744708ccd31102df6
SHA256 11243641663323721ba21494a394de70ae70d4ea23c23f2e2a397fcc3cfea1a7
SHA512 0defb358d59221c56731745a25250dfea49ecbb411f11f31a92ec20fa2123646f4aaf9fd4999898c39e4674f616bc1bed7ef2368b61a29d595dc7b9340dd058b

memory/2732-45-0x0000000000CC0000-0x000000000156F000-memory.dmp

memory/1728-47-0x00000000030C0000-0x00000000031C0000-memory.dmp

memory/2732-46-0x0000000000CC0000-0x000000000156F000-memory.dmp

memory/1728-49-0x0000000002FF0000-0x000000000305B000-memory.dmp

memory/1728-48-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/2732-51-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/2732-52-0x0000000001A10000-0x0000000001A11000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\E2C3.exe

MD5 79b1c5df98d3810ec21749780349ffcf
SHA1 3cc7f65d34f769f69fb980cce070238911fbb886
SHA256 bd3facb8ea2d3515a83054f88dfa3588f47236e3773f5cb720c9cbf2e0e429de
SHA512 68c57dc48582ceb0bed781fbf91440694232be6d5e8ca24886dca13daffa1ef13663e56c18298c4a77e1d84903c251508ca7cae31b6ef94a2b45e814ab99b55e

C:\Users\Admin\AppData\Local\Temp\E2C3.exe

MD5 aab7f7d28c9bef614cc2e65d139eaaf4
SHA1 84138c677df38c85972fe71f9bd486f511a4c3b4
SHA256 36ae09029b49edd53313b205d399e2b9848c63870edfbb2bf975e09329337985
SHA512 3e47415b48b4db38b12611efe5a37559827deb246059119f87f48678825537639160ee3fd8e0acc16249fbad2c46a113b38b8ee3d7b6f3b3b132c754846259a6

memory/3604-59-0x0000000000B80000-0x0000000001436000-memory.dmp

memory/3604-60-0x00000000737D0000-0x0000000073F80000-memory.dmp

memory/396-63-0x0000000002E50000-0x0000000002F8C000-memory.dmp

memory/2644-64-0x0000000002CE0000-0x0000000002E1C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 f30b31cd985bb3b4c2dced17df5ed9fb
SHA1 94a2218267ddd03b538636ace0593e38f52c9b5a
SHA256 b650d35b4c45c0ae9ff9a10df74e5d3c724a8e693a05706e61e798805a731645
SHA512 648ae868eaf7473a7922796d1e1572df192a81dc7ee38c6ca17b3ca8c81dc6af7b3539564fce58ba8c220a3154618e45dfb79640a96a14c56a51123a339b2213

C:\Users\Admin\AppData\Local\Temp\EF66.exe

MD5 3893d9674f9791363d8f92edae4427a7
SHA1 93603d9de7c259c8437f320f032ba171be67e200
SHA256 ad3a5d32351e9b26a5206751e45f27bf4def2890008e573dce58c4e9791fdcce
SHA512 9918357b96ea5af2ec3f056c0d7c41a025558fba88d6ada2ade153dc5b944670acdcc0e1abc76e52d9a9186abd15345519802f605473bf4fb59c81f972a3a6d6

memory/396-79-0x0000000002F90000-0x00000000030AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 fb8129e365391576bb219e9c32633d1e
SHA1 8bea7c52cfb0921c24446e00351d19c8a9cb8484
SHA256 9e73f75e4b618189e5624f02c4cc5dfb810600181434ede34815a645cc4b24b1
SHA512 941ab808da324d78f3aeef63e274994ff50d8d4270315fe9f3a4029ce86efe372c28b6ab6d39accb61f03eab27ae432fc11155d2dc2f74fe0fb621675016c93f

memory/408-85-0x0000000002FB0000-0x0000000002FBB000-memory.dmp

memory/396-93-0x0000000002F90000-0x00000000030AB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 b45b646c5c3131dbbb69c15d98255ab1
SHA1 391cb13c4a7d43b683444f6c3a87305de5004a37
SHA256 e107f6f456b4f9c1138e7e0f1c7d4b88db97f62cb5e624da3e574d59681dd7a1
SHA512 13edee5cc6e7a05339aeb9ac4c91f7c787ba887192523f977a4eaac61aeecaccad01791ebee78ddf51196563397a3d52b064af0c897c241e6caf0466c9b7f479

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 e57b67d14aa175312da3f5a69294668e
SHA1 01618135f1a7177023c59fd8d1fed58e03c59945
SHA256 170a9e9bf03a35b9d62cc43bcd485ca87482e0dab5ce1a6eaa1a38c0f73425da
SHA512 0fdcc9b5a2018c67c2cb7019e8684f9f44d5af83d36cde827d38c1fc35def799af6a056d0bf023a6f164f7b87a281cb7816c433221e3068357e7d65e96b4f299

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 02df76a7b45d874395b4274c2e5b7b1f
SHA1 1b8d7060e9fa5204fa74efeb4192a168b778e9ca
SHA256 2f84a4b95126d6047929174a1d44106d9d4f62ba23c77e10218f79eca126d7a9
SHA512 5675e3895878a8b558aa4a31e06ea9858ece0dde7eca67d7e80033a96571786790ddaa0a53859f84222eb87e6eaa451245e41b31b8b66ab946a50072d6ab249e

memory/2644-105-0x0000000002E20000-0x0000000002F3B000-memory.dmp

memory/2644-114-0x0000000002E20000-0x0000000002F3B000-memory.dmp

memory/3604-111-0x00000000737D0000-0x0000000073F80000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 7c09db9c2dacb9e2f18b225f9f204f7a
SHA1 8b2e2227f02371994fb1a5d3839568a713fa7600
SHA256 2f0d802802e13e5208a8adf47fb03f66e2ba0625396220a2f6af920bd0fc6674
SHA512 ee6eb0cc2ccc30ebcb3a7b70e2bdbbbbaf17d8745576cc1eb5d80744118ac484e42eb202ff4b8c8a59aa380e95b2d5b09d1754d26c3d72bfb0c6f8ef4f85830b

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 d36d5fcf6f7e6c67304fed7123a7f816
SHA1 e8fd7e15c0e589532c8c2f908f68db1c39b326c5
SHA256 1a50d506c0ff940abf59a98a627d7be435a0cdd2f5beb9271a3c5a362ed76657
SHA512 39927f760d26def097777f2db9f4267ea226f5c36ad96073572be241293975ccaade37b7d491b4894b748fcc2827a5e1152dfb7bef33eec9bc6b992ae00a02fa

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

MD5 f75b9beec810c7d22ac06871935465cc
SHA1 02a949c1e44035114022079454555c9c145bf8fb
SHA256 edbe5331590b5dd47a67f9546820b96f3f2b4590cd4444ec6e6185762c6a2182
SHA512 e2e8b13f7e69d46fd1d3a08e08ef0bf661dc690df37583ea653321ac05ccc717a716ec9ac1670e574a87e70c8096bce538b976d7fbb4af9f46cf5c1ad598a37c

memory/408-80-0x0000000003050000-0x0000000003150000-memory.dmp

memory/1332-123-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsvF936.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\F860.exe

MD5 fe66dc5193082866daa3218bfc17e03e
SHA1 679fadc0836c53935a31c57610de66507e54cef6
SHA256 415126f846f34d62f5e5e52c0439d130115360465e601c0a989143a8cc151e18
SHA512 eab939095c5b08a3ddbd73f640abc97b1c1ea9454d57113cfa3d39904d1fd33fe7b681407ad7ab8fadefeee836988115a48960eb44286acaeace3247f3a28cde

C:\Users\Admin\AppData\Local\Temp\F860.exe

MD5 d15ce5a5cd29ede149385fcaa52326f9
SHA1 65eb7a808da310db5f90ee98212c2c73dfc25a2a
SHA256 0b526714203552492e5a8b1f85529ad849c0018df153a82e9ef435f93b5c5317
SHA512 c12755280279c907552dfc2156158dbe1cd39fa8acaf92c9b21341c9f49c5c59b6ac8c82a9fcccd9c8384d353958770b3deb47ae91cfba4d446fba617c6b97b1

memory/408-115-0x0000000000400000-0x0000000002D3E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 0f68106658c054bde5c705e5b1f000e6
SHA1 5cc1bb15c4dfd5ad0630ae0ae9ac2286f3050102
SHA256 58d6747e01ef0fce7a9a53341707556e91276314acbae7f6228d782291686b3c
SHA512 30bbfc56175b7245acb175f85fc5023b497bb0ed26e6ccf6a585b408044b6adc8d165e1b6e797f1de1e5dd33806c14c9e3d5d818f5455ea0d7a2c381c269e59e

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

MD5 c66156682cd08ea200547907b7e5e1ea
SHA1 f6778e34905907b10fe0788e3ddd5e1766a7a205
SHA256 d1605c5bec82ffd54eeff6adfe5c1a700e4633232d27e903655adeadddab2347
SHA512 1a3da2b1c45a1a1a698c55a1dd09e1c88e174e13b7ed40dbda41f6a69077d613b7758f380dd28f29ebd9a41bc95e13e13c6fecc49c61d120e6671a4ff7fd4e3d

C:\Users\Admin\AppData\Local\Temp\is-GNFNH.tmp\F860.tmp

MD5 2cdc1f1b74fdf3435106fc715a9a28f8
SHA1 aa65f3c6a6c9aee4183b9b17d0b3eb8c47c531b3
SHA256 f8baa0389f932a1c3999c756d6d860d13d1f343989963b5a620ba2f82c116e04
SHA512 1e98aafc80ec47556175b634c2e1a6ee64b1cd59f631ea658619402fb111076c12e6ce49dd139f5ca93785c16411ec8e7581431edb819f8884dfc15aa5ff6640

C:\Users\Admin\AppData\Local\Temp\is-GNFNH.tmp\F860.tmp

MD5 539c3889efe7287cfac6602816434284
SHA1 c9ad3c6c9b4a92c65516408bebbde2b2d863b26e
SHA256 24f67a53989646e6ca6be9342b05cab88604328d2cb799075b4d32b053a88c12
SHA512 033f1c22ebc388b18ebc95f008cd916693c1a18a13b728b7c6c252d4e8cd9da1cb1f14ba01672713c65fb03888e93fe3b2d64e3a984174f9fc21bc7b2153b56a

C:\Users\Admin\AppData\Local\Temp\FE2D.exe

MD5 df2076b7ede154d455fdd1035115de54
SHA1 62df9325ff2fce5e5a2cf121e84065221a513d77
SHA256 0730675048e9e0a97e9ad20f73712d7e3ba6ed114a7cdfbf8b50075656c4395c
SHA512 5f55d313b2451f14f101d7383e03cdc3a9b36a9f6487a7c164def8018b76983e6fe74288f4457a2f4273d117f1a10a886409f713173bb1f791e86205caf80430

C:\Users\Admin\AppData\Local\Temp\is-6I7LC.tmp\_isetup\_isdecmp.dll

MD5 a813d18268affd4763dde940246dc7e5
SHA1 c7366e1fd925c17cc6068001bd38eaef5b42852f
SHA256 e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64
SHA512 b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4

C:\Users\Admin\AppData\Local\Temp\is-6I7LC.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/396-155-0x0000000002F90000-0x00000000030AB000-memory.dmp

C:\Users\Admin\AppData\Local\DVD Slow\dvdslow.exe

MD5 c2fd2b3871f260fb181b590de8d07c81
SHA1 869269b2fb358ce1d0c276c643d289561cf3693a
SHA256 7dd4f9d2631b87895d1cc0f8499bff9dc230f7f319de12a21e0d23ae42ebaa93
SHA512 106baba651ac09a7c0cbeaf780ea9ec4f24dc958dc544e8bfc836c026832406310a76b9daec23a377088e0a721f7025a63aeaedd96d5de8269b73aebf00db200

memory/3440-154-0x0000000002510000-0x0000000002526000-memory.dmp

memory/3972-203-0x0000000000400000-0x000000000076F000-memory.dmp

memory/2732-199-0x0000000000CC0000-0x000000000156F000-memory.dmp

memory/2420-152-0x0000000002F50000-0x0000000003050000-memory.dmp

memory/2728-137-0x0000000002460000-0x0000000002461000-memory.dmp

memory/1728-126-0x0000000000400000-0x0000000002D8C000-memory.dmp

C:\ProgramData\PowerGo 65.0 Build 2191 Essential\PowerGo 65.0 Build 2191 Essential.exe

MD5 ec1396125cdd5bcbdd91c441b7e520ed
SHA1 c2524cc2742692538cbcd9b695b64f51b4cc58c8
SHA256 d1c0c54b056959bae44e6476f8251dc980554a608c853ce70a8f317bb1ae6f13
SHA512 497ca4e000aae3d2937c765d3c1325a572faa338af7ffac40a307b313b8ebb4e37408295cbd9d123a1d22ccccf3574c59326411e946f641ac75a0974facafb7d

memory/408-188-0x0000000000400000-0x0000000002D3E000-memory.dmp

C:\Users\Admin\AppData\Local\DVD Slow\dvdslow.exe

MD5 c4f292bf2814791ebec3f38ef1562624
SHA1 5979028e6efcdadf934dd1ab4e4bcedc5c2ae08e
SHA256 2363e6cbdce4dc1d6a2d3a2657a93fe881079e6db29993697635676997bd6009
SHA512 a2da2c6ec67dff35df920ed1a292830a55891d1328b4f64ab42337c0dab4ddf635a7676f61e310b611ea9ea4ef796de950e1abb0f075b988f3aa2bb32f7477c7

memory/396-208-0x0000000000400000-0x0000000000848000-memory.dmp

memory/3972-207-0x0000000000400000-0x000000000076F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsxC51.tmp

MD5 97ef014b840482b8f70f7b5c4c1d2fae
SHA1 cea6ff48552f7ec509160179ffda28ab4f26da0f
SHA256 f910b7e8832dde437c7556a4c61c1eee980261ab474753c149987aa7bc03306e
SHA512 e434df5878ed44d9ca445b0b82f7c45531349426e5251ab6a75e34fe6c01181eddb2ec857c250f0bb946bad974043e6ab1e6b50bf7fc67fc3d818cb9e4ef185c

memory/2264-227-0x0000000002F20000-0x0000000002F54000-memory.dmp

memory/5012-224-0x0000000000400000-0x000000000076F000-memory.dmp

memory/5012-223-0x0000000000400000-0x000000000076F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsxC51.tmp

MD5 593c6bba2414d94e5e05d505074793dc
SHA1 1315c0ffbecf2e1eea0f5ac63adce7cc403ea9e8
SHA256 44a0af487346e24e3a06361a917a81ec151ddb8b7a1c558294cfc283a35ce4ec
SHA512 6e9d0191723db1caf54f50d1ba249079f74c0b8cdb745fefb283a248279375248c6ddc27f70b1887678c5e5e22fc9a58cec1a613e758b3a96d2c72a5b7da5257

C:\Users\Admin\AppData\Local\DVD Slow\dvdslow.exe

MD5 511046a3e2eaff557688393ab156326c
SHA1 1225f137eed53202a39e2e37e55b518735af2f68
SHA256 4219c43aa76caf222e68412ac96548573463829c34d0b362d41676225c66c2ff
SHA512 5d87a2917974461bf592a289543c17a160946ca79058c85858a2eea6829ad41b4fee264d174d4ca4d642cf14e42fa540932129c486a13e844f7f2de4f505b294

memory/2420-153-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/2644-206-0x0000000002E20000-0x0000000002F3B000-memory.dmp

memory/2264-228-0x0000000000400000-0x0000000002D41000-memory.dmp

memory/1332-229-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4552-230-0x0000000000610000-0x0000000000611000-memory.dmp

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/1728-232-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/2728-233-0x0000000000400000-0x00000000008E2000-memory.dmp

memory/4552-235-0x0000000000400000-0x00000000004BC000-memory.dmp

memory/2420-236-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/2264-237-0x0000000002F90000-0x0000000003090000-memory.dmp

memory/4592-238-0x00000000029A0000-0x0000000002DA0000-memory.dmp

memory/4592-239-0x0000000002DA0000-0x000000000368B000-memory.dmp

memory/396-240-0x0000000000400000-0x0000000000848000-memory.dmp

memory/4592-241-0x0000000000400000-0x0000000000D1C000-memory.dmp

memory/2264-242-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\ProgramData\nss3.dll

MD5 0607cd187509fdce22e54c74956ba431
SHA1 7956ad9007dbba05873848d9ef9f05e577fac4b1
SHA256 cb1080b50baa8c439799306d9d90819ff45352ae91e0b8424b61a0b9c2935b4c
SHA512 eb60024e98f1bc839dbdba1c46a9976edaa01755adf7d3dc3908257ce03689e815f710d73019bdbe76acc5b50f529481fdcb59aba9320bc52809166425d02c4a

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

memory/2420-314-0x0000000000400000-0x0000000002D8C000-memory.dmp

memory/4500-324-0x0000000004DF0000-0x0000000004E26000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

memory/4500-326-0x0000000005530000-0x0000000005B58000-memory.dmp

memory/4500-330-0x00000000054F0000-0x0000000005512000-memory.dmp

memory/4500-334-0x0000000005CD0000-0x0000000005D36000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u4phro4f.l4u.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4500-345-0x0000000005EB0000-0x0000000005F16000-memory.dmp

memory/4500-346-0x0000000005F20000-0x0000000006274000-memory.dmp

memory/4492-352-0x0000026A3DF50000-0x0000026A3DF72000-memory.dmp

memory/4500-365-0x0000000005130000-0x000000000514E000-memory.dmp

memory/4500-366-0x0000000006990000-0x00000000069DC000-memory.dmp

memory/396-367-0x0000000000400000-0x0000000000848000-memory.dmp

memory/4500-368-0x00000000723B0000-0x0000000072B60000-memory.dmp

memory/4500-370-0x0000000004EF0000-0x0000000004F00000-memory.dmp

memory/4500-369-0x0000000004EF0000-0x0000000004F00000-memory.dmp

memory/4492-371-0x00007FFF52D60000-0x00007FFF53821000-memory.dmp

memory/4492-372-0x0000026A3DF40000-0x0000026A3DF50000-memory.dmp

memory/4500-374-0x00000000068C0000-0x0000000006904000-memory.dmp

memory/4492-375-0x0000026A3DF40000-0x0000026A3DF50000-memory.dmp

memory/4492-379-0x00007FFF52D60000-0x00007FFF53821000-memory.dmp

memory/4500-381-0x0000000004EF0000-0x0000000004F00000-memory.dmp

memory/1728-380-0x00000000030C0000-0x00000000031C0000-memory.dmp

memory/4500-382-0x00000000074F0000-0x0000000007566000-memory.dmp

memory/2264-383-0x0000000000400000-0x0000000002D41000-memory.dmp

C:\ProgramData\xcfonrchdkar\vueqjgslwynd.exe

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

C:\Users\Admin\AppData\Roaming\ggbtwia
